Wireguard vpn on dumb AP to single lan port not WI-FI

Hello everyone,

I have a dumb-ish AP setup and I'm trying to get a direct VPN connection to run on it and only be accessible on one of the LAN ports. I've gotten the VPN running, and the computer that's connected to the LAN port and the router communicate on 10.10.10.0/24, but it can't access the internet, let alone the VPN.

the vpn is running on vpn_IF and the server is connected on truenas_IF

I can't have the wireless AP going through the VPN at all. Here are the current configs (keys/IPs redacted):

/etc/config/network


# Loopback; stock OpenWrt default.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd50:f086:d64f::/48'

# The four switch ports all carry the same MAC here (posted as-is).
config device
	option name 'lan1'
	option macaddr '28:d0:f5:56:4e:43'

config device
	option name 'lan2'
	option macaddr '28:d0:f5:56:4e:43'

config device
	option name 'lan3'
	option macaddr '28:d0:f5:56:4e:43'

config device
	option name 'lan4'
	option macaddr '28:d0:f5:56:4e:43'

# Upstream-facing network of the dumb AP: static address on the br-eth bridge,
# with the main router (192.168.1.1) as gateway and DNS.  No 'metric' is set,
# so this is the router's default route as long as no other interface installs
# a 0.0.0.0/0 route with a lower metric.
config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.170'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'
	option device 'br-eth'

# NOTE(review): a 'wireguard_vpn' section is a peer of an interface named 'vpn',
# and no "config interface 'vpn'" exists in this file, so this block looks like
# a leftover.  Unlike the vpn_IF peer below it carries route_allowed_ips '1'
# together with allowed_ips 0.0.0.0/0, which would install a default route
# through the tunnel if it ever came up.
config wireguard_vpn
	option description 'windscribe'
	option public_key '9#########UE='
	option preshared_key 'V#########vE='
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
	option endpoint_host '64.188.16.132'
	option endpoint_port '443'

# The tunnel interface (keys redacted in the post).  No 'metric' option here;
# the replies below ask for one so the lan default route stays primary once
# route_allowed_ips is enabled on the peer.
config interface 'vpn_IF'
	option proto 'wireguard'
	option private_key 'E#########XQ='
	list addresses '100.100.68.72/32'
	list dns '10.255.255.1'

# Peer of vpn_IF.  0.0.0.0/0 already covers 10.10.10.0/24, so the second
# allowed_ips entry is redundant: allowed_ips is WireGuard's cryptokey routing
# table (which source addresses are accepted from this peer), and the catch-all
# already admits 10.10.10.x.  Without route_allowed_ips no route via the tunnel
# is installed at all, which is what the first reply points out.
config wireguard_vpn_IF
	option description 'Windscribe-StaticIP (1).conf'
	option public_key '9#########UE='
	option preshared_key 'V#########vE='
	option endpoint_host '64.188.16.132'
	option endpoint_port '443'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '10.10.10.0/24'

# NAS-facing network on physical port lan4, which is not a member of br-eth and
# so stays separate from the Wi-Fi/bridge side.  defaultroute '0' stops it from
# installing a default route.  'list dns' here only feeds the router's own
# resolver; the NAS learns nothing from it (DHCP is disabled for this network
# in /etc/config/dhcp), which is why a later reply suggests advertising the
# resolver via DHCP option 6 instead.
config interface 'truenas_IF'
	option proto 'static'
	list ipaddr '10.10.10.1/24'
	option defaultroute '0'
	list dns '10.255.255.1'
	option dns_metric '1000'
	option delegate '0'
	option device 'lan4'

config device
	option name 'eth0'

# br-eth bridges eth0 and the 'wan' port, so the WAN port presumably serves as
# one more LAN port of the dumb AP.  lan4 is deliberately left out.
config device
	option type 'bridge'
	option name 'br-eth'
	list ports 'eth0'
	list ports 'wan'


/etc/config/dhcp


# dnsmasq global settings (essentially OpenWrt defaults).
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	# rebind_protection discards upstream answers that resolve to private
	# ranges.  NOTE(review): using the private VPN resolver 10.255.255.1 as
	# upstream is fine, but any name it answers with a private address will be
	# dropped unless that domain is listed under rebind_domain.
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	# Upstream resolvers come from the interfaces' 'list dns' entries via this file.
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	# Only answer DNS for local subnets; keep this on.
	option localservice '1'
	option ednspacket_max '1232'

# Pool for the 'lan' network.  As posted this is an active DHCPv4 server on the
# same segment as the main router 192.168.1.1; on a dumb AP this pool is
# typically disabled with ignore '1' so the main router stays the only DHCP
# server.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# Pool for the NAS port.  ignore '1' disables DHCP on truenas_IF entirely, so
# the host on lan4 gets no address and none of the options here.  The
# dhcp_option entry is also missing its option number: advertising the VPN
# resolver is written as list dhcp_option '6,10.255.255.1' (option 6 = DNS
# server), which a later reply recommends.
config dhcp 'truenas_IF'
	option interface 'truenas_IF'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '10.255.255.1'
	option ignore '1'


/etc/config/firewall


# Default policy: everything accepted.  Any network not placed in a zone below
# (here the 'lan' network, i.e. the Wi-Fi and bridge clients) falls under these
# defaults and can reach the router and any other zone unrestricted.  Usual for
# a dumb AP behind the main router's firewall, but it means the NAS port and the
# tunnel are separated from the rest only by the zones defined below.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'ACCEPT'

# Zone for the NAS port.  'lan2' is listed although truenas_IF sits on lan4, and
# 'truenas_IF' is a network name rather than a device, so it belongs in
# 'list network' (a reply below says the same).
config zone
	option name 'truenas_FW'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'lan2'
	list device 'truenas_IF'

