Cannot get WireGuard server working

Hello. I have installed and configured WireGuard on my OpenWRT router, but I cannot get it to work. I have followed the howto on the OpenWRT wiki (https://openwrt.org/docs/guide-user/services/vpn/wireguard/server). It seems to work, in the sense that clients (macOS, iPhone) are making a connection (handshake), but it simply stops there.

Here is my data:

Model: TP-Link TL-WDR3600 v1
Architecture: Atheros AR9344 rev 2
Firmware Version: OpenWrt 19.07.8 r11364-ef56c85848 / LuCI openwrt-19.07 branch git-21.238.28320-53f59d3
Kernel Version: 4.14.241

/etc/config/network:

config interface 'vpn'
	option proto 'wireguard'
	option private_key '<KEY>'
	option listen_port '51820'
	list addresses '192.168.9.1/24'

config wireguard_vpn 'wgclient'
	option public_key '<KEY>'
	option description 'iPhonevanFred'
	list allowed_ips '192.168.9.3/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

config wireguard_vpn
	option public_key '<KEY>'
	option description 'LaptopvanFred'
	list allowed_ips '192.168.9.2/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

/etc/config/firewall:

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

Any help is greatly appreciated. If you need any extra information, please ask and I will provide it.

Thanks!

Please post the config from your remote peer (client).

Do you see anything in the wireguard status? Handshakes or anything else?
Do you have a public IP address?


config from my iPhone:

[Interface]
PrivateKey = <KEY>
Address = 192.168.9.3/32
DNS = 192.168.64.1

[Peer]
PublicKey = <KEY>
AllowedIPs = 0.0.0.0/0
Endpoint = <FQDN>:51820
PersistentKeepalive = 25

wg show vpn (on openwrt router):

# wg show vpn

interface: vpn
public key: <KEY>
private key: (hidden)
listening port: 51820

peer: <KEY>
endpoint: 89.201.8.177:27898
allowed ips: (none)
latest handshake: 16 minutes, 53 seconds ago
transfer: 3.63 KiB received, 4.37 KiB sent

peer: <KEY>
endpoint: 89.201.8.177:57151
allowed ips: (none)
latest handshake: 2 hours, 17 minutes, 40 seconds ago
transfer: 1.32 KiB received, 1.44 KiB sent

I have a public IP. I checked with nmap and 51820/udp is open/filtered.

When your phone is connected via wireguard, can you ping 8.8.8.8 from your phone?


Nope, I cannot.

OK, I think I found it. I checked the routing table on the router and there were clearly routing entries missing. I restarted the vpn interface and the routing table was now populated with more entries. And it now works.

It does make you wonder why that routing table was not corrupt. I typically restart networking and/or the whole router after changes...

Thanks for getting me on the right track!

One of the known issues on WG for 19.07 and earlier is that the WG interface needs to be restarted after each change to the WG configuration. I wonder if that is part of the problem you were experiencing.

But it sounds like it is working now, so that's great!

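As an added example (not from this thread, and not part of OpenWrt or WireGuard), here is a small POSIX shell check for the mismatch visible in the "wg show vpn" output earlier in the thread: /etc/config/network lists allowed_ips for every peer, but the running interface reports "allowed ips: (none)", so the handshake completes and every packet is then dropped by WireGuard's cryptokey routing. The script reads "wg show <iface>" text on stdin and prints the public key of each peer in that state. The sample output is constructed, with placeholder keys and documentation addresses; "ifup vpn" in the comment is the OpenWrt command to restart a UCI interface, matching the fix described above.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenWrt project: flag WireGuard
# peers whose *running* state carries no allowed IPs. With the stale state
# seen in the thread, handshakes succeed but all traffic is silently dropped.
# Reads "wg show <iface>" text on stdin; prints one public key per affected peer.
bad_peers() {
    awk '
        /^peer: / { peer = $2; next }            # remember which peer block we are in
        index($0, "allowed ips: (none)") > 0 {   # live state has no allowed IPs
            if (peer != "") print peer
        }
    '
}

# Count affected peers; "wc -l" output is trimmed so the result is a bare integer.
count_bad_peers() {
    printf '%s\n' "$1" | bad_peers | wc -l | tr -d ' '
}

# Constructed sample shaped like the thread's output (keys and addresses are placeholders).
SAMPLE_STALE='interface: vpn
  public key: SERVER_PUBKEY
  private key: (hidden)
  listening port: 51820

peer: PHONE_PUBKEY
  endpoint: 203.0.113.10:27898
  allowed ips: (none)
  latest handshake: 16 minutes, 53 seconds ago
  transfer: 3.63 KiB received, 4.37 KiB sent

peer: LAPTOP_PUBKEY
  endpoint: 203.0.113.10:57151
  allowed ips: (none)
  latest handshake: 2 hours, 17 minutes, 40 seconds ago
  transfer: 1.32 KiB received, 1.44 KiB sent'

# Constructed sample of the same interface after a restart: allowed IPs now
# match the allowed_ips entries in /etc/config/network.
SAMPLE_OK='interface: vpn
  public key: SERVER_PUBKEY
  listening port: 51820

peer: PHONE_PUBKEY
  endpoint: 203.0.113.10:27898
  allowed ips: 192.168.9.3/32
  latest handshake: 10 seconds ago

peer: LAPTOP_PUBKEY
  endpoint: 203.0.113.10:57151
  allowed ips: 192.168.9.2/32
  latest handshake: 30 seconds ago'

# Stand-alone demo on the constructed sample. On the router the input would be
# the live status instead:   wg show vpn | bad_peers
if [ "$(count_bad_peers "$SAMPLE_STALE")" -gt 0 ]; then
    echo "peers with no allowed IPs in the running interface (restart it with: ifup vpn):"
    printf '%s\n' "$SAMPLE_STALE" | bad_peers
fi
```

Run it on the router as `wg show vpn | bad_peers` after every change to the WireGuard section of /etc/config/network; any key it prints means the kernel state has not picked up the UCI config and the interface needs `ifup vpn`, which is the restart that resolved this thread.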
