Wireguard config does not work on openwrt router 22.03.05

Just follow @pshermans advice

1 Like
root@OpenWrt:~# ubus call system board
{
        "kernel": "5.10.176",
        "hostname": "OpenWrt",
        "system": "Qualcomm Atheros QCA956X ver 1 rev 0",
        "model": "TP-Link Archer A7 v5",
        "board_name": "tplink,archer-a7-v5",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.5",
                "revision": "r20134-5f15225c1e",
                "target": "ath79/generic",
                "description": "OpenWrt 22.03.5 r20134-5f15225c1e"
        }
}

And these as well:

1 Like

Guys thanks a lot for trying to help me....
Somehow - It works now...I could check my ip is same as protonvpn provided server ip
But the speed is very slow ..it gives me 12 mbps download and 20mbps upload - its weird ..usually download is more and upload is less...
I believe this is because free protonvpn I am using ? or there is something to tweak in openwrt?

@psherman @lleachii Sorry I could not give full config or network and firewall -..because at first I did not know how to even get it and than I got worried about sharing it over the internet.

1 Like

When I check my ip ..it shows same as configuration file I entered in to router ...but when I check dnsleaktest - it shows comcast 4 different ip ...so this is dnsleak..if I change dns to google servers ..it shows google servers ...but google is also third party...what should I do to stop the leak between me and proton vpn?

If you showed us the config, we might easily see your issue. We're just guessing without it.

Just obscure things like MACs and passwords.

It almost seemed as if you had no leak, but it's hard to determine without seeing your config. It doesn't matter which servers you pick as long as those are the ones you trust. Any DNS server other than your ISP is 3rd party, so I was confused at the comment.

You also don't show us the dnsleaktest results.

1 Like

A DNS leak is usually defined as a DNS query not using the VPN Tunnel.
(ipleak.net will show the origin of the DNS query and the used DNS servers).

Not sure if this is your problem or is the problem that you are using DNS servers which are not set in the WG interface?

Unfortunately it is difficult to see what DNS servers you have set as we do not have any information about your settings.

So just some general information:

`How DNS works (as far as i know :slight_smile: )

Your router hands out its own address as DNS server to your clients
The router itself (to be precise DNSMasq) queries upstream DNS servers, all the DNS servers you entered on your interfaces (WAN, LAN, WireGuard) are added to a resolv file (usually /tmp/resolv.conf.d/resolv.conf.auto)

The router queries these upstream DNS server using the default route of the main table.
this can be shown with: ip route show
`
So if you want only DNS servers from Proton you can set those as your regular DNS servers provided they are publicly available if not then there are scripts which are setting the WG DNS servers exclusive to DNSMasq on startup of the WG interface and route those servers via the WG tunnel

1 Like

You should check if: option dns 'x.x.x.x' is set in
/etc/config/network under the wireguard interface

or via luci

Network > Interfaces > Wireguard > Edit > Advanced Settings > Use custom DNS servers

What I can tell from this site it should be set to: 10.2.0.1

1 Like
  • This will only work for traffic initiated from the router thru the interface
  • You have to ensure that you also route the DST IP thru the correct interface, regardless of DNS IP or interface assigned

(this is why we need to see the config)

Example with DNS (via Cloudflare WARP Wireguard tunnel):

config route
        option interface 'wg_warp'
        option target '1.1.1.1/32'
3 Likes

I think he still needs to do this under the LAN interface.
Define additional DHCP options, for example "6,192.168.2.1,192.168.2.2" which advertises different DNS servers to clients.
and let it point to the router.

