Wireguard VPN server doesn’t work when upstream Mullvad VPN is activated

I want to remotely access my LAN on an Openwrt-router with Wireguard so that I can see IP camera video feed, while also having an upstream Mullvad VPN configured on the Openwrt-router.

First, I followed these instructions to successfully set up the upstream Mullvad VPN.

Next, I set up a WireGuard server on my OpenWrt router, with VPN_PORT=51821 to avoid conflicting with the Mullvad WireGuard interface.

When the "Openwrt -> Network -> Firewall -> Zones -> Forwardings" setting is lan => MULLVADZONE, or lan => MULLVADZONE + wan, the remote access to the LAN fails with "handshake did not complete after 5 seconds".

However, with lan => wan forwarding, the remote access works as expected (but this means that there is no connection to the Mullvad upstream VPN).

On my remote device's Wireguard client, the peer endpoint is my ISP provided static IP address.

Configs where the Mullvad upstream is working and the remote-access VPN is not

root@OpenWrt:~# cat /etc/config/firewall                                                             
                                                                                                     
# /etc/config/firewall as pasted in the post (values are the author's).
# Three zones are defined: 'lan' (the LAN bridge plus the remote-access
# WireGuard network 'vpn'), 'wan' (the ISP uplink) and 'MULLVADZONE' (the
# upstream Mullvad WireGuard tunnel).
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
# Default forward policy is REJECT: inter-zone forwarding is permitted only
# by the explicit 'config forwarding' sections at the end of this file.
        option forward 'REJECT'
        option synflood_protect '1'

# The remote-access WireGuard network 'vpn' is a member of the lan zone, so a
# connected remote peer is treated like a LAN host: it may reach the router's
# own services (input ACCEPT) and anything the lan zone is allowed to forward to.
# That is the stated goal (camera feed); narrow it if less is actually needed.
config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'vpn'

# Uplink zone. input is REJECT, so traffic addressed to the router from the
# Internet is admitted only by the explicit 'config rule' entries below
# (for the remote-access tunnel that is 'Allow-WireGuard').
config zone 'wan'
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'REJECT'
        option forward 'REJECT'

# The following rules match OpenWrt's stock default rule set.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
       option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Stock rules admitting IPsec (ESP and IKE on UDP/500) from wan into lan.
# Nothing in the pasted /etc/config/network uses IPsec, so these are unused
# here; they could be dropped if IPsec is not needed.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Upstream Mullvad tunnel zone. input and forward are REJECT, so nothing
# arriving from the Mullvad side may reach the router or be forwarded on;
# masq '1' NATs lan -> MULLVADZONE traffic to the tunnel address.
config zone
        option name 'MULLVADZONE'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'MULLVAD'

# Admits the remote-access WireGuard UDP traffic to the router itself (there
# is no 'dest', so this is an input rule, not a forward). Port 51821 matches
# the 'vpn' interface listen_port in /etc/config/network and avoids a clash
# with the Mullvad interface listening on 51820.
config rule 'wg'
        option name 'Allow-WireGuard'
        option dest_port '51821'
        option proto 'udp'
        option target 'ACCEPT'
        option src 'wan'

# Both forwardings are present in this paste. These entries only permit
# forwarding; which uplink a given packet actually uses is decided by the
# routing table, not by the firewall.
config forwarding
        option src 'lan'
        option dest 'wan'

# NOTE(review): the symptom in the post (handshake times out once lan ->
# MULLVADZONE is in use) is presumably a routing question rather than a
# firewall one: replies from the 'vpn' listener leave via whichever route the
# kernel selects for the remote peer's address — see the policy-based-routing
# reply at the end of the thread. Confirm against the routing table.
config forwarding
        option src 'lan'
        option dest 'MULLVADZONE'

root@OpenWrt:~# cat /etc/config/network                                                              
                                                                                                     
# /etc/config/network as pasted in the post. Keys, MAC addresses, prefixes
# and tunnel addresses are redacted placeholders.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
# redacted placeholder
        option ula_prefix 'ula_prefix::/48'

# LAN bridge over eth0.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config device
        option name 'eth0'
# redacted placeholder
        option macaddr 'eth0:mac:address'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth1'
# redacted placeholder
        option macaddr 'eth1:mac:addr'

# ISP uplink on eth1 (DHCP / DHCPv6). The post says the ISP-provided address
# is static; the remote WireGuard client uses it as its endpoint.
config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'
config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0'

# Upstream Mullvad WireGuard client interface (member of MULLVADZONE in
# /etc/config/firewall). Listens on 51820; the remote-access server below
# uses 51821 so the two do not collide.
config interface 'MULLVAD'
        option proto 'wireguard'
# redacted placeholder
        option private_key 'mullvad-wireguard-privatekey='
        option listen_port '51820'
        list addresses 'mullvad.wireguard.ip.address/32'
        list addresses 'mullvad:wireguard:ip:address/128'
        option force_link '1'

config wireguard_MULLVAD
        option description 'my-mullvad-vpn'
# redacted placeholder
        option public_key 'mullvad-vpn-server-publickey='
# NOTE(review): route_allowed_ips '1' together with allowed_ips '0.0.0.0/0'
# installs a default route through MULLVAD. Replies from the 'vpn' listener
# to the remote peer presumably follow that default route into the tunnel
# instead of leaving via eth1 — consistent with the post's "handshake did not
# complete" symptom. Policy-based routing (the reply's suggestion) is what
# pins that traffic to wan; confirm with the live routing table.
        option route_allowed_ips '1'
# endpoint_host takes a hostname or address; the '/32' suffix looks like a
# redaction or paste artifact — confirm it is absent in the live config.
        option endpoint_host 'mullvad.vpn.server.ip/32'
        option endpoint_port '51820'
        list allowed_ips '0.0.0.0/0'

# Remote-access WireGuard server interface (member of the lan zone in
# /etc/config/firewall). listen_port 51821 matches the 'Allow-WireGuard'
# firewall rule; the tunnel subnet is 192.168.9.0/24 with the router at .1.
config interface 'vpn'
        option proto 'wireguard'
# redacted placeholder
        option private_key 'remote-access-vpn-privatekey='
        option listen_port '51821'
        list addresses '192.168.9.1/24'

# The single remote peer (phone). allowed_ips restricts what this peer may
# source to 192.168.9.2/32 and route_allowed_ips installs the route for it.
# No endpoint_host is set, consistent with the phone initiating the connection.
config wireguard_vpn 'wgclient'
# redacted placeholders
        option public_key 'phone-wireguard-client-publickey='
        option preshared_key 'phone-wireguard-client-preshared-key='
        option route_allowed_ips '1'
        list allowed_ips '192.168.9.2/32'

You need to use policy-based routing to run a client-type and a server-type WireGuard configuration simultaneously.

https://openwrt.org/docs/guide-user/network/routing/pbr
