WireGuard on dumb ap

ahm · November 27, 2022, 6:55pm

I'm new with openwrt, and I'm trying to setup WireGuard on openwrt router.

This is now my simple router setup looks like:

I want a setup where in which whatever device connects with openwrt Wi-Fi, it's traffic goes through WireGuard.

Following is my configuration:

# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdff:fa0a:6ffb::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config device
	option name 'eth0.1'
	option macaddr 'xxxxxxxxx'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.178.120'
	option gateway '192.168.178.1'
	list dns '8.8.8.8'
	option force_link '0'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 6t'

config interface 'g0'
	option proto 'wireguard'
	option private_key '<Some Value>'
	option defaultroute '0'
	list addresses '10.27.150.105/24'

config wireguard_g0
	option description 'Imported peer configuration'
	option public_key '<Some value>'
	list allowed_ips '0.0.0.0/0'
	option persistent_keepalive '25'
	option endpoint_host '102.165.16.66'
	option endpoint_port '1337'

# cat /etc/config/firewall
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option name 'lan'
	list network 'lan'

config zone
	option name 'go'
	option input 'ACCEPT'
	option output 'ACCEPT'
	list network 'g0'
	option forward 'REJECT'

config forwarding
	option src 'go'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'go'

cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac81'
	option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'
	option country 'DE'

config wifi-device 'radio1'
	option type 'mac8'
	option path 'platform/1.wmac'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Haze'
	option encryption 'sae'
	option key 'somekey'
	option network 'lan'

Current when I connect with Haze (openwrt router) network, I'm able to access internet, but traffic is not going through VPN.

psherman · November 27, 2022, 7:22pm

You can't easily use a dumb AP as a VPN because the gateway that will be advertised by DHCP (from your Fritz) is going to be the fritzbox (i.e. the main router).

There are several ways of approaching this challenge, depending on your goals... do you want all of your internet traffic to go through the tunnel?

ahm · November 27, 2022, 7:24pm

@psherman Thanks for replying.
Yes, all traffic can go through vpn

psherman · November 27, 2022, 7:35pm

Ok... so there are a few ways of handling this:

Option 1: If your Fritz (main router) supports changing the DHCP advertised router/gateway, you can simply set that gateway as 192.168.168.120.

Option 2: Turn off the DHCP server on the Fritz and use the DHCP server on the OpenWrt router. By default, it will send its own address (.120) as the gateway, so all devices will then use the OpenWrt system with WG to route to the internet.

Option 3: Remove the fritz entirely... if this is an option, just simply remove it and put the OpenWrt router in its place. If the Fritz is a modem + router, you might be able to make it a modem only (bridge mode), and then the OpenWrt device will be the only router in the system.

Option 4: connect the OpenWrt device via the WAN port (instead of the LAN)... you'll need to change the subnet of the OpenWrt LAN, but then what you'll have is cascaded routers. Once there, you will have all device connect to the OpenWrt device (no clients will connect to the Fritz) and then they will all use the WG tunnel.

Meanwhile: several errors I see in your configuration:

below, you should have input = reject
this zone should have masquerading enabled.

remove this.... it shouldn't be there.

turn of masquerading on the lan zone

you need to enable route_allowed_ips in this section of your network file

ahm:

config wireguard_g0
	option description 'Imported peer configuration'
	option public_key '<Some value>'
	list allowed_ips '0.0.0.0/0'
	option persistent_keepalive '25'
	option endpoint_host '102.165.16.66'
	option endpoint_port '1337'

Also, you no longer have a wan interface or firewall zone, so if you use the wan connection method I mentioned earlier, you'll need to recreate those aspects.

ahm · November 27, 2022, 7:56pm

@psherman
I will try to implement option 4 and will get back to you
You mentioned that I have to remove all the devices from main router, Is this necessary ?

psherman · November 27, 2022, 8:26pm

Necessary? not absolutely required. Depends on your goals. If you want the devices to use the vpn, they need to be behind the openwrt router. Or if you need the devices to be able to communicate with each other, they also need to be connected to the same router.

ahm · November 27, 2022, 9:06pm

Ok seems like it's not easy to make AP using WAN (can you guide me how this can be done) or is there another way to achieve this without tinkering main router (FRITZBOX) ?

