Luci IP refuses to connect Android

As the title suggests, Chrome works fine when entering the router IP, but with Chrome on Android I get the message "192.168.x.x refused to connect".

Likewise, WireGuard connects to my server fine on Mac, but on Android I get the error "Wg turnon returned -1"...

Sounds like it may be an issue with the Android device, since everything else is working. But you haven't given much information about the configuration.

Does the Android device connect to the OpenWrt wifi SSID properly? Does it have normal internet connectivity?

What is the output of:

ubus call system board

It does connect to the SSID fine and has internet connectivity. Where would I enter that command? Terminal on mac?

yes... ssh into the router (likely at 192.168.1.1, root is the username, password is whatever you set), then issue the command.

I am getting the following error:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!

Someone could be eavesdropping on you right now (man-in-the-middle attack)!

It is also possible that a host key has just been changed.

The fingerprint for the XXXXXXX key sent by the remote host is

SHA256:xxxxxxxxxxxxxxx.

Please contact your system administrator.

Add correct host key in /Users/alexmanessi/.ssh/known_hosts to get rid of this message.

Offending XXXXXXXX key in /.ssh/known_hosts:2

XXXXXXX host key for 192.168.X.X has changed and you have requested strict checking.

There is no need to redact the rfc1918 addresses.

Issue the following command on your Mac:

ssh-keygen -R 192.168.1.1

Then try connecting again. That warning is normal after the router has been reflashed or reset, since a new host key is generated then; it only needs a closer look if nothing like that happened to the router.

Thanks!

root@OpenWrt:~# ubus call system board
{
	"kernel": "5.10.146",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7628AN ver:1 eco:2",
	"model": "Xiaomi Mi Router 4C",
	"board_name": "xiaomi,mi-router-4c",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.2",
		"revision": "r19803-9a599fee93",
		"target": "ramips/mt76x8",
		"description": "OpenWrt 22.03.2 r19803-9a599fee93"
	}
}

ok... let's see the configs from that router:

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
cat /etc/config/uhttpd

uhhh, this is not a configuration problem with openwrt.

you could say "it's an SSL problem, where chrome doesn't like either your plain http LuCI, or your https certificate being self-signed".

In chrome, you've turned on "Enhanced Protection", which makes chrome on Android refuse these kinds of connections. You could click on "Advanced" and disable it / make an exception for LuCI's IP address. Or you could ditch chrome, because Google sucks and it's logging/recording all your URLs and sending them to the mothership.

Other options:
I prefer Firefox Focus on Android. It may bark a lil bit, but it's 1000x better than chrome, in my opinion as a guy who's used web browsers since the days of Netscape and Mosaic. I am older than Google.

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd0e:fd0e:fd0e::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'dhcp'

config device
	option name 'eth0.2'
	option macaddr 'XXXXXXXXX'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '4 2 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 6t'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'xxx'
	option listen_port 'xxx'
	list addresses '10.1.0.1/24'

config wireguard_wg0
	option public_key 'xxx'
	option persistent_keepalive '25'
	list allowed_ips '10.1.0.3'
	option private_key 'xxx'
	option endpoint_host 'xxx'
	option endpoint_port 'xxx'

config wireguard_wg0
	option description ''
	option public_key 'xxx'
	option private_key 'xxx'
	option persistent_keepalive '25'
	list allowed_ips '10.1.0.4'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/10300000.wmac'
	option channel '1'
	option band '2g'
	option htmode 'HT20'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'wg0'
	option interface 'wg0'
	option ignore '1'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list network 'lan'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option forward 'ACCEPT'
	option input 'ACCEPT'

config zone
	option name 'Wireguard1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list network 'wg0'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config forwarding
	option src 'Wireguard1'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'Wireguard1'

config forwarding
	option src 'Wireguard1'
	option dest 'wan'

config forwarding
	option src 'wan'
	option dest 'Wireguard1'

config rule
	option name 'Allow-Wireguard-Inbound'
	list proto 'udp'
	option src '*'
	option dest_port 'xxx'
	option target 'ACCEPT'

config redirect
	option dest 'Wireguard1'
	option target 'DNAT'
	option src_dport 'xxx'
	option dest_port 'xxx'
	option src 'lan'

root@OpenWrt:~# cat /etc/config/uhttpd

config uhttpd 'main'
	list listen_http '0.0.0.0:80'
	list listen_http '[::]:80'
	list listen_https '0.0.0.0:443'
	list listen_https '[::]:443'
	option redirect_https '0'
	option home '/www'
	option rfc1918_filter '1'
	option max_requests '3'
	option max_connections '100'
	option cert '/etc/uhttpd.crt'
	option key '/etc/uhttpd.key'
	option cgi_prefix '/cgi-bin'
	list lua_prefix '/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
	option script_timeout '60'
	option network_timeout '30'
	option http_keepalive '20'
	option tcp_keepalive '1'
	option ubus_prefix '/ubus'

config cert 'defaults'
	option days '730'
	option key_type 'ec'
	option bits '2048'
	option ec_curve 'P-256'
	option country 'ZZ'
	option state 'Somewhere'
	option location 'Unknown'
	option commonname 'OpenWrt'

Thank you, this is correct — I just tried Firefox on Android and it worked.

