Hi everyone
I have installed and configured a WireGuard VPN to Cloudflare WARP on my OpenWrt router, but I can't get it to work properly. Packets are arriving (I checked the interface status); I am attaching the configurations below.
Any kind of help would be appreciated
pavelgl
November 25, 2022, 4:49pm
At first glance, you should enable the Route Allowed IPs option.
Ah, OK — but it still doesn't work after enabling that option.
Packets are still being received, but I can't reach the network, and neither can the router itself: I tried the router's diagnostics page and pinging from an SSH session, and both fail.
Let’s see the config in text form. Screen grabs are not always complete and can be much harder to read.
Please copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
cat /etc/config/network
cat /etc/config/firewall
# /etc/config/network as first posted (secrets replaced with '.' by the poster).
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option packet_steering '1'
# Random ULA prefix for the LAN; not a secret and not routable on the internet.
option ula_prefix 'fd26:430d:1a72::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
# The LAN is assigned a delegated IPv6 prefix (from wan6 below), so LAN hosts
# have native IPv6 as well as IPv4.
option ip6assign '60'
config interface 'wan'
option device 'wan'
option proto 'pppoe'
# PPPoE credentials, redacted by the poster.
option username '.'
option ipv6 'auto'
# NOTE(review): 'type bridge' on an interface section looks like a leftover
# from an older config syntax; presumably harmless here, but worth confirming
# against the netifd documentation for this release.
option type 'bridge'
option password '.'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
option type 'bridge'
config interface 'Wireguard'
option proto 'wireguard'
# Redacted. Never share this value in any channel: whoever holds the private
# key can authenticate as this peer and use the WARP account.
option private_key '.'
# NOTE(review): a fixed listen port is unnecessary for an outbound-only peer
# (the router initiates the handshake; nothing needs to reach this port).
# The later config omits it and the kernel picks an ephemeral port
# (57352 in the 'wg show' output further down).
option listen_port '12321'
list addresses '172.16.0.2/32'
# Resolver pushed for this interface. Whether queries to it actually travel
# through the tunnel depends on the routing state this thread is debugging.
list dns '1.1.1.1'
option mtu '1280'
config wireguard_Wireguard
option description 'Cloudflare Warp'
# Cloudflare's peer key, redacted by the poster (a public key is not secret).
option public_key '.'
# IPv4 only. NOTE(review): with wan6 (dhcpv6) and ip6assign on lan above,
# LAN IPv6 traffic keeps leaving via the native uplink and bypasses the
# tunnel. The later config adds '::/0' as a second allowed_ips entry.
list allowed_ips '0.0.0.0/0'
option endpoint_host 'engage.cloudflareclient.com'
option endpoint_port '2408'
option persistent_keepalive '25'
# No 'route_allowed_ips' here: the 0.0.0.0/0 above only acts as the
# cryptokey filter and no default route via the tunnel is installed.
# The first reply asks for that option to be enabled.
# /etc/config/firewall as first posted. By their names, mostly the rules that
# ship with the OpenWrt default config, plus adblock, miniupnpd and a disabled
# access-control rule.
config defaults
# Zone-less fallbacks; every zone below sets its own input/output/forward.
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option flow_offloading '1'
option flow_offloading_hw '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
# The tunnel is placed in the wan zone: masq and mtu_fix apply to it (needed
# for LAN hosts to use it), but every rule below with src 'wan' now also
# matches packets arriving from the tunnel, not only from the ISP link.
list network 'Wireguard'
config forwarding
option src 'lan'
option dest 'wan'
# NOTE(review): this forwarding covers both the PPPoE uplink and the tunnel,
# so whenever the tunnel is down LAN traffic simply leaves unencrypted via
# pppoe-wan; nothing here prevents that (no "kill switch" rule).
# Default-style input rules (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6).
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# The two rules below forward IPsec (ESP, and IKE on UDP/500) from the wan
# zone into the LAN. Because the tunnel interface is in the wan zone, they
# accept such traffic arriving from the tunnel too.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled 'false'
# NOTE(review): the fw4 log further down reports this include as "not marked
# as compatible with fw4" and ignores it, so anything in /etc/firewall.user
# is NOT applied on this router.
config include
option path '/etc/firewall.user'
