Wireguard setup: Mullvad Client + Server for Android

Alright. Sorry for being that newbie... I never worked with VLANs before. I really appreciate your help!

I have now created a new VLAN eth0.3 under Switch. Then I recreated lan2 and chose eth0.3 and bridge mode. Static address, IPv4 192.168.200.1, netmask 255.255.255.0. Nothing else changed. Now it is like lan, only with a different IP. Activated DHCP, handing out IPs from 192.168.200.100-250.
Firewall zone for Mullvad created, wg_mv assigned to it and removed from the lan2 fw zone.

  • You then place traffic on this LAN (in Network > Switch

Like this?

Interfaces seem to work fine, only LAN2 does not show RX packets.

Yes, but you haven't moved traffic over yet.

  • LAN1 (eth0.1) - normal Internet
  • LAN2 (eth0.3) - VPN

Changing all VLAN1 ports to VLAN3 should switch them.

  • Be sure you added the IP routes and rules for LAN2 and phone_vpn
  • Your Ethernet devices will lose connectivity after applying; they will need to get a new DHCP lease on LAN2!

Alright, done. It looks the same now. Nevertheless nothing changed. It seems that LAN is still used instead of LAN2. What can go wrong here?

In addition: LAN2 is a bridged device, but which elements should be included in the bridge? Am I right that the Mullvad interface should be included? Because otherwise my new VLAN would not be used for the VPN, right? Or is this only done via the rules?

If you use WiFi, you have to move it.

Wrong. I stated:

It should be in its own firewall zone, so you can allow forwarding from LAN2 to VPN.

Correct!

Switching WiFi did the trick. I got a new IP from the new range, and LAN stopped sending packets; LAN2 became active. Unfortunately internet access stopped for everyone in the network. Mullvad seems to work nevertheless (VPN PBR shows me valid IPs for all interfaces) and I also see packets in the interface view. So I think this is a routing rule issue.

In /etc/config/firewall I added:

config rule
	option in 'lan2'
	option dest '0.0.0.0/0'
	option priority '2'
	option lookup '2'

config rule
	option in 'wg0'
	option dest '0.0.0.0/0'
	option priority '3'
	option lookup '2'

config route
	option interface 'wg_mv'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option table '2'

as you wrote. My phone WireGuard interface is called wg0, so I replaced phone_vpn. The fw zones are: lan contains the lan interface (eth0.1), wan contains eth0.2, wg_mv contains the wg_mv interface, lan2 contains eth0.3 and wg0.

Here again is a screenshot of the new firewall view. I added forwarding from the LAN2 zone to the Mullvad zone and accepted forwarding.

These go in /etc/config/network !!!

(Apologies for not specifying this - they are routing rules, NOT firewall rules.)

2 Likes

Alright, thanks for the correction! I will try tomorrow! Thank you a lot!

Holy sh*t!!! It works!!! Connecting over WLAN in my network: Mullvad says it is connected. Connecting via LTE: Mullvad says connected. I can also access my devices over LTE! Man, thank you so much!

There are two things I have to find out now: how to let some devices not use the tunnel (this already worked with the VPN PBR plugin for me, but I am not sure if this can be combined with your rules easily), and then I really need some time and maybe an explanation of why this works.

See: in different forums (like the one from my link) it's said the firewall doesn't like to route from WAN to VPN. So now all my devices are part of a new virtual LAN (eth0.3). Why does this help here? Also, my new firewall rules only say that routing from LAN2 to VPN is fine, but why does the routing from the VPN server (phone) work? Can you explain this to me in some simple words? Especially the routing rules. "option in" and "dest" are clear, but what do "lookup" and "table" do? I would really love to understand this and avoid asking noob questions next time.

I will also write down everything I did following your guide in a small structured text to allow others to find it, and post my config files.

1 Like

Here is what I did:

1: add a WireGuard tunnel to your phone like described here. My interface name is wg0.


Reboot and make sure the tunnel works. There are many different tutorials for that. Read on once it works.

2: add a Wireguard interface for Mullvad following this guide:


Important: do not activate "Route Allowed IPs"; ignore DNS stuff for the beginning. DNS leaks are something for later.
The interface name for me is wg_mv.

3: add a new VLAN (Network/Switch) by clicking on "Add". Set eth0 to tagged, the rest to off.

4: add a new interface "lan2", configured like "lan", with a different IPv4 range (for example my LAN starts at 192.168.100.1, lan2 at 192.168.200.1).
Configure DHCP so that the two ranges do not collide (when using my IPs, leave it as it is, since it will give addresses from 100 to 250).
Under Physical Settings: set "bridged interface", choose the new VLAN eth0.3 as interface.

5: add the following rules in /etc/config/network

config rule
	option in 'lan2'
	option dest '0.0.0.0/0'
	option priority '2'
	option lookup '2'

config rule
	option in 'wg0'
	option dest '0.0.0.0/0'
	option priority '3'
	option lookup '2'

config route
	option interface 'wg_mv'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option table '2'

Change the interface names to fit yours when not using mine. "wg0" is the "phone tunnel" (server), "wg_mv" the one for Mullvad (client).

6: configure the firewall like this:

lan: lan -> wan; accept, accept, accept
wan: wan -> reject; reject, accept, reject, Masquerading on, MSS clamping on
lan2: lan2 -> wg_mv; accept, accept, accept
wg_mv: wan -> reject; reject, accept, reject, Masquerading on, MSS clamping on

lan zone contains: lan
wan zone contains: wan, wan6
lan2 zone contains: lan2, wg0
wg_mv zone contains: wg_mv

7: now switch traffic from eth0.1 to eth0.3. You do this under Network/Switch by setting all untagged ports in eth0.1 to off, and all off ports (besides WAN) on eth0.3 to untagged. Leave WAN as is in eth0.3, and also CPU.

8: now move your WiFi interfaces from lan to lan2.

9: reboot and check am.i.mullvad.net. It should show green (maybe not DNS) from the phone and from the LAN.

Errors I made:

  • for switching traffic you must also move the WiFi interfaces. Only switching the wired traffic when the connected devices are on WLAN does nothing.
  • make sure to add the rules under /etc/config/network, nowhere else!
  • make sure to have a firewall zone for Mullvad (wg_mv), and a new one for lan2, containing lan2 AND wg0 (phone tunnel).
  • do not play around with VPN PBR before. This should also work somehow, but with these steps I could make it work, not before!

In the end it should look like this (or similar):
Switch_Final

1 Like
  • Just move an Ethernet switch port back to VLAN1 (or an SSID on LAN1) - that's why I suggested you set up the LAN2 leaving the original LAN intact. :smiley:
  • You can also make individual rules per IP (being sure to change the priority number in increasing order).

Simple:

They're wrong then. And it's not WAN, it's a VPN interface to VPN. :smile:

Not sure what you're asking since I don't know what needed "help".

Phone <-> Tunnel <-> WAN
Simple.

Lookup and table refer to the routing table. The rules:

  1. created a route to the Internet via Mullvad on Table No. 2; and
  2. told all traffic using the phone_vpn and lan2 interfaces to use it. The special VPN route was added to Table No. 2.

See:

Alright thank you! :smiley:
There are some things I do not really understand at the moment but like I said, I need some time for it.

I think I will move one WLAN interface to LAN1 and one to LAN2 so everyone in the network can decide which variant to use. So far I really like the idea of the two VLANs, and yes, maybe I just connect my TV to one port mapped to LAN1.

BUT:
if I get this right, this is all not about the VLANs, right? So this would also be possible without the new LAN interface.
I will not try this out since this is working, but am I right that this would also be possible to realize by putting the phone wg interface in the lan zone, skipping the VLAN and switch traffic part, then just adding the traffic rules, and we end up in a setup where everyone uses Mullvad, also the phone?

Your phone would stop working!

You have to have a default (normal) Internet rule so the phone works (uses WAN to reach your phone and not VPN). Otherwise the router would send the reply traffic to Mullvad and not on the ISP; and it therefore fails. This is why I suggested creating the second network/rules that use VPN.

Okay got it!

So I guess, by adding a specific IP that should NOT use Mullvad but is connected on the same port (lan2), I would add in addition:

config rule
	option in 'lan2'
	option dest '0.0.0.0/0'
	option src '192.168.100.238'
	option priority '4'
	option lookup '3'

config route
	option interface 'wan'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option table '3'

  • increased priority
  • add new table
  • add new rule
  • set specific src ip

Did I get this right? Otherwise I will try VPN PBR again...

No, leave lookup and table at 2, your syntax incorrectly creates a table no. 3. Also, you don't need to make another route, it already exists at Table No. 2.

Next, if this IP is already on LAN2, the rule is ineffective anyways. Remove the option in 'lan2' - you would use this method for an IP in LAN1 to use VPN:

config rule
	option dest '0.0.0.0/0'
	option src '192.168.100.238/32'
	option priority '4'
	option lookup '2'

This is VPN PBR! :wink:

Also, this already exists on the main table; but your syntax is incomplete anyways - as a Layer 2 interface needs a gateway IP specified to work.

AAAAH! Correction (I realized you use the wrong subnet and I got confused):

config rule
	option dest '0.0.0.0/0'
	option src '192.168.200.238/32'
	option priority '4'
	option lookup 'main'

This will make a single IP on LAN2 use WAN.

Be sure to go to the firewall and allow forwarding from LAN2 to WAN!

1 Like
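As an added illustration of what "lookup" and "table" do, not part of the thread: this script parses the step-5 fragment into the tables its rules reference and flags what is wrong with the per-IP exception as first posted (table 3 has no route, the src address is not in lan2's subnet, and the lower-numbered lan2 catch-all is consulted first). The subnets come from the thread; the /24 masks and the sample fragment are constructed.

```python
import ipaddress
# Constructed sample from this thread: step-5 lan2 rule and table-2 route, plus the per-IP exception as first posted.
UCI_NETWORK = """
config rule
    option in 'lan2'
    option priority '2'
    option lookup '2'
config route
    option interface 'wg_mv'
    option target '0.0.0.0'
    option netmask '0.0.0.0'
    option table '2'
config rule
    option in 'lan2'
    option src '192.168.100.238'
    option priority '4'
    option lookup '3'
"""
SUBNETS = {"lan": "192.168.100.0/24", "lan2": "192.168.200.0/24"}  # from the thread, /24 assumed
BUILTIN_TABLES = {"main", "local", "default", "253", "254", "255"}  # tables that always exist

def parse_uci(text):
    sections = []  # list of (section_type, {option: value})
    for words in (line.split() for line in text.splitlines()):
        if words[:1] == ["config"]:
            sections.append((words[1], {}))
        elif words[:1] == ["option"] and sections:
            sections[-1][1][words[1]] = " ".join(words[2:]).strip("'\"")
    return sections

def check_policy_routing(text):
    # Returns problem strings; an empty list means the rules and routes agree.
    sections = parse_uci(text)
    default_tables = {o["table"] for k, o in sections  # tables given a default route
                      if k == "route" and o.get("target") == "0.0.0.0" and "table" in o}
    # As with 'ip rule', the lowest priority number is consulted first.
    rules = sorted((o for k, o in sections if k == "rule"), key=lambda o: int(o["priority"]))
    problems = []
    for i, r in enumerate(rules):
        tag, table = f"priority {r['priority']}:", r.get("lookup", "main")
        if table not in BUILTIN_TABLES and table not in default_tables:
            problems.append(f"{tag} lookup table {table} has no default route")
        if "src" in r and r.get("in") in SUBNETS and ipaddress.ip_address(
                r["src"].split("/")[0]) not in ipaddress.ip_network(SUBNETS[r["in"]]):
            problems.append(f"{tag} src {r['src']} is not inside {r['in']} ({SUBNETS[r['in']]})")
        # Lookup stops at the first matching rule whose table yields a route, so an earlier catch-all wins.
        if any(e.get("in") == r.get("in") and "src" not in e and e.get("lookup") in default_tables
               for e in rules[:i]):
            problems.append(f"{tag} never reached, an earlier rule already routes all {r['in']} traffic")
    return problems
```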

Alright! Perfect! Thank you so much. Will try this asap.

I am really, really happy you could help me! I bow before people like you, who share their knowledge and keep open source projects alive!

2 Likes

One new interesting thing is happening now. My adblocker is no longer used. I use the adblock addon for OpenWrt. With the phone tunnel before, this worked perfectly. I had no ads in my phone browser. With the new VLAN and access to Mullvad it seems not to work anymore. So I activated my old Pi-hole again, and changed settings in "DHCP and DNS" (DNS Forwarding) and also added the "Force" option and 6,192.168.100.2 (my Pi-hole IP) in LAN2 DHCP Options (Advanced Settings).

The interesting thing is that from that moment the traffic coming from my LAN/WLAN clients is using the Pi-hole, but not the phone. I can give a DNS server in the WireGuard app, which is set to the Mullvad one, which is not blocking. Without the VLAN this was used (I guess) to find my DynDNS IP, and then the DNS from Adblock/Router/Pi-hole. Now it seems to keep using the Mullvad one.

Do I have to change more regarding the firewall zones/interfaces/VLANs for DNS/Adblock?

:man_facepalming:

Wow...you didn't mention a router-based DNS adblocker...

No. You should just assign the router's IP as your DNS server (like normal). DNS requests from the router will use WAN though.

This is your problem with the phone! Set this to your router's IP. Of course blocking stops if you configure another DNS server without adblock.

I am sorry. Okay, I should emphasize this more often. :flushed: But well, this goes already beyond the question itself.

It is a little weird but it is working. Using the Pi-hole as a DNS in LAN works fine, as mentioned. It is used when using "Use custom DNS servers" with the Pi-hole IP in the LAN2 interface. The WireGuard tunnel on my phone, on the other hand, MUST use the router's IP as you said. I do not really understand why I cannot use the Pi-hole's directly, since it should also be visible in the network, but the setup is alright now, I think. So WireGuard asks the router, which asks the Pi-hole. Interestingly, the blocking only works when the Pi-hole is used. If I do not change the DNS config in the router (so it should use the internal adblocker, not the Pi-hole), only the LAN2/WLAN clients block, not the phone. But seriously, this does not matter for me.

For clarity, where is your adblock installed?

That should be your DNS server issued to clients.