Wireguard setup: Mullvad Client + Server for Android

Installing and Using OpenWrt
11

Sorry, I couldnt help you, hope somebody of the Freaks here can help you :blush:

12

I will try ask this question in the VPN PBR Forum. This really seems to be the right way. Thanks for the hint!

13

My post did not get any responses in the VPN PBR forum. Are there reasons, why people get ignored in this forum? Did I miss something?

14

LOL, unless I missed something, you're not being ignored - you just haven't found a solution yet.

To do what you desire, you have to:

  • know the SRC IP of the phone at all times - this is so you can "PBR" its IP address.
  • you could also reconfigure and setup a VLAN that uses the VPN - placing the phone's tunnel in the same firewall zone.

I saw this post the other day, I thought you would have realized that by now.

15

Hi,

alright thank you! I am new to this forum and do not know yet, how things are going here.

You mention a VLAN. So what I found here, the whole setup is a firewall issue: https://www.linksysinfo.org/index.php?threads/simultaneous-openvpn-server-client.72103/

So if I get this right, my firewall do not like to route from one interface (WAN) to another (VPN). How could a VLAN fix this? And if yes, how would be the right way, all devices in one VLAN, and only the phone in another? Thank you for explanation.

16

No problem.

I'm not sure about that link, it's not even on this site. Anyways. firewalls and routing are separate things.

You need to reconfigure your router to use 2 LANs:

  • One uses normal Internet (this exists by default)
  • One that uses your VPN via "PBR" configs (do not setup auto routes!)

You will configure your phone to be in the same Firewall Zone that the VPN VLAN/Interface uses. Therfore:

  • Your phone will connect to your WAN IP as normal
  • You VPN network interface will connect to Mullvad
  • Your phone will use the VPN network for it's Internet traffic
  • Done!
config rule
	option in 'lan2'
	option dest '0.0.0.0/0'
	option priority '2'
	option lookup '2' 

config rule
	option in 'phone_vpn'
	option dest '0.0.0.0/0'
	option priority '3'
	option lookup '2' 

config route
	option interface 'vpn'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option table '2'
17

Great, this sounds possible! I will try to find out how to create a VLAN that uses the VPN client. Until now, I have never played around with virtual LAN zones. Firewall zone should be easy, adding the rules too. I will give feedback soon (or coming back with new questions :flushed:)

18

Screenshot%20from%202019-09-10%2011-53-42

  • Add new interface
  • When done:
    • add IP routes and rules above
    • permit firewall forwarding from lan2 and phone_vpn to vpn
19

Hi, thank you, did as said, but I am stucked here and amybe missunderstood something. I thought I know what I am doing, but honestly I do not really get how these rules can work...

I have created an interface "lan2".
No I am having: LAN (Default), LAN2 (Static address, nothing changed, but physical adapter is WG_MV), WG0 ("Phone_VPN" with Wireguard), WG_MV(Mullvad Wireguard), WAN, WAN6 (Default).

Interfaces
Interfaces.png426×660 42.2 KB

So now for the Firewall:
Until nowadays, I had lan and wan zone. VPN for the phone was in the LAND zone, Mullvad VPN in the WAN zone.
No I created a lan2 zone, containing lan2, wg0, wg_mv.

Firewall1

Correct until now? What now?
I added the IP rules under /etc/config/firewall and changed the interface names.

Firewall now looks like this. Kinda strange?

Firewall_rules
Firewall_rules.png771×627 70 KB

Until now I have not added anything to the VPN PBR rules.

At the moment I surf the web with all devices without Mullvad. Adding a rule (VPN PBR) to use Mullvad with my Laptop disables internet access for my laptop. Connection to my router via Wireguard from phone fails.

20

Not correct.