psherman · November 27, 2022, 9:11pm

The point of option 4 is to use the OpenWrt device as a normal router and not as a dumb AP. This means that the WAN of the OpenWrt router would be on the same subnet as the main router, but the OpenWrt LAN would be an entirely different network.

trendy · November 28, 2022, 10:46am

I think it can be implemented in an easier way. The requirement is for clients connecting to the OpenWrt wifi to get routed over VPN.
Therefore the dumbAP can remain as is. A special SSID needs to be created on the OpenWrt, which will be bound to a new inteface. All traffic from this interface will go to VPN.

ahm · November 28, 2022, 1:33pm

@psherman
I tried option 6, but I have no idea why I'm running into no internet problem (I assigned static address to WAN which was in the same subnet as main router and i assigned a different subnet to LAN).

@trendy
Thanks for offering your help. I liked your idea, and it sounds easy to implement, but due to my limited knowledge in networking I'm still stuggling. If possible, can you help me in implementation. The following is how my config looks now:

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd28:714c:ff0d::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config device
	option name 'eth0.1'
	option macaddr '50:d3:f4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.178.120'
	list dns '8.8.8.8'
	option gateway '192.168.178.1'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 6t'

config interface 'gate'
	option proto 'static'
	option device 'br-lan'
	option ipaddr '192.168.2.2'
	option netmask '255.255.255.0'
	option gateway '192.168.178.1'

config interface 'g0'
	option proto 'wireguard'
	option private_key 'asdfasdf='
	option peerdns '0'
	list dns '10.0.0.243'
	list dns '10.0.0.242'
	list addresses '10.27.150.105/24'

config wireguard_g0
	option description 'Imported peer configuration'
	option public_key 'adsfdsaf='
	list allowed_ips '0.0.0.0/0'
	option persistent_keepalive '25'
	option endpoint_host '102.165.16.66'
	option endpoint_port '1337'

cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'gate'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'gate'
	list network 'g0'

cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac1'
	option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'

config wifi-device 'radio1'
	option type 'mac2'
	option path 'platform/.wmac'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option disabled '1'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Haze'
	option encryption 'sae'
	option key 'blue$ock$'
	option network 'lan'

config wifi-iface 'wifinet3'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Secure'
	option encryption 'sae'
	option key '!@#$'
	option network 'gate'

gate is this new interface (i have given it a different subnet, I hope it's the correct way to go). I have assigned this interface to Secure AP. Please let me know how I can establish this route. Currently, when I connect with Haze, I have internet connection (but obviously it's not routed through vpn).

trendy · November 28, 2022, 1:51pm

Remove the gateway and the device from gate interface.

Remove this from gate zone.
Create a new g0 zone covering g0 network and use masquerade. Also make a forwarding from gate to g0.
Last, to enable traffic via VPN, you need to route_allowed_ips at the g0 peer.

psherman · November 28, 2022, 1:55pm

remove this gateway definition from the lan.

What is the purpose of the gate network? It currently is connected to one of the SSIDs, but it is not associated with a firewall zone.

ahm:

config wireguard_g0
	option description 'Imported peer configuration'
	option public_key 'adsfdsaf='
	list allowed_ips '0.0.0.0/0'
	option persistent_keepalive '25'
	option endpoint_host '102.165.16.66'
	option endpoint_port '1337'

you need to enable the 'route allowed IPs' option.

Your 'g0' network is not associated with firewall zones. You should create one like this and then allow forwarding from the lan zone (unless lan is supposed to be non-VPN'd):

config zone
	option name 'vpn'
	list network 'g0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'vpn'

ahm · November 28, 2022, 3:41pm

@trendy Feels like i'm almost there . As you suggested, I have made following changes (Pasting my configs).

cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'gate'
	option input 'ACCEPT'
	option output 'ACCEPT'
	list network 'gate'
	option forward 'ACCEPT'

config zone
	option name 'g0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	list network 'g0'
	option masq '1'
	option forward 'ACCEPT'

config forwarding
	option src 'gate'
	option dest 'g0'

