Getting Wireguard to work

Hi,
I've installed all the packages for wireguard, but just can't get it to work remotely. I think I'm getting a connection but nothing can route at that point, so I think it's firewall related. I've had this working previously but just can't get it working now and I'm at my wit's end. The phone I'm trying to connect is a Pixel Pro 7 using the wireguard app, and the laptop is a gentoo machine. I'm sure I'm nearly there.

What happens is, when I am using my phone's mobile network, I turn on the phone's VPN, and use a browser to go to 192.168.1.1, which is my openwrt box, hoping to get to the luci screen. What happens is that it starts and then just hangs, failing with a timeout in two different browsers. As I do this, I'm running "tcpdump -i eth0.2 port 55555" on the router, via ssh, and can see 96, 256, 112 and 912 block udp packets coming from a reasonable address, but nothing going the other way. Looking on luci I can see the received packets increasing, but almost nothing in the transmit measure, ~500x greater number of packets. I chose 55555 as it's free of other traffic.

I've installed these modules:

luci-proto-wireguard luci-app-wireguard kmod-wireguard wireguard-tools

wg and lan should be on the same zone. The relevant sections of my /etc/config/network are:

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wg'
        option proto 'wireguard'
        option private_key 'qFG.......'
        option listen_port '55555'
        list addresses '192.168.1.240/24'

config wireguard_wg
        option description 'Phone'
        option public_key 'JZSh....'
        option private_key '6DoIJ....'
        list allowed_ips '192.168.1.241/32'

config wireguard_wg
        option description 'Laptop'
        option public_key 'O4Ig......'
        list allowed_ips '192.168.1.242/32'

Oddly luci contains a public key record for interface 'wg' but the text file doesn't.
This is the contents of /etc/config/firewall:

root@magic:/etc/config# cat firewall 

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'WireGuard'
        list proto 'udp'
        option src 'wan'
        option src_dport '55555'
        option dest_ip '192.168.1.1'
        option dest_port '55555'

My Phone's config is

Interface
Public key = JZSh......
Addresses = 192.168.1.241/24
DNS servers = 1.1.1.1

Peer
Public Key = BsZ.....
Allowed IPs = 0.0.0.0/0,::/0
EndPoint = <my external ip>:55555

Your wg interface overlaps the lan subnet. It must be different. Maybe 192.168.5.1/24 (and adjust your peers accordingly).
This firewall rule is wrong... delete it.

Instead, it should be a standard rule (not a redirect)

config rule
        option name 'WireGuard'
        list proto 'udp'
        option src 'wan'
        option src_dport '55555'
        option target 'ACCEPT'
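The overlap called out above (a wg address of 192.168.1.240/24 sitting inside the lan's 192.168.1.0/24) is easy to miss by eye. The following is an added example, not code from the thread or from OpenWrt: a small checker that parses UCI-style /etc/config/network text and reports a wireguard interface whose subnet overlaps another interface's, and, going one step beyond the thread, any peer whose allowed_ips fall outside the tunnel subnet. The sample config, parse_uci and check_wireguard are all constructed for this example.

```python
import ipaddress
import re

# Constructed sample mirroring the thread's first /etc/config/network (key material omitted).
SAMPLE_NETWORK = """
config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
config interface 'wg'
        option proto 'wireguard'
        list addresses '192.168.1.240/24'
config wireguard_wg
        option description 'Phone'
        list allowed_ips '192.168.1.241/32'
"""
SEC_RE = re.compile(r"^config\s+(\S+)(?:\s+'([^']*)')?$")
KV_RE = re.compile(r"^(?:option|list)\s+(\S+)\s+'([^']*)'$")

def parse_uci(text):
    """Parse UCI text into (type, name, {key: [values]}) tuples; repeated list keys accumulate."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := SEC_RE.match(line):
            sections.append((m.group(1), m.group(2), {}))
        elif (m := KV_RE.match(line)) and sections:
            sections[-1][2].setdefault(m.group(1), []).append(m.group(2))
    return sections

def check_wireguard(text):
    """Flag a wireguard subnet overlapping another interface, and peers outside the tunnel subnet."""
    sections = parse_uci(text)
    nets, wg_ifaces, findings = {}, [], []
    for typ, name, opts in sections:
        if typ == "interface" and opts.get("proto") == ["static"] and "netmask" in opts:
            nets[name] = ipaddress.ip_interface(f"{opts['ipaddr'][0]}/{opts['netmask'][0]}").network
        elif typ == "interface" and opts.get("proto") == ["wireguard"]:
            nets[name] = ipaddress.ip_interface(opts["addresses"][0]).network  # first address only
            wg_ifaces.append(name)
    for wg in wg_ifaces:
        findings += [f"{wg} {nets[wg]} overlaps {o} {n}" for o, n in nets.items()
                     if o != wg and n.version == nets[wg].version and n.overlaps(nets[wg])]
    for typ, _, opts in sections:  # peer sections are named wireguard_<iface>
        if typ.startswith("wireguard_") and (wg := typ[len("wireguard_"):]) in nets:
            for aip in opts.get("allowed_ips", []):
                net = ipaddress.ip_network(aip, strict=False)
                if net.version == nets[wg].version and not net.subnet_of(nets[wg]):
                    findings.append(f"peer {opts.get('description', ['?'])[0]}: {aip} outside {nets[wg]}")
    return findings
```

Run it against the text of your own /etc/config/network; an empty list means the tunnel subnet is distinct from the lan and every peer address lives inside it.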

Hi,
Thanks for the help, I've made those changes, (is src_dport meant to be src_port?). Now I'm still seeing the incoming udp packets but the wg interface is showing no packets received. The app says
Sending handshake initiation
Handshake did not complete after 5s.

Should I now put the wireguard interface on its own firewall zone and forward between that and lan?

Thanks

Sorry... I made a typo in the rule...

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port '55555'
	option name 'Allow-WireGuard-Inbound'

I am unsure if that is a hard requirement but it is how I have mine configured:

Don't forget a traffic rule for DNS/DHCP:

This is not a requirement. I personally do put it in a unique firewall zone, but it is absolutely fine to put it in the lan zone if it is fully trusted.

First things first, though... we need to get a handshake.

That field is derived at runtime from the private key for convenience when configuring peers. A public key can always be computed from knowing the private key, but not the other way.

Hi,
I've got this working now thanks to you all, I've been having a bit of a nightmare with this, so I'm very grateful to everyone here. I think I'll backup my config now!

Much appreciated!
