Can't connect to Wireguard on Openwrt from remote machine

Hello there,
I have been combing through this whole forum seeking answers, but it seems I am getting desperate with this issue. Networking is my biggest weakness in IT.

Here is my network model:
MACHINE 2 SERVER WITH RDP ON (10.10.20.23/26)
----> ROUTER ARCHER C7 (OpenWRT 10.10.20.1/26)
---> INTERNET BOX (192.168.1.254 accessible via a static public IP)
---> REMOTE MACHINE

I would like to connect from my remote machine using WG VPN access into my LAN (10.10.20.1/26) and be able to ping MACHINE 2, but I can't even get a handshake.

  1. I have installed OpenWrt on my router Archer C7 and it all went well.
  2. I have changed the router IP range to 10.10.20.1/26 to avoid conflicts with public wifi networks (192.168.X.X etc.).
  3. WG on the OpenWrt router is listening on port 51820.
  4. I have set port forwarding on my internet box from 443 to 51820 (443 because other ports are blocked by public wifi in some cases).
  5. I have generated public and private keys and have filled in the "general settings" and "peer" sections.
  6. I have qrencoded this and imported the QR into my WG client on my phone.

This is absolutely not working, and I have tried many things explained in this very forum.
If anyone would be so kind as to guide me through this, I'd greatly appreciate it.

Please kindly see below my files /etc/config/network and /etc/config/firewall:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd27:6f4c:ef42::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.10.20.1'
	option netmask '255.255.255.192'
	option ip6assign '60'

config device
	option name 'eth0.2'
	option macaddr 'd8:0d:17:c0:0f:6e'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
	option type 'bridge'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'sD86SV+sTMKMzEt2oLJi4mObpl7S/OP3lKX7xiuHAFs='
	option listen_port '51820'
	list addresses '10.0.10.1/24'

config wireguard_wg0
	option description 'WGconn'
	option public_key 'vFybX/KkoL8fOLfxp75CSsWBetq6Ejg2k2q1vk3x1Qk='
	option private_key 'yDkWr7DLTG/rfYLdoaJJVAO3RLnweuZUiRzcaY+1G1E='
	option preshared_key 'HIDDEN KEY'
	option endpoint_host 'HIDDEN PUBLIC ISP IP'
	option endpoint_port '443'
	option persistent_keepalive '25'
	list allowed_ips '10.0.10.2/32'

and then the firewall:

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	list network 'wan'
	list network 'wg0'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'VPN forward'
	list proto 'udp'
	option src 'wan'
	option src_dport '443'
	option dest_ip '10.10.20.1'
	option dest_port '51820'

You've got a few things going on here...

First, remove the endpoint host and endpoint port from the WG peer config on the OpenWrt side:

Then, add option route allowed_ips '1' to the stanza above.

Next, this should be a traffic rule, not a redirect... delete this and make it a rule instead:

And since the WG network here is trusted/inbound, you need it in a trusted firewall zone. Remove it from the wan zone:

And add it to the lan zone.

Finally, you have a static public IP on the "internet box" which is good... but you must also enable port forwarding from the "internet box" to your OpenWrt router:

UDP 51820 > C7's wan IP (which will be in the 192.168.1.0/24 network) port 51820

Try those out and let us know what happens.

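Putting the five changes above together against the original /etc/config/network and /etc/config/firewall, as an added example written for this thread (it is not psherman's or the project's own config): key values are placeholders, and the rule name 'Allow-WireGuard' is my choice.

```uci
# /etc/config/network -- wg0 interface unchanged, peer stanza corrected
config interface 'wg0'
	option proto 'wireguard'
	option private_key '<ROUTER PRIVATE KEY>'
	option listen_port '51820'
	list addresses '10.0.10.1/24'

config wireguard_wg0
	option description 'WGconn'
	# only the phone's PUBLIC key belongs here; a private_key option in a
	# peer stanza is not a peer setting, and the phone's private key stays on the phone
	option public_key '<PHONE PUBLIC KEY>'
	option preshared_key '<PRESHARED KEY>'
	option persistent_keepalive '25'
	# added: install a route for the allowed_ips so replies to 10.0.10.2 go via wg0
	option route_allowed_ips '1'
	list allowed_ips '10.0.10.2/32'
	# removed: endpoint_host / endpoint_port (the router is the listener, it does not dial out)

# /etc/config/firewall -- wg0 moved from the wan zone into the lan zone
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg0'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	list network 'wan'
	option masq '1'

# traffic rule replaces the 'VPN forward' redirect: accept UDP 51820 on the router itself.
# The internet box forwards UDP 443 (or 51820) to the C7's 192.168.1.x WAN IP, port 51820,
# so the port seen on the router's wan is always 51820.
config rule
	option name 'Allow-WireGuard'
	option src 'wan'
	option proto 'udp'
	option dest_port '51820'
	option target 'ACCEPT'
```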

In the ISP router, confirm that its own WAN IP matches what a "what's my IP" test run from a lan PC reports. If the ISP is using CGNAT, your "public" IP is not actually present on the Internet, and incoming connections will not be possible.

A good test is to install tcpdump on the OpenWrt router then see if any packets from the phone are reaching it on port 51820.
tcpdump -i eth0.2 port 51820
If you see UDP coming in but not being acknowledged it is likely because the keys don't match.

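To make the tcpdump check above less of a guessing game, here is an added helper (not from the thread) that classifies `tcpdump -n -i eth0.2 port 51820` output by WireGuard message size: a handshake initiation is a 148-byte UDP payload and a handshake response is 92 bytes, so "initiations arrive, no responses leave" is the key-mismatch symptom, while "no initiations at all" points at the internet box forwarding or CGNAT. The sample capture lines are constructed; 192.168.1.20 stands in for the C7's WAN address.

```shell
#!/bin/sh
# Added example, not part of the forum thread. Reads tcpdump lines on stdin
# (format: "<ts> IP <src>.<port> > <dst>.<port>: UDP, length <n>") and
# counts WireGuard handshake initiations (148 bytes, towards our port) and
# handshake responses (92 bytes, leaving our port).
WG_PORT=51820

wg_handshake_summary() {
    awk -v port="$WG_PORT" '
        # fields: 1=ts 2="IP" 3=src 4=">" 5=dst: 6="UDP," 7="length" 8=n
        $2 == "IP" && $6 == "UDP," && $7 == "length" {
            len = $8 + 0
            dst = $5; sub(/:$/, "", dst)
            to_us = (dst ~ ("\\." port "$"))     # destination is our listen port
            if (len == 148 && to_us)       init++
            else if (len == 92 && !to_us)  resp++
            else                           other++
        }
        END {
            printf "init=%d resp=%d other=%d ", init, resp, other
            if (init == 0)      print "verdict=no-initiations (port forward/CGNAT/ISP box)"
            else if (resp == 0) print "verdict=unanswered (key mismatch or wg0 not up)"
            else                print "verdict=handshake-ok"
        }'
}

# Constructed sample: the phone retries every 5 s, the router never answers.
sample_unanswered() {
    cat <<'EOF'
10:00:01.000000 IP 203.0.113.5.50123 > 192.168.1.20.51820: UDP, length 148
10:00:06.000000 IP 203.0.113.5.50123 > 192.168.1.20.51820: UDP, length 148
10:00:11.000000 IP 203.0.113.5.50123 > 192.168.1.20.51820: UDP, length 148
EOF
}

# Constructed sample: initiation, response, then an encrypted data packet.
sample_ok() {
    cat <<'EOF'
10:00:01.000000 IP 203.0.113.5.50123 > 192.168.1.20.51820: UDP, length 148
10:00:01.010000 IP 192.168.1.20.51820 > 203.0.113.5.50123: UDP, length 92
10:00:01.020000 IP 203.0.113.5.50123 > 192.168.1.20.51820: UDP, length 128
EOF
}

# Live use on the router: tcpdump -n -l -i eth0.2 port 51820 | wg_handshake_summary
```

Run it against a live capture with `-l` so tcpdump line-buffers, then stop it with Ctrl-C to get the summary.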

Thanks to both for your reactivity. I will try that this afternoon.
It seems I had to reset my router due to bad settings, so I will restart from scratch and keep you updated.

Hey there,

Thank you very much. I finally got it working.

  1. I have created one WG interface + one peer and QR-encoded it.
  2. Tcpdump successfully received packets when my phone connected to WG using the conf file.
  3. Therefore, I have added one port forwarding rule on OpenWrt with both external and internal port 51820.
  4. On my internet box, I have checked that my port forwarding rule was still enabled: 443 forwarding to 51820.
  5. I have amended my WG client file, replacing the endpoint data with my public IP + port 443.
  6. I can access my LAN and ping other devices, and I am also able to browse the internet. GREAT!

Two last questions for psherman:

A) When you mention:
And since the WG network here is trusted/inbound, you need it in a trusted firewall zone. Remove it from the wan zone and add it to the lan zone

Do you mean like this:

config zone
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'lan'
	option name 'wg0'

B) As I reconfigured everything using the GUI this time, I noticed in /etc/config/firewall:

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'HomeVPN'
	list proto 'udp'
	option src 'wan'
	option src_dport '51820'
	option dest_ip '10.8.8.1'
	option dest_port '51820'

(10.8.8.1 is now my new WG interface IP)

How come this works as is, and no traffic rule has been created?