@seccam49
Network > Interfaces > LAN > DHCP server > Advanced Settings > DHCP-options

1 Like

Actually, these don't do anything. DNS is controlled elsewhere.
See this:

2 Likes

I have already set 10.2.0.1 as custom dns under wireguard interface - advanced settings...still saw comcast (not local comcast but in other states)
But I will share config with you guys...I am too tired right now ..because of work..so will share when I am up ...Thanks for help

Example assuming 10.2.0.1 is the remote end of the WG interface:

# in /etc/config/network
config route
        option interface 'wg_warp'
        option target '10.2.0.1/32'

and

# in /etc/config/dhcp

config dhcp 'lan'                                    
        option interface 'lan'
#...   ...   
        list dhcp_option '6,10.2.0.1'  #<---

! Make a backup before using this.

So I wiped a spare router to test, and I got it working just fine with the commands below. To test just choose NL-FREE#187118 and download the ProtonVPN config, then fill in the private and public keys below and execute the commands.

# disable/ignore wan dns
uci set network.wan.peerdns='0'

# add wireguard interface
uci set network.wg0=interface
uci set network.wg0.proto='wireguard'
uci set network.wg0.private_key=''
uci add_list network.wg0.addresses='10.2.0.2/32'
uci add_list network.wg0.dns='10.2.0.1'

# add wireguard connection
uci add network wireguard_wg0
uci set network.@wireguard_wg0[-1].description='NL-FREE#187118'
uci add_list network.@wireguard_wg0[-1].allowed_ips='0.0.0.0/0'
uci set network.@wireguard_wg0[-1].route_allowed_ips='1'
uci set network.@wireguard_wg0[-1].endpoint_host='149.34.244.159'
uci set network.@wireguard_wg0[-1].endpoint_port='51820'
uci set network.@wireguard_wg0[-1].persistent_keepalive='25'
uci set network.@wireguard_wg0[-1].public_key=''
uci set network.@wireguard_wg0[-1].private_key="$(uci get network.wg0.private_key)"

# configure firewall
uci set firewall.@defaults[0].synflood_protect='1'
uci set firewall.@defaults[0].drop_invalid='1'
uci add firewall zone
uci set firewall.@zone[-1].name='vpn'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci set firewall.@zone[-1].masq='1'
uci set firewall.@zone[-1].mtu_fix='1'
uci set firewall.@zone[-1].network='wg0'
uci set firewall.@forwarding[0].dest='vpn'

uci commit
service network restart
1 Like
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix ''

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'
        option ipv6 '0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option delegate '0'

config device
        option name 'eth0.2'
        option macaddr ''

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'
        option metric '20'
        option peerdns '0'
        list dns '10.2.0.1'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 3 4 5'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 1'
        option vid '2'

config interface 'Gary201'
        option proto 'static'
        option ipaddr '192.168.8.1'
        option netmask '255.255.255.0'
        list dns '8.8.8.8'
        list dns '1.1.1.1'
        option device 'wlan1-1'
        option gateway '192.168.1.1'

config interface 'Gary501'
        option proto 'static'
        option ipaddr '192.168.9.1'
        option netmask '255.255.255.0'
        list dns '8.8.8.8'
        list dns '1.1.1.1'
        option device 'wlan0-1'
        option gateway '192.168.1.1'

config device
        option name 'wlan0-1'

config device
        option name 'wlan0'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '3'
        option name 'eth0.3'

config device
        option name 'eth0.1'
        option type '8021q'
        option ifname 'eth0'
        option vid '1'

config interface 'VLAN3'
        option proto 'static'
        option device 'eth0.3'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option type 'bridge'
        list dns '8.8.8.8'
        list dns '1.1.1.1'
        option gateway '192.168.1.1'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '0t 2'
        option vid '3'

config device
        option type 'bridge'
        option name 'VLAN'
        list ports 'VLAN.30'
        list ports 'VLAN.40'
        list ports 'VLAN.20'

config bridge-vlan
        option device 'VLAN'
        option vlan '20'
        list ports 'VLAN.20:t'

config bridge-vlan
        option device 'VLAN'
        option vlan '30'
        list ports 'VLAN.30:t'

config bridge-vlan
        option device 'VLAN'
        option vlan '40'
        list ports 'VLAN.40:t'

