I previously set up wireguard on an openwrt router but as a "client" connecting to a "server", i.e. router was behind firewall with no port opened, server had a public ip address, and this worked fine.
I decided to try and do this the other way round with the router as server having a public ip address and the client being behind a firewall.
I set it up in exactly the same way with the addition of adding a port forward on the router from wan 51820 to lan 51820. No other networking settings have been changed. I set them both up using luci but here's the configuration:
endpoint: <router ip>:51820
allowed ips: 10.8.0.0/24
transfer: 0 B received, 197.43 KiB sent
persistent keepalive: every 25 seconds
Server shows peer as:
Endpoint: <client ip>:49088
Allowed IPs:
• 10.8.0.2/32
Persistent Keepalive: 25s
Latest Handshake: Never
Data Received: 215 KiB
Data Transmitted: 236 KiB
So they are sort of seeing each other but not completing a handshake and obviously I can't ping or ssh.
I know I'm missing something because when I previously set up the public "server", I had to add some iptables rules and it didn't work until I'd done this. But I'm not entirely sure how to do this on openwrt or in luci.
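Added example, not from the thread: a small checker for /etc/config/firewall that tells a LuCI "port forward" (a `config redirect`, which DNATs WAN traffic to a LAN host) apart from a `config rule` that accepts inbound UDP on the WAN zone for the router itself. The two sample configs are constructed, not the poster's real files.

```python
"""OpenWrt firewall check: does UDP 51820 reach the router itself?
A `config redirect` (LuCI "port forward") DNATs wan traffic to a LAN host; a
WireGuard endpoint on the router needs a `config rule` accepting wan input."""

def parse_uci(text):
    """Parse UCI config text into [(section_type, {option: value}), ...]."""
    sections = []
    for line in text.splitlines():
        parts = line.strip().split(None, 2)
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "config":
            sections.append((parts[1], {}))
        elif parts[0] in ("option", "list") and sections and len(parts) == 3:
            sections[-1][1][parts[1]] = parts[2].strip("'\"")
    return sections

def wireguard_rule_status(text, port="51820"):
    """'accept' = input rule present, 'redirect' = only a port forward, else 'missing'."""
    status = "missing"
    for stype, opts in parse_uci(text):
        ports = (opts.get("dest_port", "") + " " + opts.get("src_dport", "")).split()
        if port not in ports:
            continue
        is_input = stype == "rule" and not opts.get("dest")  # no dest => router input chain
        if (is_input and opts.get("src") == "wan" and "udp" in opts.get("proto", "").lower()
                and opts.get("target", "").upper() == "ACCEPT"):
            return "accept"
        if stype == "redirect":
            status = "redirect"
    return status

# Constructed sample configs (not the poster's real files).
FORWARD_ONLY = """
config redirect
    option src 'wan'
    option src_dport '51820'
    option dest 'lan'
    option dest_ip '192.168.1.10'
    option dest_port '51820'
    option proto 'udp'
    option target 'DNAT'
"""
INPUT_RULE = """
config rule
    option name 'Allow-WireGuard'
    option src 'wan'
    option dest_port '51820'
    option proto 'udp'
    option target 'ACCEPT'
"""

if __name__ == "__main__":
    for label, cfg in (("port forward only", FORWARD_ONLY), ("input rule", INPUT_RULE)):
        print(f"{label}: {wireguard_rule_status(cfg)}")
```

Run it against a copy of the real file with `wireguard_rule_status(open("/etc/config/firewall").read())`; "redirect" means the port is only being forwarded, not accepted by the router.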
It's directly connected as far as I know with normal broadband: 80.44.
A port scan to that address shows 22, 80, 443 etc as open and I can ssh in. For some reason 51820 is completely closed.
Yes, this is good -- this is a normal publicly routable IP.
This is by design -- even when everything is working, wireguard will never respond to a port scan. Wireguard uses UDP which doesn't need to send ack packets (TCP does), partially for this reason. Beyond that, Wireguard only responds when it receives traffic that is cryptographically correct (i.e. the appropriate public and private keys match), otherwise the traffic is simply ignored and nothing is sent back.
Let's take a look at your latest config files in their complete form (aside from private details that should be redacted):
Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
cat /etc/config/network
cat /etc/config/firewall
and also please provide your 'client' side peer config.
Your 'client' is only going to use the tunnel for the 10.8.0.0/24 network. If you want to be able to reach devices on the 'server' LAN, the allowed ips on the 'client' side should be 192.168.1.0/24. If your intent is to send all traffic through the tunnel, that allowed ips field should be 0.0.0.0/0.
That still doesn't work. I don't want to reach devices on the server LAN, or route any traffic, I just want to be able to reach the openwrt router itself.