Wireguard setup: Mullvad Client + Server for Android

Here is what I did:

So what did I do:

1: add a Wireguard tunnel to your phone as described here. My interface name is wg0.


Reboot and check that the tunnel works. There are many different tutorials for that. Let's say read on once it works.

2: add a Wireguard interface for Mullvad following this guide:


Important: do not activate "Route Allowed IPs", and ignore the DNS stuff for the beginning. DNS leaks are something for later.
Interface name for me is wg_mv.

3: add a new VLAN (Network/Switch) by clicking on "Add". Set eth0 to tagged, the rest to off.

4: add a new interface "lan2", configured like "lan", with a different IPv4 range (for example my LAN starts at 192.168.100.1, lan2 at 192.168.200.1).
Configure DHCP so that both ranges do not collide (when using my IPs, leave it as it is, since it will give addresses from 100 to 250).
Under Physical Settings: set "bridged interface", and choose the new VLAN eth0.3 as interface.

5: add the following rules in /etc/config/network

config rule
	option in 'lan2'
	option dest '0.0.0.0/0'
	option priority '2'
	option lookup '2'

config rule
	option in 'wg0'
	option dest '0.0.0.0/0'
	option priority '3'
	option lookup '2'

config route
	option interface 'wg_mv'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option table '2'

Change the interface names to fit yours if you are not using mine. "wg0" is the "phone tunnel" (server), "wg_mv" the one for Mullvad (client).

6: configure firewall like this:

lan: lan -> wan; accept, accept, accept
wan: wan -> reject; reject, accept, reject, Masquerading on, MSS clamping on
lan2: lan2 -> wg_mv; accept, accept, accept
wg_mv: wan -> reject; reject, accept, reject, Masquerading on, MSS clamping on

lan zone contains: lan
wan zone contains: wan, wan6
lan2 zone contains: lan2, wg0
wg_mv zone contains: wg_mv

7: now switch traffic from eth0.1 to eth0.3. You do this under Network/Switch by setting all untagged ports in eth0.1 to off, and all off ports (besides WAN) on eth0.3 to untagged. Leave WAN as is in eth0.3, and also CPU.

8: now move your WIFI interfaces from lan to lan2.

9: reboot and check am.i.mullvad.net. It should show green (maybe not DNS) from phone and from LAN.

Errors I made:

  • for switching traffic you must also move the WIFI interfaces. Only switching traffic when the connected devices are on WLAN does nothing.
  • make sure to add the rules under /etc/config/network, nowhere else!
  • make sure to have a firewall zone for mullvad (wg_mv), and one new for lan2, containing lan2 AND wg0 (phone tunnel).
  • do not play around with VPN PBR beforehand. That should also work somehow, but with these steps I could make it work, not before!

In the end it should look like this (or similar):
[image: Switch_Final]

  • Just move an Ethernet switch port back to VLAN1 (or an SSID on LAN1) - that's why I suggested you set up the LAN2 leaving the original LAN intact. :smiley:
  • You can also make individual rules per IP (being sure to change the priority number in increasing order).

Simple:

They're wrong then. And it's not WAN, it's a VPN interface to VPN. :smile:

Not sure what you're asking since I don't know what needed "help".

Phone <-> Tunnel <-> WAN
Simple.

Lookup and table refer to the routing table. The rules:

  1. created a route to the Internet via Mullvad in Table No. 2; and
  2. told all traffic using those interfaces (phone_vpn and lan2) to use it. The special VPN route was added to Table No. 2.

See:

Alright thank you! :smiley:
There are some things I do not really understand at the moment but like I said, I need some time for it.

I think I will move one WLAN interface to LAN1 and one to LAN2 so everyone in the network can decide which variant to use. So far I really like the idea of the two VLANs, and yes, maybe I just connect my TV to one port mapped to LAN1.

BUT:
if I get this right, this is all not about the VLANs, right? So this would also be possible without the new LAN interface.
I will not try this out, since this is working, but am I right that this would also be possible to realize by putting the phone wg interface in the lan zone, skipping the VLAN and switch-traffic part, then just adding the traffic rules, and we end up in a setup where everyone uses Mullvad, also the phone?

Your phone would stop working!

You have to have a default (normal) Internet rule so the phone works (uses WAN to reach your phone and not VPN). Otherwise the router would send the reply traffic to Mullvad and not on the ISP; and it therefore fails. This is why I suggested creating the second network/rules that use VPN.

Okay got it!

So I guess for a specific IP NOT to use Mullvad, but connected on the same port (lan2), I would add in addition:

config rule
	option in 'lan2'
	option dest '0.0.0.0/0'
	option src '192.168.100.238'
	option priority '4'
	option lookup '3'

config route
	option interface 'wan'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option table '3'

  • increased priority
  • add new table
  • add new rule
  • set specific src ip

Got this right? Otherwise I will try VPN PBR again...

No, leave lookup and table at 2, your syntax incorrectly creates a table no. 3. Also, you don't need to make another route, it already exists at Table No. 2.

Next, if this IP is already on LAN2, the rule is ineffective anyways. Remove the option in 'lan2' - you would use this method for an IP in LAN1 to use VPN:

config rule
	option dest '0.0.0.0/0'
	option src '192.168.100.238/32'
	option priority '4'
	option lookup '2'

This is VPN PBR! :wink:

Also, this already exists on the main table; but your syntax is incomplete anyways - as a Layer 2 interface needs a gateway IP specified to work.

AAAAH! Correction (I realized you use the wrong subnet and I got confused):

config rule
	option dest '0.0.0.0/0'
	option src '192.168.200.238/32'
	option priority '4'
	option lookup 'main'

This will make a single IP on LAN2 use WAN.

Be sure to go to the firewall and allow forwarding from LAN2 to WAN!

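To make the priority/lookup semantics of the rules in this thread concrete, here is an added Python model (not from the thread or from OpenWrt) of how the kernel walks `ip rule` entries in priority order and consults the named table. It uses the step-5 rules and the single-host exception above; the table contents, a longest-prefix lookup standing in for the real FIB, and the test addresses are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    """One 'config rule' stanza; the lower priority value is evaluated first."""
    priority: int
    lookup: str                  # table to consult: '2' or 'main'
    in_if: Optional[str] = None  # option in
    src: Optional[str] = None    # option src
    dest: Optional[str] = None   # option dest

# Constructed routing tables as {prefix: egress device}; table '2' is the step-5 default route via wg_mv.
TABLES = {
    "main": {"192.168.100.0/24": "lan", "192.168.200.0/24": "lan2", "0.0.0.0/0": "wan"},
    "2": {"0.0.0.0/0": "wg_mv"},
}

def fib_lookup(table, dst):
    """Longest-prefix match; None when the table has no route for dst."""
    hits = [(ip_network(p).prefixlen, dev) for p, dev in table.items()
            if ip_address(dst) in ip_network(p)]
    return max(hits)[1] if hits else None

def egress(rules, in_if, src, dst, tables=TABLES):
    """Walk rules by priority; a rule whose table has no route for dst falls through,
    and the implicit 'main' lookup comes last. in_if is None for the router's own packets."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.in_if and rule.in_if != in_if:
            continue
        if rule.src and ip_address(src) not in ip_network(rule.src):
            continue
        if rule.dest and ip_address(dst) not in ip_network(rule.dest):
            continue
        dev = fib_lookup(tables[rule.lookup], dst)
        if dev:
            return dev
    return fib_lookup(tables["main"], dst)

# Step 5 of the first post: lan2 and the phone tunnel wg0 both use table 2.
THREAD_RULES = [
    Rule(2, "2", in_if="lan2", dest="0.0.0.0/0"),
    Rule(3, "2", in_if="wg0", dest="0.0.0.0/0"),
]
ROUTER_WIDE = [Rule(2, "2", dest="0.0.0.0/0")]  # the 'everyone uses Mullvad' variant asked about

def exception_rule(priority):
    """The 'single IP on LAN2 uses WAN' rule from the thread, at a chosen priority."""
    return Rule(priority, "main", src="192.168.200.238/32", dest="0.0.0.0/0")
```

Running `egress` with the router-wide variant shows the point made above: the router's own reply packets to the phone (no ingress interface) are sent to table 2 and leave via wg_mv, while the step-5 rules send them via wan. It also shows that the exception rule at priority 4 never fires, because the priority-2 catch-all for lan2 matches first; the same rule at priority 1 does.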

Alright! Perfect! Thank you so much. Will try this asap.

I am really, really happy you could help me! I bow before people like you, who share their knowledge and keep open source projects alive!


One new interesting thing is happening now. My adblocker is no longer used. I use the adblock addon for OpenWRT. With the phone tunnel before, this worked perfectly. I had no ads in my phone browser. With the new VLAN and access to Mullvad it seems to no longer work. So I activated my old PiHole again, changed settings in "DHCP and DNS" (DNS Forwarding) and also added the "Force" option and 6,192.168.100.2 (my Pihole IP) in the LAN2 DHCP-Options (Advanced Settings).

The interesting thing is that from that moment the traffic coming from my LAN/WLAN clients is using the pihole, but not the phone. I can give a DNS server in the Wireguard app, which is set to the Mullvad one, which is not blocking. Without the VLAN this was used (I guess) to find my DynDNS IP, and then the DNS from Adblock/Router/PiHole. Now it seems to keep using the Mullvad one.

Do I have to change more regarding the firewall zones/interfaces/VLANs for DNS/Adblock?

:man_facepalming:

Wow...you didn't mention a router-based DNS adblocker...

No. You should just assign the router's IP as your DNS server (like normal). DNS requests from the router will use WAN though.

This is your problem with the phone! Set this to your router's IP. Of course blocking stops if you configure another DNS server without adblock.

I am sorry. Okay, I should emphasize this more often. :flushed: But well, this goes already beyond the question itself.

It is a little weird but it is working. Using the pihole as a DNS in LAN works fine, as mentioned. It is used when using "Use custom DNS servers" with the pihole IP in the LAN2 interface. The Wireguard tunnel on my phone on the other hand MUST use the router's IP as you said. I do not really understand why I cannot use the pihole's directly, since it also should be seen in the network, but the setup now is alright I think. So Wireguard asks the router, which asks the pihole. Interesting is also, nevertheless, that the blocking only works when the pihole is used. If I do not change the DNS config in the router (so it should use the internal adblocker, not the pihole), only the LAN2/WLAN clients block, not the phone. But seriously, this does not matter for me.

For clarity, where is your adblock installed?

That should be your DNS server issued to clients.

Adblock is installed as an OpenWrt plugin (adblock 3.5.5-3) via LuCI. Pihole runs independently on a Pi with a fixed IP. So this is why I like the pihole, I know where it is. The adblocker inside the router works with routing, a thing which, as you saw, is new for me. :smiley:

The REALLY funny thing is that the blocking on my phone only works when the pihole runs; on the other hand the queries from my phone are not seen in the pihole. So it seems the phone uses the adblocker from OpenWrt, but can only do so when setting the pihole as custom DNS server. :open_mouth:

I disabled the adblock functionality now. Result: adblocking still working, so it seems to be the Pi! Now Mullvad also does not say I have DNS leaks. All requests go to the pihole now! I guess before I had two DNS servers running in parallel.

UPDATE: after reboot blocking was gone again. So it seems the pihole is not used from my phone!

Your router IP rotates??? Wow.

That would make [more] sense.


Please tell me if I should open a new ticket, since the original question was answered. Nevertheless it is with focus on my system now, described above.

I found a new issue (might be the same as with the DNS things):
when connected to my router with the new fancy setup of two VLANs and two tunnels I cannot reach my Nextcloud anymore. This is just a Raspi with DynDNS and port forwarding. I connected it to the VLAN without Mullvad. Reaching it from outside (phone LTE, no tunneling) works perfectly. But I cannot reach it anymore from the inside. Since it is in another VLAN it is clear that I cannot reach it by IP. But why can I not go from my PC/phone over Mullvad, use their DNS, look up my DynDNS IP and come back over the internet into the WAN port? All I found online was to activate NAT loopback, which is enabled for the port forwardings. Anything more to consider?

I guess this is the same problem as with the PiHole. After some more research I found out that I can only use/ping it when I am in the LAN/WLAN, not when I am coming from the phone tunnel. So this is the reason why I cannot choose it as a DNS server and have to choose the router as DNS, and also see no adblocking on the phone when I disable the OpenWrt adblocking (since all DNS requests from the phone do NOT run over the pihole).

Of course not. You just don't understand the routing.

Oh my...another thing not mentioned...but it's OK. :smiley:

That's not clear at all. Just make another rule for 192.168.100.0/24, priority 5, lookup main (you may have to flip priorities with the more-specific 0.0.0.0/0 rule).

config rule
	option in 'lan2'
	option dest '192.168.100.0/24'
	option priority '5'
	option lookup 'main'

You're in essence leaking traffic out of your VPN by placing more rules for not using Table No. 2 - perhaps that will give you a better perspective. I wanted to highlight this because of the DNS details, wanting to reach devices in LAN1, excluding individual IPs, etc. Most people don't want VPN leaks, so just wanted to note it.

No clue why you considered that even. NAT loopback on OpenWrt is not quite like on other routers; and nonetheless, I don't think you're using the word appropriately anyways.

On OpenWrt, loopback works to test WAN access for the IP/port in question (i.e. running a personal web server on a desktop and testing loopback). You keep mixing routing and firewalling. It's OK, I did that too when I first learned policy-based routing. :smiley:

:confused:
???

  • Does Mullvad allow inbound traffic!?!?
  • Who said you can't use their DNS? You want adblocking, correct? If Mullvad offers that, sure - use them!
  • If you take the routes and rules out, how would your devices send the reply traffic (e.g. the reply phone_vpn traffic) via WAN!?!? (Explain with VPN still working router-wide)
  • Why would you connect to a VPN, to go through the VPN - to then access your router...without VPN? That makes 0 sense to me...or I misunderstood the question.

Then allow it. Permit forwarding from phone_vpn to lan1. Simple. The router doesn't magically know you want to make another route then permit it through the firewall - I learned that too when first doing routes/firewalls.

You don't have to, it's the router itself - there's no routing! Any traffic to any IP arriving on the router is simple input as far as the router's concerned (as long as you have 1.) a route for that interface [if needed]; and 2.) you permit it in the firewall!).

Okay, I see your questions and confusion and try to make things a little clearer.

At the moment there are two open problems.

  1. Nextcloud things
  2. DNS things

To 1.:
I was not able to access the Nextcloud via IP from inside my network. So I thought it would be possible to access it via my DynDNS name. Both were not possible. Forget my thoughts about Mullvad (the thing where you just wrote "???"). Basically I just want to reach it. End of story.

I added the routing rule you suggested (varied it to only allow the one IP of my Pi) and it works nicely. I can reach the Nextcloud from lan2. Then I added the same rule for wg0 (phone) and can also reach it via phone from inside the tunnel via IP. Nevertheless I still cannot reach it via the DynDNS name. This is not a MUST-HAVE but would be very nice to avoid configuration issues when changing connection or using the system outside the tunnel. Access without the tunnel works well. The Pi does not use the tunnel (connected to lan, not lan2), which is okay for me, since I want the possibility to reach it from computers without any tunnels too. So what do I have to do to reach it via the DynDNS name (the domain) from my network too? Before I created the VLANs this was not a problem and was also the thing I thought "NAT Loopback" stands for.

To 2.:
The DNS still behaves a little weird. When using the adblocker in the router (just enabled it), adblocking when using the phone works. In the router nevertheless I configured under "DHCP and DNS" on "DNS Forwarding" the IP of my pihole, which uses lan2! All devices in the network seem to use the pihole, but Mullvad tells me I leak DNS, although the pihole itself uses the Mullvad DNS. When disabling the router-internal adblock the leak is gone, but the phone cannot block anymore.
This tells me two things: 1. the phone cannot see the pihole, although it uses lan2 and is in the same fw zone. I think I need a new route, but I could not figure out how, since it is already in lan2. All rules you have told me would route over the main lookup or lookup 2 to decide which interface leaves the router (Mullvad or no Mullvad). So how to configure here? 2. it tells me that the adblock inside the router has a DNS configuration problem which is gone when I disable the internal block. I guess the best would be to just always use the pihole and also configure it inside the Wireguard interface in the phone.

So I think I have to create a rule from phone_vpn to the pihole.

I tried (pihole has 192.168.200.2):

config rule
	option in 'wg0'
	option dest '192.168.200.2/32'
	option priority '4'
	option lookup '2'

but it did not work. I think I still mess things up here. I have understood that the firewall and the routes/rules are different things. But nevertheless I do not get how to allow access from one interface to a specific different one. Maybe I need a new route as well (table 3) only for lan2 and then let the phone point to it?

Figured 2. out by myself.
I added the pihole to VLAN1, so it does not use Mullvad. Then I added the same rules as for the Nextcloud server. Now I can reach the pihole from the phone and from lan2 in general. I disabled the internal adblocker and added the pihole's IP as the DNS to forward in the "lan" interface, the "lan2" interface and in "DHCP and DNS". I had to enable "Strict Order" under "DNS and DHCP" Advanced Settings nevertheless. By using the Mullvad DNS in the pihole I now route all DNS queries over the pihole from all members of the network, see no ads anymore and also do not get any DNS leaks from Mullvad anymore.

I still cannot access the Nextcloud and see some weird DNS behaviour sometimes. Since the original questions are all answered I will open new tickets and leave this one marked as solved. Thank you for your help again!
