Hi,
I watched different examples of how to configure WireGuard, but it still doesn't work.
I am running OpenWrt on a Raspberry Pi with a USB-to-LAN adapter.
Both are on the same switch, but the router network and the PC-OpenWrt network are different networks.
Another setup with a Fritzbox, with the router connection on LAN2 and LAN2 being the PC, doesn't work either.
My config, with "wrong" credentials:
What am I doing wrong?
I am using LuCI, because it seems to be easier for me.
Thank you
Please post your configs here for review:
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
wg show
ubus call system board
{
	"kernel": "5.15.167",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 3",
	"model": "Raspberry Pi 4 Model B Rev 1.1",
	"board_name": "raspberrypi,4-model-b",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.5",
		"revision": "r24106-10cc5fcd00",
		"target": "bcm27xx/bcm2711",
		"description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
	}
}
cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd81:901f:1786::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'eth0'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '9.9.9.9'
	list dns '8.8.8.8'

config interface 'WAN'
	option proto 'dhcp'
	option device 'eth1'

config device
	option name 'eth1'

config interface 'wgIF'
	option proto 'wireguard'
	option private_key ''
	list addresses '10.2.0.2/32'
	list dns '10.2.0.1'

config wireguard_wgIF
	option description 'Imported peer configuration'
	option public_key ''
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '89.39.107.161'
	option endpoint_port '51820'
cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'
	list network 'lan'
	list network 'wgIF'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'WAN'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
wg show
interface: wgIF
  public key: ##
  private key: (hidden)
  listening port: 39129

peer: ###
  endpoint: 89.39.107.161:51820
  allowed ips: 0.0.0.0/0
You've got a bunch of issues:
Change the device for the lan to br-lan instead of eth0 (you can also delete the DNS lines, as they don't do anything here):
You're missing one line from here:
Add the following line to the above peer config:
option route_allowed_ips '1'
Remove the wgIF from the lan firewall zone below. You can also remove the mtu_fix line:
Add the wgIF network to the wan firewall zone:
Finally, you're not getting a handshake:
This usually means there is an error with the keys, date/time, or general connectivity. If you've used this same wireguard config on another device, make sure that it is off/deactivated so that it doesn't conflict.
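The changes listed in this reply, applied over ssh with uci instead of clicking through LuCI, as an added example that is not code from the thread or from OpenWrt. It prints the uci commands first so they can be read, and only runs them when it finds uci and the section layout it assumes: the lan zone is firewall.@zone[0], the wan zone is firewall.@zone[1] and the single peer is network.@wireguard_wgIF[0], exactly as in the posted files. On a box laid out differently, edit the plan before running it.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenWrt): apply the fixes from the
# reply above with uci. Assumes the posted layout: lan zone = firewall.@zone[0],
# wan zone = firewall.@zone[1], the one peer = network.@wireguard_wgIF[0].

# Emit the plan as text so it can be reviewed before anything is changed.
# Deletes are tolerant and the wan-zone entry is removed before it is added,
# so running the plan twice leaves the same result.
wg_fix_plan() {
	cat <<'EOF'
uci set network.lan.device='br-lan'
uci -q delete network.lan.dns || true
uci set 'network.@wireguard_wgIF[0].route_allowed_ips=1'
uci -q del_list 'firewall.@zone[0].network=wgIF' || true
uci -q delete 'firewall.@zone[0].mtu_fix' || true
uci -q del_list 'firewall.@zone[1].network=wgIF' || true
uci add_list 'firewall.@zone[1].network=wgIF'
uci commit network
uci commit firewall
EOF
}

# Refuse to touch a box whose sections are not where the plan expects them.
wg_fix_preflight() {
	[ "$(uci -q get 'firewall.@zone[0].name')" = "lan" ] &&
	[ "$(uci -q get 'firewall.@zone[1].name')" = "wan" ] &&
	[ "$(uci -q get network.wgIF.proto)" = "wireguard" ]
}

# Run the plan and make netifd and the firewall pick up the new config.
wg_fix_apply() {
	if ! wg_fix_preflight; then
		echo "config layout differs from the posted one; edit wg_fix_plan first" >&2
		return 1
	fi
	wg_fix_plan | sh -e || return 1
	/etc/init.d/network reload
	/etc/init.d/firewall reload
}

if command -v uci >/dev/null 2>&1; then
	wg_fix_apply
else
	echo "# uci not found: run this on the OpenWrt device. Planned commands:"
	wg_fix_plan
fi
```

After the reload, the peer with allowed_ips 0.0.0.0/0 and route_allowed_ips set gets a default route through wgIF, and netifd keeps a host route to the endpoint via the physical WAN by default (the interface option nohostroute turns that off), which is what stops the tunnel from trying to reach its own endpoint through itself. Moving wgIF into the wan zone, which has masq '1', is what NATs the lan clients behind the tunnel's single 10.2.0.2/32 address; left in the lan zone they would be forwarded into the tunnel with their 192.168.1.x source addresses and nothing would come back.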
zytos
February 1, 2025, 7:03pm
example of configuration may be
I understand how the configuration is supposed to work.
Did you make the changes I suggested? In addition to those, you need to figure out why you're not getting a handshake.
Make the requested changes, restart, and try again. It could be an issue with the date/time; if it doesn't work, let's see the output of:
wg show
date
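A check for the two questions the replies above keep returning to, the missing handshake and the clock, as an added example that is not from the thread. It reads `wg show wgIF latest-handshakes`, whose second column is the epoch time of the last completed handshake (0 if there never was one), and compares the clock with a floor you know the firmware postdates. The sample lines are constructed, the peer key in them is a placeholder, and the floor value and the interface name wgIF are assumptions taken from the posted config. The clock matters because a WireGuard handshake initiation carries a TAI64N timestamp and the responder drops any initiation whose timestamp is not newer than the last one it accepted from that key; a Raspberry Pi has no RTC, so after a reboot it can sit at a stale date until NTP moves it forward, and the server's silence then looks exactly like a key or connectivity problem.

```shell
#!/bin/sh
# Added example (not from the thread): is there a live WireGuard session on
# wgIF, and is the clock plausible? Assumptions: interface name wgIF as in the
# posted config; the peer key below is a placeholder; CLOCK_FLOOR is any
# instant the firmware is known to postdate (here 2023-11-14 UTC).

CLOCK_FLOOR=1700000000

# Constructed lines in the format of `wg show wgIF latest-handshakes`:
# "<peer public key><TAB><epoch seconds of last handshake, 0 if none>".
SAMPLE_NO_HANDSHAKE="$(printf 'PLACEHOLDERpeerPUBLICkeyDoNotUse=\t0')"
SAMPLE_OK="$(printf 'PLACEHOLDERpeerPUBLICkeyDoNotUse=\t1738437780')"

# Read latest-handshakes lines on stdin; $1 is the current epoch time.
# Exit status: 0 = some peer handshook within the last 180 s (the lifetime of
# a WireGuard session), 1 = only stale handshakes, 2 = never handshook.
wg_handshake_status() {
	now="$1"
	hs_rc=2
	while read -r peer ts; do
		[ -n "$ts" ] || continue
		if [ "$ts" -eq 0 ]; then
			echo "peer ${peer}: no handshake yet"
			continue
		fi
		age=$((now - ts))
		if [ "$age" -le 180 ]; then
			echo "peer ${peer}: handshake ${age}s ago, session valid"
			hs_rc=0
		else
			echo "peer ${peer}: last handshake ${age}s ago, stale"
			[ "$hs_rc" -eq 0 ] || hs_rc=1
		fi
	done
	return "$hs_rc"
}

# True when the clock ($1) is at or after the floor ($2). The responder
# rejects initiations whose TAI64N timestamp is not newer than the last one
# it accepted from this key, so a box that booted into the past gets no reply.
wg_clock_sane() {
	[ "$1" -ge "$2" ]
}

if command -v wg >/dev/null 2>&1; then
	now=$(date +%s)
	wg_clock_sane "$now" "$CLOCK_FLOOR" ||
		echo "clock reads $(date); fix the time (ntpd) before suspecting the keys" >&2
	wg show wgIF latest-handshakes | wg_handshake_status "$now"
else
	# Offline demo on the constructed samples.
	printf '%s\n' "$SAMPLE_NO_HANDSHAKE" | wg_handshake_status 1738437800
	printf '%s\n' "$SAMPLE_OK" | wg_handshake_status 1738437800
fi
```

On the device the exit status of the last pipeline is what a cron job or a watchdog would look at; a 2 with a sane clock points at the keys or at the endpoint being unreachable (or at the same config still running on another machine, as the reply notes), while a 1 after traffic has stopped is normal, since WireGuard only re-handshakes when there is something to send.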
Thank you very much, Peter,
It works now.
If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!
system
Closed
February 12, 2025, 4:49pm
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.