EA8300 - Wireguard server configuration on 22.03.5 OpenWRT release

Hi guys!

As I already did for my AC57U (Asus AC57U - Wireguard server configuration on 22.03.5 OpenWRT release), now I'm trying to set up the same Wireguard server on the EA8300, running 22.03.5, as on the Asus.

I still have the same setup as before with the Asus: the ISP router is on 192.168.1.1 (with the DynDNS service working on it) and the Linksys is in dumb AP mode, on 192.168.1.97.

As for the Asus, I've followed this page: https://openwrt.org/docs/guide-user/services/vpn/wireguard/server

I'm still using my Android phone as the client. I can't reach the Wireguard server using the generated .conf.

I've found that there is a slight difference in the switch section between Asus and Linksys, I hope I've set it well.

What else could I check?

Thanks in advance for the reply!

Before spending lots of effort on this, please upgrade to 23.05.2 first (at the very least the ea8300) - as doing so implies the DSA transition for ipq40xx (as in, you will lose all settings over the sysupgrade, so get that out of the way first, rather than having to do the setup twice).

wireguard is pretty much a mere software feature, it works the same on all devices (actually 23.05.x will make ipq40xx much more like mt7621, as then you have both using DSA) - and 22.03.x vs 23.05.x are compatible in regards to wireguard.

2 Likes

I haven't updated it to 23.05.2 because of a couple of posts in which I read that the "older" releases were more stable and fast for this unit.
Well, I'll update to 23; I believe I need 3-4 days to do it, because I will not be at home because of work :pensive::pensive:

Nope.
Use 23.05.2, it's the most stable you can get. Wifi coverage and routing are almost the same. The differences you may notice are not worth it.

Ok, updated to 23.05.2!

Configured the Linksys just like the ac57u, but again I can't connect the client to the server.
It seems that I did everything the right way, using this post as a guide: Asus AC57U - Wireguard server configuration on 22.03.5 OpenWRT release - #7 by psherman

Here's my network config:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd54:560b:fb1b::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'wan'

config device
	option name 'lan1'
	option macaddr '30:23:03:6a:5c:93'

config device
	option name 'lan2'
	option macaddr '30:23:03:6a:5c:93'

config device
	option name 'lan3'
	option macaddr '30:23:03:6a:5c:93'

config device
	option name 'lan4'
	option macaddr '30:23:03:6a:5c:93'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.97'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'

config device
	option name 'wan'
	option macaddr '30:23:03:6a:5c:92'

config interface 'wg'
	option proto 'wireguard'
	option private_key 'REDACTED='
	option listen_port '51820'
	list addresses '10.14.0.1/24'

config wireguard_wg
	option description 'eawg'
	option public_key 'REDACTED='
	option private_key 'REDACTED='
	list allowed_ips '10.14.0.3/32'
	option route_allowed_ips '1'

Firewall config:

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'wg'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'wg'

config forwarding
	option src 'wg'
	option dest 'lan'

config rule
	option name 'Allow-Wireguard'
	list proto 'udp'
	option src '*'
	list src_ip '192.168.1.1'
	option src_port '51820'
	option dest '*'
	option dest_port '51820'
	option target 'ACCEPT'
	list dest_ip '192.168.1.97'

wg show output:

interface: wg
  public key: REDACTED=
  private key: (hidden)
  listening port: 51820

peer: REDACTED=
  endpoint: 93.150.208.80:26444
  allowed ips: 10.14.0.3/32
  latest handshake: 14 minutes, 17 seconds ago
  transfer: 245.93 KiB received, 396.67 KiB sent

You don’t need this stanza. It doesn’t cause any issues, but is not doing anything and is unnecessary.

Otherwise everything looks good.

Is it working as expected? If so, you’re done. If not, we will help figure out the issues.

1 Like
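As an added illustration (not part of the thread and not OpenWrt's own tooling): a small Python checker that parses UCI text like the network and firewall files above and verifies the points this thread turns on for a WireGuard server running on a dumb AP. The handshake arrives on the LAN address, so the lan zone itself must accept input (which is why no separate Allow-Wireguard rule is needed); the wg zone must forward to lan; and because the ISP router has no route to the WireGuard subnet, masquerading on the lan zone is what lets replies find their way back. The config strings are constructed excerpts of the configs posted above, and the function names are my own.

```python
import re
# Constructed excerpts mirroring the thread's /etc/config/network and firewall.
NETWORK = """\
config interface 'wg'
	option proto 'wireguard'
"""
FIREWALL = """\
config zone
	option name 'lan'
	option input 'ACCEPT'
	option masq '1'
	list network 'lan'
config zone
	option name 'wg'
	list network 'wg'
config forwarding
	option src 'wg'
	option dest 'lan'
"""

def parse_uci(text):
    """Parse UCI text into [(section_type, section_name, {key: str | list})]."""
    out = []
    for line in text.splitlines():
        tok = [t.strip("'") for t in re.findall(r"'[^']*'|\S+", line)]
        if tok[:1] == ["config"]:
            out.append((tok[1], tok[2] if len(tok) > 2 else None, {}))
        elif tok[:1] == ["list"]:
            out[-1][2].setdefault(tok[1], []).append(tok[2])
        elif tok[:1] == ["option"]:
            out[-1][2][tok[1]] = tok[2]
    return out

def check_wg(network_text, firewall_text):
    """Return findings for a WireGuard server on a dumb AP; [] means sane."""
    net, fw = parse_uci(network_text), parse_uci(firewall_text)
    wg_name = next(n for _, n, o in net if o.get("proto") == "wireguard")
    zones = {o["name"]: o for t, _, o in fw if t == "zone"}
    zone_of = {n: z for z, o in zones.items() for n in o.get("network", [])}
    fwd = {(o["src"], o["dest"]) for t, _, o in fw if t == "forwarding"}
    lan_zone, findings = zones.get(zone_of.get("lan", ""), {}), []
    # Handshakes hit the LAN address, so the lan zone itself must accept input.
    if lan_zone.get("input") != "ACCEPT":
        findings.append("lan zone must ACCEPT input for the listen port")
    # The ISP router has no route to the WG subnet: masquerade towards lan.
    if lan_zone.get("masq") != "1":
        findings.append("enable masq on the lan zone (or route the WG subnet upstream)")
    if (zone_of.get(wg_name), zone_of.get("lan")) not in fwd:
        findings.append(f"no forwarding from {wg_name}'s zone to lan")
    return findings
```

Run it against the real files with `check_wg(open('/etc/config/network').read(), open('/etc/config/firewall').read())`; an empty list means the three conditions hold.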

Ok, I'll remove that rule.

With this configuration, unfortunately, I'm not able to browse from my Android client. The rx/tx counter on the phone starts to count, but no page can be reached.

Like I said and as you can see, the configuration is almost identical to the one on the ac57u. With the Asus, I'm able to get the wireguard server working fine.

I've noticed that the "wg show" command shows a public IP as the peer endpoint (the public IP of my Android phone's LTE connection), while on the Asus I had a local IP on the same line.

Let’s see the configuration from your phone.

1 Like

May I post a picture instead of attaching the configuration?

Could be a DNS issue.
On your phone, in the WG interface, set a public DNS IP address, e.g. 9.9.9.9.

For starters you can post a screenshot.

1 Like

Here's a screenshot of my client config (btw, it's the same one I used for the ac57u, except for the keys):

That looks OK to me.
Did you reboot the router?
I trust you connect from outside, e.g. with your phone on cellular?

What exactly is the problem?

Can you not browse the internet?
Can you not browse the router?

Start with simple network tools like doing ping and traceroute.

I use Fing on my android phone to do simple network testing.

1 Like

It looks ok to me, too.

With the same configuration, I have no issues using ac57u, while using ea8300 I can't browse internet from the android client.

I rebooted the router and yes, I'm using the 5G data connection on my cellular phone.

Haven't tried to browse the router address.

@egc I restored the router to factory defaults and then I reconfigured it.

Now Wireguard works! :star_struck:

I don't know if I need to configure something else on the ea8300, on this release, to improve performance, but I've noticed that a speedtest with wireguard on is around 50% faster on the AC57u.

Great to hear you got it working :slight_smile:

I do not have your router so I can only share the experience with my routers (R7800, EA8500, DL-WRX36).

I use irqbalance; not sure if that is enabled and present by default, but it helps my throughput, so it is recommended.

You can consider enabling flow offloading (Firewall > General Settings); it can be helpful if you have a fast pipe to the ISP.
But offloading is not compatible with some things like SQM and network monitoring. I have a 500 Mb/s connection so I do not need/use it.

1 Like

I have a 100 Mbit ISP connection, so I believe I can enable offloading.

I'll try later!