It successfully connects (Handshake OK - I have an IP Address on the wireguard peer). The WG interface in OpenWRT is configured in the vpn firewall zone. Whenever I set the option to Route Allowed IPs on the peer in the WG configuration, it shows an IP address, but never handshakes. This is already an issue that I need to resolve I think.
The WAN interface has a private IP Address which is assigned by my ISP's Router.
My OpenWRT router is the DHCP Server, DNS Server for my home network.
My WAN DNS servers are set to the SurfShark DNS servers.
I have tried setting the LAN zone in my firewall to forward just to my vpn zone:
I have enabled and disabled masquerading on the LAN zone. I have tried everything I can think of - configuring the clients to use the VPN DNS addresses, to use the OpenWRT router's address as DNS server - to no avail.
I have spent all day yesterday and all of this morning trying different settings as suggested in different threads in this forum, but cannot for the life of me get traffic to route through the VPN. I have pbr installed - but have completely disabled / stopped the service for troubleshooting. Any ideas?
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd00:ab:cd::/48'

config device
	option name 'eth0'
	option macaddr 'xx:xx:xx:xx:xx:xx'
	option ipv6 '0'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'
	option metric '20'
	option peerdns '0'
	list dns '149.154.159.92'
	list dns '162.252.172.57'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	option ipv6 '0'

config device
	option name 'eth1'
	option macaddr 'xx:xx:xx:xx:xx:xx'
	option ipv6 '0'

config interface 'lan'
	option device 'eth1'
	option proto 'static'
	option ip6assign '60'
	list dns_search 'mydomain.local'
	list ipaddr '192.168.1.254/24'
	option delegate '0'
	option gateway '192.168.2.1'   # <- the private IP of my ISP Router, also tried 127.0.0.1 - which should it be?
	option broadcast '192.168.1.255'

config interface 'wg1'
	option proto 'wireguard'
	option private_key 'privatekey'
	list addresses '10.14.0.2/16'
	list dns '162.252.172.57'
	list dns '149.154.159.92'

config wireguard_wg1
	option description 'London'
	option public_key 'publickey'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host 'uk-lon.prod.surfshark.com'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	option route_allowed_ips '1'
Please don't redact rfc 1918 ip addresses.
This does not provide any additional privacy, but it does make debugging more difficult.
Remove the gateway and broadcast options.
Make sure the lan and wan interfaces do not share the same ip subnet (192.168.1.0/24).
If so, set another LAN IP address in a different subnet, e.g. 192.168.2.1/24.
There are specific requirements regarding the IP address and the endpoint port used:
You are using the IP address from the example and the port is definitely wrong...
You don't need masquerading on the LAN zone.
Note that the current firewall configuration has a "killswitch" set, meaning that if there is no working wireguard connection, there is no Internet access for the LAN clients.
Hi! Thank you @pavelgl for taking the time to reply.
I have tried your suggestion (removing the gateway and broadcast options from my lan interface, and removing masquerading on the lan zone).
I have double, triple, quadruple checked my wg1 interface and peer settings. Despite appearances, what I had is correct.
Still stuck with no handshake when I enable Route Allowed IPs on the wg peer. But I do get a handshake if this option is not checked (which is further indication that my wg config is correct).
I'll keep trying.
Thanks. I have updated my post.
The LAN and WAN do not share the same subnet. I have removed gateway and broadcast options. What would be useful for novices is to understand why we should remove these options. There should be nothing wrong with what I entered - or do you see that as a potential source of problems?
What makes you say that? It's a little presumptuous to assume I'm wrong. Here's an example file generated on the SurfShark Website to configure a Wireshark connection on OpenWRT. (The keys shown in this example are not currently valid so I did not redact them.)
The Surfshark wording "Enter the last 5 digits from the IP address of the configuration file" is a little misleading. Endpoint in the file shows the fqdn and the port number. The port number is indeed 51820. All my wg configuration is correct.
#
# Use this configuration with WireGuard client
#
[Interface]
Address = 10.14.0.2/16
PrivateKey = mFN8tfoNIjkurz5rwlFAFRJhaj6M/N6IMOjY3obgXEM=
DNS = 162.252.172.57, 149.154.159.92
[Peer]
PublicKey = iBJRXLZwXuWWrOZE1ZrAXEKMgV/z0WjG0Tks5rnWLBI=
AllowedIPs = 0.0.0.0/0
Endpoint = uk-lon.prod.surfshark.com:51820
The reason why I stated that I had enabled and disabled it, was because it should not be needed, but in troubleshooting, I was trying suggestions from other threads here. I have disabled masquerading on my lan zone.
Thank you. This is to ensure that I can test a working Wireguard tunnel. This is not the desired end configuration, but not being able to handshake with the Route Allowed IPs checked on the peer is my issue. I need to get the tunnel working first before finalising any routing rules with pbr.
Probably best to test this way and remove the kill switch afterwards.
You are using the WAN interface to connect to the main router, so the default gateway should be set on that interface (in your case via dhcp).
Setting a gateway to the LAN interface is used when the device acts as a dumbAP and uses its LAN interface to access the Internet. Also, the IP address set to the interface and the default gateway must be on the same IP subnet.
The broadcast address is automatically calculated based on the IP address and subnet mask, so don't set it to avoid mistakes.
Sorry for misleading you, I don't use Surfshark.
I just read the guide you linked and it seemed unlikely to me that all clients were using the same IP address. There were also clear instructions regarding the endpoint port.
The only remaining explanation (to me) is a wrong routing table. When route_allowed_ips is enabled, there must be a dedicated route for the Surfshark server via the wan port.
Run ip -4 ro li and look for a line like this:
<Surfshark_IP> via 192.168.2.1 dev eth0 proto static metric 20
If it's there, I give up.
Also, I assume you are not using pbr or mwan3.
EDIT:
You use `wg show` to verify the handshake, right?
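The routing condition described above, as an added example that is not from this thread or from OpenWrt: with route_allowed_ips on and allowed_ips 0.0.0.0/0, the default route points into wg1, so the router must also hold a host route that sends the endpoint's own IP via the WAN gateway, or the handshake packets get routed into the tunnel they are trying to build. Assumed names: WAN device eth0 and gateway 192.168.2.1 as in the thread; 203.0.113.10 is a constructed placeholder for the resolved endpoint address.

```shell
#!/bin/sh
# Example check (not the thread's own code) for the "dedicated route for the
# Surfshark server via the wan port" that must exist when route_allowed_ips=1.

# has_endpoint_route ROUTES ENDPOINT_IP WAN_DEV
# ROUTES is the text of `ip -4 route list`; returns 0 if a host route for
# ENDPOINT_IP via WAN_DEV is present, 1 if not.
has_endpoint_route() {
	ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')
	printf '%s\n' "$1" | grep -qE "^${ip_re}(/32)? via [0-9.]+ dev $3( |$)"
}

# default_via_wg ROUTES WG_DEV: 0 if a default route leaves through WG_DEV,
# which is what route_allowed_ips with 0.0.0.0/0 installs.
default_via_wg() {
	printf '%s\n' "$1" | grep -qE "^default (via [0-9.]+ )?dev $2( |$)"
}

# diagnose ENDPOINT_HOST WAN_DEV WG_DEV: live check on the router itself.
# Resolves the endpoint (busybox nslookup output assumed), inspects the real
# routing table and prints the latest handshake age from `wg show`.
diagnose() {
	ep=$(nslookup "$1" 2>/dev/null | awk '/^Name/{f=1} f && /^Address/{print $2; exit}')
	routes=$(ip -4 route list)
	if has_endpoint_route "$routes" "$ep" "$2"; then
		echo "ok: host route for $ep via $2 present"
	else
		echo "missing: no host route for $ep via $2 (handshake cannot complete)"
	fi
	default_via_wg "$routes" "$3" && echo "default route goes out $3"
	wg show "$3" latest-handshakes
}

# Constructed sample of `ip -4 ro li` output for the OP's network with the
# tunnel up and the endpoint host route in place (not real captured output).
SAMPLE_OK='default dev wg1 proto static scope link
default via 192.168.2.1 dev eth0 proto static src 192.168.2.50 metric 20
10.14.0.0/16 dev wg1 proto kernel scope link src 10.14.0.2
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.254
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.50 metric 20
203.0.113.10 via 192.168.2.1 dev eth0 proto static metric 20'

# Same table with the host route missing: the failing case from the thread.
SAMPLE_BAD=$(printf '%s\n' "$SAMPLE_OK" | grep -v '^203\.0\.113\.10 ')
```

Run `diagnose uk-lon.prod.surfshark.com eth0 wg1` on the router; the two sample tables only exercise the parsing functions offline.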
OK. I have reflashed my router with a fresh install - and have got the handshake sorted out.
Thanks, that's clear.
I have now activated pbr - now that my tunnel handshake is working after reflashing.
The handshake is working. With both my wan0 and wg1 interfaces in the wan firewall zone, with router weighting - I can get all traffic successfully through the tunnel without DNS leaks.
What I am looking to do is get specific domains (including their respective DNS queries) to go through the tunnel. I can't get it working despite specifying hundreds of domains to forward DNS requests through the wg tunnel and setting up pbr to route traffic to the wg / surfshark DNS servers through the tunnel... Something (DNS) is leaking somewhere.
This is a more specific DNS configuration / pbr issue. Thanks for your help and replies!
OK. So now that I have got the WG tunnel working - I have set gateway and DNS metrics to a lower value on the Wireguard interface, and a high value on my wan interface. Both are in the wan FW zone.
By default, the traffic goes through the WG tunnel, without any DNS leaks.
I have set up PBR in OpenWRT to route based on DSCP Tagging, and then have set up policies on my windows machines to flag one browser that I use to navigate certain websites with DSCP tag of 1 and my main browser with a DSCP tag of 2. PBR then routes DSCP tag 2 through the wan interface, and DSCP tag 1 through the default WG interface.
I have achieved all of my goals in routing certain traffic through my WG tunnel without any DNS leaks, and can route other clients through the wan interface based on their IP address.
Happy to share my config with anyone that is interested.