Wireguard Has Killed my OpenVPN setup

HELP!

I have been happily running the OpenVPN client on my OpenWrt router for some time using (very simple) policy routing rules. It connects to my private server where I run an OpenVPN server on both ports 1194 and 1195. As I write, all is working fine on my server as I can connect to it from my devices.

This evening I installed and tried to setup Wireguard on the router. I installed the packages and followed a guide from VPN Unlimited as I could not find any instructions on the Openwrt website or any relevant posts here in the forum. I have adapted the instructions to suit my server but I am not sure if I have missed a step or done something incorrect. I saved the configuration and rebooted the server.

However, when I rebooted the router and applied the Wireguard settings, the Wireguard interface came up but it killed my OpenVPN! The Tun0 interface disappeared and I had no Internet access, direct or via either of the VPN interfaces. To recover the Tun0 interface, I stopped and restarted OpenVPN and Tun0 returned. However, neither Wireguard nor my VPN settings are giving me internet access even though both interfaces are up and appear to be transmitting and receiving packages.

I am now stuck with no internet access through the server of any kind. I run a second wifi so am at least able to send this message.

I do not know where to start looking for the problem so can anyone help please? I will post whatever logs and other information is needed.

Thanks,

Geoff

almost certainly a misconfiguration....

let's look at your config

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
cat /etc/config/openvpn

Keep in mind that routing and bootstrapping becomes rather complicated with two parallel VPN (-client) configurations running concurrently, who's going to get the default route (clear internet, OpenVPN, wireguard), which route are the tunnels going to take. It's not impossible, just on the complex side of life - and it's usually easier to start out fresh, using one method (and only once confirmed working, to integrate it into the full setup and pbr ruleset; using a spare (older?) router for experiments like these does help).


Hi slh and thanks.

Yes I am aware of that. I am only trying windscribe over wireguard as it appears to work better for me than my own server. They have more time to do the VPN battle than I do! I am geoblocked on channels that they can access.

So, if I can get it to work, I will move exclusively to their service which I pay for as a back up at the moment. Appreciate your comments.

I am sure it is so thanks for offering to help.

ubus call system board

root@OpenWrt:~# ubus call system board
{
	"kernel": "5.4.179",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "Newifi-D2",
	"board_name": "d-team,newifi-d2",
	"release": {
		"distribution": "OpenWrt",
		"version": "21.02.2",
		"revision": "r16495-bf0c965af0",
		"target": "ramips/mt7621",
		"description": "OpenWrt 21.02.2 r16495-bf0c965af0"
	}
}
root@OpenWrt:~# 

cat /etc/config/network

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd33:1ec6:00a8::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ip6assign '60'
	list ipaddr '10.0.0.1/24'
	option gateway '192.168.2.20'
	option broadcast '192.168.2.255'

config device
	option type '8021q'
	option ifname 'lan4'
	option vid '1'
	option name 'lan4.1'
	option mtu '1500'
	option mtu6 '1500'

config interface 'wan_sfr'
	option proto 'static'
	option device 'lan4'
	option ipaddr '192.168.0.20'
	option netmask '255.255.255.0'
	option gateway '192.168.0.1'
	list dns '8.8.8.8'
	list dns '8.8.4.4'
	option metric '30'
	option auto '0'

config device
	option name 'tun0'
	option mtu '1500'
	option mtu6 '1500'

config interface 'ovpn_wan_free'
	option proto 'none'
	option defaultroute '0'
	option metric '20'
	option device 'tun0'

config route
	option interface 'ovpn_wan_free'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option metric '30'

config device
	option type '8021q'
	option ifname 'lan3'
	option vid '1'
	option name 'lan3.1'
	option mtu '1500'

config interface 'wan_fbx'
	option proto 'static'
	list dns '8.8.8.8'
	list dns '1.1.1.1'
	list dns '8.8.4.4'
	option metric '10'
	option device 'wan'
	list ipaddr '192.168.2.20/24'
	option gateway '192.168.2.1'

config device
	option name 'eth0'

config device
	option name 'wan'
	option ipv6 '0'

config interface 'WindscribeVPN'
	option proto 'wireguard'
	option private_key '***************************************'
	list addresses '100.100.16.230/32'
	option listen_port '1194'
	option auto '0'

config wireguard_WindscribeVPN
	option description 'Windscribe'
	option public_key '**********************************'
	option preshared_key '****************************'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
	option endpoint_host '************************'
	option endpoint_port '1194'
	option persistent_keepalive '25'
	option route_allowed_ips '1'

config device
	option name 'WindscribeVPN'

root@OpenWrt:~#

cat /etc/config/firewall


root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list device 'tun0'
	option input 'REJECT'
	list network 'wan_sfr'
	list network 'ovpn_wan_free'
	list network 'wan_fbx'
	list network 'WindscribeVPN'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

root@OpenWrt:~# 

cat /etc/config/openvpn

root@OpenWrt:~# cat /etc/config/openvpn

config openvpn 'geoff'
	option config '/etc/openvpn/geoff.ovpn'

config openvpn 'kodi'
	option config '/etc/openvpn/kodi.ovpn'
	option enabled '1'

root@OpenWrt:~# 

I have only had to mask the keys. The Openwrt router connects to the internet via a static IP on my telecom supplier router.

Geoff

Are you extracting the Michael?

Sorry, I do not understand. The idea is that I do not like Wireguard, whereas @psherman likes it. I recommend using OpenVPN, and your topic exactly represents my position :grinning:

Concerning your topic: I recommend that you install the latest version of OpenWRT, 23.05.0.

I see two wan interfaces, so please explain how they are used in PBR and what the default gateway is (I think the issue is in the default gateway), and give the routes for each:

route
ip r

Also, it is not a good idea to cover the wan zone with multiple interfaces.

First thing of note is this:

21.02 is EOL and unsupported (if you need to run 21.02, you should at least be running the latest 21.02.7). Please upgrade to 23.05.

Next... remove the gateway (shouldn't be specified here except in specific situations) and the broadcast (which is wrong) from the lan interface stanza.

remove this route:

Since you're using PBR and running multiple VPNs simultaneously, you need to remove route_allowed_ips (or set it to '0') and then manually set your routes.

Delete this vestige...

Ulmwind,

"Extracting the Michael" is long-hand for "Taking the Mick", which simply means playing a joke or having a laugh at someone's expense in idiomatic English. Sorry if this confused you.

Like you, I also prefer OpenVPN as it is the system I have used for years, is reasonably well documented and runs well on both my server and clients. However, when I tried to set up a profile to access Windscribe it would not allow me to enter the certificates so I then started to read about Wireguard. As it appeared to be a faster VPN solution I wanted to try it and that is how I got here.

My ideal would be to use OpenVPN but have the option to sign in to Windscribe via OpenVPN if I wanted to in lieu of my own VPN server.

WANs
When I first started with Openwrt I was living in a rental house with no phone line so no internet (we lost our house in a fire at Easter 2022). I organised two 4G boxes, one with "free" and the other with "SFR", two of our local telecom suppliers. SFR, because I was a long-standing customer, was offered at low cost BUT the signal was appalling. The free telecom backs off the Orange network connections and was the best (strongest) signal option for our village. I set up and shared the two interfaces across both VPN and non-VPN connections and this worked fine (although still a little slow and underpowered).

When fibre arrived earlier this year I dropped the 4G boxes, converted the free 4G interface to the WAN_FBX (Freebox) and now run off the fibre only. I have just never deleted the old interface. It is stopped and does not come up at boot so can be ignored.

I also decided to simplify the network so now, the Freebox delivers the internet to most devices and guests on a primary LAN 192.168.2.0/24. My Openwrt router sits behind the Freebox router on a static link (192.168.2.20) and delivers a secondary LAN 10.0.0.0/24. This secondary LAN is only used by specified devices that require a VPN plus my iMac that I manage the network from. The iMac can access either the primary or secondary LAN. Primary if I need speed and secondary if I need to access and manage the Openwrt router.

Although PBR ( vpn-policy-routing 0.3.4-8) is in use it too is now very simple. 10.0.0.41 to 10.0.0.200 are all directed to the OVPN_WAN_FREE which in turn uses the WAN_FBX. 10.0.0.40 (the iMac) is an independent listing so I can switch between the interface options to test the results without firing up the devices using the VPN.

Everything was working fine until I added the WindscribeVPN interface.

Right, so now you know the history of how I got here.

Tonight, I have stopped and disabled the WindscribeVPN and hard reset the router (the reboots were not working properly). I now have internet access again but although the OpenVPN client is up and running and PBR says its service is running, I cannot access the VPN from any of the devices on the 10.0.0.0 LAN. I am sure as you say it is a gateway issue but I am not confident with changing these settings.

Route Output

root@OpenWrt:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.2.1     0.0.0.0         UG    10     0        0 wan
default         *               0.0.0.0         U     30     0        0 tun0
10.0.0.0        *               255.255.255.0   U     0      0        0 br-lan
77.68.100.23    192.168.2.1     255.255.255.255 UGH   0      0        0 wan
192.168.2.0     *               255.255.255.0   U     10     0        0 wan

ip r Output

root@OpenWrt:~# ip r
default via 192.168.2.1 dev wan proto static metric 10 
default dev tun0 proto static scope link metric 30 
10.0.0.0/24 dev br-lan proto kernel scope link src 10.0.0.1 
77.68.100.23 via 192.168.2.1 dev wan 
192.168.2.0/24 dev wan proto static scope link metric 10 

Under normal running circumstances the WAN firewall would only have the WAN and OpenVPN interfaces attached.

Finally, the point about upgrading! I bought a ready built box to avoid having to flash the router and have never tried to upgrade but I will give it a go. I will read the documentation and hopefully it will all be fine.

Geoff


Thanks for the reply. Please see my note to Ulmwind. Upgrade is required before anything else is attempted. I will post results when done.

OK, I am a bit confused. If I go to the firmware selector for my model (D-Team Newifi D2) it offers (and I have downloaded) 23.05.0. As I wanted it to be automated, I used the arc (the luck equivalent) to do the upgrade for me.

However it only offered me 21.02.7 - r16847-f8282da11e. I assumed I had to do a series of upgrades to get to the latest but after upgrading successfully to the above, the Sysupgrade now tells me I am up to date and there are no other firmware versions for me.

So, can my device run 23.05.0 and if so how do I install it with the automated process that preserves my packages?

actually, the user in question here simply trolls on many Wireguard related posts because they swear by OpenVPN and they have some fundamental (and entirely unfounded) objection to WireGuard, reasons unknown. Maybe they're just change averse, but regardless, it's not funny or useful in any way, just simply trolling.

Take a look at the attended sysupgrade process. Only one issue is that you are currently running 2 versions behind -- a direct upgrade (keeping settings) is not officially tested or supported.

@GeoffatMM, thank you for the explanation! I am ready both to study and to teach :joy:

Concerning your configuration, sorry, to my mind it is very weird.
You have named the ovpn interface as a 'second wan'; now I have realized it.

I can see two default routes with a zero mask; sorry, it is a very weird routing table. @psherman, please give your opinion on whether to use it.

In the 'standard' OpenVPN approach two additional routes should be added with mask 128.0.0.0 (1000 0000.0000 0000.0000 0000.0000 0000); I cannot see them.

Please, remove route section from network:

config route
	option interface 'ovpn_wan_free'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option metric '30'

Please install 'stock' OpenWRT and start from scratch, posting the config at each step here.
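To see concretely why the posted table sends unmarked traffic out the clear wan, why the two /1 routes Ulmwind mentions win over any default, and what a route_allowed_ips '1' default does to psherman's manual-routing setup, here is an added example (not code from the thread, OpenWrt or vpn-policy-routing) that models the kernel's rule-then-longest-prefix-then-metric route selection over the `ip r` output Geoff posted. The PBR table, the /1 pair and the WireGuard route's metric 0 are constructed assumptions for illustration.

```python
# Added example: a small model of Linux route selection run over the
# `ip r` table posted in this thread.  Not the router's real behaviour
# in every detail (no fwmarks, no local table), just the ordering that
# decides which interface a packet leaves on.
import ipaddress

# `ip r` output exactly as posted by Geoff.
MAIN_TABLE = """
default via 192.168.2.1 dev wan proto static metric 10
default dev tun0 proto static scope link metric 30
10.0.0.0/24 dev br-lan proto kernel scope link src 10.0.0.1
77.68.100.23 via 192.168.2.1 dev wan
192.168.2.0/24 dev wan proto static scope link metric 10
"""

def parse_table(text):
    """Turn `ip r` lines into (network, device, metric) tuples."""
    routes = []
    for line in text.strip().splitlines():
        f = line.split()
        dest = "0.0.0.0/0" if f[0] == "default" else f[0]
        net = ipaddress.ip_network(dest, strict=False)
        metric = int(f[f.index("metric") + 1]) if "metric" in f else 0
        routes.append((net, f[f.index("dev") + 1], metric))
    return routes

def lookup(routes, dst):
    """Kernel order: longest prefix first, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    cands = [(n.prefixlen, -m, dev) for n, dev, m in routes if addr in n]
    return max(cands)[2] if cands else None

def resolve(tables, rules, src, dst):
    """`ip rule` style: the first rule whose source matches picks the table."""
    for src_net, table in rules:
        if ipaddress.ip_address(src) in src_net:
            return lookup(tables[table], dst)
    return lookup(tables["main"], dst)

# Variant 1: the posted table.  Both defaults are /0, so metric decides: wan.
MAIN = parse_table(MAIN_TABLE)

# Variant 2: the OpenVPN redirect-gateway pair (Ulmwind's point).  /1 is
# longer than /0, so these win over the wan default whatever its metric.
HALVES = parse_table("0.0.0.0/1 dev tun0 metric 30\n128.0.0.0/1 dev tun0 metric 30")

# Variant 3: a PBR table for 10.0.0.41-10.0.0.200 (constructed; the real
# vpn-policy-routing ruleset also uses fwmarks, this keeps only the source match).
VPN_TABLE = parse_table("10.0.0.0/24 dev br-lan\ndefault dev tun0 metric 30")
PBR_RULES = [(n, "vpn") for n in ipaddress.summarize_address_range(
    ipaddress.ip_address("10.0.0.41"), ipaddress.ip_address("10.0.0.200"))]

# Variant 4: what route_allowed_ips '1' with 0.0.0.0/0 installs (metric 0 is
# an assumption, the interface sets none).  It outranks wan for everything
# except the OpenVPN server, which keeps its /32 host route via wan.
WG_DEFAULT = parse_table("default dev WindscribeVPN metric 0")
```

Running `lookup(MAIN + WG_DEFAULT, "8.8.8.8")` versus `lookup(MAIN, "8.8.8.8")` shows the WireGuard default capturing traffic that previously left via wan, which is the symptom described in the first post.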

Still trying to upgrade.

When I searched the hardware table I found a partial listing for the device. Most importantly this note:

Same installation method as Newifi D1:

1. Users may need to request unlock code from the device manufacturer. Otherwise, a SPI flash programmer may be necessary to get the firmware flashed.

2. After the device is unlocked, press and hold reset button before power cable plugs in.

3. Then go to http://192.168.1.1 to upload and flash the firmware package.

Hi

My spellchecker intervened. I used auc and sysupgrade through luci and both said there is no further update, so I have to do a full install (and lose settings) IF 23.05.0 runs on the device. It says it does so I will try.

I will back up first to aid recovery.

Will post later.

Hello again.

I went to do some work on this and discovered that after the upgrade, the VPN now seems to be working although the PBR is not. As this is the main method of watching TV I am loath to try to upgrade this machine (which I suspect is locked by the manufacturer) in case I brick it. So I am happy to leave this machine as it is while it is working.

However, I do want to invest in a better machine and build it offline as a replacement with the latest firmware. Looking at the Openwrt stats it seems that the Linksys or the D-Link machines are the most popular and best supported. I want to invest in a router that will handle the VPN and still provide a high bandwidth.

Do you have any recommendations for current (or cheaper recent) machines that I should look at? I am afraid the specification information does not help me as I am unsure what does what. I would just like a reasonably fast router that supports hardware and software offloading to maximise the bandwidth for incoming data.

Do you have anything you can recommend I look at?

Geoff

Post Script

Why do I want to invest in another router?

Recent speedtest results from my iMac (Connection : Upload : Download [Mbps])

Direct to WAN_FBX : 669 : 196
OVPN client direct to WAN_FBX : 373 : 207
Direct to OVPN_WAN_FREE : 9.47 : 16.9

So it appears that the router running OVPN_WAN_FREE is seriously throttling the bandwidth.

OK, in another similar thread there is similar behavior of PBR: it does not add a routing table with the corresponding route. The 'dumb' solution was to add a static route.

Yes, data encryption limits the speed of the connection; it is a normal situation. I think you should consider a 'micro-pc' like the NanoPi to meet your needs.

As I did not want to brick the router trying to upgrade it, I have bought both a D-Link DIR 2660 and a Linksys WRT 3200 ACM to try out for improved speeds as both were recommended.

I looked at a Raspberry Pi but it became a bit too cumbersome so bought the routers instead.

I will set each up and test them and once completed will report back here. I will come back sooner if I encounter more problems!

Thanks for your help.

OK, so I am going to close this and move to a new thread as I need help setting up the D-Link.