Luci generates wrong peer config

I am running my OpenWrt One (current release) via WLAN as a client behind the ISP router, and there it has the static IP address 192.168.2.7. WireGuard's port is forwarded in the ISP router to my router. I am using a dynamic DNS service and let's assume my endpoint host is "my.host.net".

When I create a peer configuration for e.g. my smartphone, the endpoint in Luci's peer config is substituted by the IP address of my router in the ISP router's subnet (192.168.2.7). This caused a lot of frustration during my testing.

But even if I correct the endpoint to the correct value and create a tunnel on my phone by scanning the QR code, the tunnel is not established and I cannot see the endpoint's name in the log of my phone.

Any ideas?

How are you testing?

As I have written in my problem description, Wireguard's port is forwarded to my One.

I have tested scanning Luci's QR code with my phone, and then tried to establish the tunnel.

That doesn't actually say anything about how you're testing it ...

You have to manually alter that, the router cannot know that.
See my notes on how to set up a WireGuard server, hopefully those are helpful:


It has to forward in from an outside network on the Internet like you will be in the field. This means turn off the wifi in the phone so it uses the cell connection not your house wifi.


Please give me a few seconds to read the docs :roll_eyes:


Many thanks @egc for the link to your helpful hints. Finally, I could establish a tunnel from my tablet to the router and access my Proxmox cluster. Unfortunately, there are two open issues:

  • there is no name resolution - I can access intranet systems only by IP address, not by hostname
  • when the tunnel is established, I cannot access the internet from the client

What do I have to change in my configuration?

Network config

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd52:9fa4:1fed::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan6'
	option device 'eth1'
	option proto 'none'

config interface 'wwan'
	option proto 'static'
	option ipaddr '192.168.2.7'
	option netmask '255.255.255.0'

config route
	option interface 'wwan'
	option target '0.0.0.0/0'
	option gateway '192.168.2.1'

config device
	option name 'br-wan'
	option type 'bridge'

config interface 'wgserver'
	option proto 'wireguard'
	option private_key 'privatewgserverkey='
	option listen_port '51810'
	list addresses '192.168.101.1/24'

config device 'guest_dev'
	option type 'bridge'
	option name 'br-guest'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	list ipaddr '192.168.3.1/24'

config wireguard_wgserver
	option description 'R-Fon'
	option public_key 'publicclientkey='
	option private_key 'privateclientkey='
	list allowed_ips '192.168.101.2/32'
	option route_allowed_ips '1'
	option endpoint_port '51810'
	option persistent_keepalive '25'

config wireguard_wgserver
	option description 'R-Tablet'
	option public_key 'publicclientkey='
	option private_key 'privateclientkey='
	option route_allowed_ips '1'
	option endpoint_port '51810'
	option persistent_keepalive '25'
	list allowed_ips '192.68.101.3/32'

Firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'guest'
	option name 'guest'
	option network 'guest'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wgserver'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan6'
	list network 'wwan'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding 'guest_wan'
	option src 'guest'
	option dest 'wan'

config zone
	option name 'wgserver'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'wgserver'

config forwarding
	option src 'lan'
	option dest 'wgserver'
	
config forwarding
	option src 'wgserver'
	option dest 'lan'
	
config forwarding
	option src 'wgserver'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	
config rule 'guest_dns'
	option name 'Allow-DNS-Guest'
	option src 'guest'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

config rule 'guest_dhcp'
	option name 'Allow-DHCP-Guest'
	option src 'guest'
	option dest_port '67'
	option proto 'udp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-Wireguard'
	list proto 'udp'
	option src 'wan'
	option dest_port '51810'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'HTTP'
	list proto 'tcp'
	option src 'wan'
	option src_dport '8080'
	option dest_ip '192.168.1.20'
	option dest_port '80'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'HTTPS'
	list proto 'tcp'
	option src 'wan'
	option src_dport '443'
	option dest_ip '192.168.1.20'
	option dest_port '443'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'PVE-Cluster'
	list proto 'tcp'
	option src 'wan'
	option src_dport '8006'
	option dest_ip '192.168.1.11'
	option dest_port '8006'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'PBS'
	list proto 'tcp'
	option src 'wan'
	option src_dport '8007'
	option dest_ip '192.168.1.30'
	option dest_port '8007'

One remark from my side about your documentation: Luci seems to store parameters, at least sometimes, in random order. I had a 'mental hiccup' reading the 'config forwarding' statements for the firewall. My recommendation is not just to copy and paste the statements, but to put the src and dest parameters in the same sequence.

Excellent suggestion, will take care of that, thanks!

In one of the WGPeers there is a typo:

For your peers to get internet access you need a forwarding rule from the wgserver zone to the wan zone, but there is one, so that actually should work.

Things to check:
Did you reboot the router?
Do you test from outside, e.g. with your phone/tablet on cellular?

If that does not help, maybe it is related to the fact that there is no wan but only a wwan interface?

Can you show the output of:

ip route show

About dnsmasq there are some pointers in the guide:

DNS server: by default your router's IP address; not all clients can deal with this (rebind protection; using the wgserver's interface IP (172.22.22.1) might help), but your router might not listen on the wgserver's interface or only listen for local subnets (option localservice '0'), so to be sure that you have DNS resolution use 1.1.1.1. But if you have set up DNS hijacking (either manually or through e.g. Adblock or https-dns-proxy) that might also play tricks.


Oh silly me! I have found the reason:

I am using AdGuard Home as the primary resolver (port 53), and the not-filtered requests are forwarded to dnsmasq via port 5353, which handles the local addresses by reading /etc/hosts. The remaining requests are then handed over to some internet DNS servers.

My /etc/adguard.yaml originally looked like

dns:
...
  allowed_clients:
    - 192.168.1.0/24
    - 127.0.0.1
 ...

Better is:

dns:
...
  allowed_clients:
    - 192.168.0.0/16
    - 127.0.0.1
 ...

The problem did not occur with my guest WLAN because for this subnet I do not use any internal DNS service.

Thanks for your support!
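The thread ends up with two small configuration mistakes: a mistyped `allowed_ips` in one WireGuard peer (flagged in the reply above) and an AdGuard Home `allowed_clients` list that did not cover the tunnel subnet. Both are easy to catch mechanically. The checker below is an added example, not code from the thread, from OpenWrt or from AdGuard Home; it parses a constructed excerpt of the posted `/etc/config/network`, reports every peer whose `allowed_ips` lies outside its interface's tunnel subnet, and then tests which tunnel client addresses the before/after `allowed_clients` lists would refuse. The UCI parser is a minimal one written for this example (it only understands `config`, `option` and `list` lines), and the address lists are the ones shown in the thread.

```python
import ipaddress
import shlex

# Constructed excerpt of the network config posted above: the wgserver
# interface plus its two peers, keeping the typo in the second peer's allowed_ips.
NETWORK_CONFIG = """
config interface 'wgserver'
	option proto 'wireguard'
	option private_key 'privatewgserverkey='
	option listen_port '51810'
	list addresses '192.168.101.1/24'

config wireguard_wgserver
	option description 'R-Fon'
	option public_key 'publicclientkey='
	list allowed_ips '192.168.101.2/32'
	option route_allowed_ips '1'

config wireguard_wgserver
	option description 'R-Tablet'
	option public_key 'publicclientkey='
	option route_allowed_ips '1'
	list allowed_ips '192.68.101.3/32'
"""

# AdGuard Home dns.allowed_clients as posted: the original list and the corrected one.
ADGUARD_BEFORE = ["192.168.1.0/24", "127.0.0.1"]
ADGUARD_AFTER = ["192.168.0.0/16", "127.0.0.1"]


def parse_uci(text):
    """Minimal UCI parser (example code): returns a list of sections, each a dict
    with 'type', 'name' (None for anonymous sections) and 'options' mapping a key
    to the list of its values (options and lists are stored the same way)."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)          # handles the single-quoted values
        if tokens[0] == "config":
            current = {"type": tokens[1],
                       "name": tokens[2] if len(tokens) > 2 else None,
                       "options": {}}
            sections.append(current)
        elif tokens[0] in ("option", "list") and current is not None:
            current["options"].setdefault(tokens[1], []).append(tokens[2])
    return sections


def check_peer_allowed_ips(text):
    """Return {peer description: [problem, ...]} for every WireGuard peer whose
    allowed_ips is not inside the tunnel subnet of its interface. With
    route_allowed_ips '1' such an entry also adds a bogus route on the router."""
    sections = parse_uci(text)
    subnets = {}  # interface name -> list of tunnel networks
    for s in sections:
        if s["type"] == "interface" and s["options"].get("proto") == ["wireguard"]:
            subnets[s["name"]] = [ipaddress.ip_network(a, strict=False)
                                  for a in s["options"].get("addresses", [])]
    problems = {}
    for s in sections:
        if not s["type"].startswith("wireguard_"):
            continue
        nets = subnets.get(s["type"][len("wireguard_"):], [])
        desc = s["options"].get("description", ["?"])[0]
        for entry in s["options"].get("allowed_ips", []):
            net = ipaddress.ip_network(entry, strict=False)
            if not any(net.version == n.version and net.subnet_of(n) for n in nets):
                problems.setdefault(desc, []).append(
                    f"{entry} is outside {', '.join(map(str, nets))}")
    return problems


def dns_clients_refused(allowed_clients, client_addrs):
    """Return the client addresses matched by no allowed_clients entry; AdGuard Home
    refuses queries from such sources, which is what broke name resolution here."""
    allowed = [ipaddress.ip_network(c, strict=False) for c in allowed_clients]
    return [a for a in client_addrs
            if not any(ipaddress.ip_address(a) in n for n in allowed)]


if __name__ == "__main__":
    print("peer problems:", check_peer_allowed_ips(NETWORK_CONFIG))
    tunnel_clients = ["192.168.101.2", "192.68.101.3"]
    print("refused before:", dns_clients_refused(ADGUARD_BEFORE, tunnel_clients))
    print("refused after: ", dns_clients_refused(ADGUARD_AFTER, tunnel_clients))
```

Running it reports the R-Tablet peer as the one outside 192.168.101.0/24, shows that the original `allowed_clients` refused every tunnel client, and that the widened list still refuses the mistyped 192.68.101.3, so both fixes are needed before every peer gets working internal DNS.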

Great you solved it, that is why in my pointers it states:

:slight_smile:
