How to connect to a computer using WireGuard

hdog01 · June 10, 2020, 3:37am

Please help me.
I want to manually enter the LAN IP into my computer using WireGuard. As a result, the IP of the wire guard should be displayed. I actually succeeded with mobile. However, it is not displayed on the computer.

I'll differentiate between server PC and client PC (peer) and mobile (peer).

The mobile (peer) connection of the server PC is normal. IP appears as a server PC.
You need to store the client PC (peer) on the server PC and make the IP visible on the server PC LAN (static 192.168.0.40).

server PC network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd15:5672:3a87::/48'
	option multipath 'disable'
	option mptcp_path_manager 'fullmesh'
	option mptcp_scheduler 'default'
	option mptcp_checksum '0'
	option mptcp_debug '0'
	option mptcp_syn_retries '5'
	option mptcp_fullmesh_num_subflows '1'
	option mptcp_fullmesh_create_on_err '1'
	option mptcp_ndiffports_num_subflows '1'
	option congestion 'cubic'

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'
	option multipath 'off'

config interface 'lan'
	option proto 'static'
	option multipath 'off'
	option ipaddr '192.168.0.40'
	option netmask '255.255.254.0'
	option ifname 'eth0'

config interface 'wg0'
	option proto 'wireguard'
	list addresses '192.168.10.1/32'
	option listen_port '51820'
	option multipath 'on'
	option private_key '<KEY>'

config wireguard_wg0
	option description 'Client pc'
	option route_allowed_ips '1'
	option public_key '<KEY>'
	list allowed_ips '192.168.10.16/32'

config wireguard_wg0
	option description 'mobile'
	option public_key '<KEY>'
	list allowed_ips '192.168.10.17/32'
	option route_allowed_ips '1'

server PC firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config include 'unblockmusic'
	option type 'script'
	option path '/var/etc/unblockmusic.include'
	option reload '1'

config redirect
	option target 'DNAT'
	option proto 'tcp udp'
	option src 'wan'
	option src_dport '80'
	option dest 'lan'
	option dest_port '80'

config redirect
	option target 'DNAT'
	option name '2'
	option proto 'tcp udp'
	option src 'wan'
	option src_dport '80'
	option dest 'wan'
	option dest_port '80'

config rule
	option src '*'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '51820'
	option name 'Allow-Wireguard-Inbound'

config forwarding
	option dest 'wg0'

config forwarding
	option src 'wg0'

config zone
	option name 'WAN'
	option network 'WAN wan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option fullcone '1'

config zone
	option output 'ACCEPT'
	option mtu_fix '1'
	option network 'wg0'
	option name 'wg0'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option fullcone '1'

config zone
	option name 'LAN'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option network 'LAN lan'
	option forward 'ACCEPT'
	option masq '1'
	option fullcone '1'

config forwarding
	option src 'LAN'
	option dest 'wg0'

config forwarding
	option src 'LAN'
	option dest 'WAN'

config forwarding
	option src 'wg0'
	option dest 'LAN'

Client PC network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd15:5672:3a87::/48'
	option multipath 'disable'
	option mptcp_path_manager 'fullmesh'
	option mptcp_scheduler 'default'
	option mptcp_checksum '0'
	option mptcp_debug '0'
	option mptcp_syn_retries '5'
	option mptcp_fullmesh_num_subflows '1'
	option mptcp_fullmesh_create_on_err '1'
	option mptcp_ndiffports_num_subflows '1'
	option congestion 'cubic'

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'
	option multipath 'off'

config interface 'lan'
	option proto 'static'
	option ifname 'eth0'
	option multipath 'off'
	option netmask '255.255.254.0'
	option ipaddr '192.168.0.20'

config interface 'wg0'
	option proto 'wireguard'
	option private_key '<KEY>'
	option listen_port '51820'
	option multipath 'on'
	list addresses '192.168.10.16/32'

config wireguard_wg0
	option description 'server PC'
	option public_key '<KEY>'
	option route_allowed_ips '1'
	list allowed_ips '192.168.10.1/32'

