Trying to set up a Proton VPN WireGuard client profile on my OpenWrt router, and it's not working. However, the same profile works fine on my phone. I also tried setting up my OpenWrt router as the client and my laptop as the server, just to check. Same type of result, but I have since deleted that interface. Below is the Proton VPN client setup config only. Please help me check it.
root@OpenWrt:~# uci export network; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> iptables-save -c; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru;
package network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option packet_steering '1'
option ula_prefix 'fdfa:c86f:7523::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config device
option name 'lan1'
option macaddr '58:ef:68:xx.xx.xx'
config device
option name 'lan2'
option macaddr '58:ef:68:xx.xx.xx'
config device
option name 'lan3'
option macaddr '58:ef:68:xx.xx.xx'
config device
option name 'lan4'
option macaddr '58:ef:68:xx.xx.xx'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.2.1'
option gateway '192.168.1.254'
option broadcast '192.168.2.255'
config device
option name 'wan'
option macaddr '58:ef:68:xx.xx.xx'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
config interface 'wireguard'
option proto 'wireguard'
option private_key 'yHItP3qa2Yo3Qarxxxxxx'
list addresses '10.2.0.2/32'
option peerdns '0'
list dns '10.2.0.1'
config wireguard_wireguard
option description 'Imported peer configuration'
option public_key 'MqSC5RXp76Bxqxxxxxx'
list allowed_ips '0.0.0.0/0'
option endpoint_host '138.199.xx.xx'
option endpoint_port '51820'
option route_allowed_ips '1'
option persistent_keepalive '25'
package firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'wireguard'
config zone 'wan'
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'wgfw'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
list network 'wireguard'
config forwarding
option src 'lan'
option dest 'wgfw'
head: /etc/firewall.user: No such file or directory
-ash: iptables-save: not found
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
3: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.1.10/24 brd 192.168.1.255 scope global wan
valid_lft forever preferred_lft forever
10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan
valid_lft forever preferred_lft forever
14: wireguard: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
inet 10.2.0.2/32 brd 255.255.255.255 scope global wireguard
valid_lft forever preferred_lft forever
default dev wireguard scope link
192.168.1.0/24 dev wan scope link src 192.168.1.10
192.168.2.0/24 dev br-lan scope link src 192.168.2.1
local 10.2.0.2 dev wireguard table local scope host src 10.2.0.2
broadcast 127.0.0.0 dev lo table local scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1
local 127.0.0.1 dev lo table local scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1
broadcast 192.168.1.0 dev wan table local scope link src 192.168.1.10
local 192.168.1.10 dev wan table local scope host src 192.168.1.10
broadcast 192.168.1.255 dev wan table local scope link src 192.168.1.10
broadcast 192.168.2.0 dev br-lan table local scope link src 192.168.2.1
local 192.168.2.1 dev br-lan table local scope host src 192.168.2.1
broadcast 192.168.2.255 dev br-lan table local scope link src 192.168.2.1
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
root@OpenWrt:~#
Wireguard uses the public key to uniquely identify and route a client. This means that you can't have the same key on two clients that are simultaneously connected to the same server.
When using wireguard to redirect the whole house Internet usage, place it in the wan zone, or make a new zone with masquerade enabled. The VPN provider does not know about your LAN to install a return route to it, so you need to NAT all LAN Internet access to originate from the tunnel IP, like a road warrior does.
Check the wireguard status by running wg with no parameters. If you see that handshakes are occurring, the basic setup with keys and endpoint address is working then you would look at routing and firewall.
I second everything said by @mk24. Assuming the keys are right, the problem is likely the fact that you have the wireguard interface in two firewall zones... remove it from the lan zone. Leaving it in the lan zone also means the lan zone's ACCEPT input/forward policy applies to traffic arriving from the tunnel side, which is not what you want for an interface that faces a remote VPN server.
Also worth mentioning... DNS entries do not do anything in wireguard interfaces on OpenWrt... you can remove those two lines.
No (usable) encrypted packets have been received from the Proton VPN server. The first check would be to see if it is reachable at all with ping 138.199.22.97.
It is behaving strangely anyway. Earlier I deleted the interface and added it again, and there was a handshake, but internet traffic was not passing through the tunnel. After a reboot, there is no handshake.
root@OpenWrt:~# wg
interface: wg0
public key: ZTVvEuWcrScfC6dbq**********************
private key: (hidden)
listening port: 58939
peer: MqSC5RXp76BxqvagxLEIg***********************
endpoint: 138.199.22.97:51820
allowed ips: 0.0.0.0/0, ::/0
latest handshake: 34 seconds ago
transfer: 276 B received, 1.06 KiB sent
persistent keepalive: every 25 seconds
Not being able to reach the remote endpoint is usually indicative of a problem (although it is possible the ping responses are disabled on that remote system).
Are you able to successfully connect using your phone right now?
If the WG tunnel attempts to start before the clock is able to synchronize with an NTP server, a chicken-and-egg situation occurs. Time must be correct for WG to function.
I can ping that IP. Comment out the wireguard interface and make sure your router can generally access the Internet.
(There is no clock hardware in most routers, the time must be pulled from the Internet using NTP. So the time being wrong is just a symptom of the Internet not being reached.)
Remove the explicit gateway... that may be the issue here. While you're at it, you can also remove the broadcast address (it doesn't matter, but the broadcast is calculated automatically, so no need to include it).