Hello, I hope you are doing well!
I have connectivity issues with the WireGuard client using the Surfshark VPN configuration provider. I've tried those configurations and they work on my Mac using the WireGuard client, but not on my router. I also tried to set it up in a different way, but it was unsuccessful for me.
I did all the steps described in this guide, but in the end I have no traffic going through the VPN. I need your help to figure out what is wrong with it.
Please connect to your OpenWrt device using ssh, copy the output of the following commands, and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
wg show
ubus call system board
{
	"kernel": "5.15.137",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "TP-Link Archer AX23 v1",
	"board_name": "tplink,archer-ax23-v1",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "ramips/mt7621",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
}
cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdd4:1766:f920::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'wg0'
	option proto 'wireguard'
	option private_key '+FH5WVw9GfmOR5LTo2B6IHASHOL8GXD0s='
	list addresses '10.14.0.9/16'
	list dns '162.252.122.57'
	list dns '149.154.119.92'

config wireguard_wg0
	option description 'Kyiv'
	option public_key 'wy+PhWBP715KfBrsQHASH77FmZWQinwYLmo='
	list allowed_ips '0.0.0.0/0'
	option endpoint_host 'ua-iev.surfshark.com'
	option endpoint_port '51820'
cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wg0'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'vpn'
wg show
interface: wg0
  public key: ipWIXtI42oe7AHASHwny8YKQg=
  private key: (hidden)
  listening port: 42515

peer: wy+PhWBP715HASH7FmZWQinwYLmo=
  endpoint: 143.244.46.99:51820
  allowed ips: 0.0.0.0/0
Don't post your private key, as anyone can use it to connect instead of you. Keys can't be reused for multiple connections, so that will prevent you from being able to connect. Cancel that key and set up a new one with Surfshark.
For the standard "send all Internet usage via VPN" setup, set route_allowed_ips on the peer, and add wg0 to the firewall wan zone.
All sensitive data is mocked, no worries. I'll try it, thanks!
Just an observation here, not directly related to the content of the thread:
It seems quite common for people to fail to redact their network PII / confidential info in log and config file output: Wi-Fi SSIDs, private keys, public IPs, etc. In this case the OP did use mock private keys, but on the whole it would seem better to have a CLI + LuCI function that allows generation of diagnostic reports that are automatically redacted.
OPNsense has such a function, provided through a plugin called "hwprobe" (Hardware probe). It creates a full report, thoroughly redacts it, and then posts it on a public website. Here's an example output from the report:
(Note: the bsd-hardware.info site can be slow and unresponsive at times.)
Does OpenWrt have such a feature or plugin already? If not, is there any existing discussion about such a feature or plugin? If there is no existing discussion, I will start a separate thread about it.
It fixed my issue, thank you a lot!
Check the box "Route Allowed IPs" on the Interfaces > WG0 > Peers page. The screencap on the Surfshark page shows the box unchecked, but the text says it must be checked. Make sure your system clock has the correct time too, or WireGuard won't work no matter what you do.
I see you've resolved your issue. Keeping this for reference anyway.
Just for reference, you don't add WG0 to the firewall wan zone; you have to create a separate VPN zone that includes WG0 with settings identical to the wan zone, and then add that zone to the "Allow forward to destination zones" of the lan.
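The three replies above describe the same checklist from different angles: route_allowed_ips set on the peer, wg0 in a zone that masquerades (whether that is the wan zone or a separate vpn zone), lan allowed to forward into that zone, and a completed handshake in `wg show`. As an added example that is not part of the thread and not OpenWrt, Surfshark or any poster's code, here is that checklist as an offline triage script over the configuration the original poster pasted. It runs on any POSIX sh with awk, including BusyBox on the router. The three embedded strings are constructed excerpts of the posted output (keys were already mocked); the `uci` commands it prints are printed, not executed; and the mtu_fix warning and the lan-to-wan "no kill switch" note are this example's own additions, not claims made in the thread.

```shell
#!/bin/sh
# Added example for this thread, not code from OpenWrt, Surfshark or any poster:
# offline triage of an OpenWrt WireGuard "route everything via the VPN" client.
# It parses pasted /etc/config/network, /etc/config/firewall and `wg show` text.
# The three strings are constructed excerpts of what the original poster pasted.
NETWORK="config interface 'wg0'
    option proto 'wireguard'
    option private_key '+FH5WVw9GfmOR5LTo2B6IHASHOL8GXD0s='
    list addresses '10.14.0.9/16'
config wireguard_wg0
    option public_key 'wy+PhWBP715KfBrsQHASH77FmZWQinwYLmo='
    list allowed_ips '0.0.0.0/0'
    option endpoint_host 'ua-iev.surfshark.com'
    option endpoint_port '51820'"
FIREWALL="config zone
    option name 'wan'
    list network 'wan'
    option masq '1'
    option mtu_fix '1'
config forwarding
    option src 'lan'
    option dest 'wan'
config zone
    option name 'vpn'
    list network 'wg0'
    option masq '1'
config forwarding
    option src 'lan'
    option dest 'vpn'"
WGSHOW="interface: wg0
  public key: ipWIXtI42oe7AHASHwny8YKQg=
  listening port: 42515
peer: wy+PhWBP715HASH7FmZWQinwYLmo=
  endpoint: 143.244.46.99:51820
  allowed ips: 0.0.0.0/0"

# Flatten UCI text into 'type|index|name|key|value' lines; anonymous sections
# (zones, forwardings, peers) get a running index so their options correlate.
uci_flat() {
    printf '%s\n' "$1" | awk -v q="'" '
        $1 == "config" { idx++; type = $2; name = $3; gsub(q, "", name); next }
        $1 == "option" || $1 == "list" {
            val = $0; sub(/^[ \t]*(option|list)[ \t]+[^ \t]+[ \t]*/, "", val); gsub(q, "", val)
            print type "|" idx "|" name "|" $2 "|" val
        }'
}

# uci_has FLAT TYPE INDEX KEY VALUE: true if that section holds the value (INDEX '*' = any section of TYPE).
uci_has() {
    printf '%s\n' "$1" | awk -F'|' -v t="$2" -v i="$3" -v k="$4" -v v="$5" \
        '$1 == t && (i == "*" || $2 == i) && $4 == k && $5 == v { f = 1 } END { exit !f }'
}

# fw_forwards FLAT SRC DEST: true if some 'config forwarding' section allows SRC -> DEST.
fw_forwards() {
    printf '%s\n' "$1" | awk -F'|' -v s="$2" -v d="$3" '
        $1 == "forwarding" && $4 == "src"  { S[$2] = $5 }
        $1 == "forwarding" && $4 == "dest" { D[$2] = $5 }
        END { for (i in S) if (S[i] == s && D[i] == d) f = 1; exit !f }'
}

# check_config NETWORK_TEXT FIREWALL_TEXT: prints findings, returns the number of hard errors.
check_config() {
    net=$(uci_flat "$1"); fw=$(uci_flat "$2"); errors=0
    for iface in $(printf '%s\n' "$net" | awk -F'|' '$1 == "interface" && $4 == "proto" && $5 == "wireguard" { print $3 }'); do
        # 1. without route_allowed_ips, allowed_ips only filters; 0.0.0.0/0 never becomes a route
        uci_has "$net" "wireguard_$iface" '*' route_allowed_ips 1 \
            || { echo "ERROR: $iface peer lacks route_allowed_ips '1'"; errors=$((errors + 1)); }
        # 2. the interface must sit in a zone that masquerades (LAN addresses are not routable in the VPN)
        zidx=$(printf '%s\n' "$fw" | awk -F'|' -v i="$iface" '$1 == "zone" && $4 == "network" && $5 == i { print $2; exit }')
        if [ -z "$zidx" ]; then
            echo "ERROR: $iface is in no firewall zone"; errors=$((errors + 1)); continue
        fi
        zone=$(printf '%s\n' "$fw" | awk -F'|' -v z="$zidx" '$1 == "zone" && $2 == z && $4 == "name" { print $5 }')
        uci_has "$fw" zone "$zidx" masq 1 \
            || { echo "ERROR: zone '$zone' has no masq '1'"; errors=$((errors + 1)); }
        uci_has "$fw" zone "$zidx" mtu_fix 1 \
            || echo "WARN: zone '$zone' has no mtu_fix '1'; large TCP transfers may stall inside the tunnel"
        # 3. lan must be allowed to forward into that zone
        fw_forwards "$fw" lan "$zone" \
            || { echo "ERROR: no forwarding lan -> $zone"; errors=$((errors + 1)); }
        # lan -> wan staying open is normal, but it means no kill switch if the tunnel drops
        fw_forwards "$fw" lan wan \
            && echo "INFO: lan -> wan forwarding is open; if $iface goes down, traffic falls back to plain WAN"
    done
    return $errors
}

# wg_handshake_seen WGSHOW_TEXT: true once a peer shows a 'latest handshake' line. Its absence,
# as in the posted output, points at keys, endpoint or the system clock rather than routing.
wg_handshake_seen() {
    printf '%s\n' "$1" | grep -q 'latest handshake'
}

# print_fix IFACE: the uci commands that add the one missing option to the first peer.
print_fix() {
    printf "uci set network.@wireguard_%s[0].route_allowed_ips='1'\nuci commit network\n/etc/init.d/network restart\n" "$1"
}

# The posted config as is, then with the single option the thread's fix adds (same last section).
FIXED_NETWORK="$NETWORK
    option route_allowed_ips '1'"
if ! check_config "$NETWORK" "$FIREWALL"; then echo "posted config: broken, apply:"; print_fix wg0; fi
check_config "$FIXED_NETWORK" "$FIREWALL" && echo "fixed config: OK"
wg_handshake_seen "$WGSHOW" || echo "wg show: no handshake yet; check keys, endpoint and the clock (date)"
```

On the router itself the same functions take the live files, for example `check_config "$(cat /etc/config/network)" "$(cat /etc/config/firewall)"` and `wg_handshake_seen "$(wg show)"`. Run the handshake check after the routing fix: a tunnel whose routes are right but that never shows `latest handshake` is the case the clock advice above is for, because the handshake carries a timestamp the peer uses for replay protection.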
The WireGuard setup on OpenWrt is really tricky and has no error tolerance.
You are right! I did all the moves that you mentioned above and it works, thanks!
This would be an excellent feature!
The advice from @mk24 (WireGuard connectivity issue with Surfshurk VPN - #4 by mk24), placing the wg0 interface in the WAN zone, also works, and to troubleshoot you want to simplify as much as possible.
His only actual issue was one tick box. Putting wg0 in the WAN zone won't work, so I don't think he did that to solve the problem. When he answered you, he'd already solved the problem. But maybe I'm wrong too. I could not get WireGuard to work that way, and it has to be set up differently than the way OpenVPN uses the tun0 interface in the wan zone. I thought the same thing when I first started trying to make WireGuard work. This is an area needing improvement/development. There should be a method to switch between different peers in WireGuard, and a simpler setup. The existing setup is quite difficult, and the issue of the system clock having to be exactly correct for it to work needs to be addressed in future development.