I am trying to set up my OpenWRT router as a wireguard server, so I can connect to my lan while away from my home wifi. However, I can't get my devices to make any connection with the server at all. I think the issue might be with my firewall, which is the last step below if you want to skip the details. I followed the OpenWRT Wireguard page, although I used luci to set things up. Here is what I have done in luci:
First, I installed wireguard-tools, kmod-wireguard, luci-proto-wireguard, qrencode, and libqrencode
Next, I created a new interface: wg0
Protocol: Wireguard VPN
Generated a new key pair
Listen port: 51820
IP Addresses: 10.0.0.1/24
Firewall-zone: lan
Then, I added a new peer:
Generated a new key pair
Allowed IPs: 10.0.0.2/32
Endpoint port: 51820
Then, I clicked on Generate Configuration... under Configuration Export to generate a QR code and left the default settings:
Connection Endpoint: set to my public IP address
Allowed IPs: 0.0.0.0/0, ::/0
DNS Servers: set to my router's IP address (which uses unbound)
I then scanned this QR code in the wireguard app on my iPhone to import the VPN profile, deleted the private key for the peer from OpenWRT, saved and restarted OpenWRT, and enabled the VPN on my iPhone.
Finally, I went into my Firewall settings and added a traffic rule:
Name: Allow-Wireguard
Protocol: UDP
Source zone: wan
Destination zone: lan
Destination port: 51820
Action: accept
I hit save and apply, but nothing loads on my iPhone when connected to the vpn while on cellular. The Wireguard Status page on luci shows Latest Handshake as never. Any ideas what isn't working?
Hmm I'm not. This IP address worked on a different router when I was using a raspberry pi as the Wireguard server instead. I know my public IP address hasn't changed.
The firewall rule should have destination INPUT (device), not lan.
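The input-versus-forwarding distinction is easy to get wrong in LuCI, so here is a small checker I have added for this thread (it is my own example, not code from OpenWrt or from anyone in the thread). It parses the `config rule` sections of a pasted /etc/config/firewall, classifies each rule the way fw3/fw4 does (src only = INPUT, src and dest = FORWARD, dest only = OUTPUT), and flags a listen-port rule that has a destination zone. The sample config is constructed from the rule described above; the rule name and port are the thread's, everything else is assumed.

```python
"""Classify OpenWrt UCI firewall rules as INPUT vs FORWARD (added example)."""
import re

# Constructed sample: the poster's rule, with a destination zone set,
# plus an unrelated input rule so the filter has something to skip.
SAMPLE_FIREWALL = """
config rule
\toption name 'Allow-Wireguard'
\tlist proto 'udp'
\toption src 'wan'
\toption dest 'lan'
\toption dest_port '51820'
\toption target 'ACCEPT'

config rule
\toption name 'Allow-SSH-Input'
\tlist proto 'tcp'
\toption src 'lan'
\toption dest_port '22'
\toption target 'ACCEPT'
"""

_SECTION = re.compile(r"^\s*config\s+(\S+)(?:\s+'?([^'\s]+)'?)?\s*$")
_OPTION = re.compile(r"^\s*(option|list)\s+(\S+)\s+'([^']*)'\s*$")


def parse_uci(text):
    """Parse UCI text into a list of (type, name, options) tuples.
    'option' keys map to a string, 'list' keys map to a list of strings."""
    sections = []
    for line in text.splitlines():
        m = _SECTION.match(line)
        if m:
            sections.append((m.group(1), m.group(2), {}))
            continue
        m = _OPTION.match(line)
        if m and sections:
            kind, key, value = m.groups()
            opts = sections[-1][2]
            if kind == "list":
                opts.setdefault(key, []).append(value)
            else:
                opts[key] = value
    return sections


def classify_rule(opts):
    """Return 'input', 'forward', 'output' or 'any' for one firewall rule.
    OpenWrt semantics: src only -> INPUT (traffic to the router itself);
    src and dest -> FORWARD (traffic through the router); dest only -> OUTPUT.
    A dest of '*' still counts as a destination zone, so it is FORWARD."""
    has_src, has_dest = "src" in opts, "dest" in opts
    if has_src and has_dest:
        return "forward"
    if has_src:
        return "input"
    if has_dest:
        return "output"
    return "any"


def check_listen_port_rule(text, port, proto="udp"):
    """Report every rule that targets the listen port and whether it is the
    INPUT ACCEPT rule a WireGuard server needs. Returns a list of
    (status, rule_name, detail) tuples; status is 'ok', 'bad' or 'missing'."""
    findings = []
    for stype, _name, opts in parse_uci(text):
        if stype != "rule" or opts.get("dest_port") != str(port):
            continue
        protos = opts.get("proto", [])
        if isinstance(protos, str):
            protos = [protos]
        if protos and proto not in protos and "all" not in protos:
            continue
        kind = classify_rule(opts)
        status = "ok" if kind == "input" and opts.get("target") == "ACCEPT" else "bad"
        findings.append((status, opts.get("name"), kind))
    if not any(f[0] == "ok" for f in findings):
        findings.append(("missing", None, "no INPUT ACCEPT rule for the port"))
    return findings


def corrected_input_rule(name, port, proto="udp", src="wan"):
    """Render the rule as it should look: source zone only, no dest."""
    return (
        "config rule\n"
        f"\toption name '{name}'\n"
        f"\tlist proto '{proto}'\n"
        f"\toption src '{src}'\n"
        f"\toption dest_port '{port}'\n"
        "\toption target 'ACCEPT'\n"
    )


if __name__ == "__main__":
    for finding in check_listen_port_rule(SAMPLE_FIREWALL, 51820):
        print(finding)
    print(corrected_input_rule("Allow-Wireguard", 51820))
```

Run it against the pasted config and the WireGuard rule comes back as `forward`, which is the symptom discussed here; the rendered replacement drops the `dest` line and nothing else.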
So if I want to access any device on my lan, what would I change? Remove lan as the destination zone and use any instead?
Please provide a redacted version of your /etc/config/network file containing your Wireguard configuration.
/etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '[REDACTED]'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'sfp2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'br-wan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'wan'

config device
	option name 'eth1'
	option macaddr '[REDACTED]'

config device
	option name 'wan'
	option macaddr '[REDACTED]'

config interface 'wan'
	option device 'br-wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'br-wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'

config interface 'wg0'
	option proto 'wireguard'
	option private_key '[REDACTED]'
	option listen_port '51820'
	list addresses '10.0.0.1/24'

config wireguard_wg0
	option description 'iPhone'
	option preshared_key '[REDACTED]'
	list allowed_ips '10.0.0.2/32'
	option public_key '[REDACTED]'
	option route_allowed_ips '1'
	option endpoint_port '51820'
In addition to @andyboeh's questions, let's see the OpenWrt version, firewall file, and the remote peer (iPhone) configs.
For the OpenWrt side:
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
And then also the iPhone config -- that can be screenshots with the keys and endpoint address redacted.
Nothing. You already put the Wireguard VPN into the lan firewall zone. The rule is required to open port 51820 to be accessible from the outside so that your peer(s) can connect.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '[REDACTED]'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'sfp2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'br-wan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'wan'

config device
	option name 'eth1'
	option macaddr '[REDACTED]'

config device
	option name 'wan'
	option macaddr '[REDACTED]'

config interface 'wan'
	option device 'br-wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'br-wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'

config interface 'wg0'
	option proto 'wireguard'
	option private_key '[REDACTED]'
	option listen_port '51820'
	list addresses '10.0.0.1/24'

config wireguard_wg0
	option description 'iPhone'
	option preshared_key '[REDACTED]'
	list allowed_ips '10.0.0.2/32'
	option public_key '[REDACTED]'
	option route_allowed_ips '1'
	option endpoint_port '51820'
cat /etc/config/firewall
config rule
	option name 'Allow-Wireguard'
	list proto 'udp'
	option src 'wan'
	option dest '*'
	option dest_port '51820'
	option target 'ACCEPT'
That appears to be the only relevant firewall rule regarding that port. I can post the rest if you think there's something else that would be interfering...
The wireguard interface on my phone was generated by the QR code and all of the fields match what I entered in my first post.
Leave destination zone blank to "open a port" for an internal service (which is called an input rule). If source and destination zones are both specified, it becomes a forwarding rule which is not what you want.
Also make sure you have a true public IP. The IP(v4) reported by going to a "what's my IP" site from a LAN computer must match exactly the IP held by the router's WAN interface.
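To make the "true public IP" test above mechanical, here is a helper I have added (my own example, not code from the thread or from OpenWrt). It takes the IPv4 address held on the router's WAN interface and the address a "what's my IP" site reports, and names the usual reasons an inbound WireGuard handshake would never arrive: carrier-grade NAT (100.64.0.0/10), a private RFC 1918 WAN address (double NAT), a link-local WAN address (no DHCP lease), or a plain mismatch. The addresses in the usage are constructed sample values; on a real router the WAN address would come from `ifstatus wan` or `ip -4 addr`, which this script does not call.

```python
"""Sanity-check the address a WireGuard peer will dial (added example)."""
import ipaddress

# RFC 6598 shared address space: the ISP is doing carrier-grade NAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 ranges: a WAN address here means another NAT sits upstream.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# RFC 3927 link-local: the WAN DHCP client never got a lease.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def endpoint_reachability(wan_addr, observed_addr):
    """Return a list of reasons an inbound connection to the router would fail.
    An empty list means the WAN address is outside the NAT/link-local ranges
    and matches what the internet sees, so port 51820/udp can be reached
    once the firewall INPUT rule is in place."""
    wan = ipaddress.ip_address(wan_addr)
    seen = ipaddress.ip_address(observed_addr)
    problems = []
    if wan in CGNAT:
        problems.append(
            "WAN address is in 100.64.0.0/10: ISP carrier-grade NAT, "
            "no inbound path without a public IP from the ISP"
        )
    elif any(wan in net for net in RFC1918):
        problems.append(
            "WAN address is RFC 1918: router sits behind another NAT "
            "(double NAT); forward the port on the upstream device"
        )
    elif wan in LINK_LOCAL:
        problems.append("WAN address is link-local: WAN DHCP did not get a lease")
    if wan != seen:
        problems.append(
            f"WAN address {wan} differs from observed public address {seen}"
        )
    return problems


if __name__ == "__main__":
    # Constructed sample values (documentation range), not real addresses.
    for wan, seen in [
        ("198.51.100.7", "198.51.100.7"),   # reachable
        ("100.70.1.2", "198.51.100.7"),     # CGNAT
        ("192.168.1.5", "198.51.100.7"),    # double NAT
    ]:
        print(wan, "->", endpoint_reachability(wan, seen) or "ok")
```

The check deliberately tests explicit ranges rather than `ipaddress.is_private`, because the latter also treats the documentation networks (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) as private, which would make sample values like the ones above look like a NAT problem.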
Remove the endpoint_port in the peer configuration
Does it work now?
If not, the culprit is most likely the iPhone configuration that we do not really know about.
Attention: in my experience you need to restart the Wireguard interface if you change the configuration. Hitting "Save and Apply" is not sufficient.
Now it connects! However, I can't get anything to load. The Wireguard Status page shows that it had a handshake and transmitted a few kBs of data. But I can't seem to load any website (either external like google.com or internal IP addresses).
It is also possible that the DNS server rejects your requests as they are not coming from the LAN IP address but from a Wireguard address. But I'm not familiar with unbound, so I don't know if that's the case.
Yes, I am using unbound as a recursive DNS alongside adblock-fast. It seems restarting unbound and the wireguard interface now allows me to visit external websites such as google.com before I disabled those rules, so thank you all for the help so far!
Now the final issue is I can't access my internal IP address websites, which is the primary reason I want to use Wireguard.
Using the IP address, this should already work from the router side. Using the hostname this might not yet work due to the DNS server rejecting your request.
Just make sure that your internal services accept requests from the 10.x.x.x range of the WG interface.