config interface 'IOT'
        option proto 'static'
        option device 'VLAN.20'
        option netmask '255.255.255.0'
        list dns '8.8.8.8'
        list dns '1.1.1.1'
        option ipaddr '192.168.20.1'
        option gateway '192.168.1.1'

config device
        option name 'wlan1-1'

config device
        option name 'wlan1'

config interface 'OPVN'
        option proto 'none'
        option device 'tun0'
        option delegate '0'

config interface 'wg0'
        option proto 'wireguard'
        list addresses '10.2.0.2/32'
        option delegate '0'
        option metric '10'
        list dns '10.2.0.1'
        option private_key ''

config device
        option name 'eth0'

config device
        option name 'wg0'

config wireguard_wg0
        option endpoint_port '51820'
        list allowed_ips '0.0.0.0/0'
        option route_allowed_ips '1'
        option description 'Houston'
        option public_key ''
        option endpoint_host '37.19.221.194'
        option persistent_keepalive '25'

@psherman @egc @lleachii @Dantes

Please check above and advise
Please ignore some of the irrelevant interfaces like IOT/VLAN3 etc... - I was just checking something...trial and error..

[quote="psherman, post:2, topic:167376"]
`cat /etc/config/firewall`
[/quote]

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option mtu_fix '1'
        option family 'ipv4'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list device 'wg0'
        list device 'tun0'
        list network 'wan'
        list network 'wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'Gary201'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'
        list network 'Gary201'

config zone
        option name 'Gary501'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'
        list network 'Gary501'

config forwarding
        option src 'Gary201'
        option dest 'wan'

config forwarding
        option src 'Gary501'
        option dest 'wan'

config rule
        option name 'Gary201-DHCP'
        list proto 'udp'
        option src 'Gary201'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option name 'Gary501-DHCP'
        list proto 'udp'
        option src 'Gary501'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option name 'Gary201-DNS'
        option src 'Gary201'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Gary501-DNS'
        option src 'Gary501'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Gary201-Block'
        option src 'Gary201'
        option target 'DROP'

config rule
        option name 'Gary501-Block'
        option src 'Gary501'
        option target 'DROP'

config zone
        option name 'IOT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'
        list network 'IOT'

config zone
        option name 'VLAN3'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'
        list network 'VLAN3'

config rule
        option name 'IOT-DHCP'
        list proto 'udp'
        option src 'IOT'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option name 'IOT-DNS'
        option src 'IOT'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'IOT-Block'
        option src 'IOT'
        option target 'DROP'

config forwarding
        option src 'lan'
        option dest 'wan'

config zone
        option name 'OPVN'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'
        list device 'tun0'
        list network 'OPVN'

config zone
        option name 'Wireguard'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'
        option masq '1'
        list device 'wg0'
        list network 'wg0'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'

config forwarding
        option src 'Wireguard'
        option dest 'wan'

config forwarding
        option src 'OPVN'
        option dest 'wan'

Again please ignore IOT and VLAN3 interface ...I have stopped them so not active.

interface: wg0
  public key: ''
  private key: (hidden)
  listening port: 40997

peer: 'public key'
  endpoint: 37.19.221.194:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 56 seconds ago
  transfer: 493.47 MiB received, 300.49 MiB sent
  persistent keepalive: every 25 seconds

@psherman @lleachii @Dantes @egc

There are a ton of issues in these config files. So many, in fact, that I think it would be quite time consuming to fix them. My advice is to make a backup and then reset to defaults. From there, you can rebuild the config, and it'll be faster than trying to fix what's going on currently.

I understand but to fix dns leak - I think it should not take much time ...so if u can focus only on dns leak issue...it will be helpful @lleachii @Dantes @xize @egc

I would not recommend trying to fix the dns leak when so much else is wrong. It is like trying to fix a leaky faucet in your bathroom sink when you have a sewer line backing up.

1 Like