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd28:714c:ff0d::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config device
	option name 'eth0.1'
	option macaddr '50:e3:f4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.178.120'
	list dns '8.8.8.8'
	option gateway '192.168.178.1'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 6t'

config interface 'gate'
	option proto 'static'
	option ipaddr '192.168.2.2'
	option netmask '255.255.255.0'

config interface 'g0'
	option proto 'wireguard'
	option private_key '='
	option peerdns '0'
	list dns '10.0.0.243'
	list dns '10.0.0.242'
	list addresses '10.27.150.105/24'

config wireguard_g0
	option description 'Imported peer configuration'
	option public_key '='
	list allowed_ips '0.0.0.0/0'
	option persistent_keepalive '25'
	option endpoint_host '102.165.16.66'
	option endpoint_port '1337'
	option route_allowed_ips '1'

Nothing changed in wireless confing, Secure SSID is pointing to gate interface.

Currently when i connect with Secure SSID I have no internet connection.

psherman · November 28, 2022, 3:55pm

I recommend making forward and input both REJECT.

what is the output of the following command:

wg show

ahm · November 28, 2022, 4:03pm

@psherman

I have made the firewall change:

wg show

interface: g0
  public key: yCO7qyJFrtaU/asdfdasf=
  private key: (hidden)
  listening port: 53496

peer: adsfdasfadsfadsf=
  endpoint: 102.165.16.66:1337
  allowed ips: 0.0.0.0/0
  transfer: 0 B received, 30.64 KiB sent
  persistent keepalive: every 25 seconds

psherman · November 28, 2022, 4:07pm

Your wireguard tunnel is not actually connected. it should show a latest handshake, but that is missing.

Often this issue is caused by an issue with the keys.

trendy · November 28, 2022, 4:09pm

Let's see them all together.
Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; ip6tables-save -c; nft list ruleset; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

ahm · November 28, 2022, 4:23pm

trendy:

ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; ip6tables-save -c; nft list ruleset; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

@trendy

following is the output:

All i got

{
	"kernel": "5.10.146",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7620A ver:2 eco:6",
	"model": "Asus RT-AC51U",
	"board_name": "asus,rt-ac51u",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.2",
		"revision": "r19803-9a599fee93",
		"target": "ramips/mt7620",
		"description": "OpenWrt 22.03.2 r19803-9a599fee93"
	}
}
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd28:714c:ff0d::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config device
	option name 'eth0.1'
	option macaddr '50:e:f4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.178.120'
	list dns '8.8.8.8'
	option gateway '192.168.178.1'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 6t'

config interface 'gate'
	option proto 'static'
	option ipaddr '192.168.2.2'
	option netmask '255.255.255.0'

config interface 'g0'
	option proto 'wireguard'
	option peerdns '0'
	list dns '10.0.0.243'
	list dns '10.0.0.242'
	option defaultroute '0'
	option private_key 'mI6ZW+'
	list addresses '10.16.130.189/24'

config wireguard_g0
	option description 'Imported peer configuration'
	list allowed_ips '0.0.0.0/0'
	option persistent_keepalive '25'
	option endpoint_port '1337'
	option route_allowed_ips '1'
	option public_key 'Y8rZh+Ow0Y'
	option endpoint_host '138.199.10.17'

package wireless

config wifi-device 'radio0'
	option type 'mac801'
	option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'

config wifi-device 'radio1'
	option type 'mac811'
	option path 'platform/10180000.wmac'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option disabled '1'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Haze'
	option encryption 'sae'
	option key 'b$'
	option network 'lan'

config wifi-iface 'wifinet3'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Secure'
	option encryption 'sae'
	option key '@#$'
	option network 'gate'

package dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'gate'
	option input 'ACCEPT'
	option output 'ACCEPT'
	list network 'gate'
	option forward 'ACCEPT'

config zone
	option name 'g0'
	option output 'ACCEPT'
	list network 'g0'
	option masq '1'
	option input 'REJECT'
	option forward 'REJECT'

config forwarding
	option src 'gate'
	option dest 'g0'