# Disabled rule that looks like an access-control entry (ac_* options): it
# would reject everything from one MAC to wan during a time window.
# NOTE(review): the src_mac below is a real-looking hardware address that was
# not redacted, although the thread asked for MACs to be redacted. The fw4
# log also reports 'ac_enabled' and 'ac_suspend' as unknown options.
config rule
option ac_enabled '1'
option src '*'
option dest 'wan'
option proto '0'
option target 'REJECT'
option src_mac '10:82:D7:9D:FC:7F'
option ac_suspend '1665048555'
option enabled '0'
option start_time '03:19:00'
option stop_time '03:50:00'
# The fw4 log reports this path as unreachable and ignores the section.
config include 'mia'
option type 'script'
option path '/etc/mia.include'
option reload '1'
# Generated by the adblock package's DNS redirect feature (the poster says
# adblock is in use): DNS (53), DoT (853) and mDNS (5353) from the lan zone
# are DNAT'ed to the router, presumably so clients cannot bypass the local
# filtering resolver.
config redirect 'adblock_lan53'
option name 'Adblock DNS (lan, 53)'
option src 'lan'
option proto 'tcp udp'
option src_dport '53'
option dest_port '53'
option target 'DNAT'
config redirect 'adblock_lan853'
option name 'Adblock DNS (lan, 853)'
option src 'lan'
option proto 'tcp udp'
option src_dport '853'
option dest_port '853'
option target 'DNAT'
config redirect 'adblock_lan5353'
option name 'Adblock DNS (lan, 5353)'
option src 'lan'
option proto 'tcp udp'
option src_dport '5353'
option dest_port '5353'
option target 'DNAT'
# NOTE(review): the same redirects for src 'wan' (which includes the tunnel)
# DNAT DNS arriving from outside to the router itself. Port-forwards to a
# local port are normally also accepted by the firewall, so unless dnsmasq
# refuses non-local clients this can expose the resolver on the public side.
# Verify from outside (or with 'nft list ruleset') that port 53 is not
# reachable from the WAN, and drop these entries if they are not needed.
config redirect 'adblock_wan53'
option name 'Adblock DNS (wan, 53)'
option src 'wan'
option proto 'tcp udp'
option src_dport '53'
option dest_port '53'
option target 'DNAT'
config redirect 'adblock_wan853'
option name 'Adblock DNS (wan, 853)'
option src 'wan'
option proto 'tcp udp'
option src_dport '853'
option dest_port '853'
option target 'DNAT'
config redirect 'adblock_wan5353'
option name 'Adblock DNS (wan, 5353)'
option src 'wan'
option proto 'tcp udp'
option src_dport '5353'
option dest_port '5353'
option target 'DNAT'
# UPnP/NAT-PMP is active (see the miniupnpd lines in the log further down).
# Which interface it opens ports on is set in /etc/config/upnpd, not shown
# here; LAN devices can request wan-zone port mappings through it.
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
I have tried many things since, but still can't get it to work.
You need to enable the route allowed ips option in the peer config for wireguard.
If that doesn’t fix the problem, show the output of wg show
laingo
November 26, 2022, 6:35pm
I had issues with WARP specifically failing after a while, but it does appear to work with this configuration. I used wgcf to generate my configuration parameters.
Note that you can configure your wireguard interface to come up automatically.
# laingo's working WARP interface (keys replaced with placeholders).
config interface 'cf'
option proto 'wireguard'
option mtu '1280'
list addresses '172.16.0.2/32'
# Placeholder. The real value must never be shared; whoever holds it can
# authenticate as this peer and use the WARP account.
option private_key '<private-key>'
# Not brought up at boot; must be started with 'ifup cf' (the poster notes
# it can be configured to come up automatically). NOTE(review): until it is
# up, and whenever it drops, LAN traffic leaves via the native uplink
# unencrypted unless the firewall is configured to block that.
option auto '0'
config wireguard_cf 'cfpeer'
option public_key '<public-key>'
option endpoint_host 'engage.cloudflareclient.com'
option endpoint_port '2408'
# Installs the allowed_ips below as routes, i.e. a default route via cf for
# both address families.
option route_allowed_ips '1'
option persistent_keepalive '25'
list allowed_ips '0.0.0.0/0'
# Covering IPv6 too keeps LAN IPv6 traffic from bypassing the tunnel.
list allowed_ips '::/0'
