The suggestions given in the thread above didn't work for me.
The strange thing is that my WireGuard installation/configuration running on a RAVPower WD-03 works fine.
Trying to do the same setup on a Fritzbox 7412 doesn't work.
The connection itself comes up fine: from the WG client I can reach the LAN address of the OpenWrt router (172.17.1.81), but nothing else within my LAN.
Any idea where I should look to make this work?
so, here we go. I hope all needed information is there.
As you can see there are two WireGuard interfaces. Let's talk about wg1, the latest attempt, which is meant to sit in the LAN firewall zone (no separate zone). Note that the firewall dump below actually lists wg1 in two zones at once — in 'lan' (option network 'lan wg1') and in a separate 'wglan' zone — so it is not simply in the LAN zone; an interface assigned to two zones makes the effective policy ambiguous and is worth fixing first.
root@OpenWrt:~# uci export network
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd2c:c6f7:2e1c::/48'
config atm-bridge 'atm'
option vpi '1'
option vci '32'
option encaps 'llc'
option payload 'bridged'
option nameprefix 'dsl'
config dsl 'dsl'
option annex 'b'
option tone 'av'
option ds_snr_offset '0'
config interface 'lan'
option type 'bridge'
option ifname 'eth0'
option proto 'dhcp'
config device 'lan_eth0_dev'
option name 'eth0'
option macaddr '38:10:D5:3A:61:18'
config interface 'wan'
option ifname 'dsl0'
option proto 'static'
option netmask '255.255.255.0'
list dns '172.17.1.11'
option ipaddr '172.17.1.220'
option gateway '172.17.1.1'
config device 'wan_dsl0_dev'
option name 'dsl0'
option macaddr 'xxxxxx'
config interface 'WLAN'
option ifname 'wlan0'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.178.1'
list dns '172.17.1.11'
option delegate '0'
option force_link '0'
option type 'bridge'
config interface 'wifi'
option ifname 'WLAN2'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.150.1'
list dns '172.17.1.11'
config interface 'wg0'
option proto 'wireguard'
option private_key 'xxx'
option listen_port '51823'
list addresses '10.14.0.0/16'
config wireguard_wg0
option public_key 'Txm//0c2rgtFwC1OmDEc='
option description 'iPhone'
list allowed_ips '10.14.0.3/32'
option route_allowed_ips '1'
option persistent_keepalive '25'
config interface 'wg1'
option proto 'wireguard'
option private_key 'xxx'
option listen_port '51823'
list addresses '10.14.0.0/16'
config wireguard_wg1
option description 'iPhone'
option route_allowed_ips '1'
option persistent_keepalive '25'
option public_key 'xxc='
list allowed_ips '10.14.0.3/32'
package wireless
config wifi-device 'radio0'
option type 'mac80211'
option channel '11'
option hwmode '11g'
option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
option htmode 'HT20'
option country 'DE'
config wifi-iface 'default_radio0'
option device 'radio0'
option mode 'ap'
option ssid 'OpenWrt'
option key 'xxxxx'
option encryption 'psk2'
option disabled '1'
config wifi-iface 'wifinet1'
option ssid 'OpenWrt'
option device 'radio0'
option mode 'ap'
option network 'WLAN'
option ifname 'WLAN2'
option key 'xxxxx'
option encryption 'psk2'
root@OpenWrt:~# uci export dhcp; uci export firewall
package dhcp
config dnsmasq
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option confdir '/tmp/dnsmasq.d'
option localservice '0'
config dhcp 'lan'
option interface 'lan'
option ignore '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'WLAN'
option start '100'
option leasetime '12h'
option limit '150'
option interface 'WLAN'
config dhcp 'wifi'
option start '100'
option leasetime '12h'
option interface 'wifi'
option limit '190'
package firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option network 'lan wg1'
config include
option path '/etc/firewall.user'
config zone
option input 'ACCEPT'
option name 'WLAN'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'WLAN wifi'
option log '1'
config forwarding
option dest 'lan'
option src 'WLAN'
config forwarding
option dest 'WLAN'
option src 'lan'
config rule
option src 'WLAN'
option name 'all'
option target 'ACCEPT'
option dest 'lan'
config rule
option target 'ACCEPT'
option proto 'udp'
option dest_port '51823'
option name 'Allow-Wireguard-Inbound'
option src '*'
config zone
option name 'wg'
