I am tearing my hair out, having so far failed to set up a Wireguard connection from my Android client to the OpenWRT server. I have found lots of OpenWRT-specific tutorials and instructions, including the "official" one on the Wiki, but no matter what I try I seem to fail. Also, the instructions are contradictory on several points, both on which configuration parameters are optional vs required and on what the values should be. Many instructions are from 2018 or 2019 and I don't know if things have changed since then; the LuCI interface in the screenshots is different, and many instructions refer to directories on the file system that don't exist.
Does anyone have "the authoritative guide" for setting this up?
At the moment, this is the non-working setup:
/etc/config/network
config rule
	option target 'ACCEPT'
	option src 'wan'
	option dest_port '51820'
	option name 'Wireguard'
	option proto 'udp'
Also, in your config is the DDNS address for your router? Or does the Android device have a DDNS setup? If it's the former (which seems more likely) then you should delete the two endpoint lines, i.e.:
Just to say that after updating WireGuard for Windows to version 0.5.1 the tunnel with OpenWrt no longer works; everything still works with Android and macOS.
If you are testing with Windows, use an older version.
config redirect
	option target 'ACCEPT'
	option src 'wan'
	option dest_port '51820'
	option name 'Wireguard'
	option proto 'udp'
...and the client has 192.168.10.2/32 as "Addresses" in the interface.
Unfortunately, it is not working.
What should I have in the OpenWRT LuCI field for the peer (in the Interfaces section) for "Allowed IPs", and should "Route allowed IPs" be ticked or not?
The allowed IPs setting is definitely important as it defines what traffic is allowed into and out of the tunnel. So on the OpenWRT end, the Allowed IPs setting is essentially saying that traffic destined for 192.168.10.2/32 (i.e. your Android device) is allowed into the tunnel and traffic from that address is allowed out of the tunnel.
The route allowed IPs setting is less important when you have given the wireguard interface a /24 subnet and are using address from that for peers. In that case OpenWRT will already have a route because of the interface address. Where that setting is more important is if you were setting up a site to site VPN and would have the appropriate subnets for each side in the allowed IPs of the relevant peers. In that case you either need to have route allowed IPs set to 1 or set up static routing manually.
As for your current issues, are you getting a handshake yet? If not, have you restarted the WG interface since you made changes? You should also double check the keys are all correct.
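The allowed IPs / route allowed IPs distinction above can be checked mechanically against the UCI text. The following is an added example, not code from the thread or from OpenWrt: it parses a constructed `/etc/config/network` fragment (interface `wg0`, peers `android` and `branch-office`, all keys omitted) and reports, for each peer prefix, whether the router already has a route via the interface address or whether `route_allowed_ips` / a static route is required.

```python
import ipaddress
# Constructed sample of /etc/config/network WireGuard sections (not from the thread; keys omitted):
# wg0 owns 192.168.10.1/24, the Android peer is inside that subnet, the branch peer is not.
SAMPLE_CONFIG = """
config interface 'wg0'
    option proto 'wireguard'
    list addresses '192.168.10.1/24'
config wireguard_wg0
    option description 'android'
    list allowed_ips '192.168.10.2/32'
config wireguard_wg0
    option description 'branch-office'
    list allowed_ips '10.20.0.0/24'
    option route_allowed_ips '0'
"""

def parse_uci(text):
    """Minimal UCI parser: list of (section_type, section_name, {key: [values]})."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            parts = line.split()
            name = parts[2].strip("'\"") if len(parts) > 2 else None
            sections.append((parts[1], name, {}))
        elif line.startswith(("option ", "list ")):
            _, key, value = line.split(None, 2)
            sections[-1][2].setdefault(key, []).append(value.strip("'\""))
    return sections

def check_peer_routes(text, iface="wg0"):
    """Classify each peer's allowed_ips prefix by how (or whether) the router gets a route to it."""
    sections = parse_uci(text)
    subnets = [ipaddress.ip_network(a, strict=False) for stype, name, opts in sections
               if stype == "interface" and name == iface for a in opts.get("addresses", [])]
    peers = [opts for stype, _, opts in sections if stype == "wireguard_" + iface]
    report = {}
    for opts in peers:
        routed = opts.get("route_allowed_ips", ["0"])[0] == "1"   # LuCI "Route Allowed IPs"
        for cidr in opts.get("allowed_ips", []):
            net = ipaddress.ip_network(cidr, strict=False)
            if any(net.version == s.version and net.subnet_of(s) for s in subnets):
                status = "covered by interface subnet"          # route exists already
            elif routed:
                status = "routed via route_allowed_ips"
            else:
                status = "needs route_allowed_ips '1' or a static route"
            report[opts.get("description", ["?"])[0] + " " + cidr] = status
    return report
```

On a real router the same check can be run over the output of `cat /etc/config/network`; it only reads the config text and never touches uci itself.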
Let's see the latest config files to make sure everything is correct. Please provide the complete files (redact the keys and any other private info, but leave all RFC1918 IP addresses intact).
Well, whaddayaknow... a reboot of the OpenWRT router solved not just the Wireguard issue, but also my non-functioning DDNS service. Lesson: don't be too afraid to reboot.
I would like to thank @krazeh for his super-quick and patient responses and @psherman for his sage advice. As a recent adopter of OpenWRT, the level of helpfulness on this forum is winning me over and making me doubt any plans to defect to e.g. RouterOS.
P.S. I still think there is a need for a definitive guide for setting up Wireguard on OpenWRT. Perhaps one day I'll write it.