i have been trying to set up my openwrt with a wireguard peer, so that i can surf the net via vpn, with the following assumptions:
wireguard peer is needed instead of wg server
the wrouter is behind the main router for ease of setup, and i assume what i need to do later is to remove the gw, which currently points to the main router
clients connected to the wireless network will go out via the vpn
i have read many posts in this forum and guides from other vpn sites, and i finally made it (vpn peer set up successfully - by reading the stats from wireguard in luci)
unfortunately, when i plug the broadband cable back into the router's wan port and remove the main router's ip from lan's gw, all traffic goes thru the wan directly and not via wg as expected, including local outbound traffic and clients connected via the wireless network. can anyone give me a hand pls?
here is my current setup with dnscrypt proxy listening at 5053:
ubus call system board
{
"kernel": "5.15.146",
"hostname": "router",
"system": "ARMv7 Processor rev 0 (v7l)",
"model": "Netgear Nighthawk X4S R7800",
"board_name": "netgear,r7800",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05-SNAPSHOT",
"revision": "r0-cd265bb",
"target": "ipq806x/generic",
"description": "OpenWrt 23.05-SNAPSHOT r0-cd265bb"
}
}
#cat network
# First-post layout: the OpenWrt box sits as a second router inside the main router's
# 192.168.1.0/24, with a WireGuard (Cloudflare WARP) peer attached.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdee:xxxx:xxxx::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1.1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.2'
option netmask '255.255.255.0'
# NOTE(review): this is the router's own lan address, so the router names itself as its
# upstream resolver. The local dnscrypt listener (port 5053 per the post) or a resolver
# reachable through the tunnel is what belongs here.
list dns '192.168.1.2'
config interface 'wan'
option device 'eth0.2'
option proto 'dhcp'
# wan6 is present but switched off (auto '0', disabled '1'): IPv6 upstream is not used.
config interface 'wan6'
option device 'eth0.2'
option proto 'dhcpv6'
option reqaddress 'try'
option reqprefix 'no'
option auto '0'
option disabled '1'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 6t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '5 0t'
config interface 'vpn_warp'
option proto 'wireguard'
option private_key 'KEY'
option force_link '1'
# NOTE(review): the peer below carries allowed_ips 0.0.0.0/0 with route_allowed_ips '1',
# i.e. the tunnel is meant to own the default route. defaultroute '0' is netifd's generic
# "do not install default routes offered by this interface" switch, so it most likely
# cancels exactly that route and leaves traffic on wan -- check with `ip route` and drop
# this line (or set '1') if the tunnel is supposed to carry all traffic.
option defaultroute '0'
option listen_port '51820'
list addresses '1xx.xxx.xxx.xxx/32'
# Same self-reference as on lan; whichever resolver is named here must be reachable
# through the tunnel once the tunnel carries the default route.
list dns '192.168.1.2'
config wireguard_vpn_warp
option description 'Imported peer configuration'
option public_key 'KEY'
option endpoint_host 'engage.cloudflareclient.com'
option endpoint_port '2408'
# NOTE(review): private_key is an interface-level option; in a peer section it is
# presumably ignored (a peer takes public_key and, optionally, preshared_key). The
# interface's private_key above is the one in use -- verify and remove this copy.
option private_key 'KEY'
option route_allowed_ips '1'
option persistent_keepalive '25'
list allowed_ips '0.0.0.0/0'
# cat dhcp
# Named dnsmasq instance for lan only; the wan pool is ignored and odhcpd is not the
# main DHCP server.
config dnsmasq 'lan_dns'
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option cachesize '0'
option readethers '1'
# Per-instance paths under /tmp, which is RAM-backed and empty after every boot.
option leasefile '/tmp/dnsmasq.d/lan/dhcp.leases'
option localservice '1'
option ednspacket_max '1232'
option confdir '/tmp/dnsmasq.d/lan'
list interface 'lan'
list address '/wrouter.lan/192.168.1.2'