option input 'ACCEPT'
option network 'wg0'
option output 'ACCEPT'
option forward 'ACCEPT'
config forwarding
option dest 'lan'
option src 'wg'
config rule
option dest 'lan'
option src 'wg'
option name 'wg'
option target 'ACCEPT'
config forwarding
option dest 'wg'
option src 'lan'
config zone
option name 'wglan'
option input 'ACCEPT'
option forward 'REJECT'
option network 'wg1'
option output 'ACCEPT'
config forwarding
option dest 'lan'
option src 'wglan'
config rule
option src_port '51823'
option src '*'
option name 'wg incomming'
option dest '*'
option target 'ACCEPT'
list proto 'udp'
config rule
option src '*'
option target 'ACCEPT'
option proto 'udp'
option dest_port '51823'
option name 'Allow-Wiregurad-Inbound'
root@OpenWrt:~# head -n -0 /etc/firewall.user
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
> head -n -0 /etc/firewall.user;
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 172.17.1.81/24 brd 172.17.1.255 scope global br-lan
valid_lft forever preferred_lft forever
5: br-WLAN: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.178.1/24 brd 192.168.178.255 scope global br-WLAN
valid_lft forever preferred_lft forever
8: WLAN2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-WLAN state UP group default qlen 1000
inet 192.168.150.1/24 brd 192.168.150.255 scope global WLAN2
valid_lft forever preferred_lft forever
9: wg1: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
inet 10.14.0.0/16 brd 10.14.255.255 scope global wg1
valid_lft forever preferred_lft forever
default via 172.17.1.1 dev br-lan proto static src 172.17.1.81
10.14.0.0/16 dev wg1 proto kernel scope link src 10.14.0.0
10.14.0.3 dev wg1 proto static scope link
172.17.1.0 dev wg1 proto static scope link
172.17.1.0/24 dev br-lan proto kernel scope link src 172.17.1.81
192.168.150.0/24 dev WLAN2 proto kernel scope link src 192.168.150.1
192.168.178.0/24 dev br-WLAN proto kernel scope link src 192.168.178.1
local 10.14.0.0 dev wg1 table local proto kernel scope host src 10.14.0.0
broadcast 10.14.0.0 dev wg1 table local proto kernel scope link src 10.14.0.0
broadcast 10.14.255.255 dev wg1 table local proto kernel scope link src 10.14.0.0
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 172.17.1.0 dev br-lan table local proto kernel scope link src 172.17.1.81
local 172.17.1.81 dev br-lan table local proto kernel scope host src 172.17.1.81
broadcast 172.17.1.255 dev br-lan table local proto kernel scope link src 172.17.1.81
broadcast 192.168.150.0 dev WLAN2 table local proto kernel scope link src 192.168.150.1
local 192.168.150.1 dev WLAN2 table local proto kernel scope host src 192.168.150.1
broadcast 192.168.150.255 dev WLAN2 table local proto kernel scope link src 192.168.150.1
broadcast 192.168.178.0 dev br-WLAN table local proto kernel scope link src 192.168.178.1
local 192.168.178.1 dev br-WLAN table local proto kernel scope host src 192.168.178.1
broadcast 192.168.178.255 dev br-WLAN table local proto kernel scope link src 192.168.178.1
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
You probably want to remove your private keys from the info you pasted above. Redacting the post doesn't undo the exposure, though: if the private keys were ever visible, regenerate the router's WireGuard keypair (`wg genkey` / `wg pubkey`) and give the peer the new public key; the same applies to the Wi-Fi PSK. (Note also that the second paste reveals the dsl0 MAC address that was redacted as 'xxxxxx' in the first.)
Now onto specifics, why do you have two seemingly identical WireGuard interfaces (wg0 and wg1, both with listen_port 51823 and both with addresses 10.14.0.0/16)? Only one of them can bind that UDP port — which is consistent with only wg1 showing up in your `ip -4 addr` output — and two interfaces claiming the same 10.14.0.0/16 route make forwarding ambiguous. And two firewall rules for allowing port 51823? Delete one of each so you're not working with duplicate interfaces/firewall rules.
As for the remaining interface, you can delete the 'list addresses' line as written — '10.14.0.0/16' is the network address of that /16, not a host address — or replace it with a proper host address (see below). What's the config on the client device (in particular its Address and AllowedIPs)?
