My Wireguard setup is not working, need a second pair of eyes

This is my first time trying to set up WireGuard on my home's router.

After following an old but seemingly comprehensive guide found on Reddit, I am stuck and need a second pair of eyes on what I am doing.

What doesn't work is – simply pinging 8.8.8.8 after connecting my phone to the WireGuard VPN. (I'm using the termux app on Android.)

Can someone spot what's wrong with the configs here? If something is missing, I will update the post with more info. In the meantime, I've contacted my ISP to rule out the possibility that UDP ports are getting blocked, inspired by this – they confirmed they are not blocking.

Perhaps there are known ways / a checklist to diagnose possible issues with WireGuard?

In the end, this is what I've got:

  1. OpenWrt:

    root@OpenWrt:~# uci show | grep -e 'network.@wireguard_homevpn[0]' -e 'homevpn' -e '@rule\[9\]' -e '@zone\[0\]'
    firewall.@zone[0]=zone
    firewall.@zone[0].name='lan'
    firewall.@zone[0].input='ACCEPT'
    firewall.@zone[0].output='ACCEPT'
    firewall.@zone[0].forward='ACCEPT'
    firewall.@zone[0].network='lan homevpn'
    firewall.@rule[9]=rule
    firewall.@rule[9].name='Allow-Wireguard'
    firewall.@rule[9].proto='udp'
    firewall.@rule[9].target='ACCEPT'
    firewall.@rule[9].dest_port='51758'
    firewall.@rule[9].src='*'
    firewall.@rule[9].dest='*'
    network.homevpn=interface
    network.homevpn.proto='wireguard'
    network.homevpn.private_key='iBoa...'
    network.homevpn.listen_port='51758'
    network.homevpn.addresses='10.14.0.1/24'
    network.@wireguard_homevpn[0]=wireguard_homevpn
    network.@wireguard_homevpn[0].description='Eugene'\''s Android phone'
    network.@wireguard_homevpn[0].public_key='2ykr...'
    network.@wireguard_homevpn[0].allowed_ips='10.14.0.3/32'
    network.@wireguard_homevpn[0].route_allowed_ips='1'
    network.@wireguard_homevpn[0].persistent_keepalive='25'
    
    
  2. Android:

For context: I am away from home in a different country now. Would like to use a VPN, so that all traffic from my Android phone and MBP laptop would go through the VPN. In particular, I need this to be able to access some services that are only reachable from within my home country.

Can you ping 10.14.0.1?
Did you configure forwarding from WG to WAN?

One mistake is the dest line. With this rule you allow forwarding from any zone to any zone. But you want to allow INPUT, so you need to remove the destination zone.

In the client allowed IPs you have ::/128, I am not sure if you intended that or not. Normally you should use ::/0.
Also the address can be 10.14.0.3/24, although it won't matter much, since you route everything to the server.

Why not follow the up-to-date and tested guide from openwrt.org?

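The mistake pointed out above (a rule with both src and dest set is a FORWARD rule, while accepting WireGuard handshakes on the router itself needs an INPUT rule with no dest) is easy to check mechanically against a `uci show` dump. The script below is an added example, not code from this thread or from OpenWrt: it parses a dump embedded here as constructed sample text modelled on the post's output (keys shortened, rule index `@rule[9]` and interface name `homevpn` taken from the post), and reports whether the rule is an input rule whose dest_port matches the interface's listen_port.

```shell
#!/bin/sh
# Added example (not from the forum thread or OpenWrt): sanity-check the
# Allow-WireGuard firewall rule in an OpenWrt `uci show` dump.
#
# On OpenWrt a firewall rule with both 'src' and 'dest' set matches FORWARDED
# traffic (zone to zone). Traffic terminating on the router itself (the
# WireGuard listen port) is INPUT, which a rule matches only when 'dest' is
# unset. The port must also match network.<iface>.listen_port.

# Constructed sample dump, modelled on the post (rule index, interface name and
# port are taken from the post; everything else is assumed).
SAMPLE_DUMP=$(cat <<'EOF'
firewall.@rule[9]=rule
firewall.@rule[9].name='Allow-Wireguard'
firewall.@rule[9].proto='udp'
firewall.@rule[9].target='ACCEPT'
firewall.@rule[9].dest_port='51758'
firewall.@rule[9].src='*'
firewall.@rule[9].dest='*'
network.homevpn=interface
network.homevpn.proto='wireguard'
network.homevpn.listen_port='51758'
EOF
)

# The same dump after the fix from the thread: the dest line removed.
FIXED_DUMP=$(printf '%s\n' "$SAMPLE_DUMP" | grep -v '\.dest=')

# uci_get DUMP KEY : print the value of KEY from a `uci show` dump with the
# surrounding single quotes stripped; prints nothing when KEY is absent.
uci_get() {
    printf '%s\n' "$1" | awk -v key="$2" -v q="'" '
        index($0, key "=") == 1 {
            v = substr($0, length(key) + 2)            # text after "KEY="
            if (substr(v, 1, 1) == q) v = substr(v, 2)  # strip leading quote
            n = length(v)
            if (n > 0 && substr(v, n) == q) v = substr(v, 1, n - 1)
            print v
        }'
}

# wg_rule_check DUMP RULE IFACE : prints "ok" when RULE is a UDP input rule whose
# dest_port equals IFACE's listen_port; otherwise prints a short reason and
# returns 1.
wg_rule_check() {
    dump=$1; rule=$2; iface=$3
    dest=$(uci_get "$dump" "$rule.dest")
    proto=$(uci_get "$dump" "$rule.proto")
    port=$(uci_get "$dump" "$rule.dest_port")
    listen=$(uci_get "$dump" "$iface.listen_port")

    if [ -n "$dest" ]; then
        echo "forward-rule: $rule.dest='$dest' is set, so this is a zone-to-zone" \
             "forward rule; unset it so the rule matches INPUT on the router"
        return 1
    fi
    if [ "$proto" != "udp" ]; then
        echo "wrong-proto: $rule.proto='$proto', WireGuard uses udp"
        return 1
    fi
    if [ -z "$listen" ] || [ "$port" != "$listen" ]; then
        echo "port-mismatch: $rule.dest_port='$port' vs $iface.listen_port='$listen'"
        return 1
    fi
    echo ok
}

# Usage: run the check on the dump from the post, then on the fixed dump.
wg_rule_check "$SAMPLE_DUMP" 'firewall.@rule[9]' network.homevpn || true
wg_rule_check "$FIXED_DUMP"  'firewall.@rule[9]' network.homevpn
```

On a live router the dump comes from `uci show firewall network`, and the fix the reply describes is `uci delete firewall.@rule[9].dest`, followed by `uci commit firewall` and `/etc/init.d/firewall restart` (the rule index is the one from the post; check yours with `uci show firewall`). In LuCI the equivalent is choosing "Device (input)" as the destination zone of the traffic rule.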

One mistake is the dest line

Fixing this one did the trick. Thank you so much! For completeness, in order to do the fix from the web UI, I had to select "Device (input)".

In the client allowed IPs you have ::/128, I am not sure if you intended that or not. Normally you should use ::/0

Btw, I am pretty sure I used ::/0. Not sure why it got changed to ::/128. :thinking:

Why not follow the up-to-date and tested guide from openwrt.org?

Good question. At first I was committed to only using resources found on openwrt.org, but found a couple of issues:

  • the page you're linking to – I stumbled upon it as well – appears to be a high-level guide, while I was on the lookout for something more detailed for both server and client, but also dense enough to fit on a screen,

  • while checking the "WireGuard client" page, it immediately appeared a lot more detailed and seemingly what I need; after a closer look, I realized it covers a different use case, e.g. setting up WireGuard as a client inside OpenWrt, which is not my scenario,

  • "WireGuard server" covers only server setup (I must admit I initially missed this one).

  • "Static addressing of WireGuard tunnel" looks like what I might have used after all, but the word "static" got me confused, e.g. is it related to static routing in some way or not?

Btw, in the past I've used WireGuard by setting it up via the algo script. The end result would be a .conf or .png (QR code) file that can be seamlessly imported into a client (macOS and Android are the ones that I've tried and which worked for me). Would it be naive to ask for a "Peers" tab to have a button that'd register a new peer & generate a QR code / .conf file automatically?

It is the main wiki page for WireGuard; a bit lower there are the internal links to the various functions.

Indeed you want a server, not a client.

This is not really needed, as it is covered by the server and client guides.

I think I have seen it before, but I don't remember if it was for WG or OpenVPN or IPSEC.