However, the VPN still isn't connecting on Android?

Masquerading should be disabled on the lan and the wireguard zones.

Make sure masq is disabled here, too.

This rule probably doesn't belong.

let's see the output of wg show -- please indicate which peer config is the android one.


I made a mistake: I was not actually connecting from the computer. When away from the home network, neither works.

However, a connection is being made, just with no (or very little) data transferred. I made the changes you suggested and here is the output:

wg0
  public key:xxxxxxxxxxx
  private key: (hidden)
  listening port: 0000

peer: xxxxxxxxxx
  endpoint: 00.000.000.000:0000
  allowed ips: 00.000.000.2/32
  latest handshake: 5 minutes, 32 seconds ago
  transfer: 28.47 KiB received, 10.49 KiB sent
  persistent keepalive: every 25 seconds

peer: xxxxxxxxx
  allowed ips: 000.00.000.3/32
  persistent keepalive: every 25 seconds

so which peer is the android device? peer with .2 at the end or .3?

For testing both have been using the same profile, with .2 on the end. But neither are working from outside the home network, despite some connection seemingly being achieved.

I'd recommend only working with one device. If you (accidentally) leave one of the connections activated and try the other, both will break.

let's see the latest config files from your router, plus the wireguard config file from one of the devices.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxx::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'dhcp'

config device
        option name 'eth0.2'
        option macaddr ''

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '4 2 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 6t'

config interface 'wg0'
        option proto 'wireguard'
        option private_key '"xxx'
        list addresses '0.0.0.1/24'
        option listen_port '0000'

config wireguard_wg0
        option public_key 'xxx'
        option persistent_keepalive '25'
        list allowed_ips '0.0.0.3'
        option private_key 'xxx'
        option endpoint_host 'xxx'
        option endpoint_port '0000'

config wireguard_wg0
        option description 'Phone'
        option public_key 'xxx'
        option private_key 'xxx'
        option persistent_keepalive '25'
        list allowed_ips '0.0.0.4'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'REJECT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option forward 'ACCEPT'
        option input 'ACCEPT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'Wireguard1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wg0'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config forwarding
        option src 'Wireguard1'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'Wireguard1'

config forwarding
        option src 'Wireguard1'
        option dest 'wan'

config forwarding
        option src 'wan'
        option dest 'Wireguard1'

config rule
        option name 'Allow-Wireguard-Inbound'
        list proto 'udp'
        option src '*'
        option dest_port '0000'
        option target 'ACCEPT'

Peer

Aside from the keys, did you redact any information in this section? If so, please repost with the addresses and ports unredacted (keep the keys redacted). If it hasn't been changed, there are significant problems here that we will resolve.

technically the forwarding lan > wireguard1 is not required unless devices on the lan will actually initiate connections to the remote peers. This won't cause any problems, though.

It appears that you are actually connecting this router to an upstream LAN by the lan port, correct? If so, these rules can be deleted.

And if that's the case, this rule can be deleted, too.

In the screenshot below, the addresses field doesn't need to be redacted -- it's actually important to share that. It should be an RFC1918 address and is therefore not unique or sensitive info.

Ok, I have deleted those rules and below are the outputs again with less redacted. I don't believe there is an RFC1918 issue.

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd0e:a6d9:902d::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'dhcp'

config device
        option name 'eth0.2'
        option macaddr 'redacted'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '4 2 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 6t'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'redacted'
        list addresses '10.1.0.1/24'
        option listen_port 'redacted (same as endpoint port)'

config wireguard_wg0
        option public_key 'redacted'
        option persistent_keepalive '25'
        list allowed_ips '10.1.0.3'
        option private_key 'redacted'
        option endpoint_host 'redacted'
        option endpoint_port 'redacted'

config wireguard_wg0
        option description 'Phone'
        option public_key 'redacted'
        option private_key 'redacted'
        option persistent_keepalive '25'
        list allowed_ips '10.1.0.4'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'Wireguard1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wg0'

config forwarding
        option src 'Wireguard1'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'Wireguard1'