head: /etc/firewall.user: No such file or directory
-ash: iptables-save: not found
-ash: ip6tables-save: not found
table inet fw4 {
	chain input {
		type filter hook input priority filter; policy accept;
		iifname "lo" accept comment "!fw4: Accept traffic from loopback"
		ct state established,related accept comment "!fw4: Allow inbound established and related flows"
		tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
		iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
		iifname "eth0.2" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
		iifname "wlan0-1" jump input_gate comment "!fw4: Handle gate IPv4/IPv6 input traffic"
		iifname "g0" jump input_g0 comment "!fw4: Handle g0 IPv4/IPv6 input traffic"
	}

	chain forward {
		type filter hook forward priority filter; policy drop;
		ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
		iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
		iifname "eth0.2" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
		iifname "wlan0-1" jump forward_gate comment "!fw4: Handle gate IPv4/IPv6 forward traffic"
		iifname "g0" jump forward_g0 comment "!fw4: Handle g0 IPv4/IPv6 forward traffic"
		jump handle_reject
	}

	chain output {
		type filter hook output priority filter; policy accept;
		oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
		ct state established,related accept comment "!fw4: Allow outbound established and related flows"
		oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
		oifname "eth0.2" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
		oifname "wlan0-1" jump output_gate comment "!fw4: Handle gate IPv4/IPv6 output traffic"
		oifname "g0" jump output_g0 comment "!fw4: Handle g0 IPv4/IPv6 output traffic"
	}

	chain prerouting {
		type filter hook prerouting priority filter; policy accept;
		iifname "br-lan" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
		iifname "eth0.2" jump helper_wan comment "!fw4: Handle wan IPv4/IPv6 helper assignment"
		iifname "wlan0-1" jump helper_gate comment "!fw4: Handle gate IPv4/IPv6 helper assignment"
	}

	chain handle_reject {
		meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
		reject comment "!fw4: Reject any other traffic"
	}

	chain syn_flood {
		limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
		drop comment "!fw4: Drop excess packets"
	}

	chain input_lan {
		jump accept_from_lan
	}

	chain output_lan {
		jump accept_to_lan
	}

	chain forward_lan {
		jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
		jump accept_to_lan
	}

	chain helper_lan {
	}

	chain accept_from_lan {
		iifname "br-lan" counter packets 12 bytes 1892 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
	}

	chain accept_to_lan {
		oifname "br-lan" counter packets 10 bytes 844 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
	}

	chain input_wan {
		meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
		icmp type echo-request counter packets 0 bytes 0 accept comment "!fw4: Allow-Ping"
		meta nfproto ipv4 meta l4proto igmp counter packets 0 bytes 0 accept comment "!fw4: Allow-IGMP"
		meta nfproto ipv6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
		ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD"
		icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
		icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
		jump reject_from_wan
	}

	chain output_wan {
		jump accept_to_wan
	}

	chain forward_wan {
		icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
		icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
		meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
		udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
		jump reject_to_wan
	}

	chain helper_wan {
	}

	chain accept_to_wan {
		oifname "eth0.2" counter packets 2 bytes 300 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
	}

	chain reject_from_wan {
		iifname "eth0.2" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
	}

	chain reject_to_wan {
		oifname "eth0.2" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
	}

	chain input_gate {
		jump accept_from_gate
	}

	chain output_gate {
		jump accept_to_gate
	}

	chain forward_gate {
		jump accept_to_g0 comment "!fw4: Accept gate to g0 forwarding"
		jump accept_to_gate
	}

	chain helper_gate {
	}

	chain accept_from_gate {
		iifname "wlan0-1" counter packets 7 bytes 2296 accept comment "!fw4: accept gate IPv4/IPv6 traffic"
	}

	chain accept_to_gate {
		oifname "wlan0-1" counter packets 0 bytes 0 accept comment "!fw4: accept gate IPv4/IPv6 traffic"
	}

	chain input_g0 {
		jump reject_from_g0
	}

	chain output_g0 {
		jump accept_to_g0
	}

	chain forward_g0 {
		jump reject_to_g0
	}

	chain accept_to_g0 {
		oifname "g0" counter packets 0 bytes 0 accept comment "!fw4: accept g0 IPv4/IPv6 traffic"
	}

	chain reject_from_g0 {
		iifname "g0" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject g0 IPv4/IPv6 traffic"
	}

