i cant figure out why my edgerouter wont connect to my wireguard vpn server it cant even make a handshake so its not a routing problem and the firewall zone is on the wan so i dont think its a firewall problem. please help because i have to finish doing this by sunday becausee its the last time i am at my remote location
You'll need to share your configs... otherwise we can only guess.
Starting with OpenWrt...
Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
cat /etc/config/network
cat /etc/config/firewall
thanks for the fast reply
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option packet_steering '1'
option ula_prefix 'fd20:4f68:fd02::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1'
list ports 'eth2'
list ports 'eth3'
list ports 'eth4'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.50.1'
option ipv6 '0'
config interface 'wan'
option device 'eth0'
option proto 'dhcp'
option ipv6 '0'
config interface 'jared'
option proto 'wireguard'
option private_key 'redacted='
option peerdns '0'
list dns '192.168.1.2'
list dns '8.8.8.8'
option nohostroute '1'
list addresses '10.6.0.29/24'
config wireguard_jared
option description 'router.conf'
option public_key '3evZ98cJ0DmdCdi2ECHgt1Gp5m3vANcavrwbZSWj5X0='
option preshared_key 'redacted='
option endpoint_host '37green2.home.dyndns.org'
option endpoint_port '51820'
list allowed_ips '192.168.1.0/20'
list allowed_ips '0.0.0.0/0'
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option flow_offloading '1'
option flow_offloading_hw '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'jared'
option input 'REJECT'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'wireguard'
option src 'wan'
option src_dport '51820'
option dest_ip '192.168.50.2'
option enabled '0'
This appears to be the 'client' side, but your description didn't make that entirely clear... from the original post, it seems to suggest that the edgerouter is the 'client' since you're talking about your edgerouter not connecting to your server.
Can you confirm that the OpenWrt side is the 'client'?
remove all 3 of the dns related lines -- they have no function here.
Also remove the nohostroute
The first list allowed_ips isn't necessary since 0.0.0.0/0 covers all IPv4 addresses
Since the OpenWrt side is the 'client', this can be removed (it's not currently enabled, but remote it since it is unnecessary)... unless you have another wireguard 'server' behind the OpenWrt router.
The jared network is being treated as an untrusted network because it is in the wan zone. Is that the intent? Is there a need for the other side to be able to initiate connections back to OpenWrt router and it's network?
Yes the edgerouter is the client side it is supposed to connect to my main location i have a wireguard server at my main location and i tested the file i used for the router on a pc and it works fine
I'm just realizing that I was thinking you were using EdgeOS on your Edgerouter and a different device with OpenWrt.... lol.
Did you make the changes I suggested? If so, after a reboot, provide the output of the following:
wg show
interface: jared
public key: rasCLNQAmsPtesEE2Twzjr/EFyp4eA5tawFYJUy+uSU=
private key: (hidden)
listening port: 55451
peer: 3evZ98cJ0DmdCdi2ECHgt1Gp5m3vANcavrwbZSWj5X0=
preshared key: (hidden)
endpoint: 96.224.49.61:51820
allowed ips: 192.168.0.0/20
it appears that the vpn still isnt working i made all the changes you suggested but it still doesnt handshake with my server
also i set the vpn firewall to wan because its the same way i made my home server communicate with my vpn server in my remote site( the vpn server runs on vmware and is port forwarded)
You said that you have tested the config on your computer directly... have you verified that:
- the computer's WG connection has been disabled (you cannot run 2 instances of the same peer config)
- the config was properly imported into your OpenWrt router. Often, a lack of handshake is related to an issue with the keys or the interface address.
Thanks I’ll review this and get back to you tomorrow thanks for the help so far
the pcs vpn is disabled the server doesnt detect the connection frim the router either. what is the proper way to import it i just used the gui config for the interface and on the general page on the bottom i used import config then put the config file there
That method of import should be fine, but it is worth verifying that the configs are identical on your PC and the OpenWrt router -- check the keys in particular.
Is the time correct on your OpenWrt router?
date
While your PC is on the same network as the OpenWrt router, disable the OpenWrt WG interface and then verify that the connection is indeed working as expected when initiated from the PC. Then stop the PC's WG connection and try with OpenWrt.
I checked the dates the time zones were off i made them the same and no luck connecting to wireguard
I tried openvpn which works i also tried connecting to a different wire gurard server no luck
date and time is critical (time zone is not).
Have you done these things:
and
The keys match and the time matches
My service provider is xfinity the xfinity router that i have is set to bridge mode
Does xfinity block wireguard its the only thing left i could think of
But i cant imagine how my pc would work then
I use xfinity as well... and I have no issues with Wireguard. So it's unlikely to be a problem with the ISP (but we can't yet rule that out).
How have you verified that it is working? From the same network as your OpenWrt ER-X, try connecting via wireguard to the 'server' and verify that you can access the server itself (such as via ssh) and/or that you can reach other resources behind the server. If you're directing all traffic through the tunnel, you can do a traceroute to verify that it is indeed all going through the server.
While you are connecting to the wireguard 'server' on ubuntu, grab the WG config file and post it here (as always, redact the keys and anything personally identifiable)
at this point i have given up on wireguard because i have to be done by tommorow. but you seem incredibly knowledgeble so i was hoping you could help me with routing my openvpn connection.
so i made an openvpn tunnel it works fine but i need to route with these parameter
i need my local network to reach the devices on my remote network. i need all the devices on my network to reach 192.168.1.0/20 on my remote network but i want the rest of my connection like internet to go through the normal wan interface
can you help
on the server, add this line:
list push 'route 192.168.1.0 255.255.240.0'
and make sure you do not use the redirect-gateway def1 argument