Wireguard on TP-Link TL-WR902AC v3 help needed

Hello, OpenWrt newbie here.

Following my last post about how to change LAN to WAN, I have attempted to install Wireguard on the TL-WR902AC v3. Wifi works fine but unfortunately the VPN is still showing my home location and not that of the UK. I notice that on the VPN Interface there is no RX Pkts so I assume that this is at least one of my problems.

Hope someone can help. Thanks in advance. Below are a few screen shots of my setup:

Your network configuration is invalid since your LAN and WAN are on the same subnet. It appears that you have an upstream router, so you need to change your LAN address to a different subnet (and using a /16 isn't entirely necessary... I always recommend sticking to /24 for ease of use unless you have a reason to do otherwise).

The WR902AC must be in router mode and clients must be connected through it in order for this to work. So your LAN and WAN must be unique networks.

Thanks for your reply. So sorry to ask such a basic question but how do I change the LAN to a different subnet.

Follow this tutorial.

You can use generally any RFC1918 range you like, but since you have a WAN in the 192.168.1.0/24 network, you must not use anything that overlaps with existing upstream network. You could use 192.168.10.0/24 or 10.0.4.0/24, just as some examples.

Convention (but not required) is that the router (your WR902AC) will take the first address (i.e. 192.168.10.1 or 10.0.4.1 in my examples). A subnet mask of 255.255.255.0 (or /24 in the CIDR notation) will set your network such that it is all contained within the last octet with a range of 1-254.

So I have to change the WR902AC IPv4 LAN address interface to something like 192.168.2.1? The trouble is I can't get access to LuCI using my browsers unless I use 192.168.1.2. I've tried 192.168.2.1, 192.168.100.1, 192.168.10.1, for example, but I can't get my web browsers to open LuCI, it always defaults to my Livebox. Ethernet is OK but not the browser. I've tried turning off the Livebox wifi, clearing browser cache, and incognito mode but with no luck.

Can you draw a diagram of your network and post that here? This will help me better understand how you are attempting to use this device.

You can simply take a photo of a sketch on paper and then upload that with the little picture icon in the formatting bar.

Here is the diagram. Essentially I would like to connect the WR902AC to the LAN of my home router and send a vpn to my telly or firestick.

Ok, so based on this diagram, the WR902AC will serve as another router. This will create a double-NAT situation when the VPN isn't running, but usually that isn't much of an issue. When the VPN is running, it will function to tunnel your traffic through to your VPN provider.

To make this work, you will indeed need the WAN and LAN to be on different subnets. When properly configured, client devices will connect via Wifi directly to the WR902AC and they will be connected to the internet via the VPN connection.

If you need to administer the WR902AC from the WAN/upstream side (i.e. from the LAN on your Livebox modem/router), you can add a traffic rule to allow port 80 (LuCI web interface) and/or 22 (ssh) from the WAN [NOTE: This is okay when the upstream network is a LAN that you control; never do this if the WAN is the internet or any network that you cannot trust]. Otherwise, you can always access the admin features by connecting via wifi to the WR902AC.

Thanks very much for the detailed reply. It's good to know that it will work as a vpn. I just need to solve the above LAN address problem.

I changed the LAN to 10.0.4.0 (I don't know how to make it 10.0.4.0/24) and now I can access LuCI via wifi! However there are still no RX Pkts. Here are the new screen shots:

Use 10.0.4.1 as the address and 255.255.255.0 as the subnet mask.
Delete the IPv4 gateway address and let it auto populate. Delete the custom DNS servers entry, too.

Once that is done, reboot your WR902AC and check to see if you have internet access via the WR902AC.

Here is the new screen shot (I did a new install): The IPv4 gateway address didn't auto populate. And still no RX Pkts (presumably because of the latter?). Wifi works (I can open web pages but couldn't upload these screen shots with OpenWrt).

Ok. Let’s see your configuration files.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Here is the output:

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdaa:1727:34e9::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '10.0.4.1'

config device 'lan_eth0_1_dev'
	option name 'eth0.1'
	option macaddr 'c0:0xxxxx:a8'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '6t'

config switch_vlan
	option device 'switch0'
	option ports '6t 4'
	option vlan '2'

config interface 'WAN'
	option ifname 'eth0.2'
	option proto 'dhcp'
	list dns '10.100.0.1'
	option peerdns '0'

config interface 'VPNUnlimited'
	option proto 'wireguard'
	option private_key 'ELouh+rwlByPJsxxxxxxxxxxxxx+jQlc='
	option listen_port '51820'
	list addresses '10.xxxxxx/32'

config wireguard_VPNUnlimited
	option public_key 'ypphhP6MfxxxxxxxxxxxxxfIilIsaxtlE='
	option persistent_keepalive '25'
	option endpoint_port '51820'
	option endpoint_host '176.227.198.122'
	list allowed_ips '0.0.0.0/0'
	option preshared_key 'wG1YwISomxxxxxxxxxxxx1sDOqyQ='
	option route_allowed_ips '1'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'platform/10300000.wmac'
	option htmode 'HT20'
	option country 'FR'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option encryption 'none'
	option ssid 'OpenWrt 2.4'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
	option htmode 'VHT80'
	option country 'FR'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option encryption 'none'
	option ssid 'OpenWrt 5'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'WAN'
	list network 'VPNUnlimited'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

root@OpenWrt:~# 

Remove these lines from your wan configuration.

Also remove this line from the wg interface configuration
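Added example (my own code, not from the thread or from OpenWrt): a small linter for the points raised in the replies above and in the earlier subnet advice. It checks that a static LAN does not overlap the upstream network, flags the two WAN lines (dns/peerdns) and the wg listen_port that disappear between the two posted configs, and adds one check the thread does not mention: OpenWrt only turns allowed_ips into routes when route_allowed_ips is '1'. The sample config is constructed in the shape of the posted one.

```python
import ipaddress
import shlex
# Constructed sample in the shape of the thread's /etc/config/network; not the poster's real file
SAMPLE = """\
config interface 'lan'
	option proto 'static'
	option ipaddr '10.0.4.1'
	option netmask '255.255.255.0'
config interface 'WAN'
	option proto 'dhcp'
	option peerdns '0'
config interface 'VPNUnlimited'
	option proto 'wireguard'
	option listen_port '51820'
config wireguard_VPNUnlimited
	list allowed_ips '0.0.0.0/0'
"""

def parse_uci(text):
    # Each section becomes (type, name-or-None, {key: [values]}); 'option' and 'list' both map to lists
    sections = []
    for raw in text.splitlines():
        words = shlex.split(raw) or [""]
        if words[0] == "config":
            sections.append((words[1], words[2] if len(words) > 2 else None, {}))
        elif words[0] in ("option", "list") and sections:
            sections[-1][2].setdefault(words[1], []).append(words[2])
    return sections

def lint_network(text, upstream_cidr):
    # Returns a list of findings; an empty list means every check passed
    upstream = ipaddress.ip_network(upstream_cidr, strict=False)
    secs = parse_uci(text)
    peers = {t[len("wireguard_"):]: o for t, _, o in secs if t.startswith("wireguard_")}
    findings = []
    for typ, name, opt in secs:
        proto = opt.get("proto", [""])[0]
        if typ == "interface" and proto == "static" and "ipaddr" in opt:
            lan = ipaddress.ip_interface(opt["ipaddr"][0] + "/" + opt.get("netmask", ["255.255.255.0"])[0]).network
            if lan.overlaps(upstream):
                findings.append(f"{name}: {lan} overlaps upstream {upstream}; pick a distinct RFC1918 /24")
        elif typ == "interface" and proto == "dhcp" and ("dns" in opt or "peerdns" in opt):
            findings.append(f"{name}: drop custom dns/peerdns so the upstream DHCP lease supplies DNS")
        elif typ == "interface" and proto == "wireguard":
            if "listen_port" in opt:
                findings.append(f"{name}: listen_port is unnecessary on a tunnel that only dials out")
            peer = peers.get(name, {})
            if "0.0.0.0/0" in peer.get("allowed_ips", []) and peer.get("route_allowed_ips", ["0"])[0] != "1":
                findings.append(f"{name}: allowed_ips 0.0.0.0/0 without route_allowed_ips '1'; LAN traffic bypasses the tunnel")
    return findings
```

Run it against the real file with `lint_network(open("/etc/config/network").read(), "192.168.1.0/24")`, substituting the upstream Livebox subnet.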

Thanks for that. I will need to learn how to edit config files, so please bear with me. I will be using a Macbook. Do you know a good place to start?

I presumably just need to delete 51820 from the wg set up?

You can often edit many of the config files via the web interface (LuCI), but this is not always true for certain things. If you want to manually edit your config files, you can simply ssh into the router and make changes, you can use UCI commands, or directly edit the files using nano or vi (text editors). You can also copy the files to your Mac using scp, edit them using a text editor on the Mac, and then scp them back into place.

Make a backup before you make manual changes so that you can restore from that backup in the event that you have to reset your entire router to recover from a mistake.

Thanks for the pointers. I eventually worked out how to edit! In the end I used vi. However, I decoupled the VPN interface in the hope that I could install openssh-sftp-server so that I could use Cyberduck. When I reconnected nothing seemed to work and so I did another clean install (I forgot to do a backup).

Once up and running, I did your config edits and now the wifi seems to work better and I can download with OpenWrt connected. However, there are still no RX Pkts and the VPN doesn't connect to the UK.

Here is a screen shot and the new config files:

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fda2:c94a:cdf4::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '10.0.4.1'

config device 'lan_eth0_1_dev'
	option name 'eth0.1'
	option macaddr 'c0:06:xxxxxc:a8'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '6t'

config switch_vlan
	option device 'switch0'
	option ports '6t 4'
	option vlan '2'

config interface 'WAN'
	option ifname 'eth0.2'
	option proto 'dhcp'

config interface 'VPNUnlimited'
	option proto 'wireguard'
	option private_key 'ELouh+rwlByPJxxxxxxxxx3+jQlc='
	list addresses '10.100.1.225/32'

config wireguard_VPNUnlimited
	option public_key 'ypphhP6MfdBGLjjsJ8NoRxxxxxxxxxxxtlE='
	option persistent_keepalive '25'
	option endpoint_port '51820'
	list allowed_ips '0.0.0.0/0'
	option preshared_key 'wG1YwISomZbxD+ZzDcbR3xxxxxxqyQ='
	option endpoint_host '176.227.198.122'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'platform/10300000.wmac'
	option htmode 'HT20'
	option country 'FR'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option encryption 'none'
	option ssid 'OpenWrt 2.4'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
	option htmode 'VHT80'
	option country 'FR'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option encryption 'none'
	option ssid 'OpenWrt 5'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

root@OpenWrt:~# cat /etc/config/firewall

Here is the VPN Unlimited setup instructions: