Zyxel LTE3301-PLUS with Wireguard

Hi - I am very new with OpenWRT :wink:

I installed OpenWRT on a Zyxel LTE3301-PLUS and WLAN (server and client) and WAN via LTE is working.

Now I want to set up a Wireguard client as well. I have an account on a server (to get an IPv6 address over the mobile network), so I entered all of its data in the Wireguard setup.

My question now: how do I send the data traffic over this VPN connection? I probably forgot something - the traffic still goes directly over LTE (IPv4 only).

As said - I am new with OpenWRT :wink: Thanks.

https://openwrt.org/docs/guide-user/network/routing/pbr

Thanks for that. As I see the default gateway is still on the LTE interface - I can't see how to change it to the wg0 (Wireguard) interface.

Did you enable Route Allowed IPs in the Peer section of the WG interface?

Thanks, your hint did change the default gateway to wg0. But there must be another problem with Wireguard - no traffic gets through.

Please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

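Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have. Check every output, because the same value can appear in more than one place (for example, the VPN endpoint is in the network config, in the routing table and in the `wg show` output):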

# Board, kernel and firmware release information.
ubus call system board
# Interface definitions. For a WireGuard interface this file holds the
# private key, the peer's public and preshared keys and the endpoint host:
# replace those values before posting.
cat /etc/config/network
# dnsmasq / odhcpd (DNS and DHCP) settings.
cat /etc/config/dhcp
# Firewall defaults, zones, forwardings and rules.
cat /etc/config/firewall
# IPv4 routing table. It can contain a host route to the VPN endpoint's
# public address, so redact it here as well as in the config.
ip route show
# WireGuard runtime state. Private and preshared keys are printed as
# "(hidden)", but public keys and the endpoint address:port are shown.
wg show

Here we go:
Edit: Link deleted

Please don't use external sites for your config... instead, please post them directly into the forum:

Please use the "Preformatted text </>" button for logs, scripts, configs and general console output.
Please edit your post accordingly. Thank you! :slight_smile:

root@OpenWrt:~# ubus call system board
{
	"kernel": "5.15.150",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7621 ver:1 eco:4",
	"model": "ZyXEL LTE3301-Plus",
	"board_name": "zyxel,lte3301-plus",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.3",
		"revision": "r23809-234f1a2efa",
		"target": "ramips/mt7621",
		"description": "OpenWrt 23.05.3 r23809-234f1a2efa"
	}
}
root@OpenWrt:~# cat /etc/config/network

# /etc/config/network as posted: loopback, LAN bridge, an LTE modem uplink,
# a DHCP 'wwan' interface and a WireGuard client interface with one peer.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdb0:39bc:4d7d::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wwan'
	option proto 'dhcp'

# LTE uplink via ModemManager; iptype 'ipv4' requests an IPv4-only bearer,
# which matches the poster's statement that LTE carries IPv4 only.
config interface 'LTE'
	option proto 'modemmanager'
	option device '/sys/devices/platform/1e1c0000.xhci/usb2/2-1'
	option apn 'internet'
	option auth 'none'
	option iptype 'ipv4'
	option loglevel 'ERR'
	option delegate '0'

# WireGuard client interface. The private key is redacted ('***') in the post.
config interface 'wg0'
	option proto 'wireguard'
	option private_key '***'
	list addresses '10.66.66.2/32'
	list addresses 'fd42:42:42::2/128'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	option delegate '0'

# Single peer for wg0. Keys and endpoint host are redacted here.
# NOTE(review): the static host route in the `ip route show` output further
# down the page appears to be the route to this endpoint, so the address is
# still disclosed there -- redact it in both places.
config wireguard_wg0
	option description 'Imported peer configuration'
	option public_key '***'
	option preshared_key '***'
	# 0.0.0.0/0 and ::/0 together with route_allowed_ips '1' send all IPv4
	# and IPv6 traffic into the tunnel (see "default dev wg0" in the routing
	# table output). `ip route show` lists IPv4 only; the IPv6 default route
	# would appear in `ip -6 route show`.
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
	option endpoint_host '***'
	option endpoint_port '65475'
	option persistent_keepalive '25'
	option route_allowed_ips '1'

root@OpenWrt:~# cat /etc/config/dhcp

# /etc/config/dhcp as posted: dnsmasq options, the LAN DHCP/RA pool, a
# disabled 'wan' entry and odhcpd settings.
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	# DNS rebinding protection is switched on (both options set to '1').
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

# DHCPv4, DHCPv6 and router advertisements are all served on the lan interface.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

# ignore '1' disables DHCP service for this entry. The network config posted
# on this page defines no interface named 'wan' (uplinks are 'LTE', 'wwan'
# and 'wg0').
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

root@OpenWrt:~# cat /etc/config/firewall

# /etc/config/firewall as posted: global defaults, a lan and a wan zone,
# per-protocol allow rules, the pbr include and two zone forwardings.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

# wan zone: covers the LTE, wwan and wg0 interfaces.
# NOTE(review): input 'ACCEPT' here means packets addressed to the router
# itself from the mobile network or from the tunnel are accepted, so any
# service listening on those interfaces is reachable from outside the LAN.
# A stock OpenWrt wan zone uses input 'REJECT'; confirm ACCEPT is intended.
# With input 'ACCEPT' the individual "Allow-*" input rules below add nothing.
config zone
	option name 'wan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# masq '1' masquerades IPv4 leaving this zone. No masq6 option is set;
	# how LAN IPv6 traffic is expected to be sourced through wg0 is not
	# visible here -- TODO confirm against the VPN provider's setup.
	option masq '1'
	option mtu_fix '1'
	list network 'LTE'
	list network 'wwan'
	list network 'wg0'

# LAN clients may open connections towards the wan zone.
config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# Rate-limited ICMPv6 accepted on the router itself from the wan zone.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Rate-limited ICMPv6 forwarded from the wan zone to any destination zone.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# ESP and UDP/500 (ISAKMP) are forwarded from wan to lan.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Script include whose path points into /usr/share/pbr.
config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

# NOTE(review): this allows connections initiated from the wan zone (LTE,
# wwan, wg0) to be forwarded into lan, for every protocol and port. A stock
# configuration only has the lan -> wan forwarding above. Combined with
# input 'ACCEPT' on the wan zone, the firewall no longer separates the LAN
# from the uplinks; remove this section unless it is deliberately required.
config forwarding
	option src 'wan'
	option dest 'lan'

root@OpenWrt:~# ip route show
default dev wg0 proto static scope link 
10.63.72.0/28 dev wwan0 proto kernel scope link src 10.63.72.8 
162.19.251.145 via 10.63.72.9 dev wwan0 proto static 
192.168.2.0/24 dev br-lan proto kernel scope link src 192.168.2.1 
root@OpenWrt:~# wg show
interface: wg0
  public key: ***
  private key: (hidden)
  listening port: 36665

peer: ***
  preshared key: (hidden)
  endpoint: ***:65475
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 31 minutes, 43 seconds ago
  transfer: 10.30 KiB received, 355.73 KiB sent
  persistent keepalive: every 25 seconds

Hmm - apparently not so clear where the error lies...