Firewall/Zones
# laingo's wan zone: the tunnel ('cf') is a wan-zone member, so masq and
# mtu_fix apply to it and every src 'wan' rule also matches tunnel traffic.
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
# 'lte' is an extra uplink on laingo's router, not part of the poster's setup.
list network 'lte'
list network 'cf'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
# Apply the new interface and zone membership, then bring the tunnel up.
/etc/init.d/network reload
ifup cf
# fw3 is the iptables-based firewall. NOTE(review): the poster's log further
# down shows fw4 (nftables) messages, so on that router use
# '/etc/init.d/firewall reload' instead, which works for either backend.
fw3 reload
Routes
# net-tools view of the IPv4 table; 'ip r' shows the same information.
route -n
root@homeap0:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 cf
...
After that the connection drops, although packets are still being received.
I did use wgcf to generate the credentials previously — thanks — but let me try the rest of your configuration.
I get the following errors:
Mon Nov 28 22:13:23 2022 daemon.notice netifd: Interface 'cf' is setting up now
Mon Nov 28 22:13:24 2022 daemon.notice netifd: Interface 'cf' is now up
Mon Nov 28 22:13:24 2022 daemon.notice netifd: Network device 'cf' link is up
Mon Nov 28 22:13:25 2022 daemon.warn odhcpd[1966]: A default route is present but there is no public prefix on lan thus we don't announce a default route!
Mon Nov 28 22:13:27 2022 daemon.notice miniupnpd[4829]: shutting down MiniUPnPd
Mon Nov 28 22:13:28 2022 daemon.notice miniupnpd[9160]: HTTP listening on port 5000
Mon Nov 28 22:13:28 2022 daemon.notice miniupnpd[9160]: HTTP IPv6 address given to control points : [fd26:430d:1a72::1]
Mon Nov 28 22:13:28 2022 daemon.notice miniupnpd[9160]: Listening for NAT-PMP/PCP traffic on port 5351
Mon Nov 28 22:13:28 2022 user.notice firewall: Reloading firewall due to ifup of cf (cf)
Mon Nov 28 22:13:31 2022 daemon.notice miniupnpd[9160]: shutting down MiniUPnPd
Mon Nov 28 22:13:31 2022 daemon.notice miniupnpd[9271]: HTTP listening on port 5000
Mon Nov 28 22:13:31 2022 daemon.notice miniupnpd[9271]: HTTP IPv6 address given to control points : [fd26:430d:1a72::1]
Mon Nov 28 22:13:31 2022 daemon.notice miniupnpd[9271]: Listening for NAT-PMP/PCP traffic on port 5351
Section @rule[9] (Support-UDP-Traceroute) is disabled, ignoring section
Section @rule[10] specifies unknown option 'ac_enabled'
Section @rule[10] specifies unknown option 'ac_suspend'
Section @rule[10] is disabled, ignoring section
Section @include[0] is not marked as compatible with fw4, ignoring section
Section @include[0] requires 'option fw4_compatible 1' to be considered compatible
Section mia option 'reload' is not supported by fw4
Section mia specifies unreachable path '/etc/mia.include', ignoring section
Automatically including '/usr/share/nftables.d/table-post/20-miniupnpd.nft'
Automatically including '/usr/share/nftables.d/chain-post/dstnat/20-miniupnpd.nft'
Automatically including '/usr/share/nftables.d/chain-post/forward/20-miniupnpd.nft'
Automatically including '/usr/share/nftables.d/chain-post/srcnat/20-miniupnpd.nft'
Here is my present config:
Network:
# /etc/config/network after adopting laingo's interface layout.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option packet_steering '1'
# Random ULA prefix for the LAN; not a secret and not routable on the internet.
option ula_prefix 'fd26:430d:1a72::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
# The LAN gets a delegated IPv6 prefix from wan6 below.
option ip6assign '60'
config interface 'wan'
option device 'wan'
option proto 'pppoe'
