Hello everyone,
For a few days I have been trying to install WireGuard, but I can't log in remotely with the VPN. I have seen many videos on YouTube but I can't understand what I am doing wrong.
I have a static IP; all my preshared and public keys are correct. I have opened the default port as UDP protocol on the router and on OpenWrt.
I'm trying to connect by phone.
Do you have any video that works properly?
Please copy the output of the following commands and post it here using the "Preformatted text </>" button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:
cat /etc/config/network
cat /etc/config/firewall
Let's also see the other peer config (from your phone).
network
config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option packet_steering '1'
    option ula_prefix 'some mac'

config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'
    list ports 'lan2'

config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option ipaddr '192.168.30.1'

config interface 'wan'
    option device 'wan'
    option proto 'dhcp'

config interface 'wan6'
    option device 'wan'
    option proto 'dhcpv6'

config device
    option name 'wlan0'

config device
    option name 'wlan1'

config interface 'WireGuard'
    option proto 'wireguard'
    option private_key 'sOmJjLcpZFIei0hbyfe/gEdlp04FI0hylzSszIsEzWs='
    option listen_port '51820'
    list addresses '10.0.0.1/24'

config wireguard_WireGuard
    option route_allowed_ips '1'
    option preshared_key 'Y3mYGtryMYz5ahMc+3+IJjlYhdOXdkj08F1cDzS6GdA='
    option public_key 'BNZfQ5S1U9KnFtl8Kr3BN9XwXonNS6zhJaAAmS8JNlM='
    list allowed_ips '10.0.0.2/32'
firewall
config defaults
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option synflood_protect '1'
    option flow_offloading '1'
    option flow_offloading_hw '1'

config zone 'lan'
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list network 'lan'

config zone 'wan'
    option name 'wan'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option input 'ACCEPT'
    list network 'wan'
    list network 'wan6'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config rule 'wg'
    option name 'Allow-WireGuard'
    option src 'wan'
    option dest_port '51820'
    option proto 'udp'
    option target 'ACCEPT'

config zone
    option name 'vpn'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    list network 'WireGuard'

config forwarding
    option src 'lan'
    option dest 'vpn'

config forwarding
    option src 'vpn'
    option dest 'wan'

config redirect
    option dest 'vpn'
    option target 'DNAT'
    option name 'wg'
    list proto 'udp'
    option src 'wan'
    option src_dport '51820'
    option dest_ip '10.10.10.1/32'
    option dest_port '51820'
So I see a few things here. Going in order of the files:
Remove these. They don't belong in your network file. They're not the cause of your issues, but should be removed.
I hope that the keys in your WG config are obfuscated in some way (such as removing a few characters)... if they're not, you should change your keys since these are no longer guaranteed secure (you can get things running first and then change the keys... just be sure to do it ASAP).
Your wan zone currently has input = ACCEPT. This is dangerous. I'd recommend that you change this to REJECT.
If you want to be able to reach your lan from your remote peer, add this:
config forwarding
    option src 'vpn'
    option dest 'lan'
Delete this next section... you should be using a traffic rule. Beyond that, this is redirecting to an address that doesn't exist in your network.
Add this rule to allow inbound WG connections.
config rule
    option name 'Allow-WG'
    option src 'wan'
    option proto 'udp'
    option dest_port '51280'
    option target 'ACCEPT'
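As an added example (not from this thread or from OpenWrt), the following script checks a firewall config for the four problems raised in the reply above: wan zone input set to ACCEPT, a DNAT redirect pointing at an address outside any local subnet, no vpn to lan forwarding, and a missing UDP accept rule for the WireGuard port. The sample config is a constructed, trimmed copy of the one posted above, and the local subnets (192.168.30.0/24 and 10.0.0.0/24) are assumed from the posted network file.

```python
import ipaddress
import re
# Constructed sample, trimmed from the firewall config posted above.
SAMPLE = """
config zone 'wan'
    option name 'wan'
    option input 'ACCEPT'
config forwarding
    option src 'lan'
    option dest 'vpn'
config rule 'wg'
    option src 'wan'
    option dest_port '51820'
    option proto 'udp'
    option target 'ACCEPT'
config redirect
    option name 'wg'
    option target 'DNAT'
    option dest_ip '10.10.10.1/32'
"""
# Assumed local subnets: the LAN and the WireGuard tunnel from the posted network config.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("192.168.30.0/24", "10.0.0.0/24")]

def parse_uci(text):
    """Return (section_type, options) pairs from UCI text; 'list' lines are not needed here."""
    sections = []
    for line in text.splitlines():
        parts = [p.strip("'") for p in re.findall(r"'[^']*'|\S+", line)]
        if parts and parts[0] == "config":
            sections.append((parts[1], {}))
        elif parts and parts[0] == "option":
            sections[-1][1][parts[1]] = parts[2]
    return sections
def audit(text, wg_port="51820"):
    """Return the findings raised in the thread as strings; an empty list means clean."""
    secs = parse_uci(text)
    findings = []
    for typ, o in secs:
        if typ == "zone" and o.get("name") == "wan" and o.get("input") == "ACCEPT":
            findings.append("wan zone input is ACCEPT; set it to REJECT")
        if typ == "redirect" and o.get("target") == "DNAT":
            ip = ipaddress.ip_interface(o.get("dest_ip", "0.0.0.0")).ip
            if not any(ip in n for n in LOCAL_NETS):
                findings.append("redirect %s targets %s, outside every local subnet; use a traffic rule" % (o.get("name"), ip))
    if ("vpn", "lan") not in {(o.get("src"), o.get("dest")) for t, o in secs if t == "forwarding"}:
        findings.append("no forwarding vpn -> lan; remote peers cannot reach the LAN")
    if not any(t == "rule" and o.get("src") == "wan" and o.get("proto") == "udp"
               and o.get("dest_port") == wg_port and o.get("target") == "ACCEPT" for t, o in secs):
        findings.append("no ACCEPT rule for udp/%s from wan" % wg_port)
    return findings
```

Run `audit(open("/etc/config/firewall").read())` on the router to get the same findings for the live file; the Allow-WireGuard rule already present in the posted config passes the last check.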
I see that TX is working but RX is still at 0.
Port 51820 is open on OpenWrt on the Xiaomi router (second router).
I checked whether port 51820 is open on my ZTE F670L, but I see it is closed even though I have opened it (main router).
Why don't you create a VAP (an additional wireless network)? This is how I do it on my network; avoid using apps.
I see I made a typo in my rule above, so please make sure you used 51820 (and not 51280 as I accidentally typed above).
Which router is directly connected to the internet? How are the two routers connected to each other (lan > wan, or lan > lan)?
From this, I'm assuming the Xiaomi router is the one connected to the internet.
Let's see the port forward rule you have set up on that one (a screenshot is fine).
WG will not respond to port scans. This is entirely expected.
We'll go through some additional troubleshooting once we have the info requested here.
I want to connect from outside.
The Xiaomi is connected LAN -> WAN.
The ZTE router is the ISP's.
The Xiaomi is OpenWrt.
So the ZTE device is directly connected to the ISP. And the lan port on that device connects to the Xiaomi (running OpenWrt) WAN port, correct?
On the ISP router (ZTE), did you forward UDP port 51820 to the address that the OpenWrt Xiaomi device has on that network? Please post a picture of that port forward rule.
Does the ZTE have a public IP?
The ZTE has a static public IP.
This is wrong, as he says. The post below writes the port as 51820.
Missed it, will delete post...
Ok. So the next two things we can check are your keys and your actual ISP-issued IP address.
To test the keys: connect your phone directly to the OpenWrt router. Then change the endpoint IP in your phone's WG config to 192.168.30.1. Try connecting and see what happens. After that, let's see the output of wg show.
Next, we need to know if you actually have a public IP issued by your ISP. I don't know how to find that info on your ISP-facing router, but it should have some indication of the WAN IP. Please post the first two octets of that address (in bold: aaa.bbb.ccc.ddd).
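As an added example (not from this thread or from the WireGuard project), this reads the `wg show` output the reply above asks for and classifies the peer the way the thread does: no handshake at all, a handshake with nothing received, or a working peer. Both outputs are constructed; the peer public key is the one from the posted config, and the endpoint and counters are made up.

```python
import re

# Constructed `wg show` output for the local key test (peer key copied from the posted config).
NO_HANDSHAKE = """\
interface: WireGuard
  public key: (server public key)
  private key: (hidden)
  listening port: 51820

peer: BNZfQ5S1U9KnFtl8Kr3BN9XwXonNS6zhJaAAmS8JNlM=
  preshared key: (hidden)
  allowed ips: 10.0.0.2/32
"""
# Same peer after a successful handshake from the phone on the LAN (endpoint constructed).
HANDSHAKE = NO_HANDSHAKE + """\
  endpoint: 192.168.30.57:38512
  latest handshake: 9 seconds ago
  transfer: 1.12 KiB received, 2.46 KiB sent
"""

def parse_peers(text):
    """Split `wg show` output into one dict per peer, keyed by the indented field names."""
    peers, cur = [], None
    for line in text.splitlines():
        if line.startswith("peer: "):
            cur = {"public key": line[6:].strip()}
            peers.append(cur)
        elif cur is not None and line.startswith("  ") and ": " in line:
            key, value = line.strip().split(": ", 1)
            cur[key] = value
    return peers

def diagnose(peer):
    """Read one peer the way the thread does: no handshake, handshake but nothing received, or up."""
    if "latest handshake" not in peer:
        return "no handshake: the phone's packets never reached this port or the keys do not match"
    rx = re.match(r"([\d.]+) \w+ received", peer.get("transfer", "0 B received"))
    if rx and float(rx.group(1)) == 0:
        return "handshake done but 0 bytes received: check allowed ips on both sides"
    return "peer up: latest handshake %s" % peer["latest handshake"]
```

If the peer handshakes with the endpoint set to 192.168.30.1 but not with the public address, the keys are fine and the problem is upstream (the ZTE port forward or the public IP).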
Hey, I have a static IP that begins 81.2.x.x.
The WAN IP doesn't appear in the router, so I didn't know it.
I spoke with the ISP and he told me that I'm not on a CGNAT network.
Btw, we saw that maybe the ZTE has problems opening ports. I'm waiting to change my router and try again with the port.
I have preinstalled WireGuard and I'm trying to test it.
I have scanned the QR code to add the peer to my phone.
This is correct, assuming that your ZTE router's wan is actually 81.2.x.x based on what you just said. So that's good.
If you can remove the ZTE device entirely and just use OpenWrt, things may be easier. I don't know if there is a specific requirement for you to have that ZTE unit, though (sometimes a specific router is required by the ISP for customized connection methods and/or physical hardware interfaces and/or other services like VOIP or TV).
On your phone, you should be able to edit the endpoint address without needing a QR code.