Asus AC57U - Wireguard server configuration on 22.03.5 OpenWRT release

Hi guys!

I already configured successfully a Wireguard server on my Raspberry 4 with its own OS onboard and I'd like to do the same on my Asus AC57U with OpenWRT onboard, but I can't understand what's wrong with the configuration.

I have an ISP router on 192.168.1.1 (dyndns service working on it) and the Asus is in DUMB AP modality (all the switch ports bridged together), on 192.168.1.99.

I've followed this page: https://openwrt.org/docs/guide-user/services/vpn/wireguard/server

I've double checked all the keys, ports and ddns link, but I can't make my client (I'm using an Android phone to do tests) get connected with the WG server.

What else could I check?

Thanks in advance for the reply!

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall
wg show


config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fd2e:58ab:7804::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'wan'
        list ports 'wg0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.99'
        list dns '192.168.1.1'
        option gateway '192.168.1.1'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'REDACTED='
        option listen_port '51820'
        list addresses '10.14.0.1/24'

config wireguard_wg0
        option description 'Client1'
        option public_key 'REDACTED='
        option private_key 'REDACTED='
        list allowed_ips '10.14.0.2/32'
        option route_allowed_ips '1'
cat /

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg0'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Allow-Wireguard'
        list proto 'udp'
        option src '*'
        option src_port '51820'
        option dest '*'
        option dest_port '51820'
        option target 'ACCEPT'
        list src_ip '192.168.1.1'
        list dest_ip '192.168.1.99'


interface: wg0
  public key: REDACTED=
  private key: (hidden)
  listening port: 51820

peer: REDACTED=
  endpoint: 192.168.1.1:53457
  allowed ips: 10.14.0.2/32
  latest handshake: 2 minutes, 14 seconds ago
  transfer: 356.26 KiB received, 3.41 KiB sent

Remove wg from br-lan - it cannot be bridged since it is a different network and requires L3 (routing) to function.

Since you're using your device as a dumb AP, you need to do one of two things...

  1. put the wireguard network into a different firewall zone and enable masquerading on the lan zone
    -or-
  2. set a static route on your main router for 10.14.0.0/24 via 192.168.1.99

If you go with option 1, it would look like this:
remove wg0 from the lan zone, and then enable masquerading so that the lan zone looks like this:

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        option masq '1'

Then put wg0 into its own zone and add a forwarding stanza to allow wg > lan

config zone
        option name 'wg'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wg0'

config forwarding
        option src 'wg'
        option dest 'lan'
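The two mistakes called out in the reply above (a WireGuard interface listed as a bridge port, and the WireGuard network sharing the lan zone without masquerading or its own zone and forwarding) are easy to re-introduce when editing /etc/config/* by hand. The following is an added example, not code from the thread or from OpenWrt: a small parser for UCI config text plus an audit that flags both problems. The `audit`, `parse_uci` and check function names and the abbreviated sample configs are constructed for this example; the sample values mirror the ones posted above.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Section:
    """One 'config <type> [name]' stanza with its option/list entries."""
    type: str
    name: Optional[str]
    options: dict = field(default_factory=dict)
    lists: dict = field(default_factory=dict)

# config/option/list <key> ['value' | value]
_LINE = re.compile(r"^(config|option|list)\s+(\S+)(?:\s+(?:'([^']*)'|(\S+)))?$")

def parse_uci(text: str) -> list:
    """Parse UCI text (as printed by cat /etc/config/<file>) into Section objects."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparseable UCI line: {raw!r}")
        kind, key, quoted, bare = m.groups()
        value = quoted if quoted is not None else bare
        if kind == "config":
            sections.append(Section(key, value))
        elif not sections:
            raise ValueError("option/list before any config stanza")
        elif kind == "option":
            sections[-1].options[key] = value
        else:
            sections[-1].lists.setdefault(key, []).append(value)
    return sections

def wireguard_interfaces(network) -> set:
    return {s.name for s in network
            if s.type == "interface" and s.options.get("proto") == "wireguard"}

def check_bridge_ports(network) -> list:
    """Mistake 1: a WireGuard (L3) interface listed under 'list ports' of a bridge."""
    wg = wireguard_interfaces(network)
    return [f"{p} is a port of bridge {s.options.get('name')}: WireGuard is a routed "
            f"interface and cannot be bridged"
            for s in network if s.type == "device" and s.options.get("type") == "bridge"
            for p in s.lists.get("ports", []) if p in wg]

def check_firewall_zones(network, firewall) -> list:
    """Mistake 2: on a dumb AP the WireGuard subnet needs its own zone, a wg->lan
    forwarding and masquerading on lan (or a static route on the main router,
    which a config file on the AP cannot show)."""
    findings, zone_of = [], {}
    for z in (s for s in firewall if s.type == "zone"):
        for net in z.lists.get("network", []):
            zone_of[net] = z
    forwardings = {(s.options.get("src"), s.options.get("dest"))
                   for s in firewall if s.type == "forwarding"}
    lan_zone = zone_of.get("lan")
    for iface in sorted(wireguard_interfaces(network)):
        zone = zone_of.get(iface)
        if zone is None:
            findings.append(f"{iface} is not covered by any firewall zone")
        elif zone is lan_zone:
            findings.append(f"{iface} shares zone '{zone.options.get('name')}' with lan: "
                            f"move it to its own zone with a forwarding to lan")
        else:
            zname = zone.options.get("name")
            if (zname, "lan") not in forwardings:
                findings.append(f"no 'config forwarding' from zone '{zname}' to 'lan'")
            if lan_zone is None or lan_zone.options.get("masq") != "1":
                findings.append("lan zone does not masquerade: without 'option masq 1' the "
                                "main router needs a static route for the WireGuard subnet")
    return findings

def audit(network_text: str, firewall_text: str) -> list:
    network, firewall = parse_uci(network_text), parse_uci(firewall_text)
    return check_bridge_ports(network) + check_firewall_zones(network, firewall)

# Constructed samples, abbreviated from the configs posted above.
NETWORK_BAD = """
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'wg0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.99'

config interface 'wg0'
        option proto 'wireguard'
        option listen_port '51820'
        list addresses '10.14.0.1/24'
"""
NETWORK_GOOD = NETWORK_BAD.replace("        list ports 'wg0'\n", "")

FIREWALL_BAD = """
config zone
        option name 'lan'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg0'
"""
FIREWALL_GOOD = """
config zone
        option name 'lan'
        option forward 'ACCEPT'
        list network 'lan'
        option masq '1'

config zone
        option name 'wg'
        option forward 'ACCEPT'
        list network 'wg0'

config forwarding
        option src 'wg'
        option dest 'lan'
"""

if __name__ == "__main__":
    for label, net, fw in (("as posted", NETWORK_BAD, FIREWALL_BAD),
                           ("after the fix", NETWORK_GOOD, FIREWALL_GOOD)):
        print(f"{label}: {audit(net, fw) or ['no findings']}")
```

Run it on the router with `python3 audit.py` after replacing the sample strings with the output of `cat /etc/config/network` and `cat /etc/config/firewall`; an empty list means both conditions from the reply are satisfied. The static-route alternative (option 2 above) lives on the main router, so the masquerade finding is informational when that route exists.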

To limit exposure, I have redacted the keys from the config. I would highly recommend regenerating keys as soon as things are working because the ones you posted should be considered compromised (even though they are now redacted... just replace them).


Thanks a lot! Now I can connect from my Android device to the Wireguard server, using the client .conf file I've made! I've also regenerated the keys, as you suggested.

I'm doing some tests right now and I've found that the download speed on my phone, with Wireguard turned on, is around 20Mbps. The ISP max speed is around 85Mbps.

Is this the fastest connection can I do with this system? I've found that Raspberry has the same performance.

Is it 85 up/85 down? Or is it more like 20 up?

I'd have to look at the SoC in that router, but it's probably going to be in the neighborhood of 20-50Mbps max, maybe less. Your upload speeds on your ISP connection may be the bottleneck.

ISP speed is 85 up/20 down.

Asus AC57U has MediaTek MT7621 CPU.

Yup... ISP is the bottleneck. Although I would guess that it is 85 down and 20 up since most ISPs provide either symmetric bandwidth or greater download speeds than upload.


Ok, so it's another proof that this router is, for what I need, very solid.

Thanks again for the help!

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.