# noresolv: dnsmasq ignores /etc/resolv.conf, so the per-interface `list dns` entries in
# network do not feed it; the only upstream is the `list server` line below.
option noresolv '1'
option localuse '1'
# Upstream = dnscrypt-proxy on port 5053, addressed via the lan IP rather than 127.0.0.1.
list server '192.168.1.2#5053'
config dhcp 'lan'
option instance 'lan_dns'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option force '1'
# Option 6 hands this router out as the clients' DNS server; with the Divert-DNS redirect
# in firewall this keeps client DNS on the local encrypted resolver.
list dhcp_option '6,192.168.1.2'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
# cat firewall
# First-post firewall: lan, wan and a dedicated tunnel zone, with lan forwarded only to
# the tunnel.
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option family 'ipv4'
list device 'br-lan'
option mtu_fix '1'
config zone
option name 'wan'
list network 'wan'
# NOTE(review): vpn_warp is also a member of the dedicated vpn_warp zone further down.
# An interface should sit in exactly one zone, otherwise it is ambiguous which zone's
# policy and masquerading apply to tunnel traffic. Keep the dedicated zone, drop it here.
list network 'vpn_warp'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# NOTE(review): Allow-IPSec-ESP and Allow-ISAKMP forward ESP and UDP/500 from wan straight
# into lan. They look carried over from older defaults; unless a LAN host terminates
# IPsec they are openings with no consumer and can be removed.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include 'nss_ecm'
option type 'script'
option path '/etc/firewall.d/qca-nss-ecm'
option family 'any'
option reload '1'
# Forces every lan client's plain-DNS query (port 53) onto the local dnscrypt listener on
# 5053, so clients cannot quietly use their own plaintext resolver (IPv4 only).
config redirect
option target 'DNAT'
option name 'Divert-DNS, port 53'
option src 'lan'
option src_dport '53'
option dest_port '5053'
option dest 'lan'
option family 'ipv4'
# NOTE(review): rejects DNS-over-TLS only toward the wan zone. lan is forwarded to
# vpn_warp below, so the same traffic can still leave through the tunnel unmatched; a
# second rule with dest 'vpn_warp' is needed if all client DNS is meant to stay local.
config rule
option name 'Reject-DoT,port 853'
list proto 'tcp'
option src 'lan'
option dest 'wan'
option dest_port '853'
option target 'REJECT'
# Dedicated zone for the tunnel; masq makes lan clients leave with the tunnel's address.
config zone
option name 'vpn_warp'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'vpn_warp'
option masq '1'
option masq6 '1'
option mtu_fix '1'
# The only lan forwarding in this file: there is no lan -> wan forwarding, so lan clients
# are meant to reach the Internet through vpn_warp alone.
config forwarding
option src 'lan'
option dest 'vpn_warp'
note that since it was being set up behind the main router, there is no wan info available, which i think doesnt matter
so what is missing? and what about my assumptions? are they correct?
So the router on the same subnet connected LAN<>LAN and no WAN?
If so please setup correctly with DNS and gateway pointing to the main router (192.168.1.1?)
Furthermore remove list device 'br-lan' and option mtu_fix in:
Remove list network 'vpn_warp'
That should hopefully take care of the settings.
But even with all that in place and corrected there is nothing using your WG tunnel as all traffic just passes this router on its way to the main router.
