Wireguard setup: Mullvad Client + Server for Android

Hi everyone,

Some days ago I discovered OpenWRT and I am pretty impressed by all the possibilities! Unfortunately I could not get the setup I have been dreaming of for some time to run. I am new to this forum and would appreciate any kind of help! And yes, I'm a noob (yet)!

All I want is the typical setup described in many posts here; nevertheless nobody seems to have my exact problem (it seems the real problems start afterwards, like here, where this setup seems to be the starting point... LAN access in Wireguard tunnel). I want a Mullvad client (Wireguard) running on the router (mine is a TL-WRD3600) and in addition a Wireguard server that my smartphone connects to when I am not at home.

The thing is, both interfaces run absolutely flawlessly. I configured the Mullvad client as in their OpenWRT guide (https://mullvad.net/en/guides/running-wireguard-router/), but placed it (as suggested in some posts in this forum) in the WAN firewall zone (first WG interface) to keep it simple.

I also added the server in the LAN zone and I am able to connect to it from my phone (second WG interface).

I did not add any rules, firewall zones or anything else. I did, however, add the adblocker module, which is also working fine (also with both interfaces).

BUT: the moment I enable the Mullvad client, I cannot surf via my Android phone anymore. I cannot reach my local IPs, the router, or the internet at all. Surfing directly from the LAN works perfectly, however, and I see that the traffic goes over Mullvad servers (according to their page "Am I Mullvad").

Is there anything special I have to add? Something like: "Ongoing traffic over the Wireguard server shall be routed to the Mullvad client"?

I really appreciate your work here and thank you in advance! Please tell me if this is the wrong place for this question or if you need more information!

Best regards!

Your WireGuard server needs to communicate with the client (Android) via the WAN interface.
Meanwhile, the default route points to the WireGuard client interface (Mullvad).
To resolve it, you need to utilize policy-based routing, e.g.

Hi,

I have set up WireGuard VPN with Mullvad on my OpenWRT router. If you are connected to your LAN or WLAN and the WireGuard-Mullvad interface is configured correctly, then you don't need the WireGuard client software, as everything passes anyway through the WireGuard VPN tunnel to Mullvad over your WGMullvad interface on your router.

My iPhone also has the WireGuard VPN software installed and set up, but it only connects when I leave home; all traffic then passes through the cellular connection on the iPhone to Mullvad. As soon as I come home and my iPhone "sees" my WLAN, it disables the cellular WireGuard VPN connection and connects to my WLAN/LAN, and then all my internet traffic passes anyway through the router, through the WireGuard tunnel that is connected to Mullvad.

I think, if your router is set up to connect to WireGuard as described on the Mullvad website, you can't tunnel with your Android WireGuard tunnel again through an already existing WireGuard tunnel that is already connected to Mullvad...

What you can do, if you are not home and connected to Mullvad through a cellular Mullvad connection on your Android phone, is go to "Manage ports" and add forwarded ports for your WireGuard IP under "Manage your forwarded ports" on the Mullvad website, to forward for example SSH to your home... That is what I did; I also access my SMB server and VNC through those forwarded ports to reach or manage home devices.

Screenshot of my setup ->

Thank you for your answer!

So basically you are saying that the Wireguard server needs to use the WAN interface? In this case all my traffic coming from my phone to my router would be routed over my ISP. This is not what I would like to achieve. I want my Android phone to use the Mullvad tunnel from my router too. Is this not possible?

I will check policy-based routing of course; nevertheless I get the feeling that when I do as suggested I will not see my connection routed over Mullvad when using my phone.

Thank you also very much for your answer!

So you are also telling me that my setup is not possible: to route from my phone to my router's Wireguard server and from there only over Mullvad, right?

So what you suggest is using a Wireguard connection directly to Mullvad from my phone. Using port forwarding then allows access to my LAN devices. This sounds like a compromise, but is not really what I would like to achieve. I really would love to route my data over my home router, especially because of the adblocker installed there. Would this setup maybe be possible with an additional device, like a Raspberry Pi as a VPN gateway, or anything else?


No, only encrypted traffic between the client and the server.
Traffic inside the tunnel should be routed via the WG interface.

Okay, sorry, guess I'm too nooby here!

I will try to rephrase the question to better understand your answer:
If I use this routing, will I be able to surf via Mullvad if I connect my smartphone to my router? So if I am connected to the Wireguard server on my router from my smartphone and open "am.i.mullvad.net", will it tell me that I am connected to their server? Or will I still see my ISP's IP? So basically I want ALL outgoing traffic from my router to the internet to go over Mullvad, including the sites visited from my smartphone.

So I want:

Phone(Wireguard Client) -> Wireguard Server (Router) -> Wireguard Client Mullvad (Router) -> Mullvad -> Internet

OpenVPN requires this method, so something similar should work for WireGuard as well.

What you can do, when you are not home, for example, and your phone is connected to Mullvad VPN via WireGuard, as your router is also connected to Mullvad VPN via WireGuard, is what I do. I connect to my home devices via an SSH tunnel SOCKS5 proxy; I can access SMB, VNC and terminal, all through a SOCKS5 SSH tunnel that runs on my iPhone. But you must log in to your Mullvad VPN account and add a port forward to your WireGuard VPN tunnel that is set up with a WG key on your router. Now, they don't give standard port numbers; for example, if you add a forward, you might see a port get opened like 48714 or something similar. So, when you make an SSH tunnel SOCKS5 connection, you must pass it through the port they gave you, in my example here 48714, and it comes out on the other side of the tunnel, your router, to for example SSH port 22 or whatever port you have set up for SSH connections...

Best is, you use SSH key authentication. I use id_ed25519 keys and log in through the SOCKS5 SSH tunnel via my iPhone to the port WireGuard VPN gave me (in my example, 48714). Then you can browse web services that are running locally in your LAN, VNC, SMB, terminals...

This works perfectly for me. The thing is, you must see it globally this way: your router is connected via Mullvad VPN; your normal public ISP IP is there, but practically disabled, so you can only come into your home LAN through the WireGuard VPN tunnel IP of your router. And then the second device, your phone, also connected to WireGuard Mullvad VPN, connects to your router through the WireGuard VPN IP you have. As Mullvad has no reverse DNS, you need to go to the Mullvad website and add a forwarded port (48714, as I mentioned in the example above), so you can pass traffic to your router and thus access LAN services via the SOCKS5 SSH proxy tunnel. That's the way I did it. Works wonderfully and is secure, as the traffic is tunneled via SSH through the WireGuard VPN tunnel from your phone to your router, which is also connected to Mullvad VPN. I use OpenSSH on my router, as it allows me to set up and fine-tune exactly what I want: forward ports, etc. In short, you tunnel SSH through the two existing Mullvad VPN WireGuard tunnels, so the connection is protected by WireGuard, and inside WireGuard the SSH SOCKS5 traffic travels as well. Really a very secure setup!

For this to work, you must also add a traffic rule in your router; let's call it SSHExtern, then choose your WireGuard Mullvad interface, in my case called WireGMull ->

From any host in WireGMull with source port 48714
To IP 192.168.1.1, port 22 in lan

and also you need a Firewall - Port Forwards rule ->
From any host in WireGMull
Via any router IP at port 48714

to->

IP 192.168.1.1, port 22 in lan

By the way, I also have ADBLOCK activated, and its trigger is the Mullvad VPN interface, in my example called WireGMull ... works great too

My firewall setup looks this way; WGMULL is my Mullvad VPN interface ->

Thank you for the explanation; nevertheless this is not the desired setup. I do see what you are doing, but my target is to route from my phone directly to the router and afterwards to Mullvad. You described the other way around.

You do: Phone -> Mullvad -> Port Forwarding to Router -> Lan Device

I want: Phone -> Wireguard server on Router -> Mullvad


Sorry, I couldn't help you; I hope somebody of the freaks here can help you

I will try asking this question in the VPN PBR forum. This really seems to be the right way. Thanks for the hint!

My post did not get any responses in the VPN PBR forum. Are there reasons why people get ignored in this forum? Did I miss something?

LOL, unless I missed something, you're not being ignored - you just haven't found a solution yet.

To do what you desire, you have to:

  • know the SRC IP of the phone at all times - this is so you can "PBR" its IP address.
  • you could also reconfigure and setup a VLAN that uses the VPN - placing the phone's tunnel in the same firewall zone.

I saw this post the other day, I thought you would have realized that by now.

Hi,

Alright, thank you! I am new to this forum and do not know yet how things go here.

You mention a VLAN. From what I found here, the whole setup is a firewall issue: https://www.linksysinfo.org/index.php?threads/simultaneous-openvpn-server-client.72103/

So if I get this right, my firewall does not like to route from one interface (WAN) to another (VPN). How could a VLAN fix this? And if it can, what would be the right way: all devices in one VLAN, and only the phone in another? Thank you for the explanation.

No problem.

I'm not sure about that link; it's not even on this site. Anyway, firewalls and routing are separate things.

You need to reconfigure your router to use 2 LANs:

  • One uses normal Internet (this exists by default)
  • One that uses your VPN via "PBR" configs (do not setup auto routes!)

You will configure your phone to be in the same Firewall Zone that the VPN VLAN/Interface uses. Therefore:

  • Your phone will connect to your WAN IP as normal
  • You VPN network interface will connect to Mullvad
  • Your phone will use the VPN network for its Internet traffic
  • Done!
# /etc/config/network
# Traffic arriving from the new VLAN is resolved in routing table 2
config rule
	option in 'lan2'
	option dest '0.0.0.0/0'
	option priority '2'
	option lookup '2'

# The same for traffic arriving over the phone's WireGuard tunnel
config rule
	option in 'phone_vpn'
	option dest '0.0.0.0/0'
	option priority '3'
	option lookup '2'

# Default route via the Mullvad interface, but only in table 2,
# so the main table (and therefore WAN) stays the default for everything else
config route
	option interface 'vpn'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option table '2'
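
As an added illustration (not code from this thread, from OpenWrt or from Mullvad), the following Python models the routing decision behind the rules above: the kernel walks `ip rule` entries by priority, looks the destination up in the table each rule points at, and falls through to the next rule when that table has no match. It then applies the model to the packets that matter here: the router's encrypted replies to the phone's public endpoint, the phone's decrypted traffic toward the internet, and, going one step beyond the thread, the phone's traffic toward a LAN host, which a table holding only a default route would also push into the Mullvad tunnel unless a higher-priority rule keeps local prefixes in the main table. All interface names (`br-lan`, `br-lan2`, `wg0`, `wg_mv`, `wan`), addresses and the table number 2 are assumptions chosen to mirror the UCI snippet.

```python
"""Toy model of Linux policy-based routing for the OpenWrt/Mullvad thread.

Added example, not part of the original thread. Interface names, prefixes
and table numbers are assumptions; addresses come from the documentation
ranges (TEST-NET) or RFC 1918 and are constructed for this illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

MAIN = 254       # the kernel's "main" routing table
VPN_TABLE = 2    # table used by the UCI rules in the thread (assumption)


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    dev: str


@dataclass(frozen=True)
class Rule:
    priority: int
    lookup: int                       # table to consult when the rule matches
    iif: str | None = None            # match on incoming interface (UCI "option in")
    dest: IPv4Network | None = None   # match on destination (UCI "option dest")


class Router:
    def __init__(self, rules: list[Rule], tables: dict[int, list[Route]]):
        self.rules = sorted(rules, key=lambda r: r.priority)
        self.tables = tables

    def _lookup(self, table: int, dst: IPv4Address) -> str | None:
        """Longest-prefix match inside one table; None when nothing matches."""
        hits = [r for r in self.tables.get(table, []) if dst in r.prefix]
        return max(hits, key=lambda r: r.prefix.prefixlen).dev if hits else None

    def egress(self, dst: str, iif: str | None = None) -> str:
        """Walk the rules by priority; an empty table result falls through."""
        d = ip_address(dst)
        for rule in self.rules:
            if rule.iif is not None and rule.iif != iif:
                continue
            if rule.dest is not None and d not in rule.dest:
                continue
            dev = self._lookup(rule.lookup, d)
            if dev is not None:
                return dev
        raise LookupError(f"no route to {dst}")


# Assumed topology: connected routes the router always has in "main".
LANS = [ip_network("192.168.1.0/24"), ip_network("192.168.2.0/24")]
CONNECTED = [
    Route(LANS[0], "br-lan"),                        # existing LAN
    Route(LANS[1], "br-lan2"),                       # new VLAN that should use Mullvad
    Route(ip_network("10.9.0.0/24"), "wg0"),         # phone tunnel (WireGuard server)
    Route(ip_network("203.0.113.0/24"), "wan"),      # ISP-facing subnet
    Route(ip_network("192.0.2.10/32"), "wan"),       # host route to the Mullvad endpoint
]
DEFAULT = ip_network("0.0.0.0/0")


def broken_router() -> Router:
    """Mullvad interface installed its own default route into main (auto routes)."""
    main = CONNECTED + [Route(DEFAULT, "wg_mv")]
    return Router([Rule(32766, MAIN)], {MAIN: main})


def fixed_router(keep_lan_local: bool) -> Router:
    """Main keeps WAN as default; table 2 sends lan2/phone traffic via Mullvad."""
    main = CONNECTED + [Route(DEFAULT, "wan")]
    rules = [Rule(2, VPN_TABLE, iif="br-lan2"),
             Rule(3, VPN_TABLE, iif="wg0"),
             Rule(32766, MAIN)]
    if keep_lan_local:
        # Extra rules (not in the thread): LAN destinations stay in main,
        # otherwise table 2's default route swallows them too.
        rules += [Rule(1, MAIN, dest=lan) for lan in LANS]
    return Router(rules, {MAIN: main, VPN_TABLE: [Route(DEFAULT, "wg_mv")]})


def walk_through() -> dict[str, str]:
    """Egress device for each packet discussed in the thread (constructed cases)."""
    broken, naive, fixed = broken_router(), fixed_router(False), fixed_router(True)
    phone_endpoint = "198.51.100.77"   # phone's public IP while on cellular (assumed)
    return {
        "broken: router replies to phone endpoint": broken.egress(phone_endpoint),
        "fixed: router replies to phone endpoint": fixed.egress(phone_endpoint),
        "fixed: phone browses the internet": fixed.egress("1.1.1.1", iif="wg0"),
        "fixed: lan2 browses the internet": fixed.egress("1.1.1.1", iif="br-lan2"),
        "fixed: lan browses the internet": fixed.egress("1.1.1.1", iif="br-lan"),
        "naive: phone reaches a LAN host": naive.egress("192.168.1.50", iif="wg0"),
        "fixed: phone reaches a LAN host": fixed.egress("192.168.1.50", iif="wg0"),
    }


if __name__ == "__main__":
    for case, dev in walk_through().items():
        print(f"{case:45s} -> {dev}")
```

The "broken" case is the symptom reported at the top of the thread: with Mullvad owning the default route, the WireGuard server's encrypted replies to the phone are sent into the Mullvad tunnel instead of out the WAN, so the handshake never completes. The "naive" case shows why a table that contains only a default route is not quite enough once the tunnel works: the phone's packets to a LAN host also match that default, which is why the extra per-LAN rules (or copies of the connected routes in table 2) are worth adding.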

Great, this sounds possible! I will try to find out how to create a VLAN that uses the VPN client. Until now, I have never played around with virtual LAN zones. The firewall zone should be easy, adding the rules too. I will give feedback soon (or come back with new questions)


  • Add new interface
  • When done:
    • add IP routes and rules above
    • permit firewall forwarding from lan2 and phone_vpn to vpn

Hi, thank you, I did as you said, but I am stuck here and maybe misunderstood something. I thought I knew what I was doing, but honestly I do not really get how these rules can work...

I have created an interface "lan2".
Now I have: LAN (default), LAN2 (static address, nothing changed, but the physical adapter is WG_MV), WG0 ("Phone_VPN" with Wireguard), WG_MV (Mullvad Wireguard), WAN, WAN6 (default).

So now for the Firewall:
Until now, I had the lan and wan zones. The VPN for the phone was in the LAN zone, the Mullvad VPN in the WAN zone.
Now I created a lan2 zone, containing lan2, wg0, wg_mv.


Correct until now? What now?
I added the IP rules under /etc/config/firewall and changed the interface names.

Firewall now looks like this. Kinda strange?

Until now I have not added anything to the VPN PBR rules.

At the moment I surf the web with all devices without Mullvad. Adding a rule (VPN PBR) to use Mullvad with my laptop disables internet access for my laptop. Connecting to my router via Wireguard from the phone fails.

Not correct.

  • You have to make the new lan2 interface a VLAN (e.g. eth0.3, eth0.4, etc.) and bridge it. It should be configured like LAN with a new subnet (e.g. 192.168.2.1/24).
  • The phone vpn should already exist and be added to the same zone as lan2 (done)
  • You then place traffic on this LAN (in Network > Switch
  • I see no separate firewall zone for the Mullvad VPN