# Zone for the tunnel: masq '1' (source NAT onto the tunnel address) and
# mtu_fix '1' (TCP MSS clamping) are the expected settings for a VPN egress
# zone.  vpn_IF is given both as device and as network.
config zone
	option name 'vpn_FW'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list device 'vpn_IF'
	option mtu_fix '1'
	list network 'vpn_IF'

# Redundant: the forwarding section below (and forward ACCEPT by default)
# already allows truenas_FW -> vpn_FW traffic.
config rule
	option name 'vpn1'
	option dest 'vpn_FW'
	option target 'ACCEPT'
	option src 'truenas_FW'

# Allows forwarding from the NAS zone into the tunnel zone.
config forwarding
	option src 'truenas_FW'
	option dest 'vpn_FW'


/etc/config/wireless


# 2.4 GHz radio, automatic channel selection.
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/18000000.wmac'
	option band '2g'
	option cell_density '0'
	option country 'US'
	option channel 'auto'
	option htmode 'HT20'

# 5 GHz radio on channel 36.
config wifi-device 'radio1'
	option type 'mac80211'
	option path '1a143000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option band '5g'
	option cell_density '0'
	option channel '36'
	option htmode 'HE20'
	option country 'US'

# 5 GHz AP, WPA2-PSK (key redacted in the post).  All Wi-Fi interfaces below
# attach to 'lan' only, so Wi-Fi clients are never on the NAS network or the
# tunnel, matching the stated requirement.
config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option encryption 'psk2'
	option key '#########'
	option ssid 'MotherOfDragons-5G'
	option network 'lan'

# 802.11s mesh point on 5 GHz (SAE).  NOTE(review): unlike the AP PSKs, the
# mesh key here was posted unredacted and is reused on the 2.4 GHz mesh below;
# treat it as exposed and rotate it on every mesh node.
config wifi-iface 'wifinet1'
	option device 'radio1'
	option mode 'mesh'
	option encryption 'sae'
	option mesh_id '8f81761c77d3'
	option mesh_fwding '1'
	option mesh_rssi_threshold '0'
	option key '5ae87543003d'
	option network 'lan'

# 2.4 GHz AP, WPA2-PSK (key redacted), attached to lan.
config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'MotherOfDragons'
	option encryption 'psk2'
	option key '#########'
	option network 'lan'

# 802.11s mesh point on 2.4 GHz; same mesh key as wifinet1 (see note there).
config wifi-iface 'wifinet3'
	option device 'radio0'
	option mode 'mesh'
	option encryption 'sae'
	option mesh_id 'fc5a4b6f5fea'
	option mesh_fwding '1'
	option mesh_rssi_threshold '0'
	option key '5ae87543003d'
	option network 'lan'


Thanks for your help

more info, screenshots on web ui




You need to do Policy Based Routing and you have 3 options:

  1. mwan3 package
  2. pbr package
  3. a set of rules/routes for each internet connection.
    In your case the PBR would be the easiest.

Using pbr I'm still unable to get traffic routed and working.

Even following a suggestion on Reddit I still cannot get anything functioning correctly: https://www.reddit.com/r/openwrt/comments/zghgbx/comment/izjct3l/?utm_source=share&utm_medium=web2x&context=3

  1. PBR needs to see a default gateway in the routing table from the participating interfaces. So add
route_allowed_ips '1'

in wireguard_vpn_IF and assign a metric on the wireguard interfaces so that the gateway from the lan interface is primary.
2.

truenas_IF is a network, not a device.
3. post the pbr configuration as well.


As I've messed around with a lot of settings, I'm going to repost my full config.

/etc/config/network: https://pastebin.com/4tAQt2L2
/etc/config/firewall: https://pastebin.com/ECsFmkDy
/etc/config/pbr: https://pastebin.com/DdD2W1V8

With this setup I can now see some packets coming through on vpn_IF, but like before no internet connection is present.

option route_allowed_ips '1' belongs to wireguard peer interfaces, not local networks.
Assign higher metric to the vpn interfaces than the lan.
Don't use list dns '10.255.255.1' in truenas_IF , instead use the dhcp option 6 to advertise it to the clients.
The firewall is empty and it will not work, as you need at least masquerade on the packets egress vpn interfaces.
pbr configuration is also wrong, truenas_IF should not be a supported interface and the policies are not correct. You need to define the source addresses as 10.10.10.0/24, forward (or prerouting) chain and vpn_IF as interface. The rest remain as default.


I have made the changes you said, but it's still not working.. I feel like I'm bashing my head against the wall here :confused:

/etc/config/network: https://pastebin.com/BFLsaXHQ
/etc/config/pbr: https://pastebin.com/WZZDJtuZ
/etc/config/firewall: https://pastebin.com/M0iL99xP
/etc/config/dhcp: https://pastebin.com/BLC838Xa

Thank you for all the help you have provided thus far; I have a better understanding of how something like this should work thanks to you!

I feel like it's just one little thing away from working..

The nas firewall zone doesn't need masquerade.
What is not working?
Is the host connected to truenas interface getting correct ip and other settings?
Can it ping the gateway? Can it ping 8.8.8.8? Can it ping dns.google ?


I have corrected the masquerade on the NAS zone.

OpenWrt has a working connection:
ping google.com

The VPN is working correctly, as I can ping directly using the interface:
ping google.com -I vpn_IF
ping dns.google.com -I vpn_IF

The NAS can ping the gateway:
ping 10.10.10.1 -I enp3s0 (where enp3s0 is the adapter connected to OpenWrt)

Trying to ping Google through that connection just hangs.

Checking tcpdump on vpn_IF shows that there is no traffic at all.

It appears to be working; for some reason TrueNAS would not ping, but going through a VM is working correctly, and that's all I need!