Client PC firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wg0'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option masq '1'
	option network 'wg0 lan'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network ' '

config zone
	option name 'wan'
	option mtu_fix '1'
	option network 'wan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option masq '1'
	option forward 'ACCEPT'
	option fullcone '1'

config rule
	option src 'wan'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '51820'
	option name 'wg0'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config forwarding
	option src 'lan'
	option dest 'wg0'

Nocte · June 10, 2020, 10:00am

I feel a bit confused by your question. What do you mean by "IP of the wireguard should be displayed"? What would that display be?
I can see that you are configuring IPs with x.x.x.x/32 which only allows that particular IP so you don't intend to route anything apart from that one connection?
Does wg command show a handshake?

hdog01 · June 10, 2020, 10:09am

Simply put, the client's IP is taken from the 192.168.0.40 LAN and entered into the server computer.

krazeh · June 10, 2020, 10:12am

Nope, that still doesn't make sense. Are you wanting to connect a client and have it receive an IP address in the same subnet as LAN computers connected to the server?

hdog01 · June 10, 2020, 10:14am

Yes. I want to bring the IP of the client PC to the server PC. Used as a server PC!

Nocte · June 10, 2020, 10:17am

I don't have experience with that particular approach since normally you would create a separate subnet for your wiregurd peers and route your traffic accordingly.
When your wireguard interface is up check if ip r shows routes to the peers as you want it.

But could you please validate the handshake first?

krazeh · June 10, 2020, 10:21am

Well that hasn't made it any clearer... Let's try this a different way -

The two configs you posted above ('Server PC' and 'Client PC') both appear to be OpenWRT devices. Is this correct?
If so, are they both operating as routers for LANs behind them?
Do they each have direct access to the internet? i.e. does the WAN interface have a public IP?
Do you just want the two devices to be able to speak to each other? Or do you want to be able to access devices in LANs behind each of them from the other side?

hdog01 · June 10, 2020, 10:21am

Yes, you can actually communicate with each other! ( 192.168.10.1 <-> 192.168.10.16 )

hdog01 · June 10, 2020, 10:25am

Both are openwrt devices.
wan dhcp connection completed lan static connection completed!
Internet connection available! Wan dhcp
We are already talking to each other! In server lan, I want to display the client's wan dhcp ip in server lan static.

In other words, the server PC IP should be viewed as the client PC IP. Server pc lan statically through.

krazeh · June 10, 2020, 10:29am

Viewed by what?

Do you have LANs set up behind both OpenWRT devices? Are they at different locations with different public IPs?

hdog01 · June 10, 2020, 10:35am

Yes, both lans were used statically. The two dhcp are in different locations.

server
WAN (DHCP) - 222.222.222.111
LAN (Static) - 192.168.0.40
( Supports two ports )

Client
WAN (DHCP) - 222.111.111.111
LAN (Static) - 192.168.0.20
( Supports two ports )

192.168.0.40 -> 222.111.111.111 request..

krazeh · June 10, 2020, 10:52am

Right, so when you connect to the internet from the 'server' side you want it to appear as if you're connecting from the 'client' side? Do you want it to be like that just for the OpenWRT router or for all the devices on the 'server' side?

hdog01 · June 10, 2020, 10:53am

Yes, that's right! I want to see from server to client.
Any device on the server!

krazeh · June 10, 2020, 10:57am

What are the IP addresses of the other devices on the server side?

hdog01 · June 10, 2020, 11:05am

I didn't understand. Public ip? Or wireguard IP? Or lan static IP?

hdog01 · June 10, 2020, 11:07am

The interface picture of the server.

krazeh · June 10, 2020, 11:09am

Are there any other devices connected to this one? What is plugged into the LAN?

hdog01 · June 10, 2020, 11:12am

The computer is connected to the LAN. The wan IP is displayed on the computer. I want to show the client IP. ( wg0 ) Through..

krazeh · June 10, 2020, 11:17am

And what is the IP address of the computer? Is it statically assigned? Or done by DHCP? Are there other devices on the LAN that you also want to connect to the internet through the 'client' site? If so, what are their IPs? Are they static or DHCP?

hdog01 · June 10, 2020, 11:19am

LAN computers are static and use 192.168.1.1 IP. Subnet 255.255.254.0. Gateway 192.168.0.40