Difficulty setting up Wireguard server

I am trying to set up my OpenWRT router as a wireguard server, so I can connect to my lan while away from my home wifi. However, I can't get my devices to make any connection with the server at all. I think the issue might be with my firewall, which is the last step below if you want to skip the details. I followed the OpenWRT Wireguard page, although I used luci to set things up. Here is what I have done in luci:

First, I installed wireguard-tools, kmod-wireguard, luci-proto-wireguard, qrencode, and libqrencode

Next, I created a new interface: wg0

  • Protocol: Wireguard VPN
  • Generated a new key pair
  • Listen port: 51820
  • IP Addresses: 10.0.0.1/24
  • Firewall-zone: lan

Then, I added a new peer:

  • Generated a new key pair
  • Allowed IPs: 10.0.0.2/32
  • Endpoint port: 51820

Then, I clicked on Generate Configuration... under Configuration Export to generate a QR code and left the default settings:

  • Connection Endpoint: set to my public IP address
  • Allowed IPs: 0.0.0.0/0, ::/0
  • DNS Servers: set to my router's IP address (which uses unbound)

I then scanned this QR code in the wireguard app on my iPhone to import the VPN profile, deleted the private key for the peer from OpenWRT, saved and restarted OpenWRT, and enabled the VPN on my iPhone.

Finally, I went into my Firewall settings and added a traffic rule:

  • Name: Allow-Wireguard
  • Protocol: UDP
  • Source zone: wan
  • Destination zone: lan
  • Destination port: 51820
  • Action: accept

I hit save and apply, but nothing loads on my iPhone when connected to the vpn while on cellular. The Wireguard Status page on luci shows Latest Handshake as never. Any ideas what isn't working?

  1. Are you sure that you have a public IP address?
  2. The firewall rule should have destination INPUT (device), not lan.

If that doesn't work:
Please provide a redacted version of your /etc/config/network file containing your Wireguard configuration.


Are you sure that you have a public IP address?

Hmm I'm not. This IP address worked on a different router when I was using a raspberry pi as the Wireguard server instead. I know my public IP address hasn't changed.

The firewall rule should have destination INPUT (device), not lan.

So if I want to access any device on my lan, what would I change? Remove lan as the destination zone and use any instead?

Please provide a redacted version of your /etc/config/network file containing your Wireguard configuration.

/etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '[REDACTED]'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'sfp2'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'br-wan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'wan'

config device
        option name 'eth1'
        option macaddr '[REDACTED]'

config device
        option name 'wan'
        option macaddr '[REDACTED]'

config interface 'wan'
        option device 'br-wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'br-wan'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'

config interface 'wg0'
        option proto 'wireguard'
        option private_key '[REDACTED]'
        option listen_port '51820'
        list addresses '10.0.0.1/24'

config wireguard_wg0
        option description 'iPhone'
        option preshared_key '[REDACTED]'
        list allowed_ips '10.0.0.2/32'
        option public_key '[REDACTED]'
        option route_allowed_ips '1'
        option endpoint_port '51820'

In addition to @andyboeh's questions, let's see the OpenWrt version, firewall file, and the remote peer (iPhone) configs.

For the OpenWrt side:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

And then also the iPhone config -- that can be screenshots with the keys and endpoint address redacted.

Remove the endpoint port on the peer config:

Otherwise, this file looks fine.


Nothing. You already put the Wireguard VPN into the lan firewall zone. The rule is required to open port 51820 to be accessible from the outside so that your peer(s) can connect.


ubus call system board

{
        "kernel": "5.15.137",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "Bananapi BPI-R3",
        "board_name": "bananapi,bpi-r3",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "mediatek/filogic",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"
        }
}

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '[REDACTED]'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'sfp2'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'br-wan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'wan'

config device
        option name 'eth1'
        option macaddr '[REDACTED]'

config device
        option name 'wan'
        option macaddr '[REDACTED]'

config interface 'wan'
        option device 'br-wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'br-wan'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'

config interface 'wg0'
        option proto 'wireguard'
        option private_key '[REDACTED]'
        option listen_port '51820'
        list addresses '10.0.0.1/24'

config wireguard_wg0
        option description 'iPhone'
        option preshared_key '[REDACTED]'
        list allowed_ips '10.0.0.2/32'
        option public_key '[REDACTED]'
        option route_allowed_ips '1'
        option endpoint_port '51820'

cat /etc/config/firewall

config rule
        option name 'Allow-Wireguard'
        list proto 'udp'
        option src 'wan'
        option dest '*'
        option dest_port '51820'
        option target 'ACCEPT'

That appears to be the only relevant firewall rule regarding that port. I can post the rest if you think there's something else that would be interfering...

The wireguard interface on my phone was generated by the QR code and all of the fields match what I entered in my first post.

Leave destination zone blank to "open a port" for an internal service (which is called an input rule). If source and destination zones are both specified, it becomes a forwarding rule which is not what you want.

Also make sure you have a true public IP. The IP(v4) reported by going to a "what's my IP" site from a LAN computer must match exactly the IP held by the router's WAN interface.


Thanks for the info! The public IP does match the IP of the wan interface.


So to sum up:

  1. Remove destination zone for the firewall rule
  2. Remove the endpoint_port in the peer configuration

Does it work now?
If not, the culprit is most likely the iPhone configuration that we do not really know about.

Attention: in my experience you need to restart the Wireguard interface if you change the configuration. Hitting "Save and Apply" is not sufficient.

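A small lint for the two points summed up above, written as an added example for this thread (not OpenWrt's own tooling): it parses UCI text in the form posted here and flags a port-opening rule that carries a destination zone (a forwarding rule rather than an input rule) and a WireGuard peer that carries endpoint_port without endpoint_host. The sample config is constructed to mirror the thread's.

```python
"""Lint OpenWrt UCI text for the two thread findings: a port-opening rule with
a dest zone (forwarding, not input) and a WireGuard peer with endpoint_port but
no endpoint_host. SAMPLE is constructed to mirror the configs in the thread."""
import re

SAMPLE = """
config rule
        option name 'Allow-Wireguard'
        list proto 'udp'
        option src 'wan'
        option dest 'lan'
        option dest_port '51820'
        option target 'ACCEPT'
config wireguard_wg0
        option description 'iPhone'
        list allowed_ips '10.0.0.2/32'
        option public_key '[REDACTED]'
        option endpoint_port '51820'
"""

def parse_uci(text):
    """Return [(section_type, options)]; 'list' keys map to Python lists."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"config\s+(\S+)", line)
        if m:
            sections.append((m.group(1), {}))
            continue
        m = re.match(r"(option|list)\s+(\S+)\s+(?:'([^']*)'|(\S+))$", line)
        if m and sections:
            kind, key, quoted, bare = m.groups()
            val = quoted if quoted is not None else bare
            if kind == "list":
                sections[-1][1].setdefault(key, []).append(val)
            else:
                sections[-1][1][key] = val
    return sections

def lint(text):
    """Return human-readable findings; an empty list means the config is clean."""
    findings = []
    for stype, o in parse_uci(text):
        # src=wan plus any dest zone ('lan' or '*') is a forwarding rule; a rule that
        # opens a port on the router itself (input rule) must have no dest at all.
        if stype == "rule" and o.get("src") == "wan" and "dest_port" in o and "dest" in o:
            findings.append(f"rule {o.get('name')}: drop dest='{o['dest']}' to make it an input rule")
        if stype.startswith("wireguard_") and "endpoint_port" in o and "endpoint_host" not in o:
            findings.append(f"peer {o.get('description')}: drop endpoint_port (no endpoint_host)")
    return findings
```

Feed it the text of `cat /etc/config/firewall` and `cat /etc/config/network` copied from the router to check a real config.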

Now it connects! However, I can't get anything to load. The Wireguard Status page shows that it had a handshake and transmitted a few kBs of data. But I can't seem to load any website (either external like google.com or internal IP addresses).

Did you specify dns in your phone config?

Also, let’s see the full firewall file.

iPhone wireguard config generated via the QR code option

  • Private key: matches what I generated for the iPhone peer on the server

  • Public key: matches what I generated for the iPhone peer on the server

  • Addresses: 10.0.0.2/32

  • Listen port: Empty aka Automatic

  • MTU: Empty aka Automatic

  • DNS servers: 192.168.2.1, which is the IP for my OpenWRT router's lan

  • Public key: matches what I generated for the server

  • Preshared key: matches what I generated for the server

  • Endpoint: <public_ip>:51820

  • Allowed IPs: 0.0.0.0/0, ::/0

  • Exclude private IPs: disabled

  • Persistent keepalive: Empty aka Off

It is also possible that the DNS server rejects your requests as they are not coming from the LAN IP address but from a Wireguard address. But I'm not familiar with unbound, so I don't know if that's the case.


cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg0'

config zone
        option name 'wan'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding 'lan_wan'
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Drop-Ping'
        option src 'wan'
        option proto 'icmp'
        option family 'ipv4'
        option target 'DROP'
        list icmp_type 'echo-request'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option target 'DNAT'
        option name 'Intercept-DNS & Route to Unbound'
        option src 'lan'
        option src_ip '!192.168.2.1'
        option src_dport '53'
        option dest_ip '192.168.2.1'
        option dest 'lan'
        option enabled '0'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Synology NAS Reverse Proxy 1'
        option family 'ipv4'
        option src 'wan'
        option src_dport '80'
        option dest_ip '[Redacted]'
        option dest_port '80'
        list proto 'tcp'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Synology NAS Reverse Proxy 2'
        option family 'ipv4'
        option src 'wan'
        option dest_ip '[Redacted]'
        list proto 'tcp'
        option src_dport '443'
        option dest_port '443'

config rule
        option name 'Allow-Wireguard'
        list proto 'udp'
        option src 'wan'
        option dest_port '51820'
        option target 'ACCEPT'

config rule
        option name 'Block-Public-DNS'
        option src 'lan'
        option dest 'wan'
        option dest_port '53 853 5353'
        option target 'REJECT'

config rule
        option name 'Port-80'
        list proto 'tcp'
        option src 'wan'
        option src_port '80'
        option dest_port '80'
        option target 'ACCEPT'
        list src_ip '192.168.2.0/24'

config rule
        option name 'Port-443'
        list proto 'tcp'
        option src 'wan'
        option src_port '443'
        option dest_port '443'
        option target 'ACCEPT'
        list src_ip '192.168.2.0/24'

It seems you have some DNS related things happening -- did you install any DNS filtering on your router?

Try disabling the above rule, and then set your iPhone's DNS to a public server like 8.8.8.8 or 1.1.1.1

Unrelated, but delete these. They won't do anything, and should be removed to avoid issues.


Yes I am using unbound as a recursive DNS alongside adblock-fast. It seems restarting unbound and the wireguard interface now allows me to visit external websites such as google.com before I disabled those rules, so thank you all for the help so far!

Now the final issue is I can't access my internal IP address websites, which is the primary reason I want to use Wireguard.

Using the IP address, this should already work from the router side. Using the hostname this might not yet work due to the DNS server rejecting your request.

Just make sure that your internal services accept requests from the 10.x.x.x range of the WG interface.

Hmm, I am using the IP address and don't see any firewall settings that have blocked other IP address ranges.

Edit: It was the firewall on my Synology NAS. Everything is working now. Thanks everyone for the help!


That's what I meant with your internal services accepting requests from the WG IP range.