# PPPoE credentials, redacted by the poster.
option username 'redacted'
option ipv6 'auto'
# NOTE(review): 'type bridge' on an interface section looks like a leftover
# from an older config syntax; presumably harmless, but worth confirming.
option type 'bridge'
option password 'Redacted'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
option type 'bridge'
config interface 'cf'
option proto 'wireguard'
option mtu '1280'
list addresses '172.16.0.2/32'
# NOTE(review): the value shows what look like leading characters of the real
# key in front of '(redacted)'. If those characters are genuine, treat the key
# as exposed and re-register with wgcf; never paste any part of a private key
# into a public thread (or send it to anyone - it is the account credential).
option private_key '+EunFibGK0=(redacted)'
# Not brought up at boot; needs 'ifup cf'. NOTE(review): while it is down,
# LAN traffic leaves via pppoe-wan unencrypted, since the firewall forwards
# lan -> wan regardless of which wan-zone interface is up.
option auto '0'
config wireguard_cf 'cfpeer'
# Cloudflare's peer key; a public key is not secret, redaction is optional.
option public_key 'bmXOC+UguH/lol=(redacted)'
option endpoint_host 'engage.cloudflareclient.com'
option endpoint_port '2408'
# Installs the allowed_ips below as routes: the 'ip r' output further down
# shows 'default dev cf' and no remaining default via pppoe-wan.
option route_allowed_ips '1'
option persistent_keepalive '25'
list allowed_ips '0.0.0.0/0'
# IPv6 is now covered too, so LAN IPv6 no longer bypasses the tunnel.
list allowed_ips '::/0'
Firewall:
# /etc/config/firewall after adopting laingo's zone layout. Apart from the
# wan zone membership it is unchanged from the first posted version.
config defaults
# Zone-less fallbacks; every zone below sets its own input/output/forward.
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option flow_offloading '1'
option flow_offloading_hw '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
# NOTE(review): copied from laingo's config; this router's network config
# defines no 'lte' interface, so the entry is inert and can be removed.
list network 'lte'
# The tunnel shares the wan zone: masq and mtu_fix apply to it, and every
# rule below with src 'wan' also matches packets arriving from the tunnel.
list network 'cf'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
# NOTE(review): this forwarding covers both pppoe-wan and cf, so when the
# tunnel is down LAN traffic goes out unencrypted via pppoe-wan; there is
# no rule here that prevents that (no "kill switch").
# Default-style input rules (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6).
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# The two rules below forward IPsec (ESP, and IKE on UDP/500) from the wan
# zone into the LAN; with cf in the wan zone they accept such traffic from
# the tunnel as well.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled 'false'
# NOTE(review): the fw4 log above reports this include as "not marked as
# compatible with fw4" and ignores it; anything in /etc/firewall.user is
# therefore NOT applied on this router.
config include
option path '/etc/firewall.user'
# Disabled rule that looks like an access-control entry (ac_* options).
# NOTE(review): the src_mac below is a real-looking hardware address that was
# not redacted although the thread asked for MACs to be redacted; the fw4 log
# also reports 'ac_enabled' and 'ac_suspend' as unknown options.
config rule
option ac_enabled '1'
option src '*'
option dest 'wan'
option proto '0'
option target 'REJECT'
option src_mac '10:82:D7:9D:FC:7F'
option ac_suspend '1665048555'
option enabled '0'
option start_time '03:19:00'
option stop_time '03:50:00'
# The fw4 log above reports this path as unreachable and ignores the section.
config include 'mia'
option type 'script'
option path '/etc/mia.include'
option reload '1'