You can set up a guest wifi on its own subnet on this router that will use the WG tunnel, or point your LAN clients' gateway to this router (192.168.1.2), either by manually altering the gateway on the LAN clients or using DNSMasq to hand out a different gateway (192.168.1.2)
true, it's behind the main router without wan, coz i don want to lose the network in case something went wrong, and its easier to work with
and yes, my ultimate goal is to create a guest network for the vpn. i just removed it before i started this topic and it was working
i have removed the lines you mentioned, but at the same time i re-created a new guest network for the vpn. at first it would connect (the wireless connection) but then got disconnected almost immediately, started over again and looped. i then tried to fix it but now it wont connect at all, so i cant tell whether the vpn network is working or not with your fix, together with the newly created guest network and wireless connection
btw i noticed that dnsmasq complained about something like:
line 1 in /tmp/dnsmasq.d/vpn/dhcp.leases is invalid
which actually held lease info. so i edited dnsmasq under /etc/init.d and added a line to rm the file every time it starts. it worked before with my previous extra guest network. but now, with the same trick, it complains:
cannot create /tmp/dnsmasq.d/vpn/dhcp.leases, read only file system
and i have to touch the file manually
Everything in /tmp is in RAM, so it is deleted on any restart and then rebuilt as various scripts and services start up. If you're using the router as a LAN device, bridged into another LAN which already has a DHCP server, you need to disable the DHCP service on the lan network. But do not disable the dhcp process entirely, as you will need it to assign IPs to users of your VPN'd guest network.
It is easier to understand VPN routing as an extension of lan->wan routing. If you run the router conventionally as lan->wan, standard instructions for how to set up a VPN client to route all Internet usage into a tunnel still apply even if there is another router upstream.
You should open ports 22, 80, and 443 on the wan so you can log into this router from the house network. That is only safe while the wan port faces the house network: before the broadband cable goes into the wan port, remove those rules (or restrict them with src_ip to the house subnet), otherwise SSH and LuCI are reachable from the Internet.
This is wrong. Do not put the router's own address here (if using dnscrypt, configure 127.0.0.1:5353 in /etc/config/dhcp). The list dns entries are external places that can be consulted for DNS. In a router attached to a home network it would be either the home router, or a public DNS. Make sure the DNS can be reached through the VPN tunnel.
i know its a tmp storage but the problems i mentioned regarding /tmp/dnsmasq.d/vpn/dhcp.leases cannot be resolved until i added one more line to /etc/init.d/dnsmasq as:
nevertheless, i am still having problems connecting to the wireless network. and i found that, if i add
list dhcp_option '3,172.xxx.xxx.xxx'
to /etc/config/dhcp, my phone wont connect to the wireless successfully and ends in a loop
so i removed that line, i can connect to the wireless network, but i got no connection. i tried to connect in the browser to 1.1.1.1/help but it showed the site cannot be reached, ie likely a routing problem
now i plugged the broadband cable into the router's wan port, removed the main router's gw and rebooted. surprisingly none of the wireless networks has an internet connection, but i can dig locally via ssh
so i removed the cable and plugged it into the main router again and re-added the local gw, it now works fine except for the vpn+wireless network
i will look into this again tmr
and one last question for now: where should i put the route info for the vpn+wireless? should i add it as list dhcp_option '3, 17xxxx' or else where?
If that works, post your config so that we can review it; if all works, make a backup.
Next just setup a standard WireGuard client, make sure you Enable Route Allowed IPs.
Set the WG interface on its own firewall zone and just Forward from guest zone to WG zone that is all.
Some useful setup instructions can be found on Mullvads website:
yes you are right. so i looked for my backup files and restored a few of them with simple configs. interestingly i found that, with a direct connection (not behind the main router), none of the main wireless networks work, only the guest wifi. i had only tested the guest wifi in the past so i didnt know the main wireless was not working at all!!
this is the config of the current backup:
# cat network
# Restored minimal config: plain lan/wan routing, no WireGuard interface yet.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdee:xxxx:xxxx::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1.1'
# lan has no gateway or dns of its own here; the default route is expected to come from
# the wan DHCP lease.
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.2'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option device 'eth0.2'
option proto 'dhcp'
# Unlike the first post, wan6 is enabled here.
config interface 'wan6'
option device 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 6t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '5 0t'
