I am facing a problem setting up a Wireguard VPN on my Openwrt Router. I want to use the Wireguard interface with pbr. Here are the scenarios:
-
Pbr disabled. I set up the interface using the config file that also works on other devices and add it to a firewall zone configured the same as wan. After restarting everything, the interface carries 0 traffic and no handshake occurs. This seems to be because of the option "Route Allowed IPs" in the peer's settings.
-
If I enable "Route Allowed IPs", the handshake works and I get traffic. However none of my devices have internet access anymore and when I enable the pbr service, the wg0 interface is used by default for routing and I cannot change that back to wan.
Am I overlooking something? I have followed the official OVPN WireGuard tutorial, but I simply cannot get it to work.
Thank you!
Use OpenVPN with TCP instead. UDP cannot be configured in PBR.
The transport protocol of the VPN (UDP vs TCP) has nothing to do with PBR and the tunnel created by the VPN. You can continue to use Wireguard without issue. In fact, Wireguard is preferred -- it is significantly faster than OpenVPN.
Post your configuration:
Please copy the output of the following commands and post it here using the "Preformatted text </>" button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:
cat /etc/config/network
cat /etc/config/firewall
and also your PBR config.
I'm not an expert on PBR, but I can help ensure the WG config is correct.
Network:
# /etc/config/network as posted (private/public keys redacted by the poster).
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fde6:f3dc:fa4f::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1.1'
config interface 'lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
option device 'br-lan'
# wan and wan6 share the same upstream device (eth0.2).
config interface 'wan'
option device 'eth0.2'
option proto 'dhcp'
config interface 'wan6'
option device 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option ports '0t 2t 3t 4 5'
config switch_vlan
option device 'switch0'
option vlan '2'
option vid '2'
option ports '1 6t'
config device 'guest_dev'
option type 'bridge'
option name 'br-guest'
list ports 'eth1.3'
config interface 'guest'
option proto 'static'
option ipaddr '192.168.3.1'
option netmask '255.255.255.0'
option device 'br-guest'
config switch_vlan
option device 'switch0'
option vlan '3'
option vid '3'
option description 'Guest'
option ports '0t 2t 3t'
config interface 'iot'
option proto 'static'
option device 'br-iot'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
config device
option type 'bridge'
option name 'br-iot'
list ports 'eth1.4'
config switch_vlan
option device 'switch0'
option vlan '4'
option vid '4'
option description 'IOT'
option ports '0t 2t 3t'
config switch_vlan
option device 'switch0'
option vlan '5'
option vid '5'
option description 'VPN'
option ports '0t 2t 3t'
# br-vpn (VLAN 5) has no 'config interface' using it anywhere in this file;
# bridge_empty keeps the bridge device up without members or an address.
config device
option name 'br-vpn'
option type 'bridge'
list ports 'eth1.5'
option bridge_empty '1'
# Policy-routing rule: traffic entering from 'guest' is looked up in table 123.
# NOTE(review): nothing in this file populates table 123 (no 'config route'
# with table '123'), so the lookup presumably falls through to the main table.
# Looks like a leftover from a manual policy-routing attempt, independent of the
# pbr package; confirm with `ip rule` and `ip route show table 123`.
config rule 'guest_to_vpn'
option in 'guest'
option lookup '123'
config interface 'server'
option proto 'static'
option device 'br-server'
option ipaddr '192.168.10.1'
option netmask '255.255.255.0'
config switch_vlan
option device 'switch0'
option vlan '6'
option vid '6'
option description 'Server'
option ports '0t 2t 3t'
config device
option type 'bridge'
option name 'br-server'
list ports 'eth1.6'
config interface 'HomeServer'
option proto 'static'
option ipaddr '192.168.4.1'
option netmask '255.255.255.0'
option device 'br-homeserver'
config switch_vlan
option device 'switch0'
option vlan '7'
option vid '7'
option description 'HomeServer'
option ports '0t 2t 3t'
config device
option type 'bridge'
option name 'br-homeserver'
list ports 'eth1.7'