# adblock's DNS redirect feature: DNS (53), DoT (853) and mDNS (5353) from
# the lan zone are DNAT'ed to the router, presumably so clients cannot
# bypass the local filtering resolver.
config redirect 'adblock_lan53'
option name 'Adblock DNS (lan, 53)'
option src 'lan'
option proto 'tcp udp'
option src_dport '53'
option dest_port '53'
option target 'DNAT'
config redirect 'adblock_lan853'
option name 'Adblock DNS (lan, 853)'
option src 'lan'
option proto 'tcp udp'
option src_dport '853'
option dest_port '853'
option target 'DNAT'
config redirect 'adblock_lan5353'
option name 'Adblock DNS (lan, 5353)'
option src 'lan'
option proto 'tcp udp'
option src_dport '5353'
option dest_port '5353'
option target 'DNAT'
# NOTE(review): the same redirects for src 'wan' (pppoe-wan, wan6 and now
# cf) DNAT DNS arriving from outside to the router itself. Port-forwards to
# a local port are normally also accepted by the firewall, so unless dnsmasq
# refuses non-local clients this can expose the resolver publicly. Verify
# from outside (or with 'nft list ruleset') that port 53 is not reachable
# from the WAN, and drop these entries if they are not needed.
config redirect 'adblock_wan53'
option name 'Adblock DNS (wan, 53)'
option src 'wan'
option proto 'tcp udp'
option src_dport '53'
option dest_port '53'
option target 'DNAT'
config redirect 'adblock_wan853'
option name 'Adblock DNS (wan, 853)'
option src 'wan'
option proto 'tcp udp'
option src_dport '853'
option dest_port '853'
option target 'DNAT'
config redirect 'adblock_wan5353'
option name 'Adblock DNS (wan, 5353)'
option src 'wan'
option proto 'tcp udp'
option src_dport '5353'
option dest_port '5353'
option target 'DNAT'
# UPnP/NAT-PMP is active (miniupnpd restarts appear in the log above).
# Which interface it opens ports on is set in /etc/config/upnpd, not shown
# here; LAN devices can request wan-zone port mappings through it.
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
My default connection without WireGuard is PPPoE IPv4.
root@router:~# wg show
interface: cf
public key: (redacted)
private key: (hidden)
listening port: 57352
peer: (redacted)
endpoint: 162.159.192.1:2408
allowed ips: 0.0.0.0/0, ::/0
latest handshake: 16 seconds ago
transfer: 3.32 KiB received, 217.35 KiB sent
persistent keepalive: every 25 seconds
laingo
November 28, 2022, 4:57pm
The errors above appear to be different issues.
Can you check your routes after bringing up cf?
Share the output of this:
# Confirm the default route now points at cf, then check the egress address.
route -n
ip r
# Note: --interface only binds the socket's source interface; the host name is
# still looked up by the router's normal resolver. If that lookup fails (as the
# "Could not resolve host" result further down shows), the test says nothing
# about the tunnel itself - repeat it against a literal IP address to separate
# a DNS problem from a routing problem.
curl --interface cf https://ipinfo.io
Should resolve to a Cloudflare address.
{
"ip": "<<ip>>",
...
"org": "AS13335 Cloudflare, Inc.",
...
}
root@router:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 cf
10.90.8.1       0.0.0.0         255.255.255.255 UH    0      0        0 pppoe-wan
162.159.192.1   10.90.8.1       255.255.255.255 UGH   0      0        0 pppoe-wan
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
root@router:~# ip r
default dev cf scope link
10.90.8.1 dev pppoe-wan scope link src 10.90.8.251
162.159.192.1 via 10.90.8.1 dev pppoe-wan
192.168.1.0/24 dev br-lan scope link src 192.168.1.1
root@router:~# curl --interface cf https://ipinfo.io
curl: (6) Could not resolve host: ipinfo.io
Fyi
I am using adblock on my router
And there is currently a bug with luci app wireguard
I see in 22.03.2 that the QRCode peer config generator for Wireguard in LUCI is now incorporating private keys and pre-shared keys. Also it is getting the peer's endpoint hostname from ddns config and this was a stroke of genius. However the config that it is generating is actively incorrect.
Basically, what is being sent to the peer as its config file reverses what is going into [Interface] -> Address and what is going into [Peer] -> AllowedIPs. This means that the peer ends up thinking i…
I also set up an interface with the account generated by wgcf. It works here.
There's traffic.
You're not using a QR code (you used wgcf) - how is your comment related to your issue?
Not necessarily a bug, the QR Code and what's expected has been a discussion since it was created - see: [?] luci-app-wireguard QR Code shows Private Key
Does it block Cloudflare?
I suspended the adblock process and tested again from the router; the result is the same. WARP isn't blocked in my country: connecting manually with the WARP app from my phone works fine.
Do you have any social media account where I could send you the WARP credentials for further testing?