I can't connect to VPN WireGuard

I've used ChatGPT, followed tutorials on this forum, and tried just about everything. My IP address isn't changing, even though the "wg show" command indicates everything is fine and working.

I've set up the firewall and configured everything, but nothing seems to help.

I've reset everything multiple times and restarted over and over. I've tried just about everything. Can someone please help and give me precise instructions for this mess? I'm honestly exhausted. I've spent so much time with no results. I live in Slovakia and the VPN is for Ukraine.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
1 Like

This is not the most configured option, because I reset the router several times, I just gave up and decided to write here.

ubus call system board

{
        "kernel": "5.15.134",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:4",
        "model": "TP-Link Archer C6 v3",
        "board_name": "tplink,archer-c6-v3",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.0",
                "revision": "r23497-6637af95aa",
                "target": "ramips/mt7621",
                "description": "OpenWrt 23.05.0 r23497-6637af95aa"
        }
}

cat /etc/config/network


config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd7b:fad4:8c61::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option peerdns '0'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option auto '0'
        option reqaddress 'try'
        option reqprefix 'auto'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'REDACTED'
        list addresses '10.7.0.2/24'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

config wireguard_wg0
        option description 'Imported peer configuration'
        option public_key 'REDACTED'
        option preshared_key 'REDACTED'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option persistent_keepalive '25'
        option endpoint_host '45.9.236.90'
        option endpoint_port '51820'


cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'


cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        list network 'wg0'
        option masq6 '1'

config forwarding
        option src 'lan'
        option dest 'vpn'


So is this a VPN service based in Ukraine? What provider is this? You should follow their instructions on getting VPN working with their servers.

Also you've leaked your Wireguard private key to the Internet in your original post. Generate a new key before doing any further attempts.

1 Like

You need to add the route_allowed_ips option to your wg config (peer config section) like this:

[quote="mirronake, post:4, topic:176015"]

config wireguard_wg0
        option description 'Imported peer configuration'
        option public_key 'REDACTED'
        option preshared_key 'REDACTED'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        route_allowed_ips '1'
        option persistent_keepalive '25'
        option endpoint_host '45.9.236.90'
        option endpoint_port '51820'

As stated earlier, it is critical that you replace your keys as they are no longer safe. As an admin, I will redact the keys from this thread to prevent any further exposure, but they should be replaced immediately even that not withstanding.

2 Likes

not helped

Ok.... let's see the latest update configs, as well as the output of

wg show

don't forget to redact the sensitive bits, this time.

1 Like

You still haven't told us what VPN provider you're using, they might have specific instructions you need to follow to get working with their service.

my vps server in ukraine

If you maintain your own VPS, it is necessary to verify the configuration on that end. One way you can verify it is to use a phone or a computer to connect -- if things connect and route as expected, then you know the VPS is theoretically configured properly. We can also take a look at the config from the VPS, if you have doubts.

1 Like

Add option route_allowed_ips '1' to the wireguard_wg0 section.
Then after Wireguard starts, check your (v4) routing table, there should be a split default route via wireguard.

You may want to try v4 only first then once that works bring up v6. I don't have as much experience with v6 wireguard as a defautl route but at the least you're going to need to add a link-local IP on the wg0 interface as that is not done automatically.