Delete the duplicate wg1. Also clean up the firewall: drop the unnecessary 'wg' and 'wglan' zones, the forwardings that reference them, and the stray rules. In particular the 'wg incomming' rule (src '*', dest '*', proto udp, src_port 51823, target ACCEPT) is dangerous: a sender chooses its own source port, so that rule accepts any UDP traffic from any zone to any zone as long as the source port is 51823, punching a hole through every forward policy — delete it. Assign wg0 to the lan zone; be aware this gives the tunnel peer the same trust as a wired LAN host (input ACCEPT on the router, forwarding into WLAN), which is what you want here but is not a guest setup — the only thing restricting the peer is its allowed_ips of 10.14.0.3/32, which WireGuard enforces as a source-address ACL. The allow-inbound WireGuard rules are not used, as the lan is your internet upstream (default route via br-lan) and the lan zone accepts all input anyway. One caveat: the 'wan' interface (dsl0) is not in any zone, so the firewall defaults (input ACCEPT) apply to it — harmless while the DSL line is unused, but don't let it become a real upstream without putting it in a zone with input REJECT/DROP.
Fix the address to a valid host address, like 10.14.0.1/16 — 10.14.0.0 is the network address of that /16, which is why the kernel installed it as a 'local'/'broadcast' entry in the `ip route` output above instead of a usable host.
The route_allowed_ips option is not needed for the peer: once wg0 carries 10.14.0.1/16, the kernel's connected route 10.14.0.0/16 already covers the peer's 10.14.0.3/32, so the extra /32 route it adds only duplicates it.
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd2c:c6f7:2e1c::/48'
config atm-bridge 'atm'
option vpi '1'
option vci '32'
option encaps 'llc'
option payload 'bridged'
option nameprefix 'dsl'
config dsl 'dsl'
option annex 'b'
option tone 'av'
option ds_snr_offset '0'
config interface 'lan'
option type 'bridge'
option ifname 'eth0'
option proto 'dhcp'
config device 'lan_eth0_dev'
option name 'eth0'
option macaddr '38:10:D5:3A:61:18'
config interface 'wan'
option ifname 'dsl0'
option proto 'static'
option netmask '255.255.255.0'
list dns '172.17.1.11'
option ipaddr '172.17.1.220'
option gateway '172.17.1.1'
config device 'wan_dsl0_dev'
option name 'dsl0'
option macaddr '38:10:D5:3A:61:1C'
config interface 'WLAN'
option ifname 'wlan0'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.178.1'
list dns '172.17.1.11'
option delegate '0'
option force_link '0'
option type 'bridge'
config interface 'wifi'
option ifname 'WLAN2'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.150.1'
list dns '172.17.1.11'
config interface 'wg0'
option proto 'wireguard'
option private_key 'xxx'
option listen_port '51823'
list addresses '10.14.0.1/16'
config wireguard_wg0
option public_key 'xxx'
option description 'iPhone'
list allowed_ips '10.14.0.3/32'
option persistent_keepalive '25'
package wireless
config wifi-device 'radio0'
option type 'mac80211'
option channel '11'
option hwmode '11g'
option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
option htmode 'HT20'
option country 'DE'
config wifi-iface 'default_radio0'
option device 'radio0'
option mode 'ap'
option ssid 'OpenWrt'
option key 'xxx'
option encryption 'psk2'
option disabled '1'
config wifi-iface 'wifinet1'
option ssid 'OpenWrt'
option device 'radio0'
option mode 'ap'
option network 'WLAN'
option ifname 'WLAN2'
option key 'xxx'
option encryption 'psk2'
package dhcp
config dnsmasq
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option confdir '/tmp/dnsmasq.d'
option localservice '0'
config dhcp 'lan'
option interface 'lan'
option ignore '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'WLAN'
option start '100'
option leasetime '12h'
option limit '150'
option interface 'WLAN'
config dhcp 'wifi'
option start '100'
option leasetime '12h'
option interface 'wifi'
option limit '190'
package firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option network 'lan wg0'
config include
option path '/etc/firewall.user'
config zone
option input 'ACCEPT'
option name 'WLAN'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'WLAN wifi'
option log '1'
config forwarding
option dest 'lan'
option src 'WLAN'
config forwarding
option dest 'WLAN'
option src 'lan'
config rule
option src 'WLAN'
option name 'all'
option target 'ACCEPT'
option dest 'lan'
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 172.17.1.81/24 brd 172.17.1.255 scope global br-lan
valid_lft forever preferred_lft forever
5: br-WLAN: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.178.1/24 brd 192.168.178.255 scope global br-WLAN
valid_lft forever preferred_lft forever
6: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
