Client can't connect to Wireguard

Can anybody please help me? These are my configs. I can't connect to the Wireguard on OpenWRT. Thank you in advance.

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd7f:9c8f:e4a5::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'eth1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '100.0.0.1'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth2'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'

config interface 'wan6'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option device 'eth2'
        option peerdns '0'
        list dns '2606:4700:4700::1111'
        list dns '2606:4700:4700::1001'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'CNZxp'
        option listen_port '51820'
        list addresses '192.168.9.1/24'
        list addresses 'fdf1:7610:d152:3a9c::1/64'

config wireguard_wg0 'wgclient'
        option preshared_key 'Gelxa'
        option private_key 'sEcg'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        list allowed_ips '192.168.9.18/32'
        option public_key 'LumvbY'
        option description 'Pixel 4a'


config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg0'

config zone 'wan'
        option name 'wan'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option input 'REJECT'
        list network 'wan'
        list network 'wan6'

config forwarding 'lan_wan'
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

Client:

[Interface]
Address = 192.168.9.18/32
PrivateKey = sEcgJH1

[Peer]
AllowedIPs = 0.0.0.0/0, ::/128
Endpoint = 112.200.xx.xx:51820
PreSharedKey = Gelxa
PublicKey = ENHAZ

@psherman, may I ask for your advice regarding this? Thank you

You should be using RFC1918 ranges... this is a publicly routable IP and may cause problems.

Aside from that, I'm not seeing anything immediately obviously wrong about your WG config, assuming that the keys here are redacted (which they should be) and that you have valid keys.

What is the output of wg show?

interface: wg0
  public key: ENHAZ
  private key: (hidden)
  listening port: 51820

peer: LumvbY
  preshared key: (hidden)
  allowed ips: 192.168.9.18/32
  persistent keepalive: every 25 seconds

So should I change the 100.0.0.1 to the following?

10.0.0.0 – 10.255.255.255  (10/8 prefix)
172.16.0.0 – 172.31.255.255  (172.16/12 prefix)
192.168.0.0 – 192.168.255.255 (192.168/16 prefix)

So it looks like there has never been a handshake.

Let's verify that your IP address is indeed public. Please check the main LuCI status page for the "IPv4 Upstream section" -- does it report the same address you have in your client's config (112.200.x.x)?


Yes, you can use anything in those ranges. It can be good to avoid the most common ones, so maybe use something like 10.4.6.1/24 as your router's address (which gives you the 10.4.6.0/24 subnet for your lan).

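As an added example (not from any poster in this thread), a small Python script that encodes the three checks made above: whether the LAN address is in RFC1918 space, whether `wg show` has recorded a handshake for the peer, and whether the address OpenWrt got on WAN is itself private (a sign of another NAT in front of it). The `wg show` text is the output posted above; the handshake variant and the address values fed to the functions are constructed.

```python
"""Checks mirroring the diagnosis in this thread (added example, not from the forum)."""
import ipaddress
import re

# Constructed sample: the `wg show` output posted above, keys redacted as posted.
WG_SHOW_NO_HANDSHAKE = """\
interface: wg0
  public key: ENHAZ
  private key: (hidden)
  listening port: 51820

peer: LumvbY
  preshared key: (hidden)
  allowed ips: 192.168.9.18/32
  persistent keepalive: every 25 seconds
"""
# Constructed variant of the same output after a successful handshake.
WG_SHOW_OK = WG_SHOW_NO_HANDSHAKE.replace(
    "  persistent", "  latest handshake: 12 seconds ago\n  persistent")

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space (carrier NAT)

def is_rfc1918(addr: str) -> bool:
    """True if a host address or address/prefix such as '100.0.0.1/24' lies in RFC1918 space."""
    host = ipaddress.ip_interface(addr).ip
    return any(host in net for net in RFC1918)

def peer_handshakes(wg_show: str) -> dict:
    """Map each peer key in `wg show` output to whether a 'latest handshake' line exists."""
    result, current = {}, None
    for line in wg_show.splitlines():
        m = re.match(r"peer: (\S+)", line)
        if m:
            current = m.group(1)
            result[current] = False  # no handshake seen for this peer yet
        elif current and line.strip().startswith("latest handshake:"):
            result[current] = True
    return result

def upstream_verdict(wan_ip: str) -> str:
    """Classify the address OpenWrt got on WAN: public, CGNAT, or another router's private LAN."""
    host = ipaddress.ip_address(wan_ip)
    if host in CGNAT:
        return "cgnat"
    if any(host in net for net in RFC1918):
        return "private-upstream-router"
    return "public"
```

A peer that shows up with `False` in `peer_handshakes` has never completed a handshake, which is exactly the symptom in the posted output.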

By the way, if it helps, my topology is like this:

Fiber Internet -> Openwrt x86 -> Managed Switch -> Clients

It seems weird that I can only see the public IP through whatsmyip, but it is not seen in the IPv4 Upstream section. Only 192.168.1.2.

It appears that whatever is upstream of your OpenWrt device is actually a router. Do you have the ability to control/configure that device?

It is actually a modem/router from the Fiber Company and it has limited features. It is accessible from 192.168.1.1 and these are some of the features I can change:

I'm guessing that it is an additional barrier, maybe blocking the connection before it goes through OpenWRT.

However, can Wireguard penetrate this additional barrier?

Look for a port forwarding option... if that exists, you'll be able to forward your WG port through to your OpenWrt router and then it should work.

I'll try this if I can manage to access the Admin features.

However, if I can bridge this modem to Openwrt, will port forwarding still be needed?

Thanks!

This would be the ideal option... this would disable the routing on the box they have given you, and pass the public IP directly to your OpenWrt device.

No, not if you can set up bridge mode.

Do you need the “fiber modem” (which isn’t a modem to begin with)?

It is a DHCP connection and you have the VLAN you are connected to; if they need a specific MAC you can spoof it…

So for an update, I can now connect to Wireguard and these are the steps that I did:

  1. Asked my ISP to de-CGNAT and bridge-mode the router
  2. Installed fresh OpenWRT x86 and configured Wireguard.

Thanks for the help!
