Best guide for setting up Wireguard?

I am tearing my hair out, having so far failed to set up a Wireguard connection from my Android client to the OpenWRT server. I have found lots of OpenWRT-specific tutorials and instructions, including the "official" one on the Wiki, but no matter what I try I seem to fail. Also, the instructions are contradictory on several points, both on which configuration parameters are optional vs. required and on what the values should be. Many instructions are from 2018 or 2019 and I don't know if things have changed since then; the Luci interface in the screenshots is different, and many instructions refer to directories on the file system that don't exist.

Does anyone have "the authoritative guide" for setting this up?

At the moment, this is the non-working setup:
/etc/config/network

config interface 'WG0'
        option proto 'wireguard'
        option listen_port '51820'
        list addresses '192.168.10.1/24'
        option private_key '<REDACTED>'

config wireguard_WG0
        option description 'My Android'
        option public_key '<REDACTED>'
        list allowed_ips '192.168.10.2/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option endpoint_host '<my DDNS address>'
        option endpoint_port '51820'

/etc/config/firewall:

config redirect
        option target 'DNAT'
        option name 'Wireguard'
        option src 'wan'
        option src_dport '51820'
        option dest 'lan'
        option dest_port '51820'

not a guide, really ...

Well that's wrong for a start.

It should be

config rule
        option target 'ACCEPT'
        option src 'wan'
        option dest_port '51820'
        option name 'Wireguard'
        option proto 'udp'

Also, in your config is the DDNS address for your router? Or does the Android device have a DDNS setup? If it's the former (which seems more likely) then you should delete the two endpoint lines, i.e.:

        option endpoint_host '<my DDNS address>'
        option endpoint_port '51820'

Just to say that after updating wireguard for windows to version 0.5.1 the tunnel with OpenWrt no longer works, everything works with android and macOS instead.
If you are testing with windows use an older version.

Thanks krazeh!
Now I have

config redirect
        option target 'ACCEPT'
        option name 'Wireguard'
        option src 'wan'
        option dest 'lan'
        option proto 'udp'
        option dest_port '51820'

and

config interface 'WG0'
        option proto 'wireguard'
        option listen_port '51820'
        list addresses '192.168.10.1/24'
        option private_key 'REDACTED'

config wireguard_WG0
        option description 'MyAndroid'
        list allowed_ips '192.168.10.2/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option public_key 'REDACTED'

My client is set up thus:

[Screenshot_20211028-151919: Android client interface/peer configuration]

It's still not working. On the Luci Wireguard status page, it says that there has never been a handshake.

That's not what I said it needed changing to...

And you need to change the address in your client config to 192.168.10.2/32.

OK. Now:

config redirect
        option target 'ACCEPT'
        option src 'wan'
        option dest_port '51820'
        option name 'Wireguard'
        option proto 'udp'

...and client has 192.168.10.2/32 as "Addresses" in the interface.

Unfortunately, it is not working.

What should I have in the OpenWRT Luci field for the peer (in the Interfaces section) for "Allowed IPs", and should "Route allowed IPs" be ticked or not?

Getting closer, but still not what I said... You need a traffic rule, not a redirect so config redirect needs to be config rule.

Oops. I should not work in haste, and should read properly. I changed from redirect to rule. No difference.

Are the settings in OpenWRT for the peer that I asked about not important – the allowed IPs and the route allowed IPs?

The allowed IPs setting is definitely important as it defines what traffic is allowed into and out of the tunnel. So on the OpenWRT end, the Allowed IP setting is essentially saying that traffic destined for 192.168.10.2/32 (i.e. your android device) is allowed into the tunnel and traffic from that address is allowed out of the tunnel.

The route allowed IPs setting is less important when you have given the wireguard interface a /24 subnet and are using addresses from that for peers. In that case OpenWRT will already have a route because of the interface address. Where that setting is more important is if you were setting up a site-to-site VPN and would have the appropriate subnets for each side in the allowed IPs of the relevant peers. In that case you either need to have route allowed IPs set to 1 or set up static routing manually.

As for your current issues, are you getting a handshake yet? If not, have you restarted the WG interface since you made changes? You should also double check the keys are all correct.
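To make the allowed IPs explanation above concrete, here is an added example (not from the thread, and not OpenWrt's or WireGuard's own code) that models WireGuard's cryptokey routing with Python's ipaddress module: outbound packets are encrypted for the peer whose allowed_ips contains the destination (longest prefix wins), a decrypted packet is only delivered if its source is inside that peer's allowed_ips, and a prefix that the interface's own address does not already cover is exactly the case where route_allowed_ips (or a static route) is needed. The "BranchOffice" peer and the 192.168.50.0/24 subnet are constructed for the site-to-site case; the Android peer uses the thread's addresses.

```python
"""Model of WireGuard cryptokey routing and OpenWrt's route_allowed_ips.

Added example, not code from the thread. The 'BranchOffice' peer, its
192.168.50.0/24 subnet and the 'Catchall' peer are constructed inputs.
IPv4 only, to keep subnet_of() comparisons simple.
"""
import ipaddress
from typing import Dict, List, Optional


class WireGuardInterface:
    """An interface ('config interface' with proto wireguard) plus its peers."""

    def __init__(self, addresses: List[str]):
        # 'list addresses' entries; a /24 here gives the kernel a connected
        # route for the whole subnet, which is why the Android /32 needs no
        # extra route on the router.
        self.addresses = [ipaddress.ip_interface(a) for a in addresses]
        self.peers: Dict[str, List[ipaddress.IPv4Network]] = {}

    def add_peer(self, name: str, allowed_ips: List[str]) -> None:
        """'config wireguard_<iface>' stanza: 'list allowed_ips' values."""
        self.peers[name] = [ipaddress.ip_network(n) for n in allowed_ips]

    def outbound_peer(self, dst: str) -> Optional[str]:
        """Peer a packet to dst is encrypted for; None means WireGuard drops it.

        WireGuard selects the peer whose allowed_ips contains the destination,
        most specific prefix first, so a 0.0.0.0/0 peer does not steal traffic
        from a peer with a /32 inside it.
        """
        d = ipaddress.ip_address(dst)
        best, best_len = None, -1
        for name, nets in self.peers.items():
            for net in nets:
                if d in net and net.prefixlen > best_len:
                    best, best_len = name, net.prefixlen
        return best

    def inbound_allowed(self, peer: str, src: str) -> bool:
        """After decryption, the packet's source must be in that peer's allowed_ips.

        This is the 'traffic from that address is allowed out of the tunnel'
        half: a peer cannot inject packets with addresses it was not given.
        """
        s = ipaddress.ip_address(src)
        return any(s in net for net in self.peers.get(peer, []))

    def needs_route_allowed_ips(self, peer: str) -> List[str]:
        """allowed_ips prefixes the interface addresses do not already cover.

        For these, OpenWrt installs a route only with route_allowed_ips '1'
        (or a static route you add yourself); for prefixes inside the
        interface's own subnet the connected route already exists.
        """
        return [
            str(net)
            for net in self.peers[peer]
            if not any(net.subnet_of(a.network) for a in self.addresses)
        ]


def demo() -> dict:
    """Router-side view of the thread's WG0 plus a constructed site-to-site peer."""
    wg0 = WireGuardInterface(["192.168.10.1/24"])
    wg0.add_peer("MyAndroid", ["192.168.10.2/32"])
    wg0.add_peer("BranchOffice", ["192.168.10.3/32", "192.168.50.0/24"])
    # A peer with 0.0.0.0/0 on the router side would make the router send
    # everything it does not otherwise route through that peer.
    wg0.add_peer("Catchall", ["0.0.0.0/0"])
    return {
        "to_android": wg0.outbound_peer("192.168.10.2"),
        "to_branch_lan": wg0.outbound_peer("192.168.50.77"),
        "to_internet": wg0.outbound_peer("203.0.113.9"),
        "android_spoofing_branch": wg0.inbound_allowed("MyAndroid", "192.168.50.5"),
        "android_own_addr": wg0.inbound_allowed("MyAndroid", "192.168.10.2"),
        "android_extra_routes": wg0.needs_route_allowed_ips("MyAndroid"),
        "branch_extra_routes": wg0.needs_route_allowed_ips("BranchOffice"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same selection logic runs on the Android side: with Allowed IPs 192.168.10.0/24 the phone only sends traffic for that subnet through the tunnel, with 0.0.0.0/0 it sends everything, and the router will still drop any packet whose source is outside the /32 it has for that peer.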

Let's see the latest config files to make sure everything is correct. Please provide the complete files (redact the keys and any other private info, but leave all RFC 1918 IP addresses intact):

/etc/config/network
/etc/config/firewall

and the mobile peer setup

/etc/config/network

config interface 'WG0'
        option proto 'wireguard'
        option listen_port '51820'
        list addresses '192.168.10.1/24'
        option private_key 'REDACTED'

config wireguard_WG0
        option description 'My Android'
        option persistent_keepalive '25'
        option public_key '<the public key specified on the Android under Interface - Public key>'
        option route_allowed_ips '1'
        list allowed_ips '192.168.10.2/32'

/etc/config/firewall

config rule
        option target 'ACCEPT'
        option src 'wan'
        option dest_port '51820'
        option name 'Wireguard'
        option proto 'udp'

Android (client configuration screenshot)

The Public key under Peer corresponds to the public key I generated on the OpenWRT.
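The key correspondence described in the post above (the router's peer public_key must be the Android app's Interface public key, and the app's Peer public key must be the router's) is the thing most often crossed when a tunnel never handshakes. Here is an added example, not from the thread and not the WireGuard project's code, that checks it offline: a pure-Python X25519 (RFC 7748) derives the public key from a base64 private key the same way `wg pubkey` does, and check_key_pair() reports which side references the wrong key. The demo keys are the RFC 7748 section 6.1 test vectors re-encoded as WireGuard-style base64, not keys from the thread; the ladder is not constant-time and is for checking configs, not for use in a real implementation.

```python
"""Offline check that router and client WireGuard configs reference each other's keys.

Added example, not code from the thread. Implements X25519 per RFC 7748 so
that no `wg` binary is needed; the keys below are RFC 7748 test vectors
used as stand-ins for real router/client keys.
"""
import base64

_P = 2**255 - 19
_A24 = 121665
_BASEPOINT = (9).to_bytes(32, "little")


def _clamp(scalar: bytes) -> int:
    """RFC 7748 decodeScalar25519: clear low 3 bits, clear bit 255, set bit 254."""
    b = bytearray(scalar)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5 (not constant-time)."""
    k = _clamp(scalar)
    ub = bytearray(u)
    ub[31] &= 127  # top bit of the u-coordinate is ignored
    x1 = int.from_bytes(ub, "little") % _P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % _P, (x2 - z2) % _P
        aa, bb = a * a % _P, b * b % _P
        e = (aa - bb) % _P
        c, d = (x3 + z3) % _P, (x3 - z3) % _P
        da, cb = d * a % _P, c * b % _P
        x3 = pow(da + cb, 2, _P)
        z3 = x1 * pow(da - cb, 2, _P) % _P
        x2 = aa * bb % _P
        z2 = e * (aa + _A24 * e) % _P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, _P - 2, _P) % _P).to_bytes(32, "little")


def wg_pubkey(private_key_b64: str) -> str:
    """Public key for a WireGuard private key; same output as `wg pubkey`."""
    priv = base64.b64decode(private_key_b64)
    if len(priv) != 32:
        raise ValueError("WireGuard keys are 32 raw bytes, base64-encoded")
    return base64.b64encode(x25519(priv, _BASEPOINT)).decode()


def check_key_pair(router_priv: str, router_peer_pub: str,
                   client_priv: str, client_peer_pub: str) -> list:
    """Return problems found; an empty list means both sides point at each other.

    router_peer_pub: 'option public_key' in the router's config wireguard_WG0.
    client_peer_pub: the [Peer] PublicKey entered in the Android app.
    """
    router_pub, client_pub = wg_pubkey(router_priv), wg_pubkey(client_priv)
    problems = []
    if router_peer_pub != client_pub:
        msg = "router peer public_key is not the client's public key"
        if router_peer_pub == router_pub:
            msg += " (it is the router's own public key)"
        problems.append(msg)
    if client_peer_pub != router_pub:
        msg = "client [Peer] PublicKey is not the router's public key"
        if client_peer_pub == client_pub:
            msg += " (it is the client's own public key)"
        problems.append(msg)
    return problems


def _b64(hexstr: str) -> str:
    return base64.b64encode(bytes.fromhex(hexstr)).decode()


# RFC 7748 section 6.1 vectors, standing in for the router (Alice) and the phone (Bob).
ROUTER_PRIV = _b64("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ROUTER_PUB = _b64("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
CLIENT_PRIV = _b64("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
CLIENT_PUB = _b64("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")


if __name__ == "__main__":
    print("correct :", check_key_pair(ROUTER_PRIV, CLIENT_PUB, CLIENT_PRIV, ROUTER_PUB))
    print("crossed :", check_key_pair(ROUTER_PRIV, ROUTER_PUB, CLIENT_PRIV, ROUTER_PUB))
```

On the router itself the equivalent one-liner is `wg show WG0 latest-handshakes`, which lists the peer's public key next to the last handshake time (0 if there never was one), alongside `uci get network.@wireguard_WG0[0].public_key` to compare against the app's Interface public key.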

everything looks fine there, but I did want to verify that the rest of the stuff in the network and firewall files was right (and not conflicting).

Two other things:

  • as @krazeh asked -- have you restarted the WG interface (or maybe just the router as a whole) since you have made your changes
  • Have you verified that you have a public IP on the WAN of your OpenWrt router (or, if not, at least a valid IPv6 address)?

Well, whaddayaknow... a reboot of the OpenWRT router solved not just the Wireguard issue, but also my non-functioning DDNS service. Lesson: don't be too afraid to reboot.

I would like to thank @krazeh for his super-quick and patient responses and @psherman for his sage advice. As a recent adopter of OpenWRT, the level of helpfulness on this forum is winning me over and making me doubt any plans to defect to e.g. RouterOS. :clap::clap::clap::pray::pray::pray:

P.S. I still think there is a need for a definitive guide for setting up Wireguard on OpenWRT. Perhaps one day I'll write it. :wink:

There is a working and tested how-to for WireGuard server automated setup:
https://openwrt.org/docs/guide-user/services/vpn/wireguard/extras#automated
You just need to transfer the generated client profile and import it on the client.
