Can't get wireguard working. Tutorials aren't helping

So, I have no idea what I am doing wrong. I installed wireguard-tools (that installed kmod-wireguard) and luci-proto-wireguard.
I set up the connection, I then give it the tested working config file generated on the wireguard "server" and I have no connection to it, and no transmission/receiving (0 bytes).
I am happy to provide any additional information you may wish, but because I obviously don't know what I am doing, you will need to tell me what information to provide.

Install luci-proto-wireguard and restart router, then use web UI to add connection?

What is your goal? Do you want a home VPN for remote LAN access, an internet tunnel for improved privacy, or something else?


Please also post relevant configuration files and device info by executing the following commands using ssh:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

And then post all outputs here using the "Preformatted text" button, remember to redact sensitive info like MAC/IP addresses and WireGuard keys:


It is to permit the access of a remote access LAN over the network. I have already set the allowed IPs to 10.1.1.1/17 (Let's not get into the 17, okay, lol. I know it's unusual) 192.whatever-the-WG-IP-address-is/24.
I don't have remote access to the computer configuring this system, as it is being set up offline before going live, but I will later this evening, and will post the requested files.

ubus call system board

root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.150",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "ASUS TUF-AX4200",
        "board_name": "asus,tuf-ax4200",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "mediatek/filogic",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}

network:


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '<redacted>'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config device
	option name 'lan1'
	option macaddr '<redacted>'

config device
	option name 'lan2'
	option macaddr '<redacted>'

config device
	option name 'lan3'
	option macaddr '<redacted>'

config device
	option name 'lan4'
	option macaddr '<redacted>'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.1.1.5'
	option netmask '255.255.128.0'
	option delegate '0'
	list dns '10.1.4.10'
	list dns '10.1.4.11'

config device
	option name 'eth1'
	option macaddr '<redacted>'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wireguard'
	option proto 'wireguard'
	option private_key '<redacted>'
	list addresses '10.192.1.6/24'

config wireguard_wireguard
	option description 'openwrt.conf'
	option public_key '<redacted>'
	option preshared_key '<redacted>'
	list allowed_ips '192.168.1.0/24'
	list allowed_ips '10.192.1.0/24'
	option endpoint_host '<redacted>'
	option endpoint_port '51820'


10.1.4.10 is an IP address not reachable by the router during this initial setup phase, however I manually add "nameserver 1.1.1.1" to /etc/resolv.conf after each change (if missing) and after every reboot. I am able to resolve the hostname of the endpoint host.

wireless:


config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi'
	option channel '11'
	option band '2g'
	option htmode 'HE40'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid '<redacted>'
	option encryption 'sae-mixed'
	option key '<redacted>'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi+1'
	option channel '36'
	option band '5g'
	option htmode 'HE80'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

Yes, some things are open, and not enabled. Just in the initial setup phase.

DHCP:

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '513'
	option limit '254'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

There are a LOT of reserved IP addresses in the 10.1.1.1/17 subnet. I just removed them for this post.

Firewall:


config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Zabbix Forward'
	option src 'wan'
	option src_dport '10050-10051'
	option dest_ip '10.1.4.1'
	option dest_port '10050-10051'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Wierguard'
	option src 'wan'
	option src_dport '51820'
	option dest_ip '10.1.4.10'
	option dest_port '51820'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'nginx80'
	option src 'wan'
	option src_dport '80'
	option dest_ip '10.1.4.1'
	option dest_port '80'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'nginx443'
	option src 'wan'
	option src_dport '443'
	option dest_ip '10.1.4.1'
	option dest_port '443'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'HomeAssistant'
	option src 'wan'
	option src_dport '8123'
	option dest_ip '10.1.51.1'
	option dest_port '8123'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'jellyfin'
	option src 'wan'
	option src_dport '8096'
	option dest_ip '10.1.4.1'
	option dest_port '8096'

config redirect
	option dest 'wan'
	option target 'DNAT'
	option name 'vnctest'
	option src 'wan'
	option src_dport '1244'
	option dest_ip '10.1.3.1'
	option dest_port '1244'
	option enabled '0'


I hope this information helps.

If you want to access 192.168.1.0/24, you'll need to enable "Route allowed ips" or assign a subnet to the interface (beware of address collision), and ensure the other side's "allowed_ips" is also set up correctly.

10.192.1.0/24 is not a part of 10.1.1.1/17. CIDR Calculator

If handshake fails (LuCI > Status > WireGuard), the other side's firewall might have blocked the connection.

You can use the built-in dnsmasq as a forwarder, and set it to resolve only the WG peer's domain through 1.1.1.1.

Disable "Use DNS servers advertised by peer" in the WAN interface if you don't want to use upstream (ISP) DNS.

I am confused, is this the router which is set up as the WireGuard server side, so that you connect from outside to this router?

It looks like it, as there is a WireGuard interface and an attempt to open up a port (which is not done correctly).

On the other hand the WireGuard interface does not have a listen port and the peer has an endpoint address, which should indicate a "client" side.

The missing Route Allowed IPs setting is already mentioned.

But whether client or server side, the WireGuard interface is not bound to any firewall zone.


I am afraid I am going to need to ask where the "Route allowed ips" setting is. I would have assumed it is in the wireguard interface, but it doesn't appear to be in there.
EDIT: never mind, found it...
(LuCI > Status > WireGuard) shows nothing.
As far as adding 1.1.1.1 manually, I only need to do that during the testing and setup before it goes live. Right now I have this router's WAN port connected to the LAN port of the router I am replacing, just to get it set up. Once this router is live, 10.1.4.10 is what it will use.

However, now I seem to be able to connect (ping) from the terminal in the router, but not on connected computers.

The reason why the port is forwarded is because I do things the other way as well. Allow connection from outside to here.
As far as the rest, I am sorry, it is a bit Greek to me.
I basically have a config file generated from my other network (At work) and I have plugged that config file into the wireguard interface. When I plug that config file into the wireguard app I have for windows, it works.

In LuCI, it is in the wireguard interface > peers. It is an option within the peer config section.

Yep, I ended up finding it. Thank you.
However, now I can ping those IP addresses from the router, but not on the computers connected to the router.. Which was the point.

You didn’t fix the other issue:

The interface must be assigned to a firewall zone and then forwarding must be allowed from the lan to that zone.

This is kinda Greek, sorry. I am used to "Import config, click connect".
I tried googling, but got questions about binding it to a specific port and other things that won't help.

Well, figured out how to bind it to a zone.. No idea what zone I should bind it to.. And then the forward part...

Either the wan or a new zone. Wan will be easiest for now.
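As an added illustration (not from anyone in this thread), here is what the two fixes discussed above look like in UCI config form, using the dedicated-zone option rather than reusing wan. Only the peer section from the poster's own /etc/config/network is shown; the zone name 'wg' is an assumption.

```uci
# /etc/config/network (peer section only): adding route_allowed_ips makes the
# router install routes for both allowed_ips networks via the tunnel.
config wireguard_wireguard
	option description 'openwrt.conf'
	option public_key '<redacted>'
	option preshared_key '<redacted>'
	list allowed_ips '192.168.1.0/24'
	list allowed_ips '10.192.1.0/24'
	option endpoint_host '<redacted>'
	option endpoint_port '51820'
	option route_allowed_ips '1'

# /etc/config/firewall: a separate zone for the tunnel instead of putting the
# 'wireguard' network into the wan zone. input/forward REJECT keeps the tunnel
# side from reaching the router or the LAN unless a rule allows it.
# masq '1' NATs LAN hosts to the tunnel address (10.192.1.6), which is why
# adding the interface to wan (which also has masq) works without touching the
# far side's allowed_ips; without masq the work-side peer would need
# 10.1.0.0/17 in its AllowedIPs for return traffic.
config zone
	option name 'wg'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wireguard'

# Allow LAN clients to initiate connections into the tunnel (one direction only).
config forwarding
	option src 'lan'
	option dest 'wg'
```

Apply with "Save & Apply" in LuCI or `/etc/init.d/network restart` and `/etc/init.d/firewall restart` from ssh; LuCI > Status > WireGuard should then show a recent handshake.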

That is a different animal. You’ll need to do a bit more advanced stuff to get the forward to work - policy based routing is required unless the port is actually coming through from your vpn provider.

What kind of advanced stuff?
Again, please remember, my world is "Import config, click connect, works"

Policy based routing.

https://openwrt.org/docs/guide-user/network/routing/pbr

With the flexibility of OpenWrt, there is more complexity and more to learn.


Actually.. I did a stupid, lol.. I seem to have forgotten to click "Apply" lol.. After clicking "Apply" and setting the zone to wan.. I can connect.

Oh, and thank you. And thank you to lunar_rover as well.


Glad it is working

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!
