Only Rx and no TX with OpenWRT and Fritz Box

Hello everyone,

As I am getting no solution fitting my situation, I am looking for some support here.
I want to create a mobile VPN router, based on a Raspberry Pi 4 (as in the NetworkChuck YouTube video). But instead of going via a commercial VPN provider, I want to connect via WireGuard to my Fritz Box. I got to the situation that I am getting a slow TX connection, but no RX traffic.

I also wanted to change the IP on the Raspi, but wasn't sure how this might affect the config overall.

I am copying my configs so far and would really appreciate any help!

Network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd35:727f:b647::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option force_link '1'

config interface 'wwan'
        option proto 'dhcp'
        option peerdns '0'
        option dns '1.1.1.1 8.8.8.8'

config interface 'vpnclient'
        option proto 'none'
        option device 'tun0'

config interface 'wg0'
        option proto 'wireguard'
        option private_key '*********'
        option mtu '1412'
        option listen_port '51505'
        list addresses '192.168.178.0/24'
        list addresses '0.0.0.0/0'

config wireguard_wg0
        option description 'WGuardHome'
        option endpoint_host '******.myfritz.net'
        option public_key '*****************'
        option private_key '******'
        option preshared_key '******'
        list allowed_ips '192.168.178.0/24'
        list allowed_ips '0.0.0.0/0'
        option endpoint_port '51505'
        option persistent_keepalive '25'
        option route_allowed_ips '1'

Firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'

config zone
        option name 'fw_wg0'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wg0'

config forwarding
        option src 'lan'
        option dest 'fw_wg0'

Thanks again!

Your list addresses directives need to be fixed. You need only one, and it can't be a subnet address. It must be a usable host address within your desired subnet range.

I suggest list addresses 192.168.178.2 (assuming the other end isn't already using .2).

You don't need the private key of the peer. You only need the public key of the peer. Each peer keeps its private key... private.

You also don't need allowed_ips for 192.168.178.0/24 if you also have allowed_ips for 0.0.0.0/0 - the latter encompasses the former.

Also, does your Fritzbox get a public IP address? If it's behind CGNAT, then you might struggle to get this to work.

Wireguard is a routed solution which needs three different subnets.
The server side as it is a Fritzbox I assume it is 192.168.178.1/24
The client side which is 192.168.1.1/24
And the WG subnet which should be different from the other 2, so let's use 172.16.16.1/24

So below seems wrong

Use
list address 172.16.16.2/24
instead
On the server side use 172.16.16.1/24 as address and 172.16.16.2/32 for allowed ip

Remove
list allowed_ips '192.168.178.0/24'
That is redundant

Restart wireguard or the router.

Hope this helps as it is all I can do for you for now as I am travelling.
If not someone else will chime in

Also, while I remember, based on my own experience I would suggest not using a pre-shared key until you've got the connection working without it. Once you know the connection works, then introduce a PSK into the configuration.

1 Like
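The replies above list four concrete problems with the posted UCI config: two `addresses` entries where only one host address belongs, a `private_key` in the peer section, an `allowed_ips` entry already covered by `0.0.0.0/0`, and a preshared key added before the tunnel has ever worked. As an added example (not code from the thread or from OpenWrt), here is a small Python linter that parses a UCI WireGuard fragment and reports exactly those mistakes. The two embedded configs are constructed: `SAMPLE_UCI` mirrors the first post with keys redacted, `FIXED_UCI` is the same config after applying the advice.

```python
"""Lint an OpenWrt UCI WireGuard config for the mistakes discussed in the thread.

Added example, not OpenWrt's own code. Both embedded configs are constructed
for illustration; keys are redacted placeholders and the endpoint hostname is
an assumption.
"""
import ipaddress
import re

# Constructed: the original poster's config with keys redacted.
SAMPLE_UCI = """\
config interface 'wg0'
        option proto 'wireguard'
        option private_key 'REDACTED'
        option mtu '1412'
        option listen_port '51505'
        list addresses '192.168.178.0/24'
        list addresses '0.0.0.0/0'

config wireguard_wg0
        option description 'WGuardHome'
        option endpoint_host 'example.myfritz.net'
        option public_key 'REDACTED'
        option private_key 'REDACTED'
        option preshared_key 'REDACTED'
        list allowed_ips '192.168.178.0/24'
        list allowed_ips '0.0.0.0/0'
        option endpoint_port '51505'
        option persistent_keepalive '25'
        option route_allowed_ips '1'
"""

# Constructed: the same config after applying the advice in the replies.
FIXED_UCI = """\
config interface 'wg0'
        option proto 'wireguard'
        option private_key 'REDACTED'
        option mtu '1412'
        list addresses '192.168.178.2/24'

config wireguard_wg0
        option description 'WGuardHome'
        option endpoint_host 'example.myfritz.net'
        option public_key 'REDACTED'
        list allowed_ips '0.0.0.0/0'
        option endpoint_port '51505'
        option persistent_keepalive '25'
        option route_allowed_ips '1'
"""

# Matches "config <type> ['name']", "option <key> '<value>'" and "list <key> '<value>'".
_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'?([^']*)'?)?\s*$")


def parse_uci(text):
    """Return a list of (section_type, section_name, {key: [values]})."""
    sections = []
    for raw in text.splitlines():
        m = _LINE.match(raw)
        if not m:
            continue  # blank lines and anything we do not understand
        kind, key, value = m.groups()
        value = (value or "").strip()
        if kind == "config":
            sections.append((key, value, {}))
        elif sections:
            # 'option' and 'list' both become lists so repeated 'list' lines are kept.
            sections[-1][2].setdefault(key, []).append(value)
    return sections


def lint_wireguard(text):
    """Return human-readable findings for a UCI WireGuard interface and its peers."""
    findings = []
    for stype, name, opts in parse_uci(text):
        if stype == "interface" and opts.get("proto") == ["wireguard"]:
            addrs = opts.get("addresses", [])
            if len(addrs) != 1:
                findings.append(f"{name}: expected exactly one 'addresses' entry, found {len(addrs)}")
            for a in addrs:
                iface = ipaddress.ip_interface(a)
                net = iface.network
                # A network or broadcast address is not a usable host address (skip /31 and /32).
                if net.num_addresses > 2 and iface.ip in (net.network_address, net.broadcast_address):
                    findings.append(f"{name}: {a} is a network/broadcast address, use a host address inside {net}")
        elif stype.startswith("wireguard_"):
            peer = opts.get("description", [stype])[0]
            if "private_key" in opts:
                findings.append(f"peer {peer}: remove 'private_key'; a peer section only needs the peer's public_key")
            if "preshared_key" in opts:
                findings.append(f"peer {peer}: preshared_key set; bring the tunnel up without it first, then add it")
            nets = [ipaddress.ip_network(x, strict=False) for x in opts.get("allowed_ips", [])]
            for n in nets:
                for other in nets:
                    if n != other and n.subnet_of(other):
                        findings.append(f"peer {peer}: allowed_ips {n} is redundant, already covered by {other}")
    return findings


if __name__ == "__main__":
    for f in lint_wireguard(SAMPLE_UCI):
        print("-", f)
    print("fixed config findings:", lint_wireguard(FIXED_UCI))
```

On a real router the same text is obtained with `uci export network`; the linter only looks at the `interface` section whose `proto` is `wireguard` and at the `wireguard_<name>` peer sections, so the rest of the network config can be passed through unchanged.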

Thanks. As of now I deleted that as suggested.

1 Like

I have been following your steps and I think I managed to do as you told.
What I am struggling with is this: "On the server side use 172.16.16.1/24 as address and 172.16.16.2/32 for allowed ip"

I am not sure where to do that. On my Fritz.Box? I added an IPv4 route with the 172.16.16.2 but wasn't able to do anything further.

I will post the current config again for review.

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd35:727f:b647::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option force_link '1'

config interface 'wwan'
        option proto 'dhcp'
        option peerdns '0'
        option dns '1.1.1.1 8.8.8.8'

config interface 'vpnclient'
        option proto 'none'
        option device 'tun0'

config interface 'wg0'
        option proto 'wireguard'
        option private_key '******************'
        option mtu '1412'
        option listen_port '51505'
        list addresses '192.16.16.2/24'

config wireguard_wg0
        option description 'WGuardHome'
        option endpoint_host '*************.myfritz.net'
        option public_key '***************'
        option private_key '******************'

        list allowed_ips '0.0.0.0/0'
        option endpoint_port '51505'
        option persistent_keepalive '25'
        option route_allowed_ips '1'

Don't use public IP addresses unless they've been allocated to you. 192.16.16.2 belongs to Edgecast, in Dallas, Texas. Are you an Edgecast customer?

Did you mean to type 192.168.16.2?

I just did what @egc was telling above. Wasn't aware of the impact. I am completely new to this network stuff, so a little bit struggling here on some points.
How can I make sure to use a free public IP address? Is there any other way to establish this kind of VPN connection between a FritzBox VPN server and the OpenWRT router?

Okay. In that case, some time spent learning the basics might be in order. I would also suggest reading https://www.wireguard.com/quickstart/ to get a brief overview into WireGuard.

Here is an absolute bare-minimum WireGuard configuration for the client in a client-server scenario:

[Interface]
Address = 192.168.1.2/24
PrivateKey = <my private key>

[Peer]
Endpoint = peer's.public.ip.address:51250
PublicKey = <remote peer's public key>
AllowedIPs = 192.168.1.1/32

The server side would have a ListenPort directive, where the client does not. If you want to set up what's commonly called a "site-to-site VPN", where either side can initiate the connection, then both sides would have ListenPort directives.

You don't have to use port 51250; I happen to use it and I extracted the above from my own working WG configuration.

That configuration will allow one host to connect to another host and exchange data through the VPN tunnel. Each end of the tunnel will have the IP addresses 192.168.1.1 and .2.

If you wanted to send all traffic through the tunnel, you could do something like this:

[Interface]
Address = 192.168.1.2/24
PrivateKey = <my private key>
DNS = 1.1.1.1

[Peer]
Endpoint = peer's.public.ip.address:51250
PublicKey = <remote peer's public key>
AllowedIPs = 0.0.0.0/0

If you're sending all traffic through the VPN (0.0.0.0/0) then you also have to account for DNS, because DNS also goes through the VPN, so your desired DNS server must be available through the VPN. In the example above, 1.1.1.1 is a known, public DNS server operated by CloudFlare. There are many others you may choose.

You've shown us one side of the WireGuard configuration, but not the other. It might be helpful to see both configurations side-by-side. As you have been doing, redact any keys.

You don't need to, not for the tunnel. The endpoints may use public addresses (or DNS names, like in your configuration), but the tunnel should use RFC 1918 addresses.

On that note, what is the WAN address of your FRITZ!box? Does it agree with what you see if you visit ipv4.icanhazip.com ? If the two agree, then you're good to go. But if they disagree, e.g. your FRITZ!box says an address in the 100.64.0.0/10 range, then you may have some challenges getting this to work.

Not quite. @egc suggested 172.16.16.x, not 192.16.16.x. And 172.16.16.x falls within one of the allotted RFC 1918 ranges: 172.16.0.0/12.
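The two checks in this reply, that the tunnel's inner addresses come from RFC 1918 space and that the FRITZ!box WAN address is a real public address rather than a CGNAT one, are easy to automate. This is an added example, not code from the thread; the addresses fed to it at the bottom are constructed test values (the 203.0.113.0/24 and 198.51.100.0/24 ranges are documentation ranges, used here only as stand-ins for real public addresses).

```python
"""Classify IPv4 addresses the way the thread reasons about them.

Added example, not from the thread. The private/CGNAT ranges are the
published ones (RFC 1918 and RFC 6598); the sample addresses in main()
are constructed.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space


def classify(addr):
    """Return 'rfc1918', 'cgnat', 'special' or 'public' for an IPv4 address string."""
    ip = ipaddress.ip_address(addr)
    if any(ip in n for n in RFC1918):
        return "rfc1918"
    if ip in CGNAT:
        return "cgnat"
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_reserved or ip.is_unspecified:
        return "special"
    return "public"


def tunnel_address_ok(addr):
    """The inner (tunnel) address should be RFC 1918, never someone else's public space."""
    return classify(addr.split("/")[0]) == "rfc1918"


def endpoint_check(fritz_wan, observed_public):
    """Compare the WAN address the FRITZ!box shows with the address seen from the internet.

    Returns (ok, reason). Inbound WireGuard handshakes need the box to be
    reachable on a public address that it actually owns.
    """
    kind = classify(fritz_wan)
    if kind == "cgnat":
        return (False, f"WAN address {fritz_wan} is in 100.64.0.0/10 (CGNAT); inbound connections will not reach the box")
    if kind != "public":
        return (False, f"WAN address {fritz_wan} is {kind}, not public; there is another NAT in front of the box")
    if ipaddress.ip_address(fritz_wan) != ipaddress.ip_address(observed_public):
        return (False, f"WAN address {fritz_wan} differs from the outside view {observed_public}; a NAT sits in front of the box")
    return (True, "WAN address is public and matches the outside view")


if __name__ == "__main__":
    # Constructed sample values.
    for a in ("192.16.16.2", "172.16.16.2", "100.64.12.34"):
        print(a, "->", classify(a))
    print(endpoint_check("203.0.113.5", "203.0.113.5"))
    print(endpoint_check("100.64.12.34", "203.0.113.5"))
```

`classify` deliberately does not use the library's `is_private` flag, because that flag also covers documentation and other special ranges; the thread's question is specifically "is this one of the three RFC 1918 blocks", so the check is written against those blocks directly.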

Oh yes! Thanks a lot. This is quite helpful and I appreciate your patience.
I will have a close look into it on Sunday/Monday.

1 Like

So I reviewed some topics you mentioned, @iplaywithtoys.

  1. WAN Address is the same on my fritz as well as stated on ipv4.ican....
  2. config of the fritz.box is here
[Interface]
PrivateKey = xxxxxxx
Address = 172.16.16.1/24
DNS = 192.168.178.1
DNS = fritz.box

[Peer]
PublicKey = xxxxxx
PresharedKey = xxxxxxxx
AllowedIPs = 192.168.178.0/24
Endpoint = xxxxxxx.myfritz.net:55303
PersistentKeepalive = 25
  3. Config looks now as this:
config interface 'wg0'
        option proto 'wireguard'
        option private_key '**********'
        option mtu '1412'
        list addresses '172.16.16.2'
        option listen_port '55303'

config wireguard_wg0
        option description 'WireGHome'
        option endpoint_host '**********.myfritz.net'
        option persistent_keepalive '25'
        option route_allowed_ips '1'
        list allowed_ips '192.168.178.0/24'
        option public_key '************'
        option endpoint_port '55303'

While setting up the fritz.box WireGuard connection it asked me if I want all traffic via the VPN tunnel, which I want. If I understood you correctly, I will need to add the DNS = 1.1.1.1 so that it looks like this, right?

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'kAqc+4pp3ZexYftqcNwwvV72nX6xtpv2ex2/MPfS33o='
        option mtu '1412'
        list addresses '172.16.16.2'
        option listen_port '55303'
        option dns '1.1.1.1'

and thanks again - I really appreciate your time!

I've snipped the relevant parts of your config for my comments below:

Based on the two configurations, I'm assuming that the FRITZ!box is your "server" (172.16.16.1) and your OpenWRT device is your "client" (172.16.16.2).

If so, that prompts the question, where is the subnet 192.168.178.0/24 in your setup?

Your earlier OpenWRT configuration shows 192.168.1.1 as OpenWRT's LAN address, so I'm going to guess that 192.168.178.0/24 might be the LAN behind your FRITZ!box.

The configuration on your FRITZ!box sends all traffic destined for 192.168.178.0/24 through the VPN tunnel towards OpenWRT, and in turn OpenWRT sends all traffic destined for 192.168.178.0/24 through the VPN towards the FRITZ!box. If my guess about the location of 192.168.178.0/24 is right, then you might not need the AllowedIPs = 192.168.178.0/24 directive in your FRITZ!box's WireGuard configuration.

While WireGuard uses the terminology AllowedIPs, my own opinion is that "allowed" is potentially misleading. It's all in the interpretation of language. WireGuard says "allowed"; I say "forced". It helps me to remember the distinction between traffic going down the tunnel and traffic bypassing the tunnel.

Not quite. I merely suggested 1.1.1.1 as one of many public DNS servers which are available for everyone to use.

The real requirement is that your chosen DNS server must be available through the VPN. Whether that's 1.1.1.1 or another DNS server of your choosing is beside the point; the important bit is that it must be accessible from the other end of the VPN tunnel.

I'm assuming that the FRITZ!box is your "server" (172.16.16.1) --> correct
OpenWRT device is your "client" - Correct
192.168.178.0/24 might be the LAN behind your FRITZ!box --> Correct. I changed that to 192.168.10.0/24 as it was explained like that on the fritz.box site and my OpenWRT to 192.168.20.1.
I deleted that: might not need the AllowedIPs = 192.168.178.0/24

I have been thinking about that, but not sure if I understood it correctly.
What I did now is that I changed it from 1.1.1.1 to 192.168.178.1 as this is what was stated within the config file from the fritz.box.

What I also can see within the WireGuard Status Overview is that I never got a handshake, whilst not receiving any data, but sending a few bits. Also the Endpoint IP address matches the IP address of my fritz.box.

If I connect to the OpenWRT Router via Mobile Phone, I do get internet.

Just to make sure.
within the config wireguard_wg0 config, I am putting the public_key I got from the fritz.box, correct?

That suggests a few possibilities.

  • You might have mixed up the keys
  • Your chosen port might not be open
  • You might not be trying to connect to the correct address.

I'll bang out a shoddy diagram, per the link in my profile. It might help to illustrate what goes where.

As promised, one shoddy diagram to help illustrate a WireGuard "client-server" deployment:

For the avoidance of doubt, those IP addresses in that diagram are dummy placeholders to illustrate the concept. Replace them as required with your own details.

Note that the "server" does not know - nor does it need to know - the "client's" Endpoint address. This is how a "client-server" deployment is handled. In contrast a "site-to-site" configuration would require each peer to know the other peer's Endpoint address.

WireGuard does not do "client-server" in the same way that, say, OpenVPN does, but its configuration is so flexible that the administrator can create a "client-server" deployment by carefully placing each piece of information in the appropriate configurations.

Pay attention to which key is Public and which key is Private. Every peer needs to know its own Private Key, and the peer's Public Key. But no peer needs to know any other peer's Private Key.

Also, those WG configuration samples may not be complete; I trimