Hello, I followed this guide https://openwrt.org/docs/guide-user/services/vpn/wireguard/server and have successfully set up the VPN. My main goal is to access my private network resources (NAS) from anywhere and to browse privately from public Wi-Fi networks (my next step is to install AdGuard).
The problem I'm having is that I cannot browse the internet from the client's browser after I connect to the VPN.
The client connects using this configuration
# WireGuard client profile: a full-tunnel peer of the OpenWrt router's 'vpn' interface.
[Interface]
# The client's own key. It belongs only on the client; it must never be copied to
# the server (compare the server-side peer section, which contains a 'private_key').
PrivateKey = (hidden)
# Tunnel address for IPv4 only. The server also lists fd00:9::2/128 for this peer, yet
# no IPv6 tunnel address is configured here while ::/0 below is still tunneled.
# NOTE(review): either add fd00:9::2/128 here or drop ::/0 from AllowedIPs; the wan zone
# only masquerades IPv4 unless masq6 is set, so tunneled IPv6 would not reach the
# internet either way — verify which you want.
Address = 192.168.9.2/32
# No MTU line: the tunnel runs at the WireGuard default (the server's 'vpn' interface
# shows mtu 1420). NOTE(review): small pings succeed while TCP (the browser) times out,
# which is the classic path-MTU/black-hole symptom on the client's path to the Endpoint;
# try `MTU = 1280` here and confirm with DF-set pings of increasing size.
# Resolver is the router's LAN address. It answers because the router puts the vpn
# network in the 'lan' firewall zone (input ACCEPT), which is also why google.com resolves.
DNS = 192.168.1.1
[Peer]
PublicKey = (hidden)
# Per-peer symmetric key layered on top of the Curve25519 handshake; do not reuse
# one preshared key across peers.
PresharedKey = (hidden)
# Full tunnel: every IPv4 and IPv6 destination, including DNS, is sent through the router.
AllowedIPs = 0.0.0.0/0, ::/0
# NOTE(review): this is a real public IPv4 address posted in clear text; redact it in
# public posts (it does not affect the config). UDP 51820 on the router is opened from
# the wan zone by the 'Allow-WireGuard' firewall rule.
Endpoint = 47.45.196.207:51820
When I run wg on OpenWrt, it shows that the connection was established (a recent handshake and traffic flowing in both directions):
$ wg
interface: vpn
public key: xxx
private key: (hidden)
listening port: 51820
peer: xxx
preshared key: (hidden)
endpoint: xxxx
allowed ips: 192.168.9.2/32, fd00:9::2/128
latest handshake: 1 minute, 14 seconds ago
transfer: 994.25 KiB received, 2.00 MiB sent
I can ping my OpenWrt router, Google's DNS server and google.com from the client (so routing, NAT and DNS resolution through the tunnel all work):
$ ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=64 time=253.909 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=315.822 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=182.250 ms
--- 192.168.1.1 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 182.250/250.660/315.822/54.579 ms
$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=115 time=157.013 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=115 time=393.595 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=115 time=144.193 ms
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 144.193/231.600/393.595/114.667 ms
$ ping google.com
PING google.com (142.250.72.78): 56 data bytes
64 bytes from 142.250.72.78: icmp_seq=0 ttl=56 time=170.233 ms
64 bytes from 142.250.72.78: icmp_seq=1 ttl=56 time=180.180 ms
64 bytes from 142.250.72.78: icmp_seq=2 ttl=56 time=257.356 ms
--- google.com ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 170.233/202.590/257.356/38.938 ms
I can also ping the client from a machine in my private network:
# ping 192.168.9.2
PING 192.168.9.2 (192.168.9.2): 56 data bytes
64 bytes from 192.168.9.2: seq=0 ttl=64 time=169.238 ms
64 bytes from 192.168.9.2: seq=1 ttl=64 time=484.125 ms
64 bytes from 192.168.9.2: seq=2 ttl=64 time=436.361 ms
--- 192.168.9.2 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 169.238/363.241/484.125 ms
But I cannot access the internet from the web browser: I'm using Firefox and pages fail with NS_ERROR_NET_TIMEOUT (small ICMP pings get through, only TCP connections such as HTTP time out).
My setup is an OpenWrt router connected to a cable modem:
+----+ +------------+ +-------------------+ +----------+
| lan | -> | openwrt | -> | cable modem | -> | internet |
+----+ +------------+ +-------------------+ +----------+
Here is the result of a ip -4 addr command
$ ip -4 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
7: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet x.x.x.x brd x.x.x.x scope global wan
valid_lft forever preferred_lft forever
10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
valid_lft forever preferred_lft forever
11: vpn: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
inet 192.168.9.1/24 brd 192.168.9.255 scope global vpn
valid_lft forever preferred_lft forever
14: wlan1-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.3.1/24 brd 192.168.3.255 scope global wlan1-1
valid_lft forever preferred_lft forever
15: wlan1-2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.4.1/24 brd 192.168.4.255 scope global wlan1-2
valid_lft forever preferred_lft forever
And finally my configuration files:
# cat /etc/config/network
# /etc/config/network — OpenWrt (netifd/UCI) interface definitions as posted.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# Router-generated IPv6 ULA prefix; unrelated to the fd00:9::/64 chosen for the tunnel.
config globals 'globals'
option ula_prefix 'fd9f:2821:4eb6::/48'
# Main LAN: 192.168.1.1/24 on the br-lan bridge (matches `ip -4 addr`). This is the
# address the VPN client uses as its DNS server.
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
# Upstream: DHCP / DHCPv6 on the 'wan' device towards the cable modem.
config interface 'wan'
option device 'wan'
option proto 'dhcp'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
# Guest and work networks. Neither stanza names a device; `ip -4 addr` shows these
# addresses on wlan1-1 / wlan1-2, presumably attached via the wireless config (not shown).
config interface 'guest'
option proto 'static'
list ipaddr '192.168.3.1/24'
config interface 'work'
option proto 'static'
list ipaddr '192.168.4.1/24'
config device
option name 'wlan1-1'
# WireGuard server side. Listens on UDP 51820 (opened from wan by firewall rule 'wg').
# There is no 'option mtu', so the interface comes up at 1420 as seen in `ip -4 addr`;
# the tunnel MTU is therefore only tunable on the client side at the moment.
config interface 'vpn'
option proto 'wireguard'
option private_key (hidden)
option listen_port '51820'
list addresses '192.168.9.1/24'
list addresses 'fd00:9::1/64'
# Peer 'Test client'. allowed_ips is pinned to the peer's exact tunnel addresses
# (/32 and /128), so WireGuard's cryptokey routing discards anything this peer sends
# from any other source address — keep it that narrow.
config wireguard_vpn 'wgclient'
option public_key (hidden)
option preshared_key (hidden)
# NOTE(review): 'private_key' is not a peer option in the wireguard proto handler (only
# the interface section has one), so this line should be ignored — but its presence means
# the CLIENT's private key is stored on the server. Generate client key pairs on the
# client, delete this line, and rotate the client's key if it was generated on the router.
option private_key (hidden)
list allowed_ips '192.168.9.2/32'
list allowed_ips 'fd00:9::2/128'
option description 'Test client'
# Empty device stanzas (presumably left behind by LuCI); they configure nothing.
config device
option name 'vpn'
config device
option name 'wan'
# cat /etc/config/firewall
# /etc/config/firewall — fw3/fw4 zones and rules as posted.
# Defaults: the router accepts local input and denies forwarding between zones unless a
# 'forwarding' section allows it. The wan zone below narrows input to REJECT.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
# The 'vpn' network is a member of the lan zone, so every WireGuard peer is trusted
# exactly like a wired LAN host: router services (DNS, LuCI, SSH), all LAN hosts, and
# lan->wan forwarding — which is why 8.8.8.8 is reachable from the client.
# NOTE(review): acceptable for one personal device; with more peers a dedicated 'vpn'
# zone with explicit forwardings (and a rule limited to the NAS) gives least privilege.
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'vpn'
# Upstream zone: IPv4 masquerade and TCP MSS clamping to the route MTU. Clamping only
# touches TCP that is forwarded through this router; it cannot repair an oversized
# encrypted UDP packet dropped on the client's own path to the Endpoint, which is the
# likelier cause of "ping works, browser times out" and is fixed by a client-side MTU.
config zone 'wan'
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
# Stock OpenWrt wan input rules follow (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6).
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# packet-too-big must stay allowed in both directions: dropping it creates exactly the
# kind of path-MTU black hole being debugged here, for IPv6.
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Stock IPsec pass-through rules (ESP and UDP/500 forwarded from wan into lan). Nothing in
# the posted configuration uses IPsec; they can be removed to keep the wan->lan policy
# minimal, or left as-is since they match only those two protocols.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Guest zone: no access to the router except DNS/DHCP, no forwarding to lan, wan only.
config zone
option name 'guest'
option output 'ACCEPT'
option forward 'REJECT'
option input 'REJECT'
list network 'guest'
config forwarding
option src 'guest'
option dest 'wan'
# No 'proto' here, so the rule uses the firewall default (tcp and udp) on port 53.
config rule
option name 'Allow-DNS-Guest'
option src 'guest'
option dest_port '53'
option target 'ACCEPT'
config rule
option name 'Allow-DHCP-Guest'
list proto 'udp'
option src 'guest'
option dest_port '67-68'
option target 'ACCEPT'
# Declared before its zone 'work'; UCI section order is not significant.
config rule
option name 'Allow-DNS-Work'
option src 'work'
option target 'ACCEPT'
option dest_port '53'
# Work zone mirrors guest: isolated from lan, internet only.
config zone
option name 'work'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'work'
config forwarding
option src 'work'
option dest 'wan'
config rule
option name 'Allow-DHCP-Work'
list proto 'udp'
option src 'work'
option target 'ACCEPT'
option dest_port '67-68'
# Inbound WireGuard: UDP 51820 from the internet to the router itself (input, not forward).
# This is the only wan input opening added beyond the stock rules.
config rule 'wg'
option name 'Allow-WireGuard'
option src 'wan'
option dest_port '51820'
option proto 'udp'
option target 'ACCEPT'
Thank you very much for your help