  • You have to make the new lan2 interface a VLAN (e.g. eth0.3, eht0.4, etc.) and bridge it. It should be configured like LAN with a new subnet (e.g. 192.168.2.1/24).
  • The phone vpn should already exist and be added to the same zone as lan2 (done)
  • You then place traffic on this LAN (in Network > Switch
  • I see no separate firewall zone for the Mulivad VPN
21

Alright. Sorry for being that newby... Never worked with VLANs before. Really appreciating your help!

I created now a new VLAN eth0.3 under Switch. Then I recreated lan2 and have chosen eth0.3 and bridge mode. Static address, IpV4 192.168.200.1, netmask 255.255.255.0. Nothing else changed. Now it is as lan, only different IP. Activated DHCP, giving out IPs from 192.168.200.100-250
Firewall zone for mullvad created, wg_mv connected with that, removed from lan2 fw zone.

  • You then place traffic on this LAN (in Network > Switch

Like this?

VLAN
VLAN759×511 25.8 KB

Interfaces seem to work fine, only LAN2 does not show RX packages.

22

Yes, but you haven't moved traffic over yet.

  • LAN1 (eth0.1) - normal Internet
  • LAN2 (eth0.3) - VPN

Changing all VLAN1 ports to VLAN3 should switch them.

Screenshot%20from%202019-09-10%2015-26-25
Screenshot%20from%202019-09-10%2015-26-25867×317 16 KB

  • Be sure you added the IP routes and rules for LAN2 and phone_vpn
  • Your Ethernet device will loose connectivity after applying, they will need to get a new DHCP lease on LAN2!
23

Alright done. Looking the same now. Nevertheless nothing changed. It seems that still LAN is used instead of LAN2. What can go wrong here?

In addition: LAN2 is a bridged devices, but which elements should be included in the bridge? Am I right that the Mullvad interface should be included? Because otherwise my new VLAN would not be used for VPN right? Or is this only done via the rules?

24

If you use WiFi, you have to move it.

Wrong. I stated:

It should be in its own firewall zone, so you can allow forwarding from LAN2 to VPN.

Correct!

25

Switching WIFI did the trick. I got a new Ip from the new range, and LAN stopped sending packages, LAN2 became active. Unfortunately internet access stopped for everyone in the nework. Mullvad seems to work nevertheless (VPN PBR shows me valid IPs for all interfaces) and I also see packages in the interface view. So I think this is a routing rule issue.

In etc/config/firewall I added:

config rule
option in 'lan2'
option dest '0.0.0.0/0'
option priority '2'
option lookup '2'

config rule
option in 'wg0'
option dest '0.0.0.0/0'
option priority '3'
option lookup '2'

config route
option interface 'wg_mv'
option target '0.0.0.0'
option netmask '0.0.0.0'
option table '2'

as you wrote. My Phone Wireguard interface is called wg0, so I replace phone_vpn. The fw zones are: Lan contains lan interface (eth0.1), wan contains eth0.2, wg_mv contains wg_mv interface, lan2 contains eth0.3 and wg0.

Here again a screenshot from the new firewall view. I added forwarding from LAN2 zone to Mullvad zone and accepted forwarding.

firewall3
firewall3.png766×243 20.1 KB

26

These go in /etc/config/network !!!

(Apologies for not specifying this - they are routing rules, NOT firewall rules.)

2 Likes
27

Alright, thanks for correction! I will try tomorrow! Thank you a lot!

28

Holy sh*t!!! It works!!! Connecting over WLAN in my network:mullvad says it is connected Connecting via LTE: Mullvad say connected. Also can access my devices over LTE! Man, thank you so much!

There are two things I have to find out now: how to let some devices not use the tunnel (this already worked with VPN PBR plugin for me, but I am not sure if this can be combinated with your rules easily) and then I really need some time and maybe explanation, why this works.

See: in different forums (like in the one from my link) it's said the firewall don't like to route from WAN to VPN. So now all my devices are part of a new virtual LAN (eth0.3). Why this helps here? Also, my new firewall rules only say, that routing from LAN2 to VPN is fine, but why the routing from the VPN server Phone) works? Can you explain this to me in some simple words? Especially the routing rules. "Option in", and "dest" are clear, but what does "lookup" and "table"? I would really love to understand this and avoid asking noob questions next time.

