Can someone help me set up my rpi4 as a wireguard server on openwrt

Running into firewall errors setting up WireGuard on the wulfy23 OpenWrt build for the RPi4. I have changed the interfaces from stock, making LAN eth1 and WAN eth0.
I get these errors and don't know how to solve them:

[root@d83add / 57°]# VPN_PORT="51820"
[root@d83add / 57°]# VPN_ADDR="192.168.9.1/24"
[root@d83add / 57°]# umask go=
[root@d83add / 56°]# wg genkey | tee wgserver.key | wg pubkey > wgserver.pub
[root@d83add / 57°]# wg genkey | tee wgclient.key | wg pubkey > wgclient.pub
[root@d83add / 56°]# wg genpsk > wgclient.psk
[root@d83add / 57°]# VPN_KEY="$(cat wgserver.key)"
[root@d83add / 58°]# VPN_PSK="$(cat wgclient.psk)"
[root@d83add / 57°]# VPN_PUB="$(cat wgclient.pub)"
[root@d83add / 56°]# uci rename firewall.@zone[0]="lan"
[root@d83add / 58°]# uci rename firewall.@zone[1]="wan"
[root@d83add / 57°]# uci del_list firewall.lan.network="${VPN_IF}"
[root@d83add / 57°]# uci add_list firewall.lan.network="${VPN_IF}"
[root@d83add / 57°]# uci -q delete firewall.wg
[root@d83add / 56°]# uci set firewall.wg="rule"
[root@d83add / 56°]# uci set firewall.wg.name="Allow-WireGuard"
[root@d83add / 57°]# uci set firewall.wg.src="wan"
[root@d83add / 57°]# uci set firewall.wg.dest_port="${VPN_PORT}"
[root@d83add / 56°]# uci set firewall.wg.proto="udp"
[root@d83add / 56°]# uci set firewall.wg.target="ACCEPT"
[root@d83add / 57°]# uci commit firewall
[root@d83add / 56°]# /etc/init.d/firewall restart
Warning: Section 'lan' cannot resolve device of network 'vpn'
Warning: Section 'wan' cannot resolve device of network 'wan6'
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv4 raw table
 * Flushing IPv6 filter table
 * Flushing IPv6 nat table
 * Flushing IPv6 mangle table
 * Flushing IPv6 raw table
 * Flushing conntrack table ...
 * Populating IPv4 filter table
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule 'Allow-WireGuard'
   * Forward 'lan' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 nat table
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 raw table
   * Zone 'lan'
     - Using automatic conntrack helper attachment
   * Zone 'wan'
 * Populating IPv6 filter table
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule 'Allow-WireGuard'
   * Forward 'lan' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 nat table
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_lan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_wan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_wan_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'prerouting_rule'
Warning: fw3_ipt_rule_append(): Can't find target 'postrouting_rule'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 raw table
   * Zone 'lan'
     - Using automatic conntrack helper attachment
   * Zone 'wan'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'

The script assumes certain things exist in your network and firewall configurations, as you can see. If you have removed/renamed those things, the script must be adjusted accordingly. Or, you could perform all the same general tasks without using a script... setting up WG is actually quite easy to do.

But, if you'd like to use the script, we need to see your config:

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

And we also need to see the script you are running (if it is one from the WG wiki pages here on the forum, please just provide a link) -- since there may be other similar scripts, it's necessary to make sure we're all on the same page.


Also, I'm pretty sure my ISP doesn't support IPv6 and I do not know how to disable it. Sorry in advance.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd02:a756:b4b3::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option proto 'dhcp'
	option device 'eth0'

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone 'lan'
	option name 'lan'
	list network 'lan'
	list network 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone 'wan'
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'
	option reload '1'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

Oh yeah, the script, my bad.

The errors you're seeing, from what I can tell, are just related to the fact that the network configuration had not been adjusted yet (i.e. step 4 in the script of the wiki). I'm actually not sure why the network config is step 4 (I'd think it'd be better at step 3). But I don't think you ran step 4 (or it didn't execute properly) because I don't see the respective entries in your config.

Go ahead and run the scripts again -- just do step 2 and then 4. Then reboot your device and it should hopefully work.

I'll give it a shot. Just one question: do you think there is any possibility my firewall config is messed up after this?

I'm not worried about your firewall being messed up, but post it after you are done with the scripts and we'll review to verify.

Should I post with uci show firewall or cat /etc/config/firewall like before?

Personally, I find the cat method more readable (others may prefer the UCI method). Both are valid, but since I'm the one reading for now, please post using the cat command. Thanks!


Huh, in the middle of step 4 I got this:

uci set network.${VPN_IF}="interface"
uci: Invalid argument

Run this line (from step 1)

VPN_IF="vpn"

and then try again.


Does this mean anything? At the end, I know my wireless radio is disabled, but I do not know why it tells me this after /etc/init.d/network restart.

Forgot to put the message: "/etc/init.d/network restart
'radio0' is disabled". Guessing it is because the network restarted.

This doesn't affect the radio, except for the network restart.

It seems to not be working on the peer, but I do not know how to diagnose this further :cry:

Let's take a look at your config again (network and firewall files; be sure to redact the keys from the network file). We also need to see your remote peer's configuration (a screenshot is fine if you can't easily copy/paste the text; again, redact the keys).
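One way to get past "it doesn't work" on the server side, as an added example that is not part of this thread or of the wiki script: ask the kernel what it knows about each peer. The script below parses the tab-separated output of wg show <iface> dump (on this setup the interface is named after the network section, vpn) and classifies every peer by its last handshake. The dump embedded at the bottom is constructed for offline use and its keys are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: classify the peers of a WireGuard
# interface from `wg show <iface> dump` output.
# Dump format (tab-separated): line 1 = private_key public_key listen_port fwmark;
# each further line = public_key preshared_key endpoint allowed_ips
# latest_handshake transfer_rx transfer_tx persistent_keepalive.

# wg_peer_status NOW < dump
# Prints one line per peer: <pubkey prefix> <endpoint> <status>.
# Exit status is 1 if any peer has never handshaked or is stale (>180 s).
wg_peer_status() {
    awk -F'\t' -v now="$1" '
      NR == 1 { port = $3; next }
      {
        age = now - $5
        if ($5 == 0) {
            # No handshake ever: either the client initiation never reached
            # UDP/port (firewall rule, wrong public IP or port) or the keys/PSK
            # do not match. WireGuard is silent in both cases.
            st = "NEVER no handshake on UDP/" port " (check reachability, then keys/PSK)"
            bad = 1
        } else if (age > 180) {
            st = "STALE " age "s since last handshake"
            bad = 1
        } else {
            st = "OK " age "s ago rx=" $6 " tx=" $7
        }
        print substr($1, 1, 8) " " $3 " " st
      }
      END { exit bad ? 1 : 0 }'
}

# Live use on the router (needs the wireguard-tools package):
#   wg show vpn dump | wg_peer_status "$(date +%s)"

# Constructed sample dump for offline use; the keys are placeholders.
WG_TMP=$(mktemp -d)
WG_DUMP="$WG_TMP/vpn.dump"
{
  printf '%s\t%s\t%s\t%s\n' 'SERVERPRIVATEKEYPLACEHOLDER=' 'SERVERPUBLICKEYPLACEHOLDER=' 51820 off
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' 'PEERAAAAPUBKEY=' '(none)' '(none)' '192.168.9.2/32' 0 0 0 off
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' 'PEERBBBBPUBKEY=' '(none)' '203.0.113.7:41641' '192.168.9.3/32' 1699999900 4120 5088 25
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' 'PEERCCCCPUBKEY=' '(none)' '198.51.100.9:51820' '192.168.9.4/32' 1699990000 900 700 off
} > "$WG_DUMP"

wg_peer_status 1700000000 < "$WG_DUMP" || echo "at least one peer is not healthy"
```

A peer that stays at NEVER with endpoint (none) has not been heard from at all. The dump cannot tell a dropped packet from a bad key, so the next check is on the WAN interface itself: tcpdump -ni eth0 udp port 51820 (opkg install tcpdump) shows whether the client's handshake initiations even arrive; if they do and the state stays NEVER, compare the public keys and the preshared key on both ends.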

Here:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd02:a756:b4b3::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option proto 'dhcp'
	option device 'eth0'

config interface 'vpn'
	option proto 'wireguard'
	option private_key 'oDzXI'
	option listen_port '51820'
	list addresses '192.168.9.1/24'
	list addresses 'fd00:9::1/64'

config wireguard_vpn 'wgclient'
	list allowed_ips '192.168.9.2/32'
	list allowed_ips 'fd00:9::2/128'
	option description 'jesus christ himself'
	option public_key 'CcW1'
	option private_key 'UPBc'
	option preshared_key '8NWy'
	option route_allowed_ips '1'
	option endpoint_port '51820'

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone 'lan'
	option name 'lan'
	list network 'lan'
	list network 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone 'wan'
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'
	option reload '1'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'


The endpoint should be my public IP + port 51820, correct?

Remove the IPv6 address since you don't have IPv6 set up for your WAN.

Likewise, remove the IPv6 allowed_ips here, and also remove the endpoint port.

In the peer config screenshot, you need to add the interface address (192.168.9.2/24) and DNS (it could be 192.168.1.1 or a public DNS server like 8.8.8.8).

Then try again.

lol, stupid question: how do I remove the IPv6?

Depends on how you are accessing the files... I often use the vi text editor (which is installed by default). You can also do this with the web interface, or UCI commands.
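The UCI route, as an added example that is not part of this thread: the script below emits the uci commands that make exactly the edits the reply above asks for (drop the fd00:9::1/64 address, the fd00:9::2/128 allowed_ip and the endpoint_port), and includes a small checker that reads a /etc/config/network file and reports anything left behind. It assumes the section names from the posted config (interface 'vpn', peer 'wgclient'); the before/after files at the bottom are constructed for offline use.

```shell
#!/bin/sh
# Added example, not from the thread: make the edits with UCI instead of vi,
# then verify the resulting /etc/config/network.
# Assumes the section names from the posted config (interface 'vpn',
# peer 'wgclient') and the exact IPv6 values shown there.

# Print the UCI commands rather than running them blindly; review, then
# pipe into sh on the router:  wg_ipv6_cleanup_cmds | sh -e
wg_ipv6_cleanup_cmds() {
    cat <<'EOF'
uci del_list network.vpn.addresses='fd00:9::1/64'
uci del_list network.wgclient.allowed_ips='fd00:9::2/128'
uci -q delete network.wgclient.endpoint_port
uci commit network
/etc/init.d/network restart
EOF
}

# wg_check_config FILE
# Reports leftovers in the WireGuard sections: IPv6 interface addresses,
# IPv6 allowed_ips, and an endpoint_port on the server-side peer (a port
# without an endpoint_host does nothing on its own).
# Returns 1 if anything was found, 0 if the file is clean.
wg_check_config() {
    awk '
      /^config /                                    { sec = $2 }
      sec == "interface"  && /list addresses .*:/   { print "IPv6 address:    " $0; bad = 1 }
      sec ~ /^wireguard_/ && /list allowed_ips .*:/ { print "IPv6 allowed_ip: " $0; bad = 1 }
      sec ~ /^wireguard_/ && /option endpoint_port/ { print "endpoint_port:   " $0; bad = 1 }
      END { exit bad ? 1 : 0 }
    ' "$1"
}

# Constructed sample files: the relevant sections before and after the edit.
WG_TMP=$(mktemp -d)
cat > "$WG_TMP/before" <<'EOF'
config interface 'vpn'
	option proto 'wireguard'
	option listen_port '51820'
	list addresses '192.168.9.1/24'
	list addresses 'fd00:9::1/64'

config wireguard_vpn 'wgclient'
	list allowed_ips '192.168.9.2/32'
	list allowed_ips 'fd00:9::2/128'
	option route_allowed_ips '1'
	option endpoint_port '51820'
EOF
cat > "$WG_TMP/after" <<'EOF'
config interface 'vpn'
	option proto 'wireguard'
	option listen_port '51820'
	list addresses '192.168.9.1/24'

config wireguard_vpn 'wgclient'
	list allowed_ips '192.168.9.2/32'
	option route_allowed_ips '1'
EOF

wg_check_config "$WG_TMP/before" || echo "before: needs cleanup"
wg_check_config "$WG_TMP/after"  && echo "after: clean"
```

On the router, run the checker against the real file after committing (wg_check_config /etc/config/network) and then confirm the interface came back up with ip addr show vpn; uci changes only take effect after uci commit network plus the network restart.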