Wireguard problem

hi, I've installed wireguard following this guide:

once I set the DNS server in the last step ie 3. Add Static DNS server, for the WAN interface, I cannot access any websites......if I set it back to 'Use DNS servers advertised by peers' it starts working again
Any ideas what the problem is or how to troubleshoot?
Thanks!

Let’s start by looking at your config files. In addition to those, please check the output of wg status

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

Try to use a public DNS provider:
https://en.wikipedia.org/wiki/Public_recursive_name_server

thanks that's solved the DNS issue
I think it's actually working but that maybe I need to route traffic through it somehow?
if I go to ipleak.net it still sees me in Europe
what I'm actually trying to do is get a PS4 to be recognized in the UK; if I could set up 1 LAN port which was always on wireguard or one of the wireless channels to be on wireguard that would be ideal!

from this image I'd say wireguard is up BUT methinks the traceroute should be going to a 10.x.x.x address but it isn't? :confused:

traceroute to openwrt.org (139.59.209.225), 30 hops max, 38 byte packets
 1  80.x.x.x  4.891 ms
 2  193.x.x.x  9.292 ms
 3  81.x.x.x  8.362 ms
 4  193.x.x.x  12.008 ms
 5  *
 6  62.115.118.62  24.205 ms
 7  62.115.123.12  23.830 ms
 8  62.115.114.89  23.396 ms
 9  80.x.x.x  24.526 ms
10  *
11  *
12  *
13  *
14  139.59.209.225  23.833 ms

do I need a VPN zone in my firewall? a bloke on youtube has one :crazy_face:

here's my firewall config


config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'VPNUn1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'
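
Added example, not part of the original thread: a small Python audit of the zone layout in the config above, showing that `lan` may already forward into the zone holding `VPNUn1`, and that the tunnel shares that zone with the raw `wan` uplink, so the firewall alone cannot confine LAN traffic to the tunnel (which interface is used is decided by the routing table). The function names are hypothetical, and the embedded config is an excerpt of the zones and forwarding from the post.

```python
import shlex

# Zones and forwarding excerpted from the firewall config posted above (rules omitted).
FIREWALL = """
config zone
	option name 'lan'
	list network 'lan'

config zone
	option name 'wan'
	option masq '1'
	list network 'wan'
	list network 'wan6'
	list network 'VPNUn1'

config forwarding
	option src 'lan'
	option dest 'wan'
"""

def parse_uci(text):
    """Return a list of (section_type, options); 'list' entries accumulate."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if not tok:
            continue
        if tok[0] == "config":
            sections.append((tok[1], {}))
        elif tok[0] == "option" and sections:
            sections[-1][1][tok[1]] = tok[2]
        elif tok[0] == "list" and sections:
            sections[-1][1].setdefault(tok[1], []).append(tok[2])
    return sections

def egress_interfaces(sections, src):
    """Map each zone that `src` may forward into to the interfaces it contains."""
    zones = {o["name"]: o.get("network", []) for t, o in sections if t == "zone"}
    dests = [o["dest"] for t, o in sections if t == "forwarding" and o.get("src") == src]
    return {z: zones.get(z, []) for z in dests}

def tunnel_shares_zone(sections, src, tunnel):
    """Return the non-tunnel interfaces in the same egress zone as `tunnel`."""
    for nets in egress_interfaces(sections, src).values():
        if tunnel in nets:
            return [n for n in nets if n != tunnel]
    return None  # src cannot forward into any zone that holds the tunnel

if __name__ == "__main__":
    cfg = parse_uci(FIREWALL)
    print(egress_interfaces(cfg, "lan"))
    print(tunnel_shares_zone(cfg, "lan", "VPNUn1"))
```

An empty list from `tunnel_shares_zone` means the tunnel sits in a zone of its own; `None` means `lan` has no forwarding into the tunnel's zone at all.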

fwiw, you may wish to read my guide for HH5a.

https://openwrt.ebilan.co.uk/viewtopic.php?f=7&t=1215

Suggest you return Openwrt settings to defaults before following the steps in the guide.

I have Keepsolid VPN Unlimited. Unfortunately, their wireguard service is not reliable. The keys seem to expire after a few days use. I turn off the openwrt router overnight. Other users have reported similar issues. I've gone back to using Keepsolid OpenVPN which has always been 100% reliable for many years.

Good luck !

hi bill, thanks for your input. I read your docs and decided to add the VPN_zone to the firewall but then I couldn't browse again so had to revert it. What does that bit do?
the router is connected direct to the ISP although it looks like I'll get fttp in the near future at which point the WAN port comes in but knowing my luck I'll have a problem with the plusnet HH5a coping with 400meg and I'll have to buy another router lol :crazy_face:

haha progress! I decided to delete all the wireguard stuff and have a go with openvpn...
well at first it wasn't working, same as before, could ping stuff but no luck browsing, kept looking at DNS settings, then I tried a browser refresh and it redirected to vpnunlimited saying my subs had expired!
well I've got a forever sub but I had accidentally put in the details for another device....
redid the info and it works! now the stuff I put in for the wireguard was defo the right settings sooooo methinks the vpn provider are doing some weird things here and it's not an openwrt issue
got signed into ps now too, wey hey!
thanks for everyone's input and happy playing with your routers! :upside_down_face:
:stuck_out_tongue_closed_eyes:
