Help finishing setting up Wireguard server

Hi! I have a Netgear NGR 7800 with custom OpenWRT [openwrt-22.03 branch (git-22.213.35949-d09fbe0) OpenWrt 22.03-SNAPSHOT r19629-5e39f37caa] downloaded from this user's Build for Netgear R7800 thread.

I've reviewed the wiki guide here and some threads like this one.

As far as I can tell (I'm not an expert) the server setup is fine. Also, my iOS WireGuard app can connect to the server (at least I think so), but when I disable Wi-Fi on the phone and run an IP test at https://ipleak.net/, the public IP shown isn't the one reported by my router's WAN interface.

I have DoT with Stubby working correctly, following this guide.

Here are the config dumps. I set these up with the LuCI web interface; I hope I can get this working.

Networking

# /etc/config/network as dumped by the poster. Key material was redacted and
# appears as <!-- ... --> placeholders; they are not literal config values.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

# LAN bridge with a single member (the eth1.1 VLAN sub-interface); IPv6 off on the device.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'
	option ipv6 '0'

# LAN: 10.0.0.0/24 with the router at 10.0.0.1; IPv6 and prefix delegation disabled.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '10.0.0.1'
	option delegate '0'
	option ipv6 '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

# WAN via DHCP. peerdns '0' ignores the ISP-supplied resolvers in favour of the two
# listed here (the dnsmasq config further down has noresolv '1', so it will not read
# these either and relies on its own server list).
config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
	option ipv6 '0'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

# IPv6 WAN is defined but auto '0' keeps it from being brought up at boot.
config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'
	option auto '0'
	option reqaddress 'try'
	option reqprefix 'auto'

# Switch/VLAN layout: VLAN 1 (ports 1-4, CPU tagged on 6) feeds eth1.1 = LAN,
# VLAN 2 (port 5, CPU tagged on 0) feeds eth0.2 = WAN.
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 5'
	option vid '2'

# Per-device ipv6 '0' stanzas (presumably generated by LuCI when IPv6 was disabled per device).
config device
	option name 'wlan1'
	option ipv6 '0'

config device
	option name 'eth1'
	option ipv6 '0'

config device
	option name 'erspan0'
	option ipv6 '0'

config device
	option name 'eth0'
	option ipv6 '0'

config device
	option name 'eth0.2'
	option type '8021q'
	option ifname 'eth0'
	option vid '2'
	option ipv6 '0'

config device
	option name 'eth1.1'
	option type '8021q'
	option ifname 'eth1'
	option vid '1'
	option ipv6 '0'

config device
	option name 'ifb-dns'
	option ipv6 '0'

config device
	option name 'wlan0'
	option ipv6 '0'

# WireGuard server interface: listens on UDP 1282 (matched by the Allow-Wireguard
# firewall rule), tunnel address 10.0.1.1/24.
# The peerdns/dns entries have no effect on a wireguard interface (see the reply
# below) and can be removed.
config interface 'vpn'
	option proto 'wireguard'
	option peerdns '0'
	option listen_port '1282'
	option private_key '<!-- IFPRIVKEY -->'
	list addresses '10.0.1.1/24'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

# Peer entry for the iOS client. For the tunnel itself the router only needs the
# peer's public_key (and the optional preshared_key); the peer's private_key is
# presumably kept here so LuCI can generate the client config / QR code. Anyone who
# obtains a copy of this file could then impersonate the client, so consider
# removing it once the phone is configured.
# allowed_ips '10.0.1.2/32' is the peer's tunnel address and also the source filter
# for packets arriving from this peer. There is no route_allowed_ips here, so no
# route to 10.0.1.2 is installed on the router (the reply below adds it).
config wireguard_vpn
	option description 'XXXX 1282'
	option public_key '<!-- PEERPUBKEY -->'
	option private_key '<!-- PEERPRIVKEY -->'
	option persistent_keepalive '25'
	option preshared_key '<!-- PEERPSKEY -->'
	list allowed_ips '10.0.1.2/32'

DHCP (removed domain and host configurations, mostly for address reservation)

