Can't establish connection with the OpenVPN server

follow-up: I installed WireGuard now, and got it running relatively painlessly. I have a connection between server and client, but the thing is the public IP is still not that of the VPN server on the router. Any ideas?
(Should I post configuration here or start a new thread?)

Post your configs (from both devices) here.


From the client end:

interface: wg0
  public key: yz0/DKgpkxo/CKr8kzK/1pqEinEbZH0k=
  private key: (hidden)
  listening port: 33496

peer: A6otktvt4fBL23lcavh1zNYSMp2ZL136W4=
  endpoint: 192.168.0.129:4712
  allowed ips: 10.0.0.0/29
  latest handshake: 21 seconds ago
  transfer: 764 B received, 820 B sent

the configuration file is in /etc/wireguard, but this is all there is in it, really.

On the router:

in /etc/config/network


config wireguard_ 'wgclient'
	list allowed_ips '.0/'
	list allowed_ips '/'

config interface 'wg'
	option proto 'wireguard'
	option private_key 'UFU1Ss+5dzth54yh4_GkQ6a1eHHlae4tAbu3qUGw='
	option listen_port '4712'
	list addresses '10.0.0.1/29'

config wireguard_wg
	option public_key 'yz0/DKcingpkxo/CKrT/0ZS8kzK/1pqEiGULnEbZH0k='
	option description 'somepeer'
	list allowed_ips '10.0.0.0/29'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

in /etc/config/firewall

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option network 'wg'
	option input 'ACCEPT'
	option forward 'REJECT'
	option name 'wg'
	option output 'ACCEPT'

I'm not sure if I have to somehow enable IP masquerading or what.

What are you using as the end client? Are you intending for the client to connect from outside your network? Have you set an address in the client config file?

If you're wanting the 'client' to connect to the internet through your router then you should set allowed ips to 0.0.0.0/0.

You'll need to add "option dest_port 'XXXX'" to your rule. And you'll need to add a forwarding from wireguard to wan (or you could just add the wg interface to the existing LAN zone).


Brilliant. Everything's working now. All I had to do was set the allowed IPs to 0.0.0.0/0, like you said.

I'm using a laptop running ubuntu to connect, and I was already doing it from outside the network by having it connected to a hotspot set up on my phone, which is connected to mobile internet.
And yes, I have a configuration file on the client side, but it's just like in the output above, 4 or five lines.

[Interface]
PrivateKey = cJE345JK81ysbzDr43t434i1OKrd4343T1E=
Address = 10.0.0.2/29


[Peer]
PublicKey = A6otJktvt4fBL4et4tiN2m0lh1z43Nt4Mp2ZL136W4=
Endpoint = 46.105.69.214:4712
AllowedIPs = 0.0.0.0/0 #changed it now; before it was 10.0.0.0/29

(no worries about the private keys posted, they're not the actual ones, of course).

Thanks a lot!! :slight_smile:

By the way, what's 0.0.0.0/0 supposed to mean/do here? As far as I can tell, it signifies -any- addresses, regardless of subnet mask, so everything is allowed. But that can't be it: why does that result in the traffic originating from the client and onto the VPN server actually going through my router's WAN interface onto the internet, when before it wasn't?

This means that all IP addresses are allowed through the tunnel.

Would you mind posting your latest wg config from your openwrt side? I have some recommendations based on what I see above, but not sure if it is current/relevant.

P.S. You should remove all keys (public and private) and public IP addresses from your posts for security (unless those are not your current keys and addresses).


The keys posted are not the actual ones, of course :slight_smile:

/etc/config/network:


config wireguard_ 'wgclient'
	list allowed_ips '.0/'
	list allowed_ips '/'

config interface 'wg'
	option proto 'wireguard'
	option private_key 'UFUwerdz0jlAa2w22zvb323r1eHHlaTAbu323de23='
	option listen_port '4712'
	list addresses '10.0.0.1/29'

config wireguard_wg
	option public_key 'yz0/DKwagpk1o/C23KrT/0ZS8kzK/1p6erULnEbZH0k='
	option description 'somepeer'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	list allowed_ips '0.0.0.0/0'

config wireguard_wg
	option public_key '/7kh34vgf+N1Tm2p3V5GJ1F88jpCLNC234cdWbl4='
	option description 'Phonepeer'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

Firewall:

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option network 'wg'
	option input 'ACCEPT'
	option name 'wg'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option dest 'wan'
	option src 'wg'

config forwarding
	option dest 'wg'
	option src 'wan'

config forwarding
	option dest 'subnet2'
	option src 'wg'

Thanks. My recommendations follow:

Remove this:

> config wireguard_ 'wgclient'
> 	list allowed_ips '.0/'
> 	list allowed_ips '/'

It should go without saying that the WireGuard network address specified below must not overlap with your LAN or any other networks defined on your OpenWrt router. I am assuming that there is no overlap (but that is just an assumption since I don't know what else is in your /etc/config/network file), but if there is, change the subnet of all WG interface and allowed IPs to ensure no overlap

config interface 'wg'
	option proto 'wireguard'
	option private_key 'UFUwerdz0jlAa2w22zvb323r1eHHlaTAbu323de23='
	option listen_port '4712'
	list addresses '10.0.0.1/29'

Change your allowed IPs (0.0.0.0/0 is not the correct use for the allowed IPs for the remote peers). They should be /32 addresses. I ran some experiments and reported my findings here.

It should look something like this (and adjust your remote peer configurations such that their interface IP matches the allowed IPs as defined in the OpenWrt config):

config wireguard_wg
	option public_key 'yz0/DKwagpk1o/C23KrT/0ZS8kzK/1p6erULnEbZH0k='
	option description 'somepeer'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	list allowed_ips '10.0.0.2/32'

config wireguard_wg
	option public_key '/7kh34vgf+N1Tm2p3V5GJ1F88jpCLNC234cdWbl4='
	option description 'Phonepeer'
	list allowed_ips '10.0.0.3/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

thank you, I'll also take a look at the post you linked

The wireguard network address on the router can be removed entirely.

This isn't the case. As long as they don't overlap they can be whatever you please. Nothing wrong with using a /29 as was previously the case.

Based on my experience (including lots of experimentation) and all the official documentation I could find, /32 is the recommended setup.

Given that /32 always works, it is a safe setup and is what I recommend.

Recommending is one thing. However, telling people that it should be a /32 when that simply isn't the case is a different thing entirely.

I'm unsure why your testing failed to work with anything other than a /32 but it will have been something else in your setup rather than a requirement within wireguard.

/32 also appears to be the consensus among the vast majority of the contributors here - Afaik, you may be the only contrary view (which is okay, of course :smiley:)

I get it that in case of /32 you allow only one IP. And this should be the case in a RoadWarrior scenario. If there is a router and behind it is another LAN you'll add it with a /24 prefix for example. But is it valid to say here 10.0.0.3/29 and not 10.0.0.0/29 directly? In both cases I presume that it will accept every IP from 1-6.

On the other hand I don't understand the use of route_allowed_ips in peer config, especially for the /32. There is already a route directly connected on the wg interface that covers all the single host peers. It is not wrong and it works, but it is not necessary. The route_allowed_ips on the peer configuration would matter if there was another network behind the peer and we would like to have a static route created automatically.
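To make the AllowedIPs behaviour discussed in this thread concrete (the earlier question of what 0.0.0.0/0 does on the client, and the later /32 versus /29 versus 0.0.0.0/0-per-peer debate on the router), here is a small Python model of WireGuard's cryptokey routing table. It is an added example, not code from WireGuard or OpenWrt: it models only the cryptokey table (which peer a destination is encrypted to, and whether a decrypted packet's inner source is accepted), not the kernel routing table that `route_allowed_ips`/wg-quick populate. The peer names, IPs and the public address 93.184.216.34 used as "some internet host" are constructed for the example.

```python
import ipaddress


class CryptokeyTable:
    """Toy model of WireGuard cryptokey routing (added example, not wg's own code).

    Each prefix belongs to exactly one peer. As with wg(8), assigning a prefix that
    another peer already owns moves it to the new peer rather than sharing it.
    """

    def __init__(self):
        self.routes = {}  # ip_network -> peer name

    def add_peer(self, name, allowed_ips):
        for cidr in allowed_ips:
            # strict=False: '10.0.0.3/29' is stored as the network 10.0.0.0/29
            self.routes[ipaddress.ip_network(cidr, strict=False)] = name
        return self

    def outbound_peer(self, dst):
        """Peer an outbound packet for dst is encrypted to (longest prefix wins), or None = dropped."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, peer in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, peer)
        return best[1] if best else None

    def inbound_accepted(self, peer, src):
        """A packet decrypted from `peer` is accepted only if its inner source maps back to that peer."""
        return self.outbound_peer(src) == peer


# Laptop side: the only peer is the router. With 10.0.0.0/29 an internet-bound
# packet has no matching peer and never enters the tunnel (it leaves via the
# hotspot); with 0.0.0.0/0 every destination is sent to the router.
def client_side(allowed):
    table = CryptokeyTable().add_peer("router", [allowed])
    return table.outbound_peer("10.0.0.1"), table.outbound_peer("93.184.216.34")


# Router side, both peers with 0.0.0.0/0 as in the posted config: the second
# peer takes 0.0.0.0/0 away from the first, so traffic for somepeer's address is
# sent to Phonepeer and somepeer's own packets fail the source check.
def server_both_default():
    table = (CryptokeyTable()
             .add_peer("somepeer", ["0.0.0.0/0"])
             .add_peer("Phonepeer", ["0.0.0.0/0"]))
    return table.outbound_peer("10.0.0.2"), table.inbound_accepted("somepeer", "10.0.0.2")


# Router side with one /32 per peer (the recommended layout): each address maps
# to exactly one peer, and a packet from somepeer claiming Phonepeer's address
# is rejected.
def server_per_peer():
    table = (CryptokeyTable()
             .add_peer("somepeer", ["10.0.0.2/32"])
             .add_peer("Phonepeer", ["10.0.0.3/32"]))
    return (table.outbound_peer("10.0.0.2"),
            table.outbound_peer("10.0.0.3"),
            table.inbound_accepted("somepeer", "10.0.0.3"))


# The /29 question: '10.0.0.3/29' and '10.0.0.0/29' name the same network, whose
# usable hosts are 10.0.0.1 to 10.0.0.6.
def covered_hosts(cidr):
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())
    return str(net), str(hosts[0]), str(hosts[-1]), len(hosts)


if __name__ == "__main__":
    print("client /29     :", client_side("10.0.0.0/29"))
    print("client 0.0.0.0/0:", client_side("0.0.0.0/0"))
    print("server 0/0 x2  :", server_both_default())
    print("server /32 each:", server_per_peer())
    print("10.0.0.3/29    :", covered_hosts("10.0.0.3/29"))
```

The model shows why the reply about `0.0.0.0/0` fixed the laptop (a default AllowedIPs is what makes internet-bound packets eligible for the tunnel at all) and why the same value on two router-side peers is a misconfiguration rather than "everything allowed": the cryptokey table can hand a prefix to only one peer, and the inbound source check then silently drops the other peer's traffic. Per-peer /32 entries keep both the routing and the source filtering unambiguous; a wider prefix on a peer is legitimate only when that peer really sits in front of that whole network.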