# WireGuard client interface (the tunnel endpoint 'wan_vpn' zone is bound to).
# The private key lives in plaintext in this file, so the file's read permissions
# are what protect it.
# NOTE(review): peerdns '0' plus explicit 'list dns' entries means these four
# resolvers are handed to the router's DNS for all clients while WG0 is up;
# they are public addresses, so if the tunnel is down they may presumably be
# reached via wan instead -- confirm that is intended.
config interface 'WG0'
option proto 'wireguard'
option peerdns '0'
option force_link '1'
option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
list addresses '172.18.178.248/32'
list addresses 'fd00:0000:1337:cafe:1111:1111:53de:d996/128'
list dns '217.64.148.33'
list dns '192.165.9.157'
list dns '2a07:a880:4601:12a0:adb::1'
list dns '2001:67c:750:1:adb::1'
# Peer section. No 'route_allowed_ips' is set, so the 0.0.0.0/0 and ::/0
# allowed_ips install no routes: nothing is sent into the tunnel, and because
# WireGuard only initiates a handshake when it has a packet to send, the
# "0 traffic, no handshake" observation is expected until pbr (or a keepalive)
# puts traffic on it. Enabling route_allowed_ips with 0.0.0.0/0 instead
# presumably installs a competing default route via WG0, which matches the
# reported loss of internet access.
# NOTE(review): `option persistent_keepalive '25'` would keep the handshake
# alive and visible even when no traffic is routed here -- confirm the provider
# accepts keepalives.
config wireguard_WG0
option description 'buh45-adb.conf'
option public_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
list allowed_ips '0.0.0.0/0'
list allowed_ips '::/0'
option endpoint_host 'vpn45.prd.bucharest.ovpn.com'
option endpoint_port '9929'
Here is the firewall config. The last two entries seem to come from pbr, even though I disabled the service.
# /etc/config/firewall as posted.
# Global defaults: router input/output ACCEPT, forwarding between zones REJECT
# unless a 'config forwarding' below allows it; per-zone settings override.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option flow_offloading '1'
option flow_offloading_hw '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'lan'
config zone
option name 'guest'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'guest'
# Tunnel zone: same posture as 'wan' (input REJECT, masquerade) plus mtu_fix
# (TCP MSS clamping) for the tunnel MTU. Only 'lan' is forwarded into it
# (last section of this file); guest/iot/homeserver exit via 'wan' only.
config zone
option name 'wan_vpn'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option input 'REJECT'
option mtu_fix '1'
list network 'WG0'
config zone
option name 'iot'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'iot'
config forwarding
option src 'lan'
option dest 'iot'
config forwarding
option src 'guest'
option dest 'iot'
config zone
option name 'server'
option output 'ACCEPT'
option forward 'REJECT'
option input 'ACCEPT'
list network 'server'
config forwarding
option src 'server'
option dest 'iot'
config forwarding
option src 'lan'
option dest 'guest'
config forwarding
option src 'lan'
option dest 'server'
config forwarding
option src 'iot'
option dest 'server'
config zone
option name 'homeserver'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'HomeServer'
config forwarding
option src 'homeserver'
option dest 'iot'
config forwarding
option src 'homeserver'
option dest 'lan'
config forwarding
option src 'iot'
option dest 'homeserver'
config forwarding
option src 'lan'
option dest 'homeserver'
config forwarding
option src 'server'
option dest 'homeserver'
# Upstream zone. NOTE(review): only 'wan' is listed; the 'wan6' interface from
# /etc/config/network is not assigned to any zone in this file. It runs on the
# same device (eth0.2), so its traffic is presumably still matched here, but
# the stock configuration lists both -- confirm with `fw4 print`.
config zone
option name 'wan'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option input 'REJECT'
list network 'wan'
config forwarding
option src 'lan'
option dest 'wan'
config forwarding
option src 'homeserver'
option dest 'wan'
config forwarding
option src 'iot'
option dest 'wan'
config forwarding
option src 'guest'
option dest 'wan'
# Redirects NTP (udp/123) arriving from the 'server' zone to the router's own
# address on that network, i.e. hosts in 'server' are forced onto the local NTP
# service regardless of the server they asked for.
config redirect
option target 'DNAT'
option name 'Forward NTP'
list proto 'udp'
option src 'server'
option src_dport '123'
option dest_ip '192.168.10.1'
option dest_port '123'
# NOTE(review): guest can reach iot, wan and homeserver; check that
# guest -> homeserver is intended for an untrusted network.
config forwarding
option src 'guest'
option dest 'homeserver'
# Added by the pbr package; the include is referenced whether or not the pbr
# service is enabled, so it presumably stays until the package is removed.
config include 'pbr'
option fw4_compatible '1'
option type 'script'
option path '/usr/share/pbr/pbr.firewall.include'
# The only forwarding into the tunnel zone.
config forwarding
option src 'lan'
option dest 'wan_vpn'