Can't connect to wireguard

You are right so.

I'm trying with 192.168.2.1, which is now the OpenWrt LAN gateway address after the restore.

I connect through the OpenWrt Wi-Fi.

RX and TX counters are increasing, but I can't reach the internet.

wg show

interface: wireguard
  public key: (hidden)
  private key: (hidden)
  listening port: 51820

peer: (hidden)
  preshared key: (hidden)
  **endpoint: 192.168.2.247:39257** — I don't know why it shows port 39257; on my phone the endpoint is configured as 192.168.2.1:51820.
  allowed ips: 0.0.0.0/0
  latest handshake: 36 seconds ago
  transfer: 182.80 KiB received, 1.30 KiB sent

firewall

# /etc/config/firewall as posted. Zone policies apply to traffic to/from the router
# itself (input/output) and between zones (forward); 'config forwarding' stanzas
# open specific zone-to-zone paths.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# Trusted side: br-lan (192.168.2.1/24 in the network config below).
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# Upstream side (behind the ZTE ONT mentioned later in the thread). masq '1' NATs
# everything leaving through wan, so no extra NAT rule is needed for tunnel clients.
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        # NOTE(review): input ACCEPT on the wan zone lets any host on the WAN side reach
        # every service listening on the router itself (SSH, LuCI, DNS, the WireGuard
        # port, ...). The stock OpenWrt firewall uses REJECT here, which is why the
        # explicit Allow-* rules below exist; with ACCEPT those rules (Allow-WG included)
        # are redundant. The thread later reports a handshake arriving from the 4G address
        # without any port opened on the ZTE, so inbound traffic apparently already reaches
        # this interface. Unless ACCEPT was set deliberately for troubleshooting, set it
        # back to REJECT and rely on the Allow-WG rule for the tunnel.
        option input 'ACCEPT'

# LAN clients may go out through wan.
config forwarding
        option src 'lan'
        option dest 'wan'

# The following Allow-* rules appear to be the stock OpenWrt input rules for the wan
# zone; they only matter once the wan zone's input policy is REJECT.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Stock IPsec pass-through rules. No IPsec interface is configured in the network
# config below, so these are presumably inert; harmless, but they can be removed if
# IPsec is never used.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# WireGuard tunnel zone. input ACCEPT lets tunnel peers reach services on the router
# itself (needed for the DNS-via-192.168.2.1 fix later in the thread). forward REJECT
# means tunnel traffic is only forwarded where a 'config forwarding' stanza permits it:
# as posted only vpn -> lan exists, so clients reach the LAN but cannot reach the
# internet until a 'src vpn / dest wan' forwarding is added (see the reply below).
config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'wireguard'

# Accepts the WireGuard listen port (matches listen_port '51820' in the network
# config). This is the rule that should remain once wan input is set back to REJECT.
config rule
        option name 'Allow-WG'
        option src 'wan'
        option proto 'udp'
        option dest_port '51820'
        option target 'ACCEPT'

# Tunnel clients may reach the LAN. Internet access additionally needs
# 'option src vpn' / 'option dest wan'.
config forwarding
        option src 'vpn'
        option dest 'lan'

network

# /etc/config/network as posted.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fda5:67ee:3094::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'

# LAN: 192.168.2.1/24. This is the address the phone uses as the WireGuard endpoint
# while on Wi-Fi and, per the fix later in the thread, as the DNS server inside the
# tunnel.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.2.1'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

# WireGuard "server" side.
config interface 'wireguard'
        option proto 'wireguard'
        option private_key 'hidden'
        # Router's own tunnel address. Clients need a different host address in
        # 10.0.0.0/24; 10.0.0.0 is the network address and is not usable (the phone was
        # briefly configured with it later in the thread).
        list addresses '10.0.0.1/24'
        # Fixed listen port; the Allow-WG firewall rule opens exactly this port.
        option listen_port '51820'

