Cannot connect to WireGuard over cell, but can on wifi

My current home network exists as a NetGear C6230, which is a modem/router combination. One WAN port is connected to a switch hosting various servers, all on 192.168.0.x. I have just added a GL-MT6000 router and flashed OpenWRT (version below) to it. I have plugged this into the second WAN port of the C6230.

I have installed WireGuard on the GL-MT6000 and while connected to its networks, traffic is going to my VPN provider. However, I wish to add the ability to connect while away from home. After following the steps to configure WireGuard on my phone, I can complete the handshake only while on my network, but not when using cellular networks. The GL-MT6000 was initially using IP 192.168.1.1.

I decided to move the GL-MT6000 to an IP on 192.168.0.x in the hope of port forwarding, as NetGear won't let me forward to anything other than a 192.168.0.x address. I'm looking for what could be a better approach to what I've tried so far.

I really would like to leave the existing NetGear (and network) in place as is for it’s needed for working at home and many other devices are connected and working fine. I simply want to access the GL-MT6000 while away from home using WireGuard and potentially have these separate networks, one dedicated to VPN/WireGuard and the other as a normal network. I have attached a diagram as well.

Firmware:
OpenWrt SNAPSHOT r25346-043da3fe5a / LuCI Master git-24.052.52717-06c0fbb

Do you need or specifically want to run snapshot? If not, usually running a stable release is best.

Also, you have a netgear device in the center of the picture -- is that your main router? Is it running OpenWrt? And what is the purpose of the OpenWrt device on the left? Why do you have a separate network behind it (what is the intent)? Finally, where is Wireguard running (the Netgear in the center, or the OpenWrt device on the left)?

Meanwhile, let's see your config.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

Thanks for the quick reply!

I tried selecting a few of the latest stable releases, but they didn't have a package for me to install, so I opted for the snapshot and haven't touched the version of the firmware since I installed it 2-3 weeks ago.

Yes, this is what existed before the GL-MT6000. It's a modem and router. It does not have OpenWrt installed.

This is the new router, GL-MT6000, where I just installed OpenWrt. Before I moved this router to the 192.168.0.x network, it was initially installed on 192.168.1.x ( I believe this is the default ).

WireGuard only exists on the GL-MT6000.

output:

root@OpenWrt:~# ubus call system board
{
	"kernel": "6.1.79",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "GL.iNet GL-MT6000",
	"board_name": "glinet,gl-mt6000",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "SNAPSHOT",
		"revision": "r25346-043da3fe5a",
		"target": "mediatek/filogic",
		"description": "OpenWrt SNAPSHOT r25346-043da3fe5a"
	}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd9c:7a70:7603::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

config interface 'lan'
	option device 'br-lan'
	option proto 'dhcp'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option peerdns '0'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config interface 'WireGuard'
	option proto 'wireguard'
	option private_key '[redacted]'
	list addresses '10.65.150.226/32'
	list addresses 'fc00:bbbb:bbbb:bb01::2:96e1/128'
	list dns '10.64.0.1'
	option mtu '1412'

config wireguard_WireGuard
	option description '[redacted]'
	option public_key '[redacted]'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::0/0'
	option endpoint_host '[redacted]'
	option endpoint_port '51820'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

config interface 'wg0'
	option proto 'wireguard'
	option private_key '[redacted]'
	option listen_port '51123'
	list addresses '10.14.0.1/24'

config wireguard_wg0
	option public_key '[redacted]'
	list allowed_ips '10.14.0.3/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option description 'Pixel'
	option private_key '[redacted]'
	option endpoint_port '51123'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg0'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'WireGuard'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'WireGuard'

config forwarding
	option src 'lan'
	option dest 'WireGuard'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'WireGuard'
	list proto 'udp'
	option src 'wan'
	option src_dport '51123'
	option dest_ip '10.14.0.1'
	option dest_port '51123'

This may not be the only problem, but it is likely a major one...

Is this wireguard interface active? It appears to be a connection to another VPN endpoint -- presumably a commercial VPN.

If this is active, you need to use policy based routing to ensure that the inbound wireguard connection (from your phone) gets returned via the regular wan and not via the tunnel. Currently, it is likely being sent out the tunnel and then dropped later.

Can you confirm or clarify the above VPN purpose?
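The policy-based routing the reply above refers to, shown with plain `ip` commands as an added example (not part of the original thread and not OpenWrt's own tooling). The values are assumptions, none of them appear in the thread: wan device eth1 holding 192.168.0.50 from the Netgear at 192.168.0.1, routing table 100 and rule preference 100.

```shell
#!/bin/sh
# Policy-based routing for an OpenWrt box that is both a WireGuard "server" for a phone
# and a WireGuard client of a commercial VPN whose peer has allowed_ips 0.0.0.0/0 and
# route_allowed_ips 1. That peer owns the default route, so replies to the phone's
# handshake (which arrived on the real wan) would be routed into the commercial tunnel
# and never reach the phone. Fix: packets sourced from the wan address use a separate
# table whose only default route points at the wan gateway.
#
# Assumed values (not from the thread): wan device eth1, wan address 192.168.0.50 from
# the Netgear at 192.168.0.1, routing table 100, rule preference 100. Example code.
# Set DRY_RUN=1 to print the commands instead of executing them.

WAN_IF=${WAN_IF:-eth1}
WAN_IP=${WAN_IP:-192.168.0.50}
WAN_GW=${WAN_GW:-192.168.0.1}
TABLE=${TABLE:-100}
PREF=${PREF:-100}

run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Install the policy. WireGuard answers from the address the handshake arrived on, so a
# source-based rule selects exactly those replies (and nothing else) for the wan table.
pbr_up() {
    run ip route replace default via "$WAN_GW" dev "$WAN_IF" table "$TABLE"
    run ip rule add from "$WAN_IP" lookup "$TABLE" pref "$PREF"
}

# Remove it again (e.g. from a hotplug script when wan goes down or changes address).
pbr_down() {
    run ip rule del from "$WAN_IP" lookup "$TABLE" pref "$PREF"
    run ip route flush table "$TABLE"
}

# Ask the kernel which route a locally generated reply to a peer address would take;
# the answer should name "dev $WAN_IF", not the commercial VPN interface.
pbr_check() { ip route get "${1:-203.0.113.7}" from "$WAN_IP"; }
```

Run `pbr_up` on the router, then `pbr_check <phone public IP>` to confirm the reply path. Because wan is a DHCP client its address can change, so the persistent place for this on OpenWrt is a `config route` with `option table` plus a `config rule` with `option src`/`option lookup` in /etc/config/network, or a script under /etc/hotplug.d/iface that reads the current wan address.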

Yes, it is a separate interface I created so devices connected to it would be connected to a commercial VPN endpoint. Not sure if that's a flawed idea or plan.

My thought was a phone could turn on the WireGuard connection and connect to the internal network while away, but also make use of the commercial VPN endpoint. Additionally, any box, laptop connected internally could also benefit.

It's not a flawed idea, just requires PBR to ensure the traffic flows in the right places.

This seems a bit silly to me, unless your VPN provider only allows you to use a single connection to their services. Instead, it makes more sense to connect your phone directly to their services.

There are three main reasons for setting up an inbound/road-warrior type VPN:

  1. gain remote access to your network while away. This is good for resources on your network that you might need to access and/or for network maintenance/support.
  2. While away, connect back through your home internet connection to make it appear that you are home. This is often really helpful for accessing geo-ip based services while you are away/abroad. For example, if you want to watch a streaming service you normally watch at home but while on an international trip, this makes it look like you're watching from home.
  3. Gain some modest security/privacy benefit when using public/other wifi. Your connection is encrypted from wherever you are through to your home... it's unencrypted (from the VPN perspective) as it goes out your home internet connection. Your home ISP could still get an idea of what sites you're visiting and such, but the cafe/hotel/etc. cannot see anything useful about your traffic while you're using their connection.

If #3 is your primary consideration, simply connecting directly to your commercial VPN service makes more sense than tunneling through your home network > VPN service. And for #2, you'd either use your commercial VPN's server selection options to appear to be in the right place, or bypass the commercial VPN provider entirely, so again, it doesn't make a lot of sense to tunnel through your home to ultimately have that traffic tunneled to the VPN provider.

So... with all that in mind, do you still want/need the inbound connection you are trying to setup?

My endgame is to accomplish accessing the network while away. Specifically to allow the ability to connect to services like Jellyfin, Plex, or Immich. I'd really like to understand what is required to make that a reality.

Ok... sounds good.

The first things that need to happen are:

  1. verify that you have a public IP address on the wan of the main router
  2. port forwarding needs to be setup from the main router to the address that the OpenWrt router uses on the 192.168.0.0/24 network.

Have those things already been done?

I believe those two items have been accounted for as seen in the NetGear screenshots. whatsmyipaddress.com and similar have confirmed the same IP. I provided those in the second screenshot and have it being forwarded onto the internal IP of the OpenWrt router. However I don't see much to really confirm this is working.
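One way to get the confirmation asked for above from the router's side, added here as an example (not from the thread): parse the machine-readable `wg show wg0 dump` and report, per peer, whether a handshake ever completed and how old it is. A peer stuck at "never" while the phone's app shows bytes sent but none received points at the Netgear forward or the OpenWrt firewall, not at the keys. The sample dump is constructed; the key strings, 203.0.113.7 and the timestamps are placeholders.

```shell
#!/bin/sh
# Report, per WireGuard peer, whether a handshake ever completed and how old it is.
# Input is `wg show <iface> dump`: a tab-separated interface line
# (private-key public-key listen-port fwmark) followed by one line per peer
# (public-key preshared-key endpoint allowed-ips latest-handshake rx tx keepalive),
# latest-handshake being epoch seconds, 0 if never. Example code, not from the thread.

# Print "<first 8 chars of pubkey> <never|ok|stale> <age-seconds or -1> <endpoint or ->".
# "stale" means older than MAX_AGE seconds (default 180: an initiator re-handshakes
# after REKEY_AFTER_TIME = 120 s of traffic, and a 25 s keepalive guarantees traffic,
# so a live tunnel never goes much past two minutes without a fresh handshake).
wg_peer_state() {           # $1=dump text  $2=now (epoch seconds)  $3=max age
    printf '%s\n' "$1" | awk -F'\t' -v now="$2" -v max="${3:-180}" '
        NR == 1 { next }                      # interface line, not a peer
        {
            hs = $5 + 0
            ep = ($3 == "(none)") ? "-" : $3
            if (hs == 0) state = "never"
            else if (now - hs > max) state = "stale"
            else state = "ok"
            printf "%s %s %d %s\n", substr($1, 1, 8), state, (hs ? now - hs : -1), ep
        }'
}

# On the router: wg_check [iface] [max-age]. Needs the wireguard-tools package.
wg_check() { wg_peer_state "$(wg show "${1:-wg0}" dump)" "$(date +%s)" "$2"; }

# If every peer says "never", look at the wan side next: do the forwarded packets reach
# the OpenWrt box at all? (opkg install tcpdump first; example helper, not a stock command.)
wg_capture() { tcpdump -ni "${1:-eth1}" -c 5 udp port "${2:-51123}"; }

# Constructed sample: the phone handshook 40 s before "now" (1700000040) from a cellular
# address; a second peer never connected. Keys are placeholders, not real keys.
SAMPLE_DUMP=$(
    printf '%s\t%s\t%s\t%s\n' 'SRVPRIVKEY=' 'SRVPUBKEY=' 51123 off
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' 'PHONEPUBKEY=' '(none)' '203.0.113.7:40123' '10.14.0.3/32' 1700000000 18476 9120 25
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' 'LAPTOPKEY=' '(none)' '(none)' '10.14.0.4/32' 0 0 0 25
)
```

`wg_peer_state "$SAMPLE_DUMP" 1700000040` prints one line per peer; on the router, `wg_check wg0` does the same against the live interface. If `wg_capture` shows nothing while the phone is trying to connect over cellular, the packet is not arriving on the OpenWrt wan and the Netgear forward is the thing to look at.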

Ok... so that should theoretically work.

So to make things simple, stop/disable the VPN connection to the commercial VPN, reboot, and then try connecting from your phone using cellular.

I stopped and disabled the VPN connection/interface from within the OpenWrt router and restarted. The phone is not currently using the commercial VPN, but when enabling from the wireguard app, I still don't get the handshake.

Remove the endpoint port from here:

Remove this redirect and create a similar traffic rule:

Then restart and try again. If that doesn't work, please post the updated files as well as the config from your phone. Also, be sure that your phone's endpoint host setting matches the wan address you checked earlier.

I removed the port from the config wireguard_wg0 > option endpoint_port

I removed the WireGuard port forward from Network > Firewall > Firewall - Port forwards, but not sure what creating a similar one is supposed to look like. Are we just not using the port 51123 here either?

Updated firewall and network files:

root@OpenWrt:~# cat /etc/config/network 

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd9c:7a70:7603::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

config interface 'lan'
	option device 'br-lan'
	option proto 'dhcp'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option peerdns '0'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config interface 'WireGuard'
	option proto 'wireguard'
	option private_key '[redacted]'
	list addresses '10.65.150.226/32'
	list addresses 'fc00:bbbb:bbbb:bb01::2:96e1/128'
	list dns '10.64.0.1'
	option mtu '1412'
	option disabled '1'

config wireguard_WireGuard
	option description ''
	option public_key '[redacted]'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::0/0'
	option endpoint_host '193.32.249.66'
	option endpoint_port '51820'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

config interface 'wg0'
	option proto 'wireguard'
	option private_key '[redacted]'
	list addresses '10.14.0.1/24'

config wireguard_wg0
	option public_key '[redacted]'
	list allowed_ips '10.14.0.3/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option description 'Pixel'
	option private_key '[redacted]'

root@OpenWrt:~# cat /etc/config/firewall 

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg0'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'WireGuard'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'WireGuard'

config forwarding
	option src 'lan'
	option dest 'WireGuard'

You need a listen port specified in the interface (but endpoint port in the peer section did need to be removed) for a 'server' configuration... it's missing from here:

Add this line to the above stanza:

	option listen_port '51123'

You'll add a firewall rule that looks like this:

config rule
	option name 'AcceptWG'
	list proto 'udp'
	option src 'wan'
	option dest_port '51123'
	option target 'ACCEPT'

Then reboot and try again.
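The points the reply above makes (a listen_port on the interface, no endpoint_port on the road-warrior peer, an INPUT accept rule rather than a port forward), together with the two raised elsewhere in the thread (the lan as a DHCP client, and an enabled full-tunnel peer pulling the default route), as a lint script. This is an added example, not OpenWrt tooling; it parses the UCI files with awk, and the embedded sample is a constructed, abbreviated copy of the config posted earlier with keys replaced by placeholders.

```shell
#!/bin/sh
# Lint an OpenWrt network + firewall config pair for the road-warrior WireGuard
# mistakes discussed in this thread. POSIX sh + awk only, so it runs on the router
# (busybox) or on a workstation against copied files. Example code; the checks and
# messages are this script's own, not anything OpenWrt ships.

# Flatten a UCI file into "index<TAB>type<TAB>name<TAB>key<TAB>value" lines so that
# anonymous sections (config rule, config wireguard_wg0) can still be grouped.
uci_flatten() {
    awk -v q="'" '
        /^config[ \t]/ { idx++; type = $2; name = (NF >= 3) ? $3 : ""; gsub(q, "", name); next }
        /^[ \t]*(option|list)[ \t]/ {
            key = $2; val = $0
            sub(/^[ \t]*(option|list)[ \t]+[^ \t]+[ \t]+/, "", val); gsub(q, "", val)
            printf "%d\t%s\t%s\t%s\t%s\n", idx, type, name, key, val
        }' "$1"
}

# Values of KEY in the section(s) of TYPE named NAME ("" for anonymous sections).
uci_value() {               # $1=file $2=type $3=name $4=key
    uci_flatten "$1" | awk -F'\t' -v t="$2" -v n="$3" -v k="$4" '$2 == t && $3 == n && $4 == k { print $5 }'
}

# "yes" if some traffic rule without a dest (i.e. INPUT to the router itself) accepts
# UDP/PORT from zone wan. A DNAT redirect does not count: the listener is the router.
fw_accepts_udp_from_wan() {   # $1=firewall file $2=port
    uci_flatten "$1" | awk -F'\t' -v port="$2" '
        $2 == "rule" {
            if ($4 == "src"       && $5 == "wan")    src[$1] = 1
            if ($4 == "proto"     && $5 == "udp")    proto[$1] = 1
            if ($4 == "dest_port" && $5 == port)     dport[$1] = 1
            if ($4 == "target"    && $5 == "ACCEPT") tgt[$1] = 1
            if ($4 == "dest")                        dst[$1] = 1
        }
        END { for (i in src) if (proto[i] && dport[i] && tgt[i] && !dst[i]) { print "yes"; exit }; print "no" }'
}

# One finding per line; empty output means the server side looks right.
lint_wg_server() {          # $1=network file $2=firewall file $3=wg interface (e.g. wg0)
    net=$1; fw=$2; wg=$3
    port=$(uci_value "$net" interface "$wg" listen_port)
    [ -n "$port" ] || echo "$wg: no listen_port, so the router never binds a UDP socket and no handshake can arrive"
    [ -z "$(uci_value "$net" "wireguard_$wg" "" endpoint_port)" ] ||
        echo "$wg peer: endpoint_port set on a road-warrior peer; the phone has no fixed endpoint, remove it"
    [ "$(uci_value "$net" interface lan proto)" != "dhcp" ] ||
        echo "lan: proto dhcp on the gateway; clients behind it need a static gateway address"
    if [ -n "$port" ] && [ "$(fw_accepts_udp_from_wan "$fw" "$port")" = "no" ]; then
        echo "firewall: nothing accepts udp/$port from wan into the router; the wan zone INPUT policy REJECTs it"
    fi
    # Another enabled peer with allowed_ips 0.0.0.0/0 and route_allowed_ips owns the default
    # route; replies to inbound handshakes follow it unless policy routing says otherwise.
    uci_flatten "$net" | awk -F'\t' -v me="$wg" '
        $2 ~ /^wireguard_/ && $2 != ("wireguard_" me) {
            i = substr($2, 11)
            if ($4 == "allowed_ips" && $5 == "0.0.0.0/0") full[i] = 1
            if ($4 == "route_allowed_ips" && $5 == "1") rt[i] = 1
        }
        $2 == "interface" && $4 == "disabled" && $5 == "1" { off[$3] = 1 }
        END { for (i in full) if (rt[i] && !off[i]) print i ": enabled full-tunnel peer with route_allowed_ips; inbound WireGuard replies will be routed into it without policy-based routing" }'
}

# Constructed sample, abbreviated from the config posted earlier, keys replaced.
write_broken_sample() {     # $1=directory
    cat > "$1/network" <<'EOF'
config interface 'lan'
	option proto 'dhcp'

config interface 'WireGuard'
	option proto 'wireguard'

config wireguard_WireGuard
	option public_key 'REDACTED'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'REDACTED'
	list addresses '10.14.0.1/24'

config wireguard_wg0
	option public_key 'REDACTED'
	list allowed_ips '10.14.0.3/32'
	option endpoint_port '51123'
EOF
    cat > "$1/firewall" <<'EOF'
config zone
	option name 'wan'
	option input 'REJECT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	list proto 'udp'
	option src 'wan'
	option src_dport '51123'
	option dest_ip '10.14.0.1'
EOF
}
```

On the router: `lint_wg_server /etc/config/network /etc/config/firewall wg0`. Against the sample it reports the missing listen_port, the stray endpoint_port, the DHCP lan and the enabled full-tunnel peer; once the listen_port, the AcceptWG traffic rule and a static lan address are in place and the commercial peer is disabled (or policy routed), it prints nothing.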

ok, I added the option listen_port '51123' to the config interface 'wg0' stanza and added the config rule you mentioned above. I noticed you asked for the option src to be set to wan.

I wonder if that is my problem because I have that disabled in favor of the lan. I believe I thought to do this so that the OpenWrt router would be forced to reside on the 192.168.0.x IP range.

I still can only connect to wireguard on my network when using the mobile app.

Currently the only way I can get a connectable IP is when plugging the Ethernet into one of the LAN ports; the WAN port won't allow me to connect via ssh or the luci gui.

Current mobile app configuration and enabled while on Cellular data only.

Actually, I had noticed this.

Your diagram indicates that you have a lan > wan connection (netgear > openwrt). And it shows a device (NAS?) with an address of 192.168.1.x and your phone with another address on that same subnet -- distinctly different than your 192.168.0.0/24 network from the netgear.

However, your lan is shown as a DHCP client, which means your 192.168.1.0/24 network wouldn't work... (unless you have an alternate DHCP server, but it's usually a very bad idea to make a network's gateway a DHCP client rather than static).

So... I'm not surprised that there are issues here...

Do you want/need an independent subnet for the nas/phone (and other devices) behind the OpenWrt router for outbound VPN purposes? Or do you want to simply make it a VPN endpoint for inbound connections?

To be clear... based on your current config and your latest description of the lan-lan connection, I would expect that WG would not be working, just as you've described.

Sorry for all the confusion - I drew the diagram in a way to show the phone on the 192.168.1.x network because I thought I needed to specifically connect to this network for it to work. That extra NAS/box might as well be ignored as it would be a potential future state.

Is there a possibility for an independent subnet to accomplish both your questions? Could it be configured for devices like remote phones and laptops to connect via inbound connections, but also let internally hosted servers use outbound VPN connections to a commercial VPN?

The preferred method here is to setup the OpenWrt router as your primary router... then the rest becomes much easier.

But based on the current topology, you have two main choices:

  1. configure a lan behind the OpenWrt router that will be used for outbound VPN connections. This topology makes it such that devices connected to the lan of the Netgear router and devices connected to the OpenWrt router will not easily be able to connect to each other. It's not impossible for them to communicate, but it's not trivial either. But getting an outbound VPN connection like this is trivially easy. The inbound VPN connection is possible, but again, requires a bit of extra work.

  2. Use the router as 'just another lan device' and setup as your inbound VPN endpoint. This configuration would (mostly) preclude the use of an outbound VPN connection (if you want to know more about that, there is a thread here that will cover it, but it's far from ideal).

What direction do you want to go?