Hello!
Please help me to configure my WireGuard VPN server and client!
I worked on it for a couple of days but still have no results...
With the current configuration on both the server and the client I managed to obtain only:
- The server can't ping the client;
- A PC from my LAN with the IP address 192.168.1.5, behind the OpenWrt router, can ping both the VPN server on the 10.6.0.1 address and the local OpenWrt router on the 10.6.0.11 address.
I want to be able to redirect all the traffic of my LAN through the MVPS WireGuard server, and I also want to be able to connect to my LAN through the MVPS WireGuard server from a remote location using a laptop with the WireGuard client installed.
Please tell me the MTU value used on MVPS.NET servers and please tell me what my server's DNS address is.
I attached a diagram of my LAN network and the configuration for the VPN server, the VPN client and the firewall on the server. The file is at this link: https://we.tl/t-zjlJ2BAh2U
The server is running Ubuntu 22, the router client is running OpenWrt 22 and the laptop is running Windows 10.
Please help me to solve my problem!
Thank you very much!
Please post your images in the forum directly -- it is much better to have the images in-line than to use external links. Please remove those links.
For your questions about mvps, you should look to them for support. This forum doesn't offer support for other services.
It's not clear to me how mvps is involved here (maybe your diagram shows that, but I'm not willing to click on those links)... where is the ubuntu server in the equation?
Is the laptop simply a host behind the OpenWrt router, or are you asking for support for that, too?
If you have issues with wireguard (or any openwrt issue), you need to post your config so that people can understand the context.
Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
cat /etc/config/network
cat /etc/config/firewall
And you'll also need to post the 'server' configuration.
Sorry for the confusion!
I didn't know about the possibility to upload images here, on this forum!
Here is my network diagram, the OpenWrt client configuration and the laptop configuration.
My Ubuntu 22 server is hosted by MVPS.NET.
Thank you for understanding!
#UBUNTU SERVER 22 WG0.CONF FILE
[Interface]
Address = 10.6.0.1/24
MTU = 1360
SaveConfig = true
# NAT tunnel traffic leaving the public interface: the rules are inserted once in
# PostUp and deleted again in PreDown (the former extra PreUp append of the same
# MASQUERADE rule was removed, since it was never deleted and left a duplicate
# rule behind on every restart)
PostUp = ufw route allow in on wg0 out on eth0
PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PostUp = ip6tables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on eth0
PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PreDown = ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 33333
PrivateKey = SERVER PRIVATE KEY ZZZZZZZZZZZZZZZZZZZZZZZZ
#THIS IS THE OPENWRT ROUTER CLIENT
[Peer]
PublicKey = OPENWRT CLIENT PUBLIC KEY XXXXXXXXXXXXXXXXXXXXXXXX
AllowedIPs = 10.6.0.11/24
#THIS IS THE LAPTOP RUNNING WINDOWS CLIENT
[Peer]
PublicKey = WINDOWS CLIENT PUBLIC KEY YYYYYYYYYYYYYYYYYYYYYYYYYYY
AllowedIPs = 10.6.0.124/24
I have a similar setup, made just last week; it is between two routers running OpenWrt, one configured as a server and the other as a WG client, and I wanted to connect both sides.
I believe it is sometimes referred to as a site-to-site setup.
For that I needed to open up the firewall on the client side to allow traffic:
config zone
	option name 'VPN_s_to_s'
	option output 'ACCEPT'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	list network 'wg0'
	option masq '1'

config forwarding
	option dest 'lan'
	option src 'VPN_s_to_s'

config forwarding
	option src 'lan'
	option dest 'VPN_s_to_s'
I added the Masq option for you, although it is not necessary if you set a static return route on the Ubuntu server and also set the router's subnet under Allowed IPs.
Furthermore, you sometimes have to open up the firewall of your local LAN clients to allow traffic from 10.6.0.0/24, or alternatively masquerade traffic from 10.6.0.0/24 going out of br-lan.
I am new to OpenWrt, so maybe wait till the more experienced users chime in.
To add: on your Ubuntu server use /32 instead of /24 for the Allowed IPs, e.g. 10.6.0.11/32, but add the router's local subnet 192.168.1.0/24 to the router's Allowed IPs; this will also give you a (return) route to the router's local LAN clients, e.g.
Allowed IPs: 10.6.0.11/32, 192.168.1.0/24
Yes on the server the different client's allowed_ips cannot overlap. For an IPv4 road warrior, it is typical to allow a /32 for each client, with the server wireguard interface holding a /24 which covers all the clients. On the client use one IP in the /24 with a 24 netmask, this automatically installs a route to the other clients. Though that isn't necessary if (as is typical for a road warrior) the VPN is routing 0.0.0.0/0 anyway.
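The rule in the two replies above (one /32 per peer on the server, the router's LAN prefix added to the router peer so the server has a return route, and no overlap between peers) as an added Python check. This is not code from the original thread or from WireGuard; it parses a constructed copy of the posted server config, and the placeholder keys, the assumption that the first peer is the OpenWrt router fronting 192.168.1.0/24, and the function names are mine:

```python
"""Spot overlapping AllowedIPs in a WireGuard server config and emit the
/32-per-peer form (plus the router's LAN prefix) that the replies above
recommend.  Added example; not code from the original thread."""
import ipaddress

# Constructed sample built from the server config posted in the thread,
# keeping its overlapping /24 AllowedIPs.  Keys are placeholders.
SAMPLE_CONF = """\
[Interface]
Address = 10.6.0.1/24
ListenPort = 33333
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER

#THIS IS THE OPENWRT ROUTER CLIENT
[Peer]
PublicKey = OPENWRT_CLIENT_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.6.0.11/24

#THIS IS THE LAPTOP RUNNING WINDOWS CLIENT
[Peer]
PublicKey = WINDOWS_CLIENT_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.6.0.124/24
"""

# Assumption: this peer is the OpenWrt router and it fronts 192.168.1.0/24.
ROUTER_KEY = "OPENWRT_CLIENT_PUBLIC_KEY_PLACEHOLDER"
ROUTER_LAN = ipaddress.ip_interface("192.168.1.0/24")


def parse_conf(text):
    """Return (tunnel_subnet, peers); peers is a list of
    (public_key, [ip_interface, ...]) taken from each [Peer] section."""
    tunnel = None
    peers = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            current = {"PublicKey": None, "AllowedIPs": []} if line.lower() == "[peer]" else None
            if current is not None:
                peers.append(current)
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if current is None:
            if key == "Address":  # server tunnel subnet from [Interface]
                tunnel = ipaddress.ip_interface(value.split(",")[0].strip()).network
        elif key == "PublicKey":
            current["PublicKey"] = value
        elif key == "AllowedIPs":
            current["AllowedIPs"] += [ipaddress.ip_interface(v.strip())
                                      for v in value.split(",") if v.strip()]
    return tunnel, [(p["PublicKey"], p["AllowedIPs"]) for p in peers]


def find_overlaps(peers):
    """Pairs of peers whose AllowedIPs networks overlap.  wg(8) masks the host
    bits, so 10.6.0.11/24 and 10.6.0.124/24 are both 10.6.0.0/24; WireGuard
    moves the prefix to the peer added last and then drops the other peer's
    packets as not being in its AllowedIPs."""
    clashes = []
    for idx, (key_a, nets_a) in enumerate(peers):
        for key_b, nets_b in peers[idx + 1:]:
            for a in nets_a:
                for b in nets_b:
                    if a.network.overlaps(b.network):
                        clashes.append((key_a, key_b, str(a.network), str(b.network)))
    return clashes


def corrected_peers(tunnel, peers, router_key=ROUTER_KEY, router_lan=ROUTER_LAN):
    """Narrow every tunnel-subnet entry to a single host (/32 or /128) and add
    the router's LAN prefix to the router peer so the server gets a return
    route to hosts behind it.  Prefixes outside the tunnel pass through."""
    fixed = []
    for key, entries in peers:
        allowed = []
        for entry in entries:
            if entry.ip in tunnel:
                allowed.append(ipaddress.ip_interface(f"{entry.ip}/{entry.ip.max_prefixlen}"))
            else:
                allowed.append(entry)
        if key == router_key and router_lan not in allowed:
            allowed.append(router_lan)
        fixed.append((key, allowed))
    return fixed


def render_peers(peers):
    """Render [Peer] stanzas in wg-quick syntax."""
    lines = []
    for key, entries in peers:
        lines += ["[Peer]", f"PublicKey = {key}",
                  "AllowedIPs = " + ", ".join(str(e) for e in entries), ""]
    return "\n".join(lines)


if __name__ == "__main__":
    tunnel, peers = parse_conf(SAMPLE_CONF)
    for key_a, key_b, net_a, net_b in find_overlaps(peers):
        print(f"overlap: {key_a} {net_a} vs {key_b} {net_b}")
    print(render_peers(corrected_peers(tunnel, peers)))
```

Run it against your own wg0.conf by swapping the constant for the file's contents; the only peer-specific assumption is which public key belongs to the router, and the output stanzas are what egc's reply spells out: 10.6.0.11/32, 192.168.1.0/24 for the router and 10.6.0.124/32 for the laptop.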
OK good so far. Note that every node in your system must use its own unique private key. Do not share key pairs, it will not work. For best security, each private key should be locally generated and never copied outside of the one system that uses it.
I don't know why people keep including this, as it does nothing. peerdns is applicable to protocols like DHCP or PPPoE that allow the other end to push a DNS server advertisement. WireGuard does not push configurations through the tunnel, so the concept of using or ignoring a pushed configuration is moot.
The system DNS is usually set on the wan interface. A road warrior will forward all Internet usage (including DNS) through the wireguard tunnel anyway.
Use 10.190.190.X/24 in the interfaces. (In the peers, allowed_ip is the /32 of only the one peer)
The second line is completely wrong, remove it. That subnet already exists on lan, you can't use overlapping IPs on two interfaces.
Like the v4 backbone IPs, use a /64 on the interface and /128 in the peer section.
Sorry, but I am confused!
The previous message from user egc told me:
"but add in the routers Allowed IPs: its local subnet 192.168.1.0/24 this will also give you a (return) route to the routers local LAN clients e.g.
Allowed IPs: 10.6.0.11/32, 192.168.1.0/24"
So, I added this line: list addresses '192.168.1.0/24'.
Can somebody provide some real help to solve my problem described in the first message and above images ?