Configuration problems with WireGuard

Hi all,
I am trying to set up WireGuard on my router (Netgear R7800). WireGuard is installed and I have created the interface and the port forward, but I don't get any traffic on the interface. I can ping the endpoint on port 51820 and I receive the UDP packet on the router too, but something doesn't work. I guess it's the subnet assignment. Would be happy if someone looks over the configs.

/etc/config/firewall

config redirect
        option dest_port '51820'
        option src 'wan'
        option name 'Wireguard'
        option src_dport '51820'
        option target 'DNAT'
        option dest_ip '192.168.1.1'
        option dest 'lan'
        option proto 'udp'

/etc/config/network

config interface 'wg0'
        option proto 'wireguard'
        option listen_port '51820'
        list addresses '192.168.2.1/24'
        option private_key 'AHuKOhp..............'

config wireguard_wg0
        option route_allowed_ips '1'
        option description 'IPHONE'
        option endpoint_port '51820'
        option endpoint_host 'wg0endpoint.duckdns.org'
        option public_key 'u4r3J....................'
        option preshared_key 'U4kzZ.................'
        list allowed_ips '192.168.2.2/24'

No idea if it's related to your issue, but your allowed_ips should be a /32 (you can provide a list if multiple are allowed).


Yes, that is a major problem - the peer needs to be /32.

And you can make a firewall input rule (into the router) instead of a NAT redirect rule (into the LAN's IP).


I concur with @lleachii's advice. If that doesn't fix the problem, share your iPhone wg config and the output of wg show from your OpenWrt router.

Don’t forget to restart after making changes. A full router reboot is the most likely way to make sure everything comes up as expected, but it is possible to restart the individual services.

Set list allowed_ips '0.0.0.0/0' and there is no need to make a redirect config in the firewall.

No, do not do this. This is an incorrect use of the allowed_ips field. It may appear to work, but it is not how the field is designed to be used, and it will cause serious problems if you ever try to use multiple peers.

Edit: I barked up the wrong tree here.

I ran some experiments on 18.06.4 and it was clear that anything other than /32 would fail if there were multiple peers defined.
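The two points made in this thread (each peer's allowed_ips on the listening side should be a single /32, and the listen port is better opened with a firewall input rule than with a DNAT redirect) can be checked mechanically before a reboot. The script below is an added example, not something from this thread or from OpenWrt itself: it parses UCI-style text with a small hand-written parser and flags peers whose allowed_ips is not a single host, has host bits set, or overlaps another peer's range, which is exactly the situation WireGuard's cryptokey routing cannot resolve (an address can belong to only one peer). The sample configs are modelled on the ones posted above with the keys truncated as in the thread; the second peer 'LAPTOP' and its key are constructed to make the overlap visible, and the 'Allow-WireGuard' rule is the input-rule alternative to the posted redirect.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample modelled on the /etc/config/network posted in the thread
# (keys truncated as in the thread). The LAPTOP peer is invented to show the
# overlap that a non-/32 allowed_ips causes once a second peer exists.
POSTED_NETWORK = """
config interface 'wg0'
        option proto 'wireguard'
        option listen_port '51820'
        list addresses '192.168.2.1/24'
        option private_key 'AHuKOhp..............'

config wireguard_wg0
        option description 'IPHONE'
        option public_key 'u4r3J....................'
        list allowed_ips '192.168.2.2/24'

config wireguard_wg0
        option description 'LAPTOP'
        option public_key 'ZZZZZ....................'
        list allowed_ips '192.168.2.3/32'
"""

# The same peers with one /32 per peer, as advised in the thread.
FIXED_NETWORK = POSTED_NETWORK.replace("'192.168.2.2/24'", "'192.168.2.2/32'")

# The posted DNAT redirect, and the input rule suggested instead
# (a 'rule' without a 'dest' zone matches traffic addressed to the router itself).
POSTED_FIREWALL = """
config redirect
        option dest_port '51820'
        option src 'wan'
        option src_dport '51820'
        option target 'DNAT'
        option dest_ip '192.168.1.1'
        option dest 'lan'
        option proto 'udp'
"""
FIXED_FIREWALL = """
config rule
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'
"""

SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'?([^']*)'?)?\s*$")
KV_RE = re.compile(r"^(option|list)\s+(\S+)\s+'(.*)'\s*$")


def parse_uci(text):
    """Parse UCI text into (type, name, values) triples; values maps key -> list of strings."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = SECTION_RE.match(line)
        if m:
            sections.append((m.group(1), m.group(2) or '', defaultdict(list)))
            continue
        m = KV_RE.match(line)
        if m and sections:
            sections[-1][2][m.group(2)].append(m.group(3))
    return sections


def check_peers(text, iface='wg0'):
    """Return (peer description, allowed_ips entry, finding) for every questionable allowed_ips."""
    findings = []
    claimed = []  # (network, peer index, description) seen so far, for overlap checks
    peers = [v for t, _n, v in parse_uci(text) if t == f'wireguard_{iface}']
    for idx, vals in enumerate(peers):
        desc = vals.get('description', [f'peer#{idx}'])[0]
        for entry in vals.get('allowed_ips', []):
            addr = ipaddress.ip_interface(entry)
            net = addr.network  # wg masks the entry, so 192.168.2.2/24 means 192.168.2.0/24
            if net.prefixlen != net.max_prefixlen:
                findings.append((desc, entry, 'not_single_host'))
            if addr.ip != net.network_address:
                findings.append((desc, entry, 'host_bits_set'))
            for other_net, other_idx, other_desc in claimed:
                if other_idx != idx and net.overlaps(other_net):
                    findings.append((desc, entry, f'overlaps {other_desc} ({other_net})'))
            claimed.append((net, idx, desc))
    return findings


def check_firewall(text, listen_port='51820'):
    """Return 'input_rule', 'redirect' or 'none' for how the listen port is opened on wan."""
    how = 'none'
    for stype, _name, vals in parse_uci(text):
        if (stype == 'rule' and vals.get('target') == ['ACCEPT'] and vals.get('src') == ['wan']
                and listen_port in vals.get('dest_port', []) and 'dest' not in vals):
            return 'input_rule'
        if stype == 'redirect' and listen_port in vals.get('src_dport', []):
            how = 'redirect'
    return how


if __name__ == '__main__':
    for label, cfg in (('posted', POSTED_NETWORK), ('fixed', FIXED_NETWORK)):
        print(label, 'peers:', check_peers(cfg) or 'ok')
    for label, cfg in (('posted', POSTED_FIREWALL), ('fixed', FIXED_FIREWALL)):
        print(label, 'firewall:', check_firewall(cfg))
```

Run against the posted network config it reports the IPHONE peer twice (not a single host, host bits set) and the constructed LAPTOP peer once (its /32 falls inside the IPHONE /24); against the corrected config it reports nothing. The 'host_bits_set' finding is the subtle one: wg applies the mask, so '192.168.2.2/24' claims the whole 192.168.2.0/24 for that peer, not just .2.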