# cat dhcp
# Restored minimal config: single default dnsmasq instance, lan pool with DHCPv4,
# DHCPv6 and RA served by the router.
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option cachesize '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option localservice '1'
option ednspacket_max '1232'
option confdir '/tmp/dnsmasq.d'
list address '/router.lan/192.168.1.2'
# noresolv: the `list server` line below is dnsmasq's only upstream.
option noresolv '1'
option localuse '1'
# NOTE(review): upstream port is 5453 here, while the Divert-DNS redirect in firewall and
# the post itself say dnscrypt listens on 5053. One of the two is a typo (or dnscrypt has
# two listeners) -- verify which port dnscrypt-proxy actually binds; a wrong port here
# means no name resolution for the router and its clients.
list server '127.0.0.1#5453'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
# cat firewall
# Restored minimal firewall: lan -> wan routing only, no tunnel zone yet.
config defaults
option syn_flood '1'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
# lan -> wan forwarding is present here (it was absent in the first post's firewall), so
# clients reach the Internet directly; a later tunnel zone would need its own forwarding.
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# NOTE(review): Allow-IPSec-ESP and Allow-ISAKMP forward ESP and UDP/500 from wan straight
# into lan. They look carried over from older defaults; unless a LAN host terminates
# IPsec they are openings with no consumer and can be removed.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include 'nss_ecm'
option type 'script'
option path '/etc/firewall.d/qca-nss-ecm'
option family 'any'
option reload '1'
# Forces every lan client's plain-DNS query (port 53) onto the local dnscrypt listener on
# 5053 (compare the 5453 upstream port in dhcp -- the two should agree).
config redirect
option dest 'lan'
option target 'DNAT'
option name 'Divert-DNS, port 53'
option src 'lan'
option src_dport '53'
option dest_port '5053'
# Blocks DNS-over-TLS toward wan so clients cannot bypass the local resolver on 853.
config rule
option name 'Reject-DoT,port 853'
list proto 'tcp'
option src 'lan'
option dest 'wan'
option dest_port '853'
option target 'REJECT'
# cat wireless
# Two radios, both SSIDs bridged into lan; only the 5 GHz radio is active.
config wifi-device 'radio0'
option type 'mac80211'
option path 'soc/xxxx.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
option channel '36'
option band '5g'
option htmode 'VHT80'
option cell_density '0'
# Active 5 GHz SSID; sae-mixed is the WPA2-PSK / WPA3-SAE transition mode.
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'ssid'
option encryption 'sae-mixed'
option key 'key'
config wifi-device 'radio1'
option type 'mac80211'
option path 'soc/xxxx.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
option channel '1'
option band '2g'
option htmode 'HT20'
# radio1 is switched off, which is the only thing keeping the open SSID below dormant.
option disabled '1'
# NOTE(review): this 2.4 GHz SSID is bridged into lan with encryption 'none'. Re-enabling
# radio1 would publish an open network straight into the trusted LAN; set a key (or delete
# this stanza) before ever enabling the radio.
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid 'ssid'
option encryption 'none'
it is now connected directly via wan
i tried to see what's wrong but i didnt notice anything
also note that dnscrypt is employed and it is working without any problem at all on its listening ports
kindly please take a look and see where the problems lie
sorry for being a noob as i am new to 23.05. many of the settings were brought forward from my 17.x
I recommend starting with a fully default configuration, starting out from lan-> wan routing then expanding to lan->vpn. Because all the instructions from VPN providers assume this. If you also want an AP that is bridged into the home network ("dumb") to bypass the VPN, that would be done by making a bridge for wan and adding the AP to it.
If your main router is also using 192.168.1.X (192.168.1.0/24) IPs, you need to change the lan to something else. In order to route in between networks, the subnets have to be different.
ok, so knowing why the main wireless couldnt get internet access, i started over again with a minimal setup, this time it is the only router in the network
however, i am still unable to get traffic to pass thru the vpn. just like before, if i remove wan from the lan's allowed forwarding zones (ie only vpn is allowed), i have no internet access. if i allow lan to forward to wan, ie both wan and vpn are allowed, all traffic goes thru the wan only.
EDIT
ok, after a few saves and reboots, it finally works as i can see the vpn ip in a test. i dont really understand why. with the same configs it didnt work. after i edited a field and saved it twice it suddenly worked after a reboot