	chain reject_to_g0 {
		oifname "g0" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject g0 IPv4/IPv6 traffic"
	}

	chain dstnat {
		type nat hook prerouting priority dstnat; policy accept;
	}

	chain srcnat {
		type nat hook postrouting priority srcnat; policy accept;
		oifname "g0" jump srcnat_g0 comment "!fw4: Handle g0 IPv4/IPv6 srcnat traffic"
	}

	chain srcnat_g0 {
		meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 g0 traffic"
	}

	chain raw_prerouting {
		type filter hook prerouting priority raw; policy accept;
	}

	chain raw_output {
		type filter hook output priority raw; policy accept;
	}

	chain mangle_prerouting {
		type filter hook prerouting priority mangle; policy accept;
	}

	chain mangle_postrouting {
		type filter hook postrouting priority mangle; policy accept;
	}

	chain mangle_input {
		type filter hook input priority mangle; policy accept;
	}

	chain mangle_output {
		type route hook output priority mangle; policy accept;
	}

	chain mangle_forward {
		type filter hook forward priority mangle; policy accept;
		iifname "eth0.2" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
		oifname "eth0.2" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
	}
}
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.178.120/24 brd 192.168.178.255 scope global br-lan
       valid_lft forever preferred_lft forever
9: g0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
    inet 10.16.130.189/24 brd 10.16.130.255 scope global g0
       valid_lft forever preferred_lft forever
11: wlan0-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.2.2/24 brd 192.168.2.255 scope global wlan0-1
       valid_lft forever preferred_lft forever
default via 192.168.178.1 dev br-lan 
10.16.130.0/24 dev g0 scope link  src 10.16.130.189 
138.199.10.17 via 192.168.178.1 dev br-lan 
192.168.2.0/24 dev wlan0-1 scope link  src 192.168.2.2 
192.168.178.0/24 dev br-lan scope link  src 192.168.178.120 
broadcast 10.16.130.0 dev g0 table local scope link  src 10.16.130.189 
local 10.16.130.189 dev g0 table local scope host  src 10.16.130.189 
broadcast 10.16.130.255 dev g0 table local scope link  src 10.16.130.189 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
broadcast 192.168.2.0 dev wlan0-1 table local scope link  src 192.168.2.2 
local 192.168.2.2 dev wlan0-1 table local scope host  src 192.168.2.2 
broadcast 192.168.2.255 dev wlan0-1 table local scope link  src 192.168.2.2 
broadcast 192.168.178.0 dev br-lan table local scope link  src 192.168.178.120 
local 192.168.178.120 dev br-lan table local scope host  src 192.168.178.120 
broadcast 192.168.178.255 dev br-lan table local scope link  src 192.168.178.120 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
lrwxrwxrwx    1 root     root            16 Oct 14 22:44 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            47 Nov 28 16:16 /tmp/resolv.conf
-rw-r--r--    1 root     root            94 Nov 28 16:16 /tmp/resolv.conf.d/resolv.conf.auto

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root            94 Nov 28 16:16 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface g0
nameserver 10.0.0.243
nameserver 10.0.0.242
# Interface lan
nameserver 8.8.8.8

@psherman You was correct, i had wrong key there. I have fixed it, now handshake is happending but still no internet when i connect with Secure

root@OpenWrt:~# wg show
interface: g0
  public key:/dEsAJv7TiPkr0QK/w6UGckQ8=
  private key: (hidden)
  listening port: 53417

peer: Y8rZh+Ow0YJ=
  endpoint: 138.199.10.17:1337
  allowed ips: 0.0.0.0/0
  latest handshake: 25 seconds ago
  transfer: 368 B received, 1.17 KiB sent
  persistent keepalive: every 25 seconds

trendy · November 28, 2022, 4:41pm

There is no dhcp server for gate interface, so unless you are adding the settings manually it won't work.

psherman · November 28, 2022, 4:42pm

You do not have a dhcp server setup for your gate network. Set one up so that clients can get the ip configuration automatically.

config dhcp 'gate '
	option interface 'gate'
	option start '100'
	option limit '150'
	option leasetime '12h'

Also, if the router is connected via the lan port and operating as a dumb ap, masquerading must be enabled on the lan firewall zone.