I can't set this up. I try, it supposedly connects, but there is no internet at all. I want this:
Phone -------------> Openwrt AP
Wireguard
So it will be a server.
What issues are you having?
Setup on an AP is no different than a router.
No, it is different. At this wiki here: https://openwrt.org/docs/guide-user/services/vpn/wireguard/server
In the firewall section it talks about WAN, which an AP doesn't have. So what do I do here then? There is no WAN in my setup, only LAN. However, my NAS device can do WireGuard just fine.
Ummmmm...so you deleted WAN?
(Since we don't know the zone's name, and you didn't tell us - there's no way to guess. The name of the firewall zone doesn't matter.)
I'm sure, because there's no difference.
If you need more assistance, feel free to post your firewall and network configs.
I am totally lost... Now the WireGuard VPN interface says "no device is present".
As a reminder:
For Wireguard to work you have to route into the Wireguard tunnel from another network. So you need to add some networks to your AP. Probably the best way to do it is to start with lan->wan routing as if it were a main router, then you can follow any of the numerous guides for how to add a Wireguard interface and do "whole house" routing through Wireguard. Here in this case though it would not be the whole house, only devices connected to OpenWrt's lan.
You can set up wan as a bridge with an additional AP. Users connected to it will bypass Wireguard entirely and bridge into the house's upstream network exactly like the AP you have now.
I also added port forwarding to this AP to 51821 port, as UDP. It worked only once while I was fiddling with it, but it wouldn't connect me to the internet. Only to this local network.
So,
firewall:
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option syn_flood '1'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'wg'
option input 'ACCEPT'
option forward 'ACCEPT'
option output 'ACCEPT'
config forwarding
option src 'wg'
option dest 'lan'
network:
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'blahblah::/48'
option packet_steering '1'
config atm-bridge 'atm'
option vpi '1'
option vci '32'
option encaps 'llc'
option payload 'bridged'
option nameprefix 'dsl'
config dsl 'dsl'
option annex 'a'
option tone 'av'
option ds_snr_offset '0'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config device
option name 'lan1'
option macaddr '50:'
config device
option name 'lan2'
option macaddr '50:'
config device
option name 'lan3'
option macaddr '50:'
config device
option name 'lan4'
option macaddr '50:'
config interface 'lan'
option device 'br-lan'
option proto 'dhcp'
config device
option name 'dsl0'
option macaddr '50:'
config interface 'kabloguard'
option proto 'wireguard'
option private_key 'privatekey'
option listen_port '51821'
list addresses '10.0.0.1/24'
config wireguard_kabloguard
option description 'test'
option public_key 'publickey'
option private_key 'privatekey2'
option preshared_key 'presharedkey'
list allowed_ips '10.0.0.2/32'
option route_allowed_ips '1'
option endpoint_host 'myddnsthing.org'
option endpoint_port '51821'
I assume the Wireguard instance in your OpenWrt AP/router will link to a commercial VPN service to be used for Internet. This means that your instance of Wireguard is a "client", though the whole box might be considered a "server" in that it is taking connections from LAN users and directing their traffic to the commercial service.
Since the encrypted packets are an outgoing connection, you don't have to open or forward any ports for it to work.
Hmm. I don't understand, but what I want is this. I use my NAS as a WireGuard server; whenever I am on holidays in another country, I connect to my NAS via my phone or laptop. This is convenient. But the NAS needs a lot of power. I also sold my OpenWrt router for now, so I am using the ISP's router, which doesn't have WireGuard. Then I had this idea that maybe I can use a dumb OpenWrt AP as a WireGuard server?
But if I understand you right, this is not possible, right? You say to do WAN instead, but with that it will be double NAT and somewhat more ping.
I don't see masquerading. Enable it on your wg zone:
config zone
option name 'wg'
option input 'ACCEPT'
option forward 'ACCEPT'
option output 'ACCEPT'
option masq '1'
list network 'kabloguard'
In network, simplify config wireguard_kabloguard:
config wireguard_kabloguard
option description 'test'
option public_key 'publickey'
option preshared_key 'presharedkey'
list allowed_ips '10.0.0.2/32'
Restart both network and firewall.
Thanks, but still not working. When I restart the WireGuard interface it says no network device is present.
What does the log say? Are all the modules installed? Try the standard name wg0 instead of the custom interface name kabloguard.
Masquerading needs to be enabled on the lan zone:
It should not be enabled on the wg zone (it is worth noting that the earlier config was missing the network from the wg zone):
The naming of the wg network is largely arbitrary; it doesn't need to be wg0 or anything else. kabloguard is fine.
The endpoint host and port number should be removed from the above
Let’s see the config from the remote peer.
And let's see the output of wg show.
On the normal router setup we enable masquerading on the wan zone to hide the private lan network from the public internet. But this specific dumb AP setup doesn't have a wan zone. The wg clients are on a new private wg network & his main router has no idea that wg network exists. In short:
- wg zone: Masquerading enabled.
- lan zone: Masquerading disabled.
Am I correct?
This is incorrect. And it will not work.
The lan zone here is the upstream and thus must be masqueraded (unless the upstream router has an appropriate static route installed).
The lan zone here is the upstream and thus must be masqueraded
But that would effectively turn the AP into a router right?
And OP doesn't want that. Maybe the problem is with the interface failing to start & not the firewall, imo.
But that would effectively turn the AP into a router right?
WireGuard is a routed protocol. So yes, the AP will perform some routing. (It's required.)
And masquerading is required on the upstream (lan in this case) unless the main router supports static routes and has the necessary route installed.
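A small checker for the configs posted in this thread (an added example, not from the thread or from OpenWrt): it parses UCI text and flags the three points the replies converge on, namely the wg zone missing its network, masquerading on the wrong zone for a dumb AP, and endpoint/private key left in the listening side's peer section. Zone and interface names (lan, wg, kabloguard) are taken from the thread; the sample snippets are condensed, constructed copies of the posted config and of the suggested fix.

```python
import re

def parse_uci(text):
    """Parse UCI text into (section_type, section_name, {key: [values]}) tuples."""
    sections = []
    for line in text.splitlines():
        parts = [p.strip("'") for p in re.findall(r"'[^']*'|\S+", line.strip())]
        if not parts:
            continue
        if parts[0] == "config":
            sections.append((parts[1], parts[2] if len(parts) > 2 else None, {}))
        elif parts[0] in ("option", "list") and sections:
            sections[-1][2].setdefault(parts[1], []).append(parts[2])
    return sections

def check_dumb_ap_wireguard(firewall, network, wg_iface, upstream="lan"):
    """Return the problems found; an empty list means the layout the thread converged on."""
    problems, fw = [], parse_uci(firewall)
    zones = [opts for stype, _, opts in fw if stype == "zone"]
    wg_zone = next((z for z in zones if wg_iface in z.get("network", [])), None)
    if wg_zone is None:
        problems.append(f"no firewall zone lists network '{wg_iface}'")
    elif wg_zone.get("masq") == ["1"]:
        problems.append(f"masq on zone '{wg_zone['name'][0]}' belongs on upstream '{upstream}'")
    up = next((z for z in zones if z.get("name") == [upstream]), None)
    if up is None or up.get("masq") != ["1"]:
        problems.append(f"masq missing on '{upstream}': on an AP it is the upstream, there is no wan")
    for stype, _, opts in parse_uci(network):
        if stype == f"wireguard_{wg_iface}":  # the peer section of the listening interface
            if "endpoint_host" in opts or "endpoint_port" in opts:
                problems.append("peer has endpoint_host/port; the listening side needs neither")
            if "private_key" in opts:
                problems.append("peer carries a private_key; only public/preshared keys belong there")
    return problems

# Constructed snippets condensed from the thread's posted config (before) and the fix (after).
FW_BEFORE = """config zone\noption name 'lan'\nlist network 'lan'
config zone\noption name 'wg'\nconfig forwarding\noption src 'wg'\noption dest 'lan'"""
FW_AFTER = """config zone\noption name 'lan'\noption masq '1'\nlist network 'lan'
config zone\noption name 'wg'\nlist network 'kabloguard'\nconfig forwarding\noption src 'wg'\noption dest 'lan'"""
NET_BEFORE = """config interface 'kabloguard'\noption proto 'wireguard'\noption listen_port '51821'
config wireguard_kabloguard\noption public_key 'publickey'\noption private_key 'privatekey2'
option preshared_key 'presharedkey'\nlist allowed_ips '10.0.0.2/32'\noption endpoint_host 'myddnsthing.org'"""
NET_AFTER = """config interface 'kabloguard'\noption proto 'wireguard'\noption listen_port '51821'
config wireguard_kabloguard\noption public_key 'publickey'\noption preshared_key 'presharedkey'
list allowed_ips '10.0.0.2/32'"""

if __name__ == "__main__":
    for label, fw, net in (("posted", FW_BEFORE, NET_BEFORE), ("fixed", FW_AFTER, NET_AFTER)):
        print(label, check_dumb_ap_wireguard(fw, net, "kabloguard") or ["ok"])
```

Run it against a real `cat /etc/config/firewall` and `cat /etc/config/network` dump to see which of the thread's points still apply before restarting network and firewall.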