Wireguard (Windscribe) will not allow internet access to any clients within allowed IPs

Hi,

I'm using a FTTP/PPPoE connection (Vigor 130 --> eth0 (WAN)) with OpenWRT 22.03.0 and I can't seem to get Windscribe configured and working. I will preface this by saying I'm very new to OpenWRT.

I was following this guide but for some reason as soon as I finish the configuration I lose all internet access to whichever IPs I have listed as allowed (192.168.5.0/24). If I leave it at the default 0.0.0.0/0 I lose internet access on everything. I think the only thing I did differently was to assign a manual DNS to the wireguard interface.

I found some instructions from Windscribe on the setup for DD-WRT and tried to cross-reference with the values etc. entered but it all looks fairly similar to what I'm doing, bar some DD-WRT specific checkboxes etc.

This is the config file I was provided:

[Interface]
PrivateKey = ***
Address = 100.92.241.115/32
DNS = 10.255.255.2

[Peer]
PublicKey = ***
AllowedIPs = 0.0.0.0/0
Endpoint = lhr-341-wg.whiskergalaxy.com:443
PresharedKey = ***

I'm not entirely sure why they seem to suggest adding a public IP to the wireguard interface but regardless it seems to make no difference to my connection status.

Is anybody able to point me in the direction of how I may troubleshoot this?

It is not a public IP. It is known as CG-NAT.

Let’s see your complete config.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

Ahh, I stand corrected.

OK - Will include below.

My goal is to route only traffic from my IOT zone / VLAN (br.lan95) through Wireguard; this traffic is for a specific SSID on my Ubiquiti AP.

Here are my steps for today:

  1. Reset to previous config without Wireguard interface / config
  2. Create a wg_zone firewall zone; reject, accept, reject, masq, clamping
  3. Create wg_vpn interface with settings provided by Windscribe, assign to wg_zone firewall
  4. Changed my IOT zone (196.168.5.0/24 subnet) to allow forwardings to wg_zone instead of wan

The result again is no internet access for any device specified as an "allowed IP" under the wireguard interface settings (when using route allowed IPs as per OpenWRT docs).

Network

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix ***

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'
        list ports 'eth4'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option device 'br-lan.91'

config interface 'wan'
        option device 'eth0'
        option proto 'pppoe'
        option username ***
        option password ***
        option ipv6 'auto'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'

config device
        option name 'eth0'

config interface 'modem'
        option proto 'static'
        option ipaddr '192.168.0.254'
        option netmask '255.255.255.0'
        option device 'eth0'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '91'
        option name 'br-lan.91'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '92'
        option name 'br-lan.92'

config bridge-vlan
        option device 'br-lan'
        option vlan '91'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'
        list ports 'eth4'

config bridge-vlan
        option device 'br-lan'
        option vlan '92'
        list ports 'eth4:t'

config interface 'WLAN'
        option proto 'static'
        option device 'br-lan.92'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '95'
        option name 'br-lan.95'

config interface 'IOT'
        option proto 'static'
        option device 'br-lan.95'
        option ipaddr '192.168.5.1'
        option netmask '255.255.255.0'

config bridge-vlan
        option device 'br-lan'
        option vlan '95'
        list ports 'eth4:t'

config interface 'wg_vpn'
        option proto 'wireguard'
        option private_key ***
        list addresses '100.92.241.115/32'
        option peerdns '0'
        list dns '10.255.255.2'

config wireguard_wg_vpn
        option description 'Windscribe-London-Custard.conf'
        option public_key ***
        option preshared_key ***
        option endpoint_host 'lhr-341-wg.whiskergalaxy.com'
        option endpoint_port '443'
        list allowed_ips '192.168.5.0/24'
        option route_allowed_ips '1'

Firewall

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'WLAN'

config zone
        option name 'iot'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'IOT'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'modem'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'iot'

config zone
        option name 'wg_zone'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wg_vpn'

config forwarding
        option src 'iot'
        option dest 'wg_zone'

Am I missing something super obvious? Do I need to do anything differently whilst using PPPoE on eth0?

Cheers!

Edit: Just to confirm - The wireguard keys / config work when using the Wireguard desktop application with the config imported. It seems to be an issue as soon as the "route allowed ips" is enabled, which maybe indicates an issue with wireguard -> internet/wan?

If you want some of your networks to reach the Internet via VPN and others to go direct unencrypted to your regular ISP, you need policy routing.

Setting allowed_ips to 0.0.0.0 and route_allowed_ips will set up the default routing table to send all Internet access by VPN. If the firewall doesn't allow lan->vpn forwarding for a particular lan, that lan will have no Internet access, even if you do have a rule allowing lan->wan forwarding. The firewall rules only set what is potentially allowed, the routing table(s) determine what route will actually be tried.


I thought I may be missing something in terms of a proper way to do this - Is policy routing a better way than specifying the 192.168.5.0/24 under allowed IPs?

I discovered this late last night, which is why for testing purposes I've since been trying to only allow it on 192.168.5.0/24 as that particular subnet only affects clients connected through one SSID so it doesn't bring my entire network down whilst I'm testing.

I had created a zone for the subnet interface above called IOT and allowed access to the wg_vpn zone but that didn't seem to work last night / this morning - Is this not enough?

They are two different things. The allowed ips is not the ip addresses that initiate the traffic, but rather the destination ip addresses (such as sites on the internet).

Policy routing allows differentiation of the routes based on policies you set - in your case it would be which network, but could also be types of traffic or other criteria.

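The two decision points the replies above describe (WireGuard matching a packet's destination against AllowedIPs, and policy routing picking a routing table by source subnet) can be modelled in a few lines. This is an added illustration, not OpenWrt, Windscribe or WireGuard code; the addresses, interface names and table name "vpn" are taken from this thread or constructed for the example.

```python
"""Model of WireGuard cryptokey routing vs. Linux policy routing.
Added example; not code from OpenWrt, Windscribe or WireGuard."""
from ipaddress import ip_address, ip_network


def wg_peer_for(dst, peers):
    """Cryptokey routing: longest-prefix match of the *destination* against
    each peer's AllowedIPs. None means no peer matches and WireGuard drops
    the packet, which is why AllowedIPs=192.168.5.0/24 gives no Internet."""
    best = None
    for name, allowed in peers.items():
        for net in map(ip_network, allowed):
            if ip_address(dst) in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None


def egress_for(src, dst, rules, tables):
    """Policy routing: the first 'ip rule' whose source prefix covers src
    selects a table (falling back to 'main'); the longest matching route in
    that table names the egress interface. Firewall zones never change this."""
    chosen = "main"
    for src_net, table in rules:
        if ip_address(src) in ip_network(src_net):
            chosen = table
            break
    match = None
    for target, dev in tables[chosen]:
        net = ip_network(target)
        if ip_address(dst) in net and (match is None or net.prefixlen > match[1]):
            match = (dev, net.prefixlen)
    return match[0] if match else None


# Constructed data modelled on the thread's configs.
PEER_SUBNET_ONLY = {"windscribe": ["192.168.5.0/24"]}   # the failing setup
PEER_DEFAULT = {"windscribe": ["0.0.0.0/0"]}            # the working setup
RULES = [("192.168.5.0/24", "vpn")]                     # only the IOT subnet
TABLES = {
    "main": [("0.0.0.0/0", "pppoe-wan")],
    "vpn": [("0.0.0.0/0", "wg_vpn"), ("192.168.0.0/16", "br-lan")],
}

if __name__ == "__main__":
    print(wg_peer_for("1.1.1.1", PEER_SUBNET_ONLY))            # None: dropped
    print(wg_peer_for("1.1.1.1", PEER_DEFAULT))                # windscribe
    print(egress_for("192.168.5.20", "1.1.1.1", RULES, TABLES))  # wg_vpn
    print(egress_for("192.168.1.20", "1.1.1.1", RULES, TABLES))  # pppoe-wan
```

The same source-subnet rule plus a dedicated table is what the VPN Policy Routing package sets up for you on OpenWrt.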

Also note that Wireguard can't handle two clients simultaneously connecting with the same keys (as it uses the public key to identify routes to a client), so be sure to disable Wireguard on the desktop before using OpenWrt with the same keys.


Well, you guys hit the nail on the head here. I was wrongly assuming that the "allowed ips" were the source IPs.

So I renewed my configuration and changed allowed ips to 0.0.0.0/0, allowed LAN/IOT zones to forward to wg_zone and ticked the route allowed IP box and it is now successfully applying to my connection.

I just need to somehow figure out how to do the policy based routing stuff for my one subnet instead of the whole connection.

Edit: I achieved what I was looking for with the VPN Policy Routing luci package.
