WireGuard VPN not working

Hi

I have recently set up an OpenWrt router on an Intel x86/64 platform (OpenWrt 22.03.5 r20134-5f15225c1e / LuCI openwrt-22.03 branch git-23.093.57104-ce20b4a).
I have configured WireGuard as per Surfshark instructions here - https://support.surfshark.com/hc/en-us/articles/7091559595666.

My LAN interface is eth1 and WAN is eth0, and wg0 is the interface I have created for the WireGuard config. I am using PBR to test this, so I have not checked the Route Allowed IP checkbox in the peer configuration.

I know PBR does work, as the DNS servers from the Surfshark wg0 interface are allocated to my test client, but there is no traffic flowing through the interface. If I go into Status → WireGuard I don't see anything there either — assuming I should see something ...

I have provided below the output of the config files as per another thread. Please note I am not very technical, so I can follow instructions but my CLI skills are very limited. Thanks in advance for any assistance in troubleshooting this issue.

ubus call system board; \
> uci export network; \
> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
{
        "kernel": "5.10.176",
        "hostname": "ArmOpen16",
        "system": "Intel(R) N100",
        "model": "Default string Default string",
        "board_name": "default-string-default-string",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.5",
                "revision": "r20134-5f15225c1e",
                "target": "x86/64",
                "description": "OpenWrt 22.03.5 r20134-5f15225c1e"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdf5:78dd:d6d8::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option delegate '0'

config interface 'lan2'
        option proto 'static'
        option device 'eth2'
        option ipaddr '192.168.2.254'
        option netmask '255.255.255.0'

config interface 'lan3'
        option proto 'static'
        option device 'eth3'
        option ipaddr '192.168.3.254'
        option netmask '255.255.255.0'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth0.10'

config interface 'wan6'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option device 'eth0.10'

config device
        option name 'eth0.10'
        option type '8021q'
        option ifname 'eth0'
        option vid '10'

config interface 'wg0'
        option proto 'wireguard'
        option private_key '2KXknd4sin5AkDAFSgY+2UtyW9acQw4uTwimr8VVGUE='
        list addresses '10.14.0.2/16'
        list dns '162.252.172.57'
        list dns '149.154.159.92'

config wireguard_wg0
        option public_key 'sDDS1f/+IqVljMN7GzMFeAbNescQUTLIt0xio0W61Q0='
        list allowed_ips '0.0.0.0/0'
        option endpoint_host 'us-sjc.prod.surfshark.com'
        option endpoint_port '51820'

package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
        option interface 'lan'
        option dhcpv4 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option dns_service '0'
        option start '105'
        option limit '234'
        option leasetime '40h'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'homeassistant'
        option ip '192.168.1.229'
        option mac '7C:D3:0A:31:D2:BE'

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'lan2'
        list network 'lan3'
        option mtu_fix '1'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'

config zone
        option name 'vpn'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'
        option masq '1'
        list network 'wg0'

config forwarding
        option src 'lan'
        option dest 'vpn'

head: /etc/firewall.user: No such file or directory
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
4: eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    inet 192.168.2.254/24 brd 192.168.2.255 scope global eth2
       valid_lft forever preferred_lft forever
5: eth3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    inet 192.168.3.254/24 brd 192.168.3.255 scope global eth3
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
7: eth0.10@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 121.74.232.127/22 brd 121.74.235.255 scope global eth0.10
       valid_lft forever preferred_lft forever
8: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.14.0.2/16 brd 10.14.255.255 scope global wg0
       valid_lft forever preferred_lft forever
default via 121.74.235.254 dev eth0.10 table pbr_wan
192.168.1.0/24 dev br-lan table pbr_wan proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev eth2 table pbr_wan proto kernel scope link src 192.168.2.254 linkdown
192.168.3.0/24 dev eth3 table pbr_wan proto kernel scope link src 192.168.3.254 linkdown
default via 10.14.0.2 dev wg0 table pbr_wg0
192.168.1.0/24 dev br-lan table pbr_wg0 proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev eth2 table pbr_wg0 proto kernel scope link src 192.168.2.254                                                                                                                                                                                                                                              linkdown
192.168.3.0/24 dev eth3 table pbr_wg0 proto kernel scope link src 192.168.3.254                                                                                                                                                                                                                                              linkdown
default via 121.74.235.254 dev eth0.10 proto static src 121.74.232.127
10.14.0.0/16 dev wg0 proto kernel scope link src 10.14.0.2
121.74.232.0/22 dev eth0.10 proto kernel scope link src 121.74.232.127
156.146.54.72 via 121.74.235.254 dev eth0.10 proto static
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.254 linkdown
192.168.3.0/24 dev eth3 proto kernel scope link src 192.168.3.254 linkdown
broadcast 10.14.0.0 dev wg0 table local proto kernel scope link src 10.14.0.2
local 10.14.0.2 dev wg0 table local proto kernel scope host src 10.14.0.2
broadcast 10.14.255.255 dev wg0 table local proto kernel scope link src 10.14.0.2
broadcast 121.74.232.0 dev eth0.10 table local proto kernel scope link src 121.74.232.127
local 121.74.232.127 dev eth0.10 table local proto kernel scope host src 121.74.232.127
broadcast 121.74.235.255 dev eth0.10 table local proto kernel scope link src 121.74.232.127
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1
broadcast 192.168.2.0 dev eth2 table local proto kernel scope link src 192.168.2.254 linkdown
local 192.168.2.254 dev eth2 table local proto kernel scope host src 192.168.2.254
broadcast 192.168.2.255 dev eth2 table local proto kernel scope link src 192.168.2.254 linkdown
broadcast 192.168.3.0 dev eth3 table local proto kernel scope link src 192.168.3.254 linkdown
local 192.168.3.254 dev eth3 table local proto kernel scope host src 192.168.3.254
broadcast 192.168.3.255 dev eth3 table local proto kernel scope link src 192.168.3.254 linkdown
0:      from all lookup local
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wan
30001:  from all fwmark 0x20000/0xff0000 lookup pbr_wg0
32766:  from all lookup main
32767:  from all lookup default
lrwxrwxrwx    1 root     root            16 Apr 28 08:28 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            47 Jul 21 12:57 /tmp/resolv.conf
-rw-r--r--    1 root     root           219 Jul 21 12:53 /tmp/resolv.conf.d/resolv.conf.auto

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root           219 Jul 21 12:53 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface wan
nameserver 203.109.191.1
nameserver 203.118.191.1
# Interface wan6
nameserver 2407:7000:2100:5300::1
nameserver 2407:7000:ff00:5300::1
# Interface wg0
nameserver 162.252.172.57
nameserver 149.154.159.92
root@ArmOpen16:~# ^C
root@ArmOpen16:~# cls
-ash: cls: not found
root@ArmOpen16:~# clear
root@ArmOpen16:~# ubus call system board; \
> uci export network; \
> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
{
        "kernel": "5.10.176",
        "hostname": "ArmOpen16",
        "system": "Intel(R) N100",
        "model": "Default string Default string",
        "board_name": "default-string-default-string",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.5",
                "revision": "r20134-5f15225c1e",
                "target": "x86/64",
                "description": "OpenWrt 22.03.5 r20134-5f15225c1e"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdf5:78dd:d6d8::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option delegate '0'

config interface 'lan2'
        option proto 'static'
        option device 'eth2'
        option ipaddr '192.168.2.254'
        option netmask '255.255.255.0'

config interface 'lan3'
        option proto 'static'
        option device 'eth3'
        option ipaddr '192.168.3.254'
        option netmask '255.255.255.0'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth0.10'

config interface 'wan6'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option device 'eth0.10'

config device
        option name 'eth0.10'
        option type '8021q'
        option ifname 'eth0'
        option vid '10'

config interface 'wg0'
        option proto 'wireguard'
        option private_key '2KXknd4sin5AkDAFSgY+2UtyW9acQw4uTwimr8VVGUE='
        list addresses '10.14.0.2/16'
        list dns '162.252.172.57'
        list dns '149.154.159.92'

config wireguard_wg0
        option public_key 'sDDS1f/+IqVljMN7GzMFeAbNescQUTLIt0xio0W61Q0='
        list allowed_ips '0.0.0.0/0'
        option endpoint_host 'us-sjc.prod.surfshark.com'
        option endpoint_port '51820'

package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
        option interface 'lan'
        option dhcpv4 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option dns_service '0'
        option start '105'
        option limit '234'
        option leasetime '40h'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'homeassistant'
        option ip '192.168.1.229'
        option mac '7C:D3:0A:31:D2:BE'

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'lan2'
        list network 'lan3'
        option mtu_fix '1'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'

config zone
        option name 'vpn'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'
        option masq '1'
        list network 'wg0'

config forwarding
        option src 'lan'
        option dest 'vpn'

head: /etc/firewall.user: No such file or directory
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
4: eth2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    inet 192.168.2.254/24 brd 192.168.2.255 scope global eth2
       valid_lft forever preferred_lft forever
5: eth3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    inet 192.168.3.254/24 brd 192.168.3.255 scope global eth3
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
7: eth0.10@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 121.74.232.127/22 brd 121.74.235.255 scope global eth0.10
       valid_lft forever preferred_lft forever
8: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.14.0.2/16 brd 10.14.255.255 scope global wg0
       valid_lft forever preferred_lft forever
default via 121.74.235.254 dev eth0.10 table pbr_wan
192.168.1.0/24 dev br-lan table pbr_wan proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev eth2 table pbr_wan proto kernel scope link src 192.168.2.254 linkdown
192.168.3.0/24 dev eth3 table pbr_wan proto kernel scope link src 192.168.3.254 linkdown
default via 10.14.0.2 dev wg0 table pbr_wg0
192.168.1.0/24 dev br-lan table pbr_wg0 proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev eth2 table pbr_wg0 proto kernel scope link src 192.168.2.254 linkdown
192.168.3.0/24 dev eth3 table pbr_wg0 proto kernel scope link src 192.168.3.254 linkdown
default via 121.74.235.254 dev eth0.10 proto static src 121.74.232.127
10.14.0.0/16 dev wg0 proto kernel scope link src 10.14.0.2
121.74.232.0/22 dev eth0.10 proto kernel scope link src 121.74.232.127
156.146.54.72 via 121.74.235.254 dev eth0.10 proto static
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.254 linkdown
192.168.3.0/24 dev eth3 proto kernel scope link src 192.168.3.254 linkdown
broadcast 10.14.0.0 dev wg0 table local proto kernel scope link src 10.14.0.2
local 10.14.0.2 dev wg0 table local proto kernel scope host src 10.14.0.2
broadcast 10.14.255.255 dev wg0 table local proto kernel scope link src 10.14.0.2
broadcast 121.74.232.0 dev eth0.10 table local proto kernel scope link src 121.74.232.127
local 121.74.232.127 dev eth0.10 table local proto kernel scope host src 121.74.232.127
broadcast 121.74.235.255 dev eth0.10 table local proto kernel scope link src 121.74.232.127
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1
broadcast 192.168.2.0 dev eth2 table local proto kernel scope link src 192.168.2.254 linkdown
local 192.168.2.254 dev eth2 table local proto kernel scope host src 192.168.2.254
broadcast 192.168.2.255 dev eth2 table local proto kernel scope link src 192.168.2.254 linkdown
broadcast 192.168.3.0 dev eth3 table local proto kernel scope link src 192.168.3.254 linkdown
local 192.168.3.254 dev eth3 table local proto kernel scope host src 192.168.3.254
broadcast 192.168.3.255 dev eth3 table local proto kernel scope link src 192.168.3.254 linkdown
0:      from all lookup local
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wan
30001:  from all fwmark 0x20000/0xff0000 lookup pbr_wg0
32766:  from all lookup main
32767:  from all lookup default
lrwxrwxrwx    1 root     root            16 Apr 28 08:28 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            47 Jul 21 12:57 /tmp/resolv.conf
-rw-r--r--    1 root     root           219 Jul 21 12:53 /tmp/resolv.conf.d/resolv.conf.auto

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root           219 Jul 21 12:53 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface wan
nameserver 203.109.191.1
nameserver 203.118.191.1
# Interface wan6
nameserver 2407:7000:2100:5300::1
nameserver 2407:7000:ff00:5300::1
# Interface wg0
nameserver 162.252.172.57
nameserver 149.154.159.92
root@ArmOpen16:~#

Could you go back and edit your post, please, to put the copied/pasted extracts into separate ``` fixed-width blocks for each extract? It'll make it much easier for your audience to read and parse.

For future reference, unless that private key is from a private lab/test instance and you don't care about it, you should really redact it. Private keys must always remain private; they're private for a reason.

(Exception: I often post working private keys in my examples, because they expressly are from a lab/test instance and it's more helpful to show a working key than it is to preserve any privacy of a key that only exists for the purpose of that test)

It's too late now for this key: once it has been posted publicly you have to treat it as compromised, because whoever holds a WireGuard private key can present that identity to the peer. Generate a new private/public key pair as soon as you get a chance and register the new public key with the peer (your VPN provider), so the old one stops being accepted.


Thanks — I had changed some of the characters in the private key after pasting it into the post.


You should also use the </> button for all preformatted code you paste.

Anyway, just the other day I followed this guide (starting at chapter II)
to set up access to my home server, on a small portable router running OpenWrt.
It worked out of the box, but I did skip the kill-switch feature (which is what stops traffic falling back to the plain WAN if the tunnel drops).


The connection to the server could not be established.

Are you sure you should use the default port?
From the surfshark guide:

Thanks, I checked and I did put the port in. I am not sure what I have changed, but I have made progress as I am now getting the handshake.

Initially I added "::/0" in the Allowed IP and thought that is what caused the connection to work but I removed it and just left "0.0.0.0/0" and it was still working

I also needed to stop the wan6 interface (IPv6), as I found that the Surfshark WireGuard VPN does not support it; with no IPv6 on the LAN there is also no IPv6 path that could go around an IPv4-only tunnel.

My next issue is that I am trying to leverage PBR to route only a certain local IP address via the WireGuard VPN. That seems to be working, as I can see my external IP address is now the VPN location, but I am still getting a DNS leak.

Below is a screenshot of the DNS config in the WG interface.

I have defined the custom DNS is there any other setting I need to specify?
Also, aside from doing an external DNS leak test from the Surfshark website, how do I test on Windows 11 that I am indeed using the DNS servers assigned from the VPN interface? I have done an `ipconfig /all` and the DNS server allocated is still the OpenWrt router's IP, i.e. the client is asking the router's own resolver, which then forwards upstream on the client's behalf.

That directive controls which destinations are sent to that peer and which source addresses are accepted from it (WireGuard's cryptokey routing); it does not affect whether the handshake completes or whether the VPN gets created correctly.

::/0 means "every IPv6 address"
0.0.0.0/0 means "every IPv4 address"

If you don't use IPv6 then "::/0" isn't required, but its presence or absence won't affect the VPN encryption and handshake.

Thanks for the description on using ::/0.

Any suggestions on why my Window Client (using WIFI) is not leveraging the VPN DNS servers ?

First thing to check would be to verify that the DNS traffic is actually going through the tunnel towards the intended resolvers. tcpdump can help with this; it's an optional package which you can install with opkg. Something like `tcpdump -ni wg0 port 53`, compared with the same capture on the WAN interface, shows which way the client's queries leave the router.

Assign the VPN nameservers to this particular client using the mac classifier.

# Hand the VPN provider's resolvers (DHCP option 6) to a single LAN client,
# selected by MAC address through a dnsmasq "mac" classifier tagged 'vpn'.
# Replace AA:BB:CC:DD:EE:FF with the real client MAC before running.
# Caveat: option 6 only changes which addresses the client asks; the queries
# themselves are plain DNS, so they stay inside the tunnel only while PBR is
# routing this client's traffic via wg0. If the tunnel is down and nothing
# blocks the fallback, they may leave via the WAN in clear.
uci batch <<'EOF'
set dhcp.wg='mac'
set dhcp.wg.mac='AA:BB:CC:DD:EE:FF'
set dhcp.wg.networkid='vpn'
add_list dhcp.wg.dhcp_option='6,162.252.172.57,149.154.159.92'
commit dhcp
EOF
service dnsmasq restart

Don't forget to reconnect the client.


Thanks, tried this and the client still gets the DNS of 192.168.1.1 from the DHCP scope, I am assuming on the LAN interface (I had set up a static IP for this MAC to test). However, DNS was not working when I did an nslookup. The only way I can get this to work is to manually assign DNS servers on the client, keep a static DHCP entry for the client, and then use PBR to route its traffic over the WireGuard tunnel. This seems a very manual process.

Just an update on this. I looked at several other threads and DNS leaks seem to be a known issue with VPNs. To summarize, the problem I was trying to solve was using PBR to ensure all traffic from a specific IP address is routed over the WireGuard VPN tunnel. The issue I was seeing is that traffic was going through the VPN (once I added the routing policy for the IP address in the PBR LuCI interface); however, the client was not getting the DNS servers specified on the WireGuard interface and was instead using the DNS server of the LAN interface (which defaults to the router's LAN IP, i.e. the router's own dnsmasq). The only way to force the client to use the VPN provider's DNS servers was to use a DHCP option 6 tag (see example below).

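# Static lease for the client that PBR routes via wg0. The commented-out
# 'tag' lines show the DHCP option 6 mechanism: tag the host, then give the
# tag a dhcp_option list so the client is handed the VPN provider's resolvers
# instead of the router's own address.
config host
	option name 'LAPTOP-PH3AFI'
	option ip '192.168.1.161'
	option mac '88:D6:2E:C4:F8:9C'
#	option tag 'tag1'

# Option 6 for hosts carrying the tag. The UCI list is named 'dhcp_option'
# (one word, with an underscore); 'dhcp option' is not a valid option name.
# Caveat: this only changes which resolvers the client asks, over plain DNS;
# the queries stay off the WAN only while this client's traffic is actually
# being routed through the tunnel.
#config tag 'tag1'
#	list dhcp_option '6,162.252.172.57,149.154.159.92'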

You could also add the DNS server you entered on the WG interface to the peer's Allowed IPs.
Provided you have enabled "Route allowed IPs" then it will be routed via the tunnel.
Then everybody should use that DNS server, and it is routed via the tunnel so that you do not have a DNS leak, although this probably relies on dnsmasq's "strict order", which is not very reliable; I would prefer it if the WG DNS server replaced the existing DNS servers in resolv.conf.

For my Broadcom routers which do not have OpenWRT support I use DDWRT.
The DNS servers you enter when using WG on DDWRT are used exclusively and are standard routed via the tunnel so you will never have a DNS leak.
Furthermore when using PBR you can just enable/tick "Split DNS" then only clients using the tunnel will use DNS via the Tunnel and other clients use the LAN DNS (it uses iptables rules to redirect port 53).

When I have some more time this winter I am going to try to add this also to OpenWRT, will be a nice challenge :slight_smile:

Note the OpenVPN client also just ignores pushed DNS servers by default, of course you can add a script to deal with this but that is also something which it would be nice if it was present by default in OpenWRT :slight_smile:

Thanks. I do have the DNS servers specified on the WG interface; however, in the peer config (as per the screenshot) I left the "Route Allowed IPs" tickbox unchecked, because if I check it the tunnel becomes the default route instead of the WAN. I am not sure what would happen to the rest of the clients if I add the DNS IP address there, i.e. whether they would still default to routing via the WAN interface. Something to test, I guess, but in my scenario there are only a limited number of clients I want to route via WG.

You can always enter a static route for the WG DNS server via the tunnel. With "Route Allowed IPs" unchecked, nothing otherwise sends packets for that resolver address into wg0, so queries the router itself forwards to it would presumably leave via the WAN; a host route for just that address sends them through the tunnel without making wg0 the default route for everyone.