# Peer entry for the phone.
config wireguard_wireguard
        option public_key 'hidden'
        # NOTE(review): a private_key in a *peer* section means the phone's private key is
        # stored on the router (LuCI keeps it to render the client config / QR code).
        # Anyone who can read this file can impersonate the phone; prefer generating the
        # key pair on the phone and keeping only its public key here.
        option private_key 'hidden'
        option preshared_key 'hidden'
        # NOTE(review): allowed_ips 0.0.0.0/0 on the server side, together with
        # route_allowed_ips '1', presumably installs a default route into the tunnel
        # toward this single peer, so the router's own upstream traffic is pulled into the
        # tunnel — consistent with the "handshake OK but no internet" symptom. The thread's
        # final fix is to use only the client's tunnel address here, i.e. 10.0.0.2/32.
        list allowed_ips '0.0.0.0/0'
        option route_allowed_ips '1'

WireGuard Server conf

# NOTE(review): this 'config server' stanza is not part of /etc/config/network; it looks
# like the config of a separate WireGuard server/installer package (the babeld/olsrd
# hotplug sections suggest a mesh-oriented package). If that service is actually running,
# its port range starts at 51820 — the same port the hand-configured 'wireguard'
# interface listens on — so the two may compete for the port; confirm the package is
# either disabled or using a different range.
config server
    option port_start '51820'
    option port_end '52820'
    option base_prefix_ipv4 '10.0.0.1/24'
    # NOTE(review): 2002::/64 is the 6to4 range, probably not intended for a private
    # tunnel; a ULA prefix (like the fda5:… one in the network config) would be the
    # usual choice — verify before relying on it.
    option base_prefix_ipv6 '2002::/64'
    option wg_key '/root/wg.key'
    option wg_pub '/root/wg.pub'
    option wg_tmp_key '1'
    option timeout_handshake '600'

config babeld_hotplug
    option rxcost '1024'

config olsrd_hotplug
    option LinkQualityMult 'default 0.1'

It's an optical-fiber connection; I can't take the ZTE ONT/router out of the path.

That port is the client's source port; the phone picks it at random, so it is expected to differ from 51820. Typically only the 'server' peer needs a fixed listen port (which is already configured here as 51820). Don't worry about it.

Add this to /etc/config/firewall so traffic from the vpn zone is allowed out through wan (the wan zone already masquerades); it will fix that part of the problem.

# Zone forwarding vpn -> wan: without it the vpn zone's 'forward REJECT' blocks tunnel
# clients from reaching the internet; NAT is handled by the wan zone's masq '1'.
config forwarding
        option src 'vpn'
        option dest 'wan'

The problem is still there.

The recommendation to add the forwarding is not a port forward; it is a zone forwarding. In LuCI, edit the vpn zone and allow forwarding to the wan zone (the wan zone already masquerades, so no extra NAT rule is needed).

yes i know

but it still isn't connecting to the internet.

I see that I was getting the IP 10.0.0.0 when I connect to the VPN — is that OK?

I'm trying to connect to the VPN over a 4G SIM. The peer status shows the endpoint as the 4G IP, and it connected successfully without my opening any port on the ZTE, but I don't have an internet connection.

When I change the address in the phone's WireGuard app from 10.0.0.0 to 10.0.0.1, the LAN scan shows the IP 127.0.0.1.

No — 10.0.0.0 is the network address of 10.0.0.0/24, not a usable host address, and 10.0.0.1 is already the router's own tunnel address, so the phone must not use either. Where are you seeing this address?

I see an error here:

In the router's peer entry for the phone, change the allowed IPs from 0.0.0.0/0 to 10.0.0.2/32 (and give the phone 10.0.0.2 as its tunnel address). With 0.0.0.0/0 and route_allowed_ips enabled, the router routes every destination into the tunnel toward the phone, which is presumably why the tunnel comes up but nothing reaches the internet.

I also see that no DNS server is specified in the phone's WireGuard config; add 192.168.2.1 (the router's LAN address, reachable because the vpn zone accepts input) so name resolution works through the tunnel.

You are insane! It's finally working.

Thank you so much!!!!
