Any working PPTP VPN Server setup instructions out there?

Can you show a screenshot of your Android setup?

Right. This is where the ddns address should go.
You can put any valid domain name in there for the purpose of showing us that it is not parsing. For example, wireguard.ddns.com (a bogus address, at least AFAIK), but valid in syntax.

For some reason it's not letting me do a screenshot.
I added the port number and it took it.

Meanwhile, I blocked the guy hammering me and he told all his friends and now they are hammering my SSH port. So I'm going to try to shut them down and may lose connectivity myself.

Although I don't like PPTP, if you can still use that, you'll be able to make further adjustments (as needed) until the WG interface is working.

But does the WG interface connect now?

It doesn't give any errors but it doesn't work either. No connections through the vpn. Remember, pptp didn't work either.

I got the guy's friends blocked for now, but it's only a matter of time before he switches VPNs and starts hammering again.

Nothing is showing up in the logs when I connect and disconnect on the app. Seems like it would say something. I'm using logread, is there a better one?

oh... ok. Forgot about that.

This doesn't show up in the log... I assume because of the log spam this would cause due to the stateless interface.
wg show will tell you what you need.

So, since you said you were going to regenerate keys, now would be a good time to do this.

  • When you create the new keys, you'll have a total of 4 keys
    • public and private for each of the peers.
  • Make sure that the OpenWrt side gets a private key (which will be placed in the wg interface definition under private key)
  • The corresponding public key will be placed in the Android side in the peer config section public key
  • You will then have another set of keys for the Android side. The private key here will go in the interface configuration, and the corresponding public key will be placed in the peer config of the OpenWrt side (public key).

It is really easy to mix up the keys since it is not possible to distinguish a private key from a public one at a human level.

And verify that the preshared key has been removed from both sides (for now anyway).


After seeing that guy hammer me, I am now unwilling to use PPTP. I will use wireguard or nothing at all.

I used "wg show" and there is no reference to psk there or in the phone.
The public key on the router matches the peer key on the phone, however the peer key on the router is not the same as the public key on the phone.

I can regenerate the keys with no problem, but I cannot use the QR code feature to load them.

:+1:

As I said above, the key exchange can get messed up fairly easily. Work with one set at a time as I described to make sure you get the correct keys in the right places.

I generated the following new keys:

wgclient.key
wgclient.pub
wgserver.key
wgserver.pub

I moved them around but probably not correctly. Could you say which specific key goes where?

The Android app does have log files and active ones.

The Android app log says that it's trying to handshake, but that it did not complete, and then it repeats.

I'm going to share some (throwaway) keys here. Feel free to use them for the purposes of testing only. Once you know that this works, generate your own keys. Obviously these keys are no longer secure because they have been shared in a public forum.

 wg genkey | tee private.key | wg pubkey > public.key

This generates two keys -- one private and one public. They are related to each other (the public key is derived from the private key).

This is the private key: uEgOza1DFx/FxfWCKRr6gWTrsHWnPHmG03WIYFKgp2w=
so it belongs in the WG interface configuration:

config interface 'vpn'
        option proto 'wireguard'
        option private_key 'uEgOza1DFx/FxfWCKRr6gWTrsHWnPHmG03WIYFKgp2w='
        option listen_port '51820'
        list addresses '192.168.9.1/24'

The related public key is: 8amswSNMkhFECgkDnpALk9GRG49RVqVASOOIPN3sMRU= -- this one must be transferred to the Android WG config, and it will be placed in the public key field for the peer config.

Running the command again, I get another set of keys.
private: wIlbhzVWo5zff1lMvmbdaHiqvBnmcsgQjL3J1SUHJGw=
public: gvupHx4oCFPb6VqrjRslCnl3IBZjNYSraW8KSYfMeH8=

This private key from this second set goes into the private key field of the Android WG interface definition.
The public key goes into the OpenWrt side in the peer config file public key section:

config wireguard_vpn 'wgclient'
        option public_key 'gvupHx4oCFPb6VqrjRslCnl3IBZjNYSraW8KSYfMeH8='
        list allowed_ips '192.168.9.2/32'

Also, I noticed that you are missing a directive in the OpenWrt peer config...
option route_allowed_ips '1' should be added to the peer config to look like this:

config wireguard_vpn 'wgclient'
        option public_key 'gvupHx4oCFPb6VqrjRslCnl3IBZjNYSraW8KSYfMeH8='
        list allowed_ips '192.168.9.2/32'
        option route_allowed_ips '1'

So we have....

wgclient.key - Goes to the private key field of the interface section of the app.
wgclient.pub - Goes to the 'config wireguard_vpn' section of /etc/config/network under public_key.
wgserver.key - Goes to the "config interface 'vpn'" section of the network file under private_key.
wgserver.pub - Goes to the app peer config public key field.
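The key placement recapped above, as an added example that is not code from this thread, from OpenWrt or from the WireGuard project: a pure-Python X25519 (RFC 7748) that reproduces what `wg pubkey` does, so you can check offline whether the peer public key on one side really belongs to the private key on the other side (the mismatch reported earlier in the thread), and render both configs from one pair of key pairs so nothing is pasted by hand. The address plan (192.168.9.1/24 on the router, 192.168.9.2/32 on the phone), the listen port 51820 and the option names are taken from the configs posted above; the endpoint hostname, `AllowedIPs = 0.0.0.0/0` (full tunnel, matching the WhatsMyIp result reported later) and `PersistentKeepalive = 25` are assumptions.

```python
"""Added example: WireGuard key derivation, pairing check and config rendering.
Not from the forum thread, OpenWrt or the WireGuard project. Uses only the
standard library; the X25519 ladder follows RFC 7748 section 5."""
import base64
import os

P = 2**255 - 19                  # Curve25519 field prime
A24 = 121665                     # (486662 - 2) / 4
BASEPOINT = b"\x09" + b"\x00" * 31   # u = 9, little-endian, 32 bytes


def _clamp(sk: bytes) -> int:
    """Apply the X25519 scalar clamping before the ladder."""
    k = bytearray(sk)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(sk: bytes, u_bytes: bytes) -> bytes:
    """RFC 7748 Montgomery ladder. Illustrative only: the swaps below are
    not constant-time, so do not lift this into production code."""
    k = _clamp(sk)
    u = int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def wg_genkey() -> str:
    """Same output shape as `wg genkey`: 32 random bytes, base64."""
    return base64.b64encode(os.urandom(32)).decode()


def wg_pubkey(private_b64: str) -> str:
    """Same as `wg pubkey`: derive the base64 public key from a private key."""
    sk = base64.b64decode(private_b64)
    if len(sk) != 32:
        raise ValueError("WireGuard keys are exactly 32 bytes")
    return base64.b64encode(x25519(sk, BASEPOINT)).decode()


def peer_matches(local_private_b64: str, remote_peer_public_b64: str) -> bool:
    """True if the public key the remote side lists for us is really ours.
    This is the check that would have caught the router/phone mismatch."""
    return wg_pubkey(local_private_b64) == remote_peer_public_b64


def shared_secret(own_private_b64: str, peer_public_b64: str) -> str:
    """Static DH both sides compute; equal on both ends only if the keys pair up."""
    sk = base64.b64decode(own_private_b64)
    pk = base64.b64decode(peer_public_b64)
    return base64.b64encode(x25519(sk, pk)).decode()


def render_openwrt(server_private: str, client_public: str, port: int = 51820) -> str:
    """/etc/config/network fragment with the thread's option names and addresses."""
    return (
        "config interface 'vpn'\n"
        "        option proto 'wireguard'\n"
        f"        option private_key '{server_private}'\n"
        f"        option listen_port '{port}'\n"
        "        list addresses '192.168.9.1/24'\n\n"
        "config wireguard_vpn 'wgclient'\n"
        f"        option public_key '{client_public}'\n"
        "        list allowed_ips '192.168.9.2/32'\n"
        "        option route_allowed_ips '1'\n"
    )


def render_android(client_private: str, server_public: str, endpoint: str, port: int = 51820) -> str:
    """Android app .conf (importable via file or QR). Endpoint host, full-tunnel
    AllowedIPs and the keepalive interval are assumptions, not from the thread."""
    return (
        f"[Interface]\nPrivateKey = {client_private}\nAddress = 192.168.9.2/32\n\n"
        f"[Peer]\nPublicKey = {server_public}\nEndpoint = {endpoint}:{port}\n"
        "AllowedIPs = 0.0.0.0/0\nPersistentKeepalive = 25\n"
    )


def self_check() -> bool:
    """Generate both pairs, confirm each side's peer entry matches, and that
    a swapped public key is detected. Returns True when all checks pass."""
    server_key, client_key = wg_genkey(), wg_genkey()
    server_pub, client_pub = wg_pubkey(server_key), wg_pubkey(client_key)
    ok = peer_matches(server_key, server_pub) and peer_matches(client_key, client_pub)
    ok = ok and not peer_matches(server_key, client_pub)   # the mix-up from the thread
    ok = ok and shared_secret(server_key, client_pub) == shared_secret(client_key, server_pub)
    return ok


if __name__ == "__main__":
    srv, cli = wg_genkey(), wg_genkey()
    print(render_openwrt(srv, wg_pubkey(cli)))
    print(render_android(cli, wg_pubkey(srv), "wireguard.ddns.com"))  # assumed hostname
    print("pairing consistent:", self_check())
```

Paste the router half into /etc/config/network (or use the equivalent `uci set` lines) and import the Android half on the phone; if the app's handshake keeps retrying afterwards, run `peer_matches` with the router's `private_key` and the phone's peer `PublicKey` before touching anything else, because a swapped key produces exactly that silent retry loop.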

OK, this seems to work. The problem is that the app seems to want to generate its own private key. If the <^v> button is hit accidentally, it will change the private and public key to a random value. Might be easier to just copy the public key from the phone into the network file on the router. I'll just have to be sure not to touch that button.

So at this time, it lets me access the openwrt web page of the wired router from the android phone. WhatsMyIp.com reports the wired OpenWrt server's IP address.

So thanks for all your help, it seems to work now. I will take the remaining PPTP stuff off the router next time I am there. I don't think it will hurt anything for the time being since it doesn't work anyway.

The OpenWrt instructions at https://openwrt.org/docs/guide-user/services/vpn/wireguard/server do not seem to have anything that would generate the line...

option route_allowed_ips '1'

I'm not sure how big of a problem its absence caused, but it doesn't seem to be there. They mess with the EEPROM storage directly rather than just putting it in the file. That makes it a bit more confusing.

I removed all references to PPTP using the LuCI -> System -> Software menu. Rebooted and for some reason, the WireGuard tunnel never kicked me off. It did kick me off the SSH channel.

So thanks again. Now I need to find a way to properly secure SSH. Looks like I might be able to enable and disable it using the WireGuard tunnel.

You can safely remove this rule now (more to the point, as you have been observing, this should not be enabled anyway).

You will be able to access the router via wireguard because wireguard accepts input based on the firewall zone. When you are connected via the WG tunnel, you will be able to access the router's admin interface using the LAN IP of the router (192.168.1.1)

I noticed a typo in the firewall zone declaration for the vpn that I had provided earlier. It should look like this:

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'vpn'

Are you sure that 'vpn' should be removed? The others, like 'lan', have it named in the 'config zone' line. What is the difference?

I forgot about the following lines, which were added to /etc/firewall.user when attempting to make PPTP work. Should these be removed now? What about other references to ppp+?

iptables -A input_rule -i ppp+ -j ACCEPT
iptables -A output_rule -o ppp+ -j ACCEPT

# This rule will allow traffic towards internet
iptables -A forwarding_rule -i ppp+ -j ACCEPT

I will soon be experimenting with the 4G modem to see how it performs with the wired VPN. I saw that WireGuard has an option for how far apart the keepalive pings are. I need to test that.

You can probably leave it there, but I'd fix the option name match... you don't want to be redefining the lan zone accidentally.

You can remove these ppp+ lines, for sure. And you've probably already removed the PPTP firewall rule. You can also delete the PPTP-related config file.

You'll want to create a new peer on your wired ISP side. When you setup WG on the 4G network, you'll create a new key pair -- the private key will stay on the 4G side, and you'll transfer the public key to the new peer you configure on the wired network. Then you'll create a peer on the 4G side and set it up just like you did with the Android config (public key from the wired peer and most of the other settings will be the same except for the interface IP).

The original config zone header has 'vpn' appended like all the other config zones. However, I just noticed that you were likely referring to the Option Name with 'lan' instead of 'vpn'. I changed it to 'vpn'.

I deleted the ppp lines in firewall.user and one in config/firewall.

What is the general procedure for setting up rules to make the 4G OpenWrt client selectively put certain devices on the VPN and leave others untouched?

VPN Policy Based Routing

Thanks for helping out. Configuring a VPN is not trivial when you have to do it manually.

To recap, OpenVPN does have a better OpenWrt interface. WireGuard would be much easier to configure if it had a similar GUI interface. The QR code thing was handy, but that only works if everything on the server side is already configured. Generating the keys only does just that, and the keys must be added to the correct router config files manually. Perhaps one day the OpenWrt developers will add a bit more automation to the process. It does seem that WireGuard is the way to go. It's a shame it is currently handicapped like this.