Wireguard setup: Mullvad Client + Server for Android

Alright, done. Looking the same now. Nevertheless, nothing changed. It seems that LAN is still used instead of LAN2. What can go wrong here?

In addition: LAN2 is a bridged device, but which elements should be included in the bridge? Am I right that the Mullvad interface should be included? Because otherwise my new VLAN would not be used for VPN, right? Or is this only done via the rules?

If you use WiFi, you have to move it.

Wrong. I stated:

It should be in its own firewall zone, so you can allow forwarding from LAN2 to VPN.

Correct!

Switching WiFi did the trick. I got a new IP from the new range, and LAN stopped sending packets; LAN2 became active. Unfortunately internet access stopped for everyone in the network. Mullvad seems to work nevertheless (VPN PBR shows me valid IPs for all interfaces) and I also see packets in the interface view. So I think this is a routing rule issue.

In etc/config/firewall I added:

config rule
	option in 'lan2'
	option dest '0.0.0.0/0'
	option priority '2'
	option lookup '2'

config rule
	option in 'wg0'
	option dest '0.0.0.0/0'
	option priority '3'
	option lookup '2'

config route
	option interface 'wg_mv'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option table '2'

as you wrote. My phone WireGuard interface is called wg0, so I replaced phone_vpn. The firewall zones are: lan contains the lan interface (eth0.1), wan contains eth0.2, wg_mv contains the wg_mv interface, lan2 contains eth0.3 and wg0.

Here again a screenshot from the new firewall view. I added forwarding from LAN2 zone to Mullvad zone and accepted forwarding.

These go in /etc/config/network !!!

(Apologies for not specifying this - they are routing rules, NOT firewall rules.)

2 Likes

Alright, thanks for correction! I will try tomorrow! Thank you a lot!

Holy sh*t!!! It works!!! Connecting over WLAN in my network: Mullvad says it is connected. Connecting via LTE: Mullvad says connected. I can also access my devices over LTE! Man, thank you so much!

There are two things I have to find out now: how to let some devices not use the tunnel (this already worked with the VPN PBR plugin for me, but I am not sure if this can be combined with your rules easily), and then I really need some time and maybe an explanation of why this works.

See: in different forums (like the one from my link) it's said the firewall doesn't like to route from WAN to VPN. So now all my devices are part of a new virtual LAN (eth0.3). Why does this help here? Also, my new firewall rules only say that routing from LAN2 to VPN is fine, but why does the routing from the VPN server (phone) work? Can you explain this to me in some simple words? Especially the routing rules. "option in" and "dest" are clear, but what do "lookup" and "table" do? I would really love to understand this and avoid asking noob questions next time.

I will also write down everything I did following your guide in a small structured text to allow others to find it, and post my config files.

1 Like

Here is what I did:

So what did I do:

1: add a WireGuard tunnel to your phone as described here. My interface name is wg0.


Reboot and check that the tunnel works. There are many different tutorials for that. Let's say: read on when it works.

2: add a WireGuard interface for Mullvad following this guide:


Important: do not activate "Route Allowed IPs"; ignore DNS stuff for the beginning. Dealing with DNS leaks is something for later.
Interface name for me is wg_mv.

3: add a new VLAN (Network/Switch) by clicking on "Add". Set eth0 to tagged, rest off.

4: add a new interface "lan2", configured like "lan", with a different IPv4 range (for example my LAN starts at 192.168.100.1, lan2 at 192.168.200.1).
Configure DHCP so that both ranges do not collide (when using my IPs leave it as it is, since it will give addresses from 100 to 250).
Under Physical Settings: set "bridge interfaces", choose the new VLAN eth0.3 as interface.

5: add following rules in /etc/config/network

config rule
	option in 'lan2'
	option dest '0.0.0.0/0'
	option priority '2'
	option lookup '2'

config rule
	option in 'wg0'
	option dest '0.0.0.0/0'
	option priority '3'
	option lookup '2'

config route
	option interface 'wg_mv'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option table '2'

Change the interface names to match yours when not using mine. "wg0" is the "phone tunnel" (server), "wg_mv" the one for Mullvad (client).

6: configure firewall like this:

lan: lan -> wan; accept, accept, accept
wan: wan -> reject; reject, accept, reject, Masquerading on, MSS clamping on
lan2: lan2 -> wg_mv; accept, accept, accept
wg_mv: wan -> reject; reject, accept, reject, Masquerading on, MSS clamping on

lan zone contains: lan
wan zone contains: wan, wan6
lan2 zone contains: lan2, wg0
wg_mv zone contains: wg_mv

7: now switch traffic from eth0.1 to eth0.3. You do this under Network/Switch by setting all untagged ports in eth0.1 to off, and all off ports (besides WAN) on eth0.3 to untagged. Leave WAN as is in eth0.3 and also CPU.

8: now move your WiFi interfaces from lan to lan2.

9: reboot and check am.i.mullvad.net. It should show green (maybe not DNS) from phone and from LAN.

Errors I made:

  • for switching traffic you must also move the WiFi interfaces. Only switching traffic when the connected devices are in WLAN does nothing.
  • make sure to add the rules under /etc/config/network, nowhere else!
  • make sure to have a firewall zone for mullvad (wg_mv), and one new for lan2, containing lan2 AND wg0 (phone tunnel).
  • do not play around with VPN PBR before. This should also work somehow, but with these steps I could make it work, not before!

After all it should look like this (or similar):
Switch_Final

1 Like
  • Just move an Ethernet switch port back to VLAN1 (or an SSID on LAN1) - that's why I suggested you set up the LAN2 leaving the original LAN intact. :smiley:
  • You can also make individual rules per IP (being sure to change the priority number in increasing order).

Simple:

They're wrong then. And it's not WAN, it's a VPN interface to VPN. :smile:

Not sure what you're asking since I don't know what needed "help".

Phone <-> Tunnel <-> WAN
Simple.

Lookup and table refer to the routing table. The rules:

  1. created a route to the Internet via the Mullvad on Table No. 2; and
  2. told all traffic using those interfaces, phone_vpn and lan2, to use it. The special VPN route was added to Table No. 2.

See:

Alright thank you! :smiley:
There are some things I do not really understand at the moment but like I said, I need some time for it.

I think I will move one WLAN interface to LAN1 and one to LAN2 so everyone in the network can decide which variant to use. So far I really like the idea of the two VLANs, and yes, maybe I just connect my TV to one port mapped to LAN1.

BUT:
if I get this right, this is all not about the VLANs, right? So this would also be possible without the new LAN interface.
I will not try this out, since this is working, but am I right that this would also be possible to realize by putting the phone wg interface in the lan zone, skipping the VLAN and switch traffic part, then just adding the traffic rules, and we end in a setup where everyone uses Mullvad, also the phone?

Your phone would stop working!

You have to have a default (normal) Internet rule so the phone works (uses WAN to reach your phone and not VPN). Otherwise the router would send the reply traffic to Mullvad and not on the ISP; and it therefore fails. This is why I suggested creating the second network/rules that use VPN.

Okay got it!

So I guess, to make a specific IP NOT use Mullvad but stay connected on the same port (lan2), I would add in addition:

config rule
	option in 'lan2'
	option dest '0.0.0.0/0'
	option src '192.168.100.238'
	option priority '4'
	option lookup '3'

config route
	option interface 'wan'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option table '3'

  • increased priority
  • add new table
  • add new rule
  • set specific src ip

Got this right? Otherwise I will try VPN PBR again...

No, leave lookup and table at 2, your syntax incorrectly creates a table no. 3. Also, you don't need to make another route, it already exists at Table No. 2.

Next, if this IP is already on LAN2, the rule is ineffective anyways. Remove the option in 'lan2' - you would use this method for an IP in LAN1 to use VPN:

config rule
	option dest '0.0.0.0/0'
	option src '192.168.100.238/32'
	option priority '4'
	option lookup '2'

This is VPN PBR! :wink:

Also, this already exists on the main table; but your syntax is incomplete anyways - as a Layer 2 interface needs a gateway IP specified to work.

AAAAH! Correction (I realized you use the wrong subnet and I got confused):

config rule
	option dest '0.0.0.0/0'
	option src '192.168.200.238/32'
	option priority '4'
	option lookup 'main'

This will make a single IP on LAN2 use WAN.

Be sure to go to the firewall and allow forwarding from LAN2 to WAN!

1 Like
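As an added example (not from this thread), the following Python script models how the kernel consumes the "config rule" / "config route" stanzas explained above: rules are tried in ascending priority, and the first matching rule whose table holds a route for the destination decides the exit interface, which is what "lookup" and "table" refer to. Since table 2 carries a default route, the per-host exception in this sample is given priority 1 so that it is evaluated before the lan2 rule at priority 2; the wan default route in 'main', the address 192.168.200.238 and the packet inputs are constructed values, not live router state.

```python
import ipaddress
# Constructed sample built from this thread's /etc/config/network stanzas: the
# lan2 rule, the table-2 default route via Mullvad, and a per-host exception.
NETWORK_CONFIG = """
config rule
	option in 'lan2'
	option dest '0.0.0.0/0'
	option priority '2'
	option lookup '2'
config rule
	option dest '0.0.0.0/0'
	option src '192.168.200.238/32'
	option priority '1'
	option lookup 'main'
config route
	option interface 'wg_mv'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option table '2'
"""

def parse_uci(text):
    """Split UCI text into [{'_type': ..., option: value}, ...]."""
    stanzas = []
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("config "):
            stanzas.append({"_type": line.split()[1]})
        elif line.startswith("option ") and stanzas:
            _, key, value = line.split(None, 2)
            stanzas[-1][key] = value.strip("'\"")
    return stanzas

def egress_interface(in_iface, src, dst, text=NETWORK_CONFIG):
    """First matching rule (ascending priority) whose table routes dst wins."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    stanzas = parse_uci(text)
    tables = {"main": [(ipaddress.ip_network("0.0.0.0/0"), "wan")]}  # wan default (constructed)
    for s in (s for s in stanzas if s["_type"] == "route"):
        net = ipaddress.ip_network(f"{s['target']}/{s['netmask']}", strict=False)
        tables.setdefault(s.get("table", "main"), []).append((net, s["interface"]))
    rules = [s for s in stanzas if s["_type"] == "rule"]
    for r in sorted(rules, key=lambda r: int(r.get("priority", 32766))):
        if (r.get("in", in_iface) != in_iface
                or src not in ipaddress.ip_network(r.get("src", "0.0.0.0/0"))
                or dst not in ipaddress.ip_network(r.get("dest", "0.0.0.0/0"))):
            continue  # selector does not match this packet, try the next rule
        for net, iface in tables.get(r.get("lookup", "main"), []):
            if dst in net:
                return iface
    return "wan"  # nothing matched: the kernel's implicit last rule uses 'main'
```

Giving the exception priority 4 instead makes the lan2 rule match first, and the host is sent through wg_mv like everyone else on LAN2.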

Alright! Perfect! Thank you so much. Will try this asap.

I am really, really happy you could help me! I bow before people like you, who share their knowledge and keep open source projects alive!

2 Likes

One new interesting thing is happening now. My adblocker is no longer used. I use the adblock addon for OpenWrt. With using the phone tunnel before, this worked perfectly. I had no ads in my phone browser. With the new VLAN and access to Mullvad it seems not to work anymore. So I activated my old PiHole again, changed settings in "DHCP and DNS" (DNS Forwarding), and also added the "Force" option and 6,192.168.100.2 (my PiHole IP) in the LAN2 DHCP options (Advanced Settings).

Interesting thing is that from that moment the traffic coming from my LAN/WLAN clients is using the PiHole, but not the phone. I can give a DNS server in the WireGuard app, which is set to the Mullvad one, which is not blocking. Without the VLAN this was used (I guess) to find my DynDNS IP, and then the DNS from Adblock/Router/PiHole. Now it seems to keep using the Mullvad one.

Do I have to change more regarding the firewall zones/interfaces/VLANs for DNS/Adblock?

:man_facepalming:

Wow...you didn't mention a router-based DNS adblocker...

No. You should just assign the router's IP as your DNS server (like normal). DNS requests from the router will use WAN though.

This is your problem with the phone! Set this to your router's IP. Of course blocking stops if you configure another DNS server without adblock.

I am sorry. Okay, I should emphasize this more often. :flushed: But well, this goes already beyond the question itself.

It is a little weird, but it is working. Using the PiHole as DNS in LAN works fine, as mentioned. It is used when using "Use custom DNS servers" with the PiHole IP in the LAN2 interface. The WireGuard tunnel on my phone, on the other hand, MUST use the router's IP, as you said. I do not really understand why I cannot use the PiHole one directly, since it should also be visible in the network, but the setup now is alright I think. So WireGuard asks the router, which asks the PiHole. Interesting is also, nevertheless, that the blocking only works when the PiHole is used. If I do not change the DNS config in the router (so it should use the internal adblocker, not the PiHole), only the LAN2/WLAN clients block, not the phone. But seriously, this does not matter for me.

For clarity, where is your adblock installed?

That should be your DNS server issued to clients.

Adblock is installed as an OpenWrt plugin (adblock 3.5.5-3) via LuCI. PiHole runs independently on a Pi with a fixed IP. So this is why I like the PiHole: I know where it is. The adblocker inside the router works with routing, a thing which, as you saw, is new for me. :smiley:

The REALLY funny thing is that the blocking on my phone only works when the PiHole runs; on the other hand, the queries from my phone are not seen in the PiHole. So it seems the phone uses the adblocker from OpenWrt, but can only do so when setting the PiHole as custom DNS server. :open_mouth:

I disabled the adblock functionality now. Result: adblocking still working, so it seems to be the Pi! Now Mullvad also does not say I have DNS leaks. All requests go to the PiHole now! I guess before I had two DNS servers running in parallel.

UPDATE: after reboot blocking was gone again. So it seems the pihole is not used from my phone!

Your router IP rotates??? Wow.

That would make [more] sense.

1 Like