WireGuard VPN is not working with ProtonVPN

Hi. I tried my best to install the WireGuard config from ProtonVPN and use it, but it seems like it is not even changing the IP of my device. I've followed IVPN's guide to install ProtonVPN's WireGuard config. The Guide.


I also set up the firewall for WireGuard.
DEBUG =

ubus call system board
{
	"kernel": "5.15.150",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7628AN ver:1 eco:2",
	"model": "Xiaomi MiWiFi 3C",
	"board_name": "xiaomi,miwifi-3c",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.3",
		"revision": "r23809-234f1a2efa",
		"target": "ramips/mt76x8",
		"description": "OpenWrt 23.05.3 r23809-234f1a2efa"
	}
}
cat /etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd77:2066:a820::/48'

config interface 'wan'
	option device 'eth0.1'
	option proto 'dhcp'
	option peerdns '0'
	list dns '10.0.254.3'
	option metric '30'

config interface 'wan6'
	option device 'eth0.1'
	option proto 'dhcpv6'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '2 4 6t'

config interface 'WG0'
	option proto 'wireguard'
	option private_key '2C7Fk2uPLU2xbCPQXqVpBVi1T2SuD/cW/6NMKf7XNWw='
	list addresses '10.2.0.2/32'
	list dns '10.2.0.1'
	option mtu '1412'

config wireguard_WG0
	option description 'NatherLand'
	option public_key 'bF0RahG8sdUqVt/3Q3Awy46kJ06zV0mzywelGyM/DVw='
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '169.150.218.1'
	option endpoint_port '51820'
	option persistent_keepalive '20'

config rule
	option lookup '100'
	option src '10.2.0.2/32'
	option priority '1'

config route
	option target '0.0.0.0/0'
	option table '100'
	option interface 'WG0'
cat /etc/config/firewall
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'wg_fw'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'WG0'

config forwarding
	option src 'lan'
	option dest 'wg_fw'
wg show
interface: WG0
  public key: 2MGj9n+Q6/ZKGmZkWbAIecbf7ox490w59vueviQhsDE=
  private key: (hidden)
  listening port: 60786

peer: bF0RahG8sdUqVt/3Q3Awy46kJ06zV0mzywelGyM/DVw=
  endpoint: 169.150.218.1:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 53 seconds ago
  transfer: 1.08 KiB received, 4.38 KiB sent
  persistent keepalive: every 20 seconds

Use this setup; it works fast here:

Using this: list dns '10.0.254.3' as the only DNS server is usually a bad idea. This server is only available after the tunnel is up, and often you need DNS (for correct time or endpoint resolving) before the tunnel is up, so you might end up in a catch-22 situation.
Just use a publicly available DNS server, e.g. 1.1.1.1 or 9.9.9.9.

It looks like you want to use PBR to have only some of your LAN clients use the tunnel?

You made a routing table 100 with a default route via the WG tunnel; that is fine, but the rule to use this routing table is wrong:

The source should be a local LAN client, e.g. 192.168.1.X, and not the WG address.

Furthermore, you have set metrics on some interfaces, which have no meaning in this case as you are not setting the WG interface as the default route anyway (by not enabling Route Allowed IPs).

2 Likes

When starting out, don't use PBR or multiple routing tables. If you set allowed_ips 0.0.0.0/0 and route_allowed_ips, proper entries will be made into the default routing table. You can add more sophisticated routing later but it appears that you want to send everything into the tunnel anyway.

It appears that you've posted an actual private key. You need to generate new keys immediately.

1 Like

Thank you for all the details. I've reset my router and done all the things again.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd78:7645:17c7::/48'

config interface 'wan'
	option device 'eth0.1'
	option proto 'dhcp'
	option peerdns '0'
	list dns '9.9.9.9'

config interface 'wan6'
	option device 'eth0.1'
	option proto 'dhcpv6'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '2 4 6t'

config interface 'WireGuard_1_NL'
	option proto 'wireguard'
	option private_key '+EtW/+2BvW8='
	list dns '10.2.0.1'
	option mtu '1412'
	list addresses '192.168.1.1/24'

config wireguard_WireGuard_1_NL
	option description 'Natherland'
	option public_key 'V0F3qTpofzp/='
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '185.107.56.106'
	option endpoint_port '51820'
	option persistent_keepalive '25'

FIREWALL CONFIG

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'WG_NL'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'WireGuard_1_NL'

config forwarding
	option src 'lan'
	option dest 'WG_NL'

It is still not working. What am I doing wrong here?

Yes, I did. Thanks.

This list addresses entry of the WG interface cannot be correct.

Yes, but this was 10.2.0.2/32, which I got from Proton, and it didn't work.

You need to be 10.2.0.2 since that is the IP that will originate all of your NATed traffic, and likely it is the only allowed_ip set up for you on their server. Their end of the tunnel is 10.2.0.1. Using a /24 netmask will allow you to readily ping their end (assuming it returns pings).

Tunnel addresses need to be outside the IP ranges used for any other LANs in the network, so using 192.168.1.X is definitely going to break a lot of things.

The main problem is that you didn't add option route_allowed_ips '1' to the client section.

1 Like
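The advice in this thread boils down to four checks on /etc/config/network: no private-range resolver as the only DNS on wan, a PBR rule whose src is a LAN client rather than the tunnel address, a tunnel address that does not overlap a LAN subnet, and route_allowed_ips '1' on the peer when allowed_ips is 0.0.0.0/0. The script below is an added example, not code from the thread or from OpenWrt; it parses UCI syntax with a small hand-written parser and runs those checks over constructed sample configs modelled on the two posted above (section names and addresses follow the thread, keys are left out, and the sample layout is an assumption).

```python
import ipaddress
import shlex


def parse_uci(text):
    """Parse UCI 'config' / 'option' / 'list' lines into a list of section dicts."""
    sections, cur = [], None
    for raw in text.splitlines():
        parts = shlex.split(raw)  # strips the single quotes UCI puts around values
        if not parts:
            continue
        if parts[0] == "config":
            cur = {"type": parts[1], "name": parts[2] if len(parts) > 2 else None,
                   "options": {}, "lists": {}}
            sections.append(cur)
        elif parts[0] == "option" and cur is not None:
            cur["options"][parts[1]] = parts[2] if len(parts) > 2 else ""
        elif parts[0] == "list" and cur is not None:
            cur["lists"].setdefault(parts[1], []).append(parts[2] if len(parts) > 2 else "")
    return sections


def lan_subnets(sections):
    """Static, non-loopback interfaces define the local ranges a tunnel address must avoid."""
    return [ipaddress.ip_network(f"{s['options']['ipaddr']}/{s['options']['netmask']}", strict=False)
            for s in sections if s["type"] == "interface"
            and s["options"].get("proto") == "static" and s["options"].get("device") != "lo"]


def check(text):
    """Findings for the pitfalls raised in the thread, as human-readable strings."""
    sections = parse_uci(text)
    lans = lan_subnets(sections)
    findings = []
    for s in sections:
        o, l, name = s["options"], s["lists"], s["name"]
        if s["type"] == "interface" and o.get("proto") == "wireguard":
            for addr in l.get("addresses", []):  # a tunnel address inside a LAN range breaks local routing
                if any(ipaddress.ip_interface(addr).network.overlaps(lan) for lan in lans):
                    findings.append(f"{name}: tunnel address {addr} overlaps a LAN subnet")
            for peer in (p for p in sections if p["type"] == f"wireguard_{name}"):
                # allowed_ips 0.0.0.0/0 only becomes the default route with route_allowed_ips '1'
                if "0.0.0.0/0" in peer["lists"].get("allowed_ips", []) and peer["options"].get("route_allowed_ips") != "1":
                    findings.append(f"{name}: peer allows 0.0.0.0/0 but route_allowed_ips is not '1'")
        elif s["type"] == "interface" and o.get("peerdns") == "0":
            for dns in l.get("dns", []):  # a private-range resolver is usually reachable only through the tunnel
                if ipaddress.ip_address(dns).is_private:
                    findings.append(f"{name}: DNS {dns} is a private address, unusable before the tunnel is up")
        elif s["type"] == "rule" and "lookup" in o and "src" in o:
            # a PBR rule selects traffic by LAN client source address, not by the tunnel's own address
            if not any(ipaddress.ip_network(o["src"], strict=False).subnet_of(lan) for lan in lans):
                findings.append(f"rule lookup {o['lookup']}: src {o['src']} is not a LAN client address")
    return findings


# Constructed samples modelled on the configs posted in the thread (keys omitted).
LAN = """
config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
"""
FIRST_ATTEMPT = LAN + """
config interface 'wan'
    option proto 'dhcp'
    option peerdns '0'
    list dns '10.0.254.3'
config interface 'WG0'
    option proto 'wireguard'
    list addresses '10.2.0.2/32'
config wireguard_WG0
    list allowed_ips '0.0.0.0/0'
config rule
    option lookup '100'
    option src '10.2.0.2/32'
"""
SECOND_ATTEMPT = LAN + """
config interface 'WG_NL'
    option proto 'wireguard'
    list addresses '192.168.1.1/24'
config wireguard_WG_NL
    list allowed_ips '0.0.0.0/0'
"""
FIXED = LAN + """
config interface 'WG_NL'
    option proto 'wireguard'
    list addresses '10.2.0.2/24'
config wireguard_WG_NL
    list allowed_ips '0.0.0.0/0'
    option route_allowed_ips '1'
"""

if __name__ == "__main__":
    for label, cfg in (("first", FIRST_ATTEMPT), ("second", SECOND_ATTEMPT), ("fixed", FIXED)):
        print(label, check(cfg) or ["ok"])
```

Run it against `cat /etc/config/network` output copied from the router: the first sample reports the private DNS, the missing route_allowed_ips and the bad rule source; the second reports the LAN overlap and the missing route_allowed_ips; the fixed one reports nothing.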

Thank you, that fixed my issue, but my internet has become slow, very slow. I can barely browse a website. I changed the MTU to the one I got from a Google search, and it didn't help the internet speed. What should I do here?

You do not have a very powerful router: https://files.seeedstudio.com/products/114992470/MT7628_datasheet.pdf

I do not have one, but a somewhat comparable Broadcom router does about 20 Mb/s on WireGuard.
MTU can be a deal breaker; you can either look for the right MTU:

Or try e.g. 1280 and work your way up (or down).

MTU needs to be set on the WG interface, and if you are using PPPoE then @brada4 might have a patch for you.
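"Look for the right MTU" means finding the largest packet the path to the endpoint carries unfragmented and subtracting the tunnel overhead. The script below is an added example, not from the thread: it binary-searches the largest DF-flagged ping payload (assuming Linux iputils ping with -M do, run from a LAN client while the tunnel is down) and converts it to a WireGuard MTU. The probe is passed in as a function so the search can also be exercised with a stand-in; the endpoint address is a placeholder.

```python
import subprocess

ICMP_ECHO_OVERHEAD_V4 = 28  # 20-byte IPv4 header + 8-byte ICMP header around the ping payload
WG_OVERHEAD = {"ipv4": 60, "ipv6": 80}  # outer IP header + 8 UDP + 32 WireGuard, per endpoint family


def ping_df_fits(host, payload):
    """Probe: does a ping with this payload and DF set get through unfragmented?
    Assumes Linux iputils ping (-M do); the target must answer pings."""
    result = subprocess.run(
        ["ping", "-M", "do", "-c", "1", "-W", "1", "-s", str(payload), host],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def largest_payload(fits, lo=1200, hi=1472):
    """Binary-search the largest payload in [lo, hi] for which fits() succeeds; None if even lo fails."""
    if not fits(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2  # round up so the search always makes progress
        if fits(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def recommend_wg_mtu(fits, family="ipv4"):
    """Return (path_mtu, wireguard_mtu) derived from the probe, or None if nothing fits."""
    payload = largest_payload(fits)
    if payload is None:
        return None
    path_mtu = payload + ICMP_ECHO_OVERHEAD_V4
    return path_mtu, path_mtu - WG_OVERHEAD[family]


if __name__ == "__main__":
    # Probe the WireGuard endpoint itself, since that is the path the encrypted packets take.
    endpoint = "203.0.113.1"  # placeholder, substitute your endpoint_host
    print(recommend_wg_mtu(lambda size: ping_df_fits(endpoint, size)))
```

The result goes into option mtu on the WG interface. A plain 1500-byte path gives 1440 with an IPv4 endpoint; a 1492-byte PPPoE path gives 1432, or 1412 if you budget for the 80-byte IPv6 overhead, which is the conservative choice when the endpoint family may change.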

You have my permission to copy it :smiley:

It is in snapshot (long known to goldenorb/rooter).

Save the file /etc/nftables.d/mssfix.nft with the following content:

chain mangle_postrouting {
	type filter hook postrouting priority mangle; policy accept;
	oif $wan_devices tcp flags syn / syn,fin,rst tcp option maxseg size set rt mtu
}

Maybe @jow can wave a magic wand?

1 Like