inet 10.14.0.1/16 brd 10.14.255.255 scope global wg0
valid_lft forever preferred_lft forever
7: WLAN2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-WLAN state UP group default qlen 1000
inet 192.168.150.1/24 brd 192.168.150.255 scope global WLAN2
valid_lft forever preferred_lft forever
default via 172.17.1.1 dev br-lan proto static src 172.17.1.81
10.14.0.0/16 dev wg0 proto kernel scope link src 10.14.0.1
172.17.1.0/24 dev br-lan proto kernel scope link src 172.17.1.81
192.168.150.0/24 dev WLAN2 proto kernel scope link src 192.168.150.1
192.168.178.0/24 dev br-WLAN proto kernel scope link src 192.168.178.1
broadcast 10.14.0.0 dev wg0 table local proto kernel scope link src 10.14.0.1
local 10.14.0.1 dev wg0 table local proto kernel scope host src 10.14.0.1
broadcast 10.14.255.255 dev wg0 table local proto kernel scope link src 10.14.0.1
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 172.17.1.0 dev br-lan table local proto kernel scope link src 172.17.1.81
local 172.17.1.81 dev br-lan table local proto kernel scope host src 172.17.1.81
broadcast 172.17.1.255 dev br-lan table local proto kernel scope link src 172.17.1.81
broadcast 192.168.150.0 dev WLAN2 table local proto kernel scope link src 192.168.150.1
local 192.168.150.1 dev WLAN2 table local proto kernel scope host src 192.168.150.1
broadcast 192.168.150.255 dev WLAN2 table local proto kernel scope link src 192.168.150.1
broadcast 192.168.178.0 dev br-WLAN table local proto kernel scope link src 192.168.178.1
local 192.168.178.1 dev br-WLAN table local proto kernel scope host src 192.168.178.1
broadcast 192.168.178.255 dev br-WLAN table local proto kernel scope link src 192.168.178.1
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
package dhcp
config dnsmasq
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option confdir '/tmp/dnsmasq.d'
option localservice '0'
config dhcp 'lan'
option interface 'lan'
option ignore '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'WLAN'
option start '100'
option leasetime '12h'
option limit '150'
option interface 'WLAN'
config dhcp 'wifi'
option start '100'
option leasetime '12h'
option interface 'wifi'
option limit '190'
package firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option network 'lan wg0'
config include
option path '/etc/firewall.user'
config zone
option input 'ACCEPT'
option name 'WLAN'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'WLAN wifi'
option log '1'
config forwarding
option dest 'lan'
option src 'WLAN'
config forwarding
option dest 'WLAN'
option src 'lan'
config rule
option src 'WLAN'
option name 'all'
option target 'ACCEPT'
option dest 'lan'
root@OpenWrt:~# ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 172.17.1.81/24 brd 172.17.1.255 scope global br-lan
valid_lft forever preferred_lft forever
5: br-WLAN: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.178.1/24 brd 192.168.178.255 scope global br-WLAN
valid_lft forever preferred_lft forever
6: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
inet 10.14.0.1/16 brd 10.14.255.255 scope global wg0
valid_lft forever preferred_lft forever
7: WLAN2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-WLAN state UP group default qlen 1000
inet 192.168.150.1/24 brd 192.168.150.255 scope global WLAN2
valid_lft forever preferred_lft forever
default via 172.17.1.1 dev br-lan proto static src 172.17.1.81
10.14.0.0/16 dev wg0 proto kernel scope link src 10.14.0.1
172.17.1.0/24 dev br-lan proto kernel scope link src 172.17.1.81
192.168.150.0/24 dev WLAN2 proto kernel scope link src 192.168.150.1
192.168.178.0/24 dev br-WLAN proto kernel scope link src 192.168.178.1
broadcast 10.14.0.0 dev wg0 table local proto kernel scope link src 10.14.0.1
local 10.14.0.1 dev wg0 table local proto kernel scope host src 10.14.0.1
broadcast 10.14.255.255 dev wg0 table local proto kernel scope link src 10.14.0.1
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 172.17.1.0 dev br-lan table local proto kernel scope link src 172.17.1.81
local 172.17.1.81 dev br-lan table local proto kernel scope host src 172.17.1.81
broadcast 172.17.1.255 dev br-lan table local proto kernel scope link src 172.17.1.81
broadcast 192.168.150.0 dev WLAN2 table local proto kernel scope link src 192.168.150.1
local 192.168.150.1 dev WLAN2 table local proto kernel scope host src 192.168.150.1
broadcast 192.168.150.255 dev WLAN2 table local proto kernel scope link src 192.168.150.1
broadcast 192.168.178.0 dev br-WLAN table local proto kernel scope link src 192.168.178.1
local 192.168.178.1 dev br-WLAN table local proto kernel scope host src 192.168.178.1
broadcast 192.168.178.255 dev br-WLAN table local proto kernel scope link src 192.168.178.1
0: from all lookup local
32766: from all lookup main
32767: from all lookup default