# /etc/config/dhcp (domain/host reservations omitted by the poster).
# dnsmasq forwards exclusively to two local listeners on port 5453 — presumably the
# Stubby DoT resolver mentioned above. noresolv '1' stops it from reading
# resolv.conf, so ISP/WAN resolvers are never consulted. rebind_protection '1'
# discards upstream answers that point at private address ranges.
# localservice '1' only answers queries from directly attached subnets; the VPN
# subnet 10.0.1.0/24 is attached via the vpn interface, so peers pointed at
# 10.0.0.1 should be served — verify once the tunnel is up.
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'XXXX.com.ar'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option ednspacket_max '1232'
	option confdir '/tmp/dnsmasq.d'
	option noresolv '1'
	option localuse '1'
	list server '127.0.0.1#5453'
	list server '0::1#5453'

# DHCPv4 pool on LAN: 10.0.0.2 .. 10.0.0.51, 12h leases.
config dhcp 'lan'
	option interface 'lan'
	option start '2'
	option limit '50'
	option leasetime '12h'
	option dhcpv4 'server'

# No DHCP service on the WAN side (ignore '1'); start/limit are unused while ignored.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	option start '100'
	option limit '150'
	option leasetime '12h'

# odhcpd is not the main DHCP server (dnsmasq is); kept for IPv6 duties, which are off here.
config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

Firewall (removed redirect configs, none of them points to port 1282)

# /etc/config/firewall (redirect stanzas omitted by the poster).
# Global fallback policy: accept INPUT/OUTPUT, reject FORWARD; the zones below set
# the effective policy for traffic that belongs to a zone.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# lan zone holds both the LAN and the WireGuard interface, so VPN peers get the same
# access as wired/wireless LAN hosts, including the lan->wan forwarding below.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'vpn'

# NOTE: 'vpn' is listed in this zone as well. An interface must belong to exactly
# one zone; being in both lan and wan is the conflict the reply below points out —
# drop "list network 'vpn'" here. masq/mtu_fix are the usual settings for the
# upstream zone.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'vpn'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# Inbound ping from WAN is disabled (enabled '0').
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'
	option enabled '0'

# The IPv6 rules below are inert while wan6 has auto '0' and ipv6 is disabled on the
# other interfaces; they do no harm if IPv6 is enabled later.
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# The next two rules accept ESP and UDP/500 (ISAKMP) from WAN into the lan zone for
# IPsec passthrough. They are unrelated to WireGuard; if no LAN host terminates
# IPsec, setting "option enabled '0'" on both narrows what WAN can reach.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Opens the WireGuard listen port from WAN: UDP 1282, matching listen_port on the
# vpn interface. WireGuard does not respond to packets that fail authentication,
# so this is the only exposure needed for remote peers to connect.
config rule
	list proto 'udp'
	option src 'wan'
	option dest_port '1282'
	option target 'ACCEPT'
	option name 'Allow-Wireguard'

iOS Client App

Thanks!

You've got a few issues...

First, although not related to your actual problem, remove all the dns related entries from the wireguard interface definition (they don't serve any purpose).

Next, add the following line to your wireguard peer config (i.e. the config wireguard_vpn stanza)

	option route_allowed_ips '1'

You have the WG interface in two firewall zones (lan and wan)... it must only be in one. Remove it from the wan.

Finally, in the iOS WG config, add a DNS server (either your router at 10.0.0.1, or a public DNS like 8.8.8.8). And, change the Allowed IPs to 0.0.0.0/0 (if you intend for all traffic to go through the tunnel; if you only want your phone to have remote access to the lan itself, but not use the tunnel for all traffic, you'll use 10.0.0.0/24 for the allowed IPs field).

Restart the router and then test again.


Thanks a lot @psherman — that's what I call a fast answer.

I have it working on my iOS device, but when I configure it on Android as well, I have to disconnect the iOS device from the VPN for the other device to work. Is that expected? Should I create a new peer for each device that I want to use the VPN simultaneously?

Thanks!

Yup. A peer config can only be used on one device at a time.

Yes, just create additional peers and you'll be all set.


Just in case it helps someone else reading this thread: after creating a new peer and saving and applying, I had to restart the VPN interface.

Yes, sorry I didn't mention that. Restarting the interface is required when you make changes (such as adding/removing peers, etc.)

