Configuring Wireguard endpoints?

@feffer777 The forum software keeps a log of your edit so you better ask a mod to remove that single post altogether. People can still click the pencil to the right for history and see what edits you made, if they contain sensitive information.

I have hidden the revisions of the revealing posting now.

2 Likes

Would be safer and not too complicated to create new pairs.

1 Like

I just wouldn't use any address at all, the WG interface doesn't require one to operate. Leaving it blank works just fine as long as you use 'route_allowed_ips' in the peer configs.

That's fine, still I prefer to have an IP with the proper mask on the wg interface and not route allowed IPs unless necessary.

Good idea. I installed on my iPhone using minimal config entries...only required ones...new keys as suggested by others. It seemed to create the interface and when activated showed the vpn "connected" icon at the screen top. How would I test this though? I don't think I can ping in an iPhone.

Try accessing the internet or your internal network resources. You can download some network utility apps that can do pings and trace route among other things which will allow you to do more quantitative tests to know exactly what is happening.

1 Like

Got a simple iPhone app, "pingify". All it does is ping a destination IP thru wireless and vpn. No other network tools. Wireless is fine as expected. No connection thru vpn in any of a few trial and error tests. I think the vpn interface on the phone is working because the icon appears at the screen top, but I'm not completely sure it's configured correctly. I used minimal required settings. My last OpenWrt wg & firewall settings follow. I tried to implement psherman's firewall Option_1...hope I did it correctly. I tried a couple of server "endpoints"; neither worked.

root@OpenWrt:~# uci export network; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru;

package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd0d:70f2:8a95::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 0t'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'ASDFASDF......='
	option listen_port '51820'
	list addresses '192.168.2.1'

config wireguard_wg0
	option public_key 'DFGHDFGHDFH.....='
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	list allowed_ips '192.168.2.2/24'
	option endpoint_port '51820'
	option description 'iphoneron'
	option endpoint_host 'xxxxx.dynu.net'  # No ping from iphone to router
	#option endpoint_host '192.168.2.1'  # also tried this. No ping from iphone to router

package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan wg0'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config redirect
	option dest_port '22'
	option src 'wan'
	option name 'ssh'
	option src_dport '222'
	option target 'DNAT'
	option dest 'lan'
	option dest_ip '192.168.1.XXX'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
9: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 24.7.101.128/22 brd 24.7.103.255 scope global eth0.2
       valid_lft forever preferred_lft forever
16: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 192.168.2.1/32 brd 255.255.255.255 scope global wg0
       valid_lft forever preferred_lft forever
default via 24.7.100.1 dev eth0.2 proto static src 24.7.101.128 
24.7.100.0/22 dev eth0.2 proto kernel scope link src 24.7.101.128 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
broadcast 24.7.100.0 dev eth0.2 table local proto kernel scope link src 24.7.101.128 
local 24.7.101.128 dev eth0.2 table local proto kernel scope host src 24.7.101.128 
broadcast 24.7.103.255 dev eth0.2 table local proto kernel scope link src 24.7.101.128 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1 
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1 
local 192.168.2.1 dev wg0 table local proto kernel scope host src 192.168.2.1 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default

Remove the endpoint host from the peer config. Either remove the address for the wireguard interface or change it to 192.168.2.1/24.

What is your config on the iPhone?

1 Like

The iOS VPN indicator will be on when the VPN is switched on, but not necessarily actually working. So it is not an indicator of a properly functioning VPN, just that it is activated.

I like an app called NiceTrace for doing traceroute testing on iOS. There are a bunch of other apps that can do ping and/or traceroute and other tasks, too. Search for "traceroute" or "network utility" or similar on the app store and you'll see a bunch of options.

As @krazeh said, we need to see the iPhone WG config (don't forget to redact the keys).

Your OpenWrt peer config needs to be fixed (@krazeh already caught one issue, I saw a few others) ...
I removed the endpoint_host and endpoint_port, and I fixed your allowed IPs to be /32.

fixed WG stanzas
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'ASDFASDF......='
	option listen_port '51820'
	list addresses '192.168.2.1'

config wireguard_wg0
	option public_key 'DFGHDFGHDFH.....='
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	list allowed_ips '192.168.2.2/32'
	option description 'iphoneron'

iPhone config:
[Interface]
PrivateKey = UOch......=
ListenPort = 51820
Address = 192.168.2.2/32

[Peer]
PublicKey = Nvt.......=

Concerning the OpenWrt config, I fixed it to match psherman's stanzas

One lingering confusion about how vpn works: as I understand wg recognizes the public key from the server and peer to know who to connect to. And the IP of the server, 192.168.2.1 and the IP of the client 192.168.2.2 are allowed to make those connections. But if the peer is on another remote network how does it "find" the server unless it knows the DDNS name of the server or its (changing) IP?

in the iPhone interface config:

  • remove the listen port
  • add a dns server (192.168.1.1 will work for this)

in the iPhone peer config section:

  • add the endpoint ip_address:port or fqdn:port (where the ip_address is your OpenWrt router's WAN IP address, or a domain name if you have one set up that resolves to that IP address)
  • add allowed IPs 0.0.0.0/0 (if you want everything to go through the tunnel)
  • add persistent keep alive for 25 seconds (this is the generally recommended value)

If it doesn't work, check your keys -- the public key from the OpenWrt router goes into the iPhone's peer public key field, and vice versa.

1 Like
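As an added example (not part of the original post): a small Python check for the points listed in the reply above, run over the phone config as first posted and again after the changes. The function name `lint_client`, the sample strings and `router.example.net` are assumptions made for illustration, and it handles a single `[Peer]` section only.

```python
import configparser
import ipaddress

# Constructed samples (POSTED: as first shown, FIXED: after the changes); keys and hostname are placeholders.
POSTED = """[Interface]
PrivateKey = <phone-private-key>
ListenPort = 51820
Address = 192.168.2.2/32
[Peer]
PublicKey = <router-public-key>
"""
FIXED = """[Interface]
PrivateKey = <phone-private-key>
Address = 192.168.2.2/32
DNS = 192.168.1.1
[Peer]
PublicKey = <router-public-key>
Endpoint = router.example.net:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
"""

def lint_client(text):
    """Return findings for a single-peer config on a roaming client."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep WireGuard's key capitalisation
    cp.read_string(text)
    iface, peer = cp["Interface"], cp["Peer"]
    findings = []
    if "ListenPort" in iface:
        findings.append("ListenPort is set; the advice above is to remove it")
    if "DNS" not in iface:
        findings.append("no DNS server")
    endpoint = peer.get("Endpoint", "")
    if not endpoint:
        findings.append("no Endpoint, so the phone cannot locate the router")
    elif not endpoint.rpartition(":")[2].isdigit():
        findings.append("Endpoint lacks a :port suffix")
    allowed = [c.strip() for c in peer.get("AllowedIPs", "").split(",") if c.strip()]
    if not allowed:
        findings.append("no AllowedIPs, so nothing is routed into the tunnel")
    for cidr in allowed:
        try:
            ipaddress.ip_network(cidr)  # strict: rejects e.g. 192.168.2.2/24
        except ValueError:
            findings.append(f"AllowedIPs {cidr} has host bits set or is malformed")
    if "PersistentKeepalive" not in peer:
        findings.append("no PersistentKeepalive")
    return findings
```

`lint_client(POSTED)` reports the five items the reply asks to change; `lint_client(FIXED)` returns an empty list.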

Also, to answer your question about how the VPN works... I'll oversimplify...

The remote peer (your iPhone, for example) finds the server by either knowing the public IP address, or by using a domain name that gets resolved to an IP address (or for most residential connections with dynamic IPs, a dynamic dns service can be used to ensure that the dns resolution is up-to-date as the IP address changes).

Once the remote peer knows where to send the packets, the rest is crypto magic. Actually, in all seriousness, I was about to try to explain, but I think that the wireguard site does a better job explaining than I could, anyway.

One really cool thing about WG is that it is not 'chatty' -- if the keys don't match the expected values for each peer, there is no response at all -- only if the keys are correct and authenticated will the communication commence. This makes it impossible to detect WG by probing (like the way that a port scanner would) and it would be rather challenging to know that there is anything listening at a given address at all (unless the peer is already authorized).

1 Like

After doing these changes, ping to the server worked! WG config in the iphone wanted to add the port to the IP name so I did that: xxxxxxx.dynu.net:51820 -- then all good. Thx for the explanation about "how" vpn works...I thought that the DDNS IP name had to be used to construct the tunnel in the first place, so that now makes sense.

@Borromini thx for letting me know that 'edits' are kept and can be recovered. I did not know that. Useful for here and other forums.
@tmomas thx for being an alert mod and hiding my indiscretions.
@trendy & @krazeh thx for your several catches and additions especially the code to output my wg, firewall and network config
@psherman thx for sticking with me over 2+ days until the ping finally worked!
Even tho I'm still working on the laptop wg issues, and still need to actually test wg in a real situation, I'm going to mark this solved. Hopefully it can help some others. I gave psherman the solution check in his post, but really the solution was built thru that and many other posts -- so if you're looking to this thread for help, read thru it all.

3 Likes

Glad it is working. Good luck with the laptop!

Just an addendum to the thread. Installed wg to my wife's iPhone as well...easily done now that I understand the process. For someone new to VPN and Wireguard, a few things to consider. I'm a fairly experienced linux user and had even played a bit with a simple "test vpn" script years ago, but really got into trouble with this Wireguard installation. First of all, there are a few different Wireguard tutorials out there. The one on the Wireguard site was my starting point, but it really does not fit well for OpenWrt. Some others can confuse you even more. Add to that, as was pointed out by @psherman, wg doesn't give you any feedback if you make a mistake -- it either works or it doesn't! So the best advice to anyone trying to install wg is to use the instructions in the wiki as pointed out by @trendy.

For an install on a cell phone, download the Wireguard app and use the info in this thread to configure it. To test it, @psherman advised using a traceroute app. I started by using a simple ping app, but it was inadequate. A ping can be successful even if your vpn is configured improperly...as I learned. However, with a traceroute app going to say google.com, you will see if the connection is successful and also if the vpn tunnel is being used! The first entry in the route will be the IP of the endpoint on your router! Then you know your cell phone browser is going thru the wg vpn!

Solution for wg on my laptop. I have a 2010 MacBook Pro converted to full linux. I'm not using the latest LTS install of Ubuntu which should support wireguard as an auto-built kernel module. And it's in the repo as @psherman mentioned. But this version does not play well with my laptop-- suspend and resume do not work. So I'm using the previous LTS version and this kernel needs installation of wireguard-dkms to build the module as well as wireguard-tools (which I think is brought in by the initial wireguard installation). After this, wg config worked successfully on the lappy.

1 Like
