Wireguard Firewall in 18.06.0

Prior to flashing 18.06.0 I had previously installed "snapshots" and successfully connected for 4 months to Wireguard (luci-proto-wireguard) installed on my router.
Yesterday I flashed 18.06.0 and set up Wireguard in precisely the same way as before. I rebooted and got locked out. Following a hard reset I checked multiple times that my firewall setting were correct - as specified in Mullvads guides. But I continue to get locked out.
The suggested firewall settings are here :https://mullvad.net/media/uploads/2018/01/11/lede-zones.png
Any suggestions please

me too were in trouble with it.

are you allowing full access to the 2 LAN being linked?
with WireGuard laying within same IP and subnet per each LAN network?

If yes, forget about the suggested firewall settings in your link above, just add your wireguard interface in the "Create / Assign firewall-zone" with your LAN within Firewall Settings tab in your wireguard interface.

(General Setup - Advances Settings - Firewall Settings)

1 Like

I've upgraded all of my devices running Wireguard with no issues. I had no need to edit the configs to work on version 18.

Are you certain that the interface came up?

I've observed issues where the random number pool is not full enough to bring up the encrypted interface for ~5-10 minutes (especially if WiFi is disabled).

Post the results of cat /proc/sys/kernel/random/entropy_avail upon booting.

To clarify, The interface did not come up. I was unable obtain a connection to the router and therefore had to reset it.
I waited 20mins but no connection.
result from cat /proc/sys/kernel/random/entropy_avail = 68.

I've now managed to get things working by tweaking the firewall settings. But I'm unsure if its secure!

I didn't think it would, that's what I unfortunately expected to happen...

This is too low for the Wireguard interface to come up. I don't know what number IS high enough, since I was in the 80's when I checked, and when I introduced entropy, it was over 3000.

  • What did you tweak in the firewall (you should only need to allow the UDP listening port in Traffic Rules, otherwise just forwarding between Zones)???
  • Did the available entropy increase during this time period???
  • If you have a WiFi card (especially if its ath9k-based), can you enable it (this is because the Kernel can gain entropy from the random WiFi noise)?

Firewall Tweak - basically its as per the Mullvad setup I linked to in the original post. However I tweaked Lan zone such that Inter-Zone Forwarding ---> Allow forward to destination zones:

wan:wan: [Software VLAN: "eth0.2"] wan6: [Software VLAN: "eth0.2"]

Does this seem reasonable?

Entropy up to 907?

I don't have a wifi card

OK, if you're using Mulivasd, you don't need to open the port, you would use a keepalive (if preferred).

I'm not sure what this notation means...if it means you allowed LAN to forward to WGZONE, that should work.