Install WireGuard-VPN

I want to set up a WireGuard VPN between two OpenWrt 22.03.5 devices. I have proceeded according to https://openwrt.org/docs/guide-user/services/vpn/wireguard/server.

For this test, both devices are connected to my local network on the WAN side.

** begin server **********************************************************

Server: Install packages

opkg update
opkg install luci-proto-wireguard # is not in the manual but is necessary in my eyes
opkg install wireguard-tools

Configuration parameters

VPN_IF="vpn" # interface name
VPN_PORT="51820" # UDP port for WireGuard
VPN_ADDR="192.168.9.1/24" # own, unique IP, in the same IP range as the server
VPN_ADDR6="fd00:9::1/64"

Server: Generate keys

umask go=
wg genkey | tee wgserver.key | wg pubkey > wgserver.pub
wg genkey | tee wgclient.key | wg pubkey > wgclient.pub
wg genpsk > wgclient.psk

Server private key

VPN_KEY="$(cat wgserver.key)" # Server private key
VPN_PSK="$(cat wgclient.psk)" # Pre-shared key
VPN_PUB="$(cat wgclient.pub)" # Client public key

Server: Configure firewall

uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci del_list firewall.lan.network="${VPN_IF}"
uci add_list firewall.lan.network="${VPN_IF}"
uci -q delete firewall.wg
uci set firewall.wg="rule"
uci set firewall.wg.name="Allow-WireGuard"
uci set firewall.wg.src="wan"
uci set firewall.wg.dest_port="${VPN_PORT}"
uci set firewall.wg.proto="udp"
uci set firewall.wg.target="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart
Server: here I get this:
Section @include[0] is not marked as compatible with fw4, ignoring section
Section @include[0] requires 'option fw4_compatible 1' to be considered compatible

Server: Configure network

uci -q delete network.${VPN_IF}
uci set network.${VPN_IF}="interface"
uci set network.${VPN_IF}.proto="wireguard"
uci set network.${VPN_IF}.private_key="${VPN_KEY}"
uci set network.${VPN_IF}.listen_port="${VPN_PORT}"
uci add_list network.${VPN_IF}.addresses="${VPN_ADDR}"
uci add_list network.${VPN_IF}.addresses="${VPN_ADDR6}"

Server: Add VPN peers

uci -q delete network.wgclient
uci set network.wgclient="wireguard_${VPN_IF}"
uci set network.wgclient.public_key="${VPN_PUB}"
uci set network.wgclient.preshared_key="${VPN_PSK}"
uci add_list network.wgclient.allowed_ips="${VPN_ADDR%.*}.2/32"
uci add_list network.wgclient.allowed_ips="${VPN_ADDR6%:*}:2/128"
uci commit network
/etc/init.d/network restart
** end server ************************************************************

According to https://openwrt.org/docs/guide-user/services/vpn/wireguard/client
** begin client **********************************************************

Client: Install packages

opkg update
opkg install luci-proto-wireguard # is not in the manual but is necessary in my eyes
opkg install wireguard-tools

copy wgclient.key, wgclient.psk, wgserver.pub from server

Client Configuration parameters

VPN_IF="vpn" # interface name
VPN_SERV="SERVER_ADDRESS" # IP address of the server
VPN_PORT="51820" # UDP port for WireGuard
VPN_ADDR="192.168.9.2/24" # own, unique IP, in the same IP range as the server
VPN_ADDR6="fd00:9::2/64"

Client Configure firewall

uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci del_list firewall.wan.network="${VPN_IF}"
uci add_list firewall.wan.network="${VPN_IF}"
uci commit firewall
/etc/init.d/firewall restart
Client: here I get this:
Section @include[0] is not marked as compatible with fw4, ignoring section
Section @include[0] requires 'option fw4_compatible 1' to be considered compatible

Client: Configure network

uci -q delete network.${VPN_IF}
uci set network.${VPN_IF}="interface"
uci set network.${VPN_IF}.proto="wireguard"
uci set network.${VPN_IF}.private_key="${VPN_KEY}"
uci add_list network.${VPN_IF}.addresses="${VPN_ADDR}"
uci add_list network.${VPN_IF}.addresses="${VPN_ADDR6}"

Client: Add VPN peers

uci -q delete network.wgserver
uci set network.wgserver="wireguard_${VPN_IF}"
uci set network.wgserver.public_key="${VPN_PUB}"
uci set network.wgserver.preshared_key="${VPN_PSK}"
uci set network.wgserver.endpoint_host="${VPN_SERV}"
uci set network.wgserver.endpoint_port="${VPN_PORT}"
uci set network.wgserver.route_allowed_ips="1"
uci set network.wgserver.persistent_keepalive="25"
uci add_list network.wgserver.allowed_ips="0.0.0.0/0"
uci add_list network.wgserver.allowed_ips="::/0"
uci commit network
/etc/init.d/network restart
** end client ************************************************************

After this procedure and reboot of both devices I have this situation:

Good:
VPN interface is there and has the correct IP (server 192.168.9.1, client 192.168.9.2).
On the client the VPN interface is in a zone with WAN.
On the server, the VPN interface is in a zone with LAN.

The problem:
No VPN tunnel is established, example: no ping from client to 192.168.80.1
In LuCI, under Status, the menu item "WireGuard" does not appear.

Question:
Where is the problem?
Or how can I proceed to find the error?

As for WireGuard, I am unfortunately a novice. I have tried to explain everything. Probably you need more information, which I will gladly send.

best regards
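As an added troubleshooting helper (not part of the original post or the OpenWrt wiki), this POSIX shell function reads the output of `wg show vpn dump` and answers the two questions behind a failed ping: does any peer list the target in its allowed-ips at all, and if so, has that peer ever completed a handshake? It assumes the wireguard-tools dump format and IPv4 targets; the dump used for testing is constructed.

```shell
#!/bin/sh
# wg_diag DUMP TARGET [NOW] [MAXAGE]
# DUMP is the text of `wg show <iface> dump` (wireguard-tools). Assumed format:
#   line 1: private-key public-key listen-port fwmark        (the interface)
#   then one line per peer:
#   pubkey psk endpoint allowed-ips(comma-separated) latest-handshake rx tx keepalive
# latest-handshake is a UNIX timestamp, 0 if the peer never completed one.
# Exits 0 only if some peer routes TARGET and handshook within MAXAGE seconds;
# otherwise prints why and exits 1. IPv4 targets only.
wg_diag() {
    printf '%s\n' "$1" | awk -v target="$2" -v now="${3:-$(date +%s)}" -v maxage="${4:-180}" '
    function ip2n(ip,  a) { split(ip, a, "."); return ((a[1]*256+a[2])*256+a[3])*256+a[4] }
    # CIDR test without bitwise operators (busybox awk has none): compare the
    # high-order bits by integer-dividing both addresses by 2^(32-prefix).
    function in_cidr(ip, cidr,  p, shift) {
        if (cidr !~ /^[0-9.]+\/[0-9]+$/) return 0   # skips IPv6 and "(none)"
        split(cidr, p, "/"); shift = 2 ^ (32 - p[2])
        return int(ip2n(ip) / shift) == int(ip2n(p[1]) / shift)
    }
    NR == 1 { next }                                # interface header line
    {
        n = split($4, cidrs, ","); covers = 0
        for (i = 1; i <= n; i++) if (in_cidr(target, cidrs[i])) covers = 1
        if (!covers) next
        routed = 1; id = substr($1, 1, 8)
        if ($5 == 0) {
            printf "peer %s... routes %s but never completed a handshake (check endpoint and UDP %s reachability)\n", id, target, "port"
            next
        }
        if (now - $5 > maxage) {
            printf "peer %s... routes %s but last handshake was %ds ago\n", id, target, now - $5
            next
        }
        printf "OK: peer %s... routes %s, handshake %ds ago via %s\n", id, target, now - $5, $3
        ok = 1
    }
    END {
        if (!routed) printf "no peer lists %s in allowed-ips, so it is not routed into the tunnel\n", target
        exit ok ? 0 : 1
    }'
}
```

Run it on the server as `wg_diag "$(wg show vpn dump)" 192.168.9.2`; a never-handshaking peer points at the endpoint or the firewall rule, while an unrouted target points at allowed_ips.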

Did you install luci-app-wireguard as well, or only luci-proto-wireguard ?

192.168.80.1 is not referenced anywhere in your configuration. Does that IP address exist on your network, and is it active and able to respond to ICMP ECHO REQUEST traffic?

Any chance your ISP has you behind a CGNAT barrier?

that worked! Thank you for your help!

1 Like

Your answer showed me the way. I had used the LAN IP as VPN destination IP. This was of course wrong. Thanks for your help!

1 Like

You're welcome. Glad it's working now.
