Wireguard Client on access point

Been reading for hours but still can’t find the solution. After managing to configure my router with 3 networks:

  • Standard (through WAN, with LAN configuration)
  • Guest (through WAN, No LAN access)
  • VPN (Wireguard client)

I would like to configure a wired access point in the same way.

As the LAN DHCP server is on the primary router, I removed the WAN/WAN6 interfaces and added the WAN port to the LAN bridge. Works fine for the Standard network (assigning IPs from the primary router, 192.168.1.x) and the guest network (assigning IPs from a different subnet, 192.168.11.x). The VPN network also assigns IPs, 192.168.12.x, and the wireguard interface is up and running.

I still can’t get internet access through this network.

It would be very nice if someone could have a look at the following configuration to give hints or solutions concerning what I am doing wrong.

network:


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fde3:78a9:6dab::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'wan'

config device
	option type 'bridge'
	option name 'br-guest'
	option bridge_empty '1'

config device
	option type 'bridge'
	option name 'br-vpn'
	option bridge_empty '1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.8'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option dns_metric '0'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'

config interface 'guest_int'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.11.1'
	option netmask '255.255.255.0'

config interface 'vpn_int'
	option proto 'static'
	option device 'br-vpn'
	option ipaddr '192.168.12.1'
	option netmask '255.255.255.0'

config interface 'wg_int'
	option proto 'wireguard'
	option private_key 'key'
	list addresses '10.14.0.2/16'
	list dns '162.252.172.57'
	list dns '149.154.159.92'

config wireguard_wg_int
	option description 'Surfshark_FRA'
	option public_key 'key'
	option endpoint_host 'de-fra.prod.surfshark.com'
	option endpoint_port '51820'
	option persistent_keepalive '30'
	list allowed_ips '0.0.0.0/0'

firewall:


config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	list network 'lan'

config zone
	option name 'guest_zone'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest_int'

config zone
	option name 'vpn_zone'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list network 'vpn_int'
	option mtu_fix '1'

config zone
	option name 'wg_zone'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wg_int'
	option mtu_fix '1'
	option masq '1'

config forwarding
	option src 'vpn_zone'
	option dest 'wg_zone'

config rule
	option src 'guest_zone'
	option name 'Allow-DNS-Guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option src 'guest_zone'
	option name 'Allow-DHCP-Guest'
	list proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option src 'vpn_zone'
	option name 'Allow-VPN-DNS'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option src 'vpn_zone'
	option name 'Allow-VPN-DHCP'
	list proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config forwarding
	option src 'guest_zone'
	option dest 'lan'

config forwarding
	option src 'wg_zone'
	option dest 'lan'

config rule
	option src 'guest_zone'
	option dest 'lan'
	option name 'Block_Guest_from_LAN'
	list proto 'all'
	list dest_ip '192.168.1.0/24'
	option target 'REJECT'

You are setting up a wg vpn on a bridged ap.

That needs some special settings.

My notes have a paragraph dedicated to this see:
https://raw.githubusercontent.com/egc112/OpenWRT-egc-add-on/main/notes/OpenWRT%20WireGuard%20Client%20Setup%20guide%20using%20LuCi.pdf

I was living with the idea that I followed your guide. There are two guest networks, but however I try to let one of those route through the wireguard interface, I fail…

I had a hard time sleeping, so went through the whole setup again. All networks working fine until starting the wireguard interface. Can’t find an obvious mistake.

All help much appreciated!

root@OpenWrt:~# ubus call system board
{
        "kernel": "6.6.104",
        "hostname": "OpenWrt",
        "system": "ARMv7 Processor rev 0 (v7l)",
        "model": "Netgear Nighthawk X4S R7800",
        "board_name": "netgear,r7800",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.3",
                "revision": "r28872-daca7c049b",
                "target": "ipq806x/generic",
                "description": "OpenWrt 24.10.3 r28872-daca7c049b",
                "builddate": "1758316778"
        }
}
root@OpenWrt:~#  cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fde3:78a9:6dab::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'wan'

config device
        option type 'bridge'
        option name 'br-guest'
        option bridge_empty '1'

config device
        option type 'bridge'
        option name 'br-vpn'
        option bridge_empty '1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.8'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option dns_metric '0'
        option gateway '192.168.1.1'
        list dns '192.168.1.1'

config interface 'guest_int'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.11.1'
        option netmask '255.255.255.0'

config interface 'vpn_int'
        option proto 'static'
        option device 'br-vpn'
        option ipaddr '192.168.12.1'
        option netmask '255.255.255.0'

config interface 'wg_int'
        option proto 'wireguard'
        option private_key 'key'
        list addresses '10.14.0.2/16'
        list dns '162.252.172.57'
        list dns '149.154.159.92'

config wireguard_wg_int
        option description 'Surfshark_FRA'
        option public_key 'key'
        option endpoint_host 'de-fra.prod.surfshark.com'
        option endpoint_port '51820'
        option persistent_keepalive '30'
        list allowed_ips '0.0.0.0/0'

root@OpenWrt:~#  cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
        option band '5g'
        option channel '36'
        option htmode 'VHT80'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'STD'
        option encryption 'psk2'
        option key 'key'
        option ieee80211r '1'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
        option band '2g'
        option channel 'auto'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'STD'
        option encryption 'psk2'
        option key 'key'
        option ieee80211r '1'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'

config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option ssid 'GUEST'
        option encryption 'psk2+ccmp'
        option key 'key'
        option network 'guest_int'
        option isolate '1'

config wifi-iface 'wifinet3'
        option device 'radio0'
        option mode 'ap'
        option ssid 'GUEST'
        option encryption 'psk2+ccmp'
        option key 'key'
        option network 'guest_int'
        option isolate '1'

config wifi-iface 'wifinet4'
        option device 'radio0'
        option mode 'ap'
        option ssid 'VPN'
        option encryption 'psk2+ccmp'
        option key 'key'
        option network 'vpn_int'

config wifi-iface 'wifinet5'
        option device 'radio1'
        option mode 'ap'
        option ssid 'VPN'
        option encryption 'psk2+ccmp'
        option key 'key'
        option network 'vpn_int'

root@OpenWrt:~#  cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'lan'

config zone
        option name 'guest_zone'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest_int'

config zone
        option name 'vpn_zone'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vpn_int'

config rule
        option src 'guest_zone'
        option name 'Allow-DNS-Guest'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option src 'guest_zone'
        option name 'Allow-DHCP-Guest'
        list proto 'udp'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option src 'vpn_zone'
        option name 'Allow-VPN-DNS'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option src 'vpn_zone'
        option name 'Allow-VPN-DHCP'
        list proto 'udp'
        option dest_port '67'
        option target 'ACCEPT'

config forwarding
        option src 'guest_zone'
        option dest 'lan'

config rule
        option src 'guest_zone'
        option dest 'lan'
        option name 'Block_Guest_from_LAN'
        list proto 'all'
        list dest_ip '192.168.1.0/24'
        option target 'REJECT'

config zone
        option name 'wg_zone'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'wg_int'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'vpn_zone'
        option dest 'wg_zone'

root@OpenWrt:~#  wg show
interface: wg_int
  public key: key
  private key: (hidden)
  listening port: 46672

peer: peer
  endpoint: 146.70.160.211:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 1 minute, 40 seconds ago
  transfer: 552 B received, 1.77 KiB sent
  persistent keepalive: every 30 seconds
root@OpenWrt:~#

You're missing a line here:

Add:

        option route_allowed_ips '1'

There have been problems reported when using the wan interface in a bridged AP; maybe it is already solved, but see:

Thank you! This got the wireguard interface working. I am experiencing DNS leaks, which I was thinking of handling with PBR, but I can’t start the PBR service and there is no active service gateway listed…

Checking list allowed_ips also crashed my guest network.

Would working PBR be a solution for both DNS leak and guest network?

DNSMasq will use all DNS servers added to the interfaces, so it will also use the DNS server on the LAN interface.

Although it looks like you have a default route via the VPN there is also a route for 192.168.1.0/24 via the LAN interface so that the DNS server 192.168.1.1 can/will be used.

There are several ways out of this:
Remove 192.168.1.1 as DNS server, but this is a bit tricky, as there is then only DNS after the tunnel is up, and for the tunnel to go up you need DNS. So you can add a specific server to DNSMasq to resolve the time server and endpoint address via 192.168.1.1, e.g.:

list server '/wg-endpoint-address/openwrt-timeserver/192.168.1.1'

or use a script to use the WireGuard DNS servers exclusively after the tunnel is up (see: https://github.com/egc112/OpenWRT-egc-add-on/tree/main/stop-dns-leak),
or use DHCP option 6: https://github.com/egc112/OpenWRT-egc-add-on/tree/main/stop-dns-leak,
or nftables: https://github.com/egc112/OpenWRT-egc-add-on/tree/main/stop-dns-leak#iptablesnftables
nftables is what is used by the PBR app, so that is also a viable alternative.

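The two problems diagnosed in this thread (the peer section lacking route_allowed_ips, and the VPN client network still resolving through the router's dnsmasq and hence the LAN DNS) can be caught from the posted UCI text alone. The following is an added example, not code from the thread, from OpenWrt or from the egc add-on; the sample configs inside it are constructed and trimmed from the OP's first network and firewall postings.

```python
import re

# Added example, not code from this thread or from OpenWrt: a small linter for UCI text
# like the configs posted above. It flags the two things the replies diagnose: a peer
# whose allowed_ips are never installed as routes, and a tunnelled client network that
# can still query the router's dnsmasq, which forwards to the LAN-side DNS as well.
SEC_RE = re.compile(r"^config\s+(\S+)(?:\s+'([^']*)')?")
KV_RE = re.compile(r"^(option|list)\s+(\S+)\s+'([^']*)'")

def parse_uci(text):
    secs = []  # each section: {"type", "name", "opt": {k: v}, "lst": {k: [v, ...]}}
    for line in (l.strip() for l in text.splitlines()):
        if m := SEC_RE.match(line):
            secs.append({"type": m[1], "name": m[2], "opt": {}, "lst": {}})
        elif (m := KV_RE.match(line)) and secs:
            kind, key, val = m.groups()
            if kind == "option":
                secs[-1]["opt"][key] = val
            else:
                secs[-1]["lst"].setdefault(key, []).append(val)
    return secs

def audit(network_text, firewall_text):
    """Return findings as strings; an empty list means nothing was flagged."""
    net, fw = parse_uci(network_text), parse_uci(firewall_text)
    out, wg = [], {s["name"] for s in net if s["opt"].get("proto") == "wireguard"}
    for s in net:  # 1. the handshake can succeed while nothing is routed into the tunnel
        if s["type"].startswith("wireguard_") and s["opt"].get("route_allowed_ips") != "1":
            out.append(f"{s['type'][10:]}: allowed_ips {s['lst'].get('allowed_ips')} are not "
                       "installed as routes; add option route_allowed_ips '1'")
    # 2. a tunnelled zone that may reach the router itself on port 53 (rule with no dest zone) uses dnsmasq, which forwards to every interface's DNS
    zone_of = {n: s["opt"]["name"] for s in fw if s["type"] == "zone"
               for n in s["lst"].get("network", [])}
    wg_zones = {zone_of[i] for i in wg if i in zone_of}
    tunnelled = {s["opt"]["src"] for s in fw
                 if s["type"] == "forwarding" and s["opt"].get("dest") in wg_zones}
    lan_dns = [d for s in net if s["name"] not in wg for d in s["lst"].get("dns", [])]
    for o in (s["opt"] for s in fw if s["type"] == "rule"):
        if (o.get("src") in tunnelled and "dest" not in o and o.get("dest_port") == "53"
                and o.get("target") == "ACCEPT" and lan_dns):
            out.append(f"{o['src']}: rule '{o.get('name')}' lets clients use local dnsmasq, "
                       f"which also forwards to LAN DNS {lan_dns}")
    return out

# Constructed sample, trimmed from the OP's first network and firewall configs.
NETWORK = ("config interface 'lan'\nlist dns '192.168.1.1'\nconfig interface 'vpn_int'\n"
           "config interface 'wg_int'\noption proto 'wireguard'\nconfig wireguard_wg_int\nlist allowed_ips '0.0.0.0/0'\n")
FIREWALL = ("config zone\noption name 'vpn_zone'\nlist network 'vpn_int'\nconfig zone\noption name 'wg_zone'\n"
            "list network 'wg_int'\nconfig rule\noption src 'vpn_zone'\noption name 'Allow-VPN-DNS'\n"
            "option dest_port '53'\noption target 'ACCEPT'\nconfig forwarding\noption src 'vpn_zone'\noption dest 'wg_zone'\n")
```

Running `audit(NETWORK, FIREWALL)` on the sample reports both findings; adding `option route_allowed_ips '1'` to the peer section clears the first, and changing the Allow-VPN-DNS rule away from ACCEPT clears the second.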

I would deny VPN users the use of the local dnsmasq (block input on port 53) and use a DHCP option to advertise the VPN provider's DNS or another DNS that is reachable through the tunnel. These changes will only affect the VPN user network.

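The approach in the reply above, written out as an added example against the OP's own section names (this is not the poster's config): the existing Allow-VPN-DNS rule is turned into a REJECT so vpn_zone clients cannot use the router's dnsmasq, and the DHCP pool for vpn_int advertises the two resolvers already listed on wg_int via option 6. The /etc/config/dhcp section is not shown in the thread, so its name and pool values are assumed.

```uci
# /etc/config/firewall: edit the existing Allow-VPN-DNS rule in place. Firewall rules
# match in order, so a separate REJECT appended after the ACCEPT would never be reached.
config rule
        option src 'vpn_zone'
        option name 'Block-VPN-local-DNS'
        option dest_port '53'
        option target 'REJECT'

# /etc/config/dhcp: assumed pool section for vpn_int. DHCP option 6 hands clients the
# resolvers that are reached through the tunnel (the two DNS entries on wg_int).
config dhcp 'vpn_int'
        option interface 'vpn_int'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '6,162.252.172.57,149.154.159.92'
```

The Allow-VPN-DHCP rule (udp/67) stays as it is, since clients still need to obtain a lease from this device; only name resolution is redirected through the tunnel.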