I will also write down everything I did following your guide in a small structured text to allow others to found it and post my config files.

1 Like
29

Here is what I did:

So what did I do:

1: add a Wireguard tunnel to your phone like described here. My interface name is wg0.


Rboot and figure out that the tunnel works. There are many differnt tutorial for that. Let's say read on when it works.

2: add a Wireguard interface for Mullvad following this guide:


Important: do not acctivate "Route Allowed IPs", ignore DNS stuff for the beginning. Coming to DNS leaks is something for later.
Interface name for me is wg_mv.

3: add a new VLAN (Network/Switch) by clicking on "Add". Set eth0 on tagged, rest off

4:add new interface "lan2", configured as "lan", with different IPv4 range (for example my LAN starts at 192.168.100.1, lan2 at 192.168.200.1).
Configure DHCP that both ranges do not collide (when using my IPs let it as it is, since it will give addresses from 100 to 250).
Under Physical settings: set "bridged interface", choose new VLAN eth0.3 as interface.

5: add following rules in /etc/config/network

config rule
option in 'lan2'
option dest '0.0.0.0/0'
option priority '2'
option lookup '2'

config rule
option in 'wg0'
option dest '0.0.0.0/0'
option priority '3'
option lookup '2'

config route
option interface 'wg_mv'
option target '0.0.0.0'
option netmask '0.0.0.0'
option table '2'

Change interface names fitting to yours, when not using mine. "wg0" is the "phone tunnel" (server), "wg_mv" the one for mulvlad (client).

6: configure firewall like this:

lan: lan -> wan; accept, accept, accept
wan: wan -> reject; reject, accept, reject, Masquerading on, MSS clamping on
lan2: lan2 -> wg_mv; accept, accept, accept
wg_mv: wan -> reject; reject, accept, reject, Masquerading on, MSS clamping on

lan zone contains: lan
wan zone contains: wan, wan6
lan2 zone contains: lan2, wg0
wg_mv zone contains: wg_mv

7: now switch traffic from eth0.1 to 0.3. You do this under Network/switch by setting all untagged port in eth0.1 to off, and all off port (besides WAN) on eth0.3 to untagged. Leave WAN as is in eth0.3 and also CPU.

8: now move your WIFI interfaces from lan to lan2.

9: reboot and check am.i.mullvad.net. It should show green (maybe not DNS) from phone and from LAN.

Errors I made:

  • for switching traffic you must also move WIFI interfaces. Only switching traffic when there are connected devices in WLAN does nothing.
  • make sure to add the rules under /etc/config/network, nowhere else!
  • make sure to have a firewall zone for mullvad (wg_mv), and one new for lan2, containing lan2 AND wg0 (phone tunnel).
  • do not play around with VPN PBR before. This should also work somehow, but with this steps I could make it work, not before!

After all it should look like this (or similar):
Switch_Final

Interfaces-Final
Interfaces-Final.png333×571 31.6 KB

FW_Final
FW_Final.png764×232 20.1 KB

1 Like
30
  • Just move an Ethernet switch port back to VLAN1 (or an SSID on LAN1) - that's why I suggested you setup the LAN2 leaving the original LAN intact. :smiley:
  • You can also make individual rules per IP (being sure to change the priority number in increasing order).

Simple:

They're wrong then. And it's not WAN, it's a VPN interface to VPN. :smile:

Not sure what you're asking since I don't know what needed "help".

Phone <-> Tunnel <-> WAN
Simple.

Lookup and table refer to the routing table. The rules:

  1. created a route to the Internet via the Mullvad on Table No. 2; and
  2. told all traffic using phone_vpn and lan2 those interfaces to use it. The special VPN route was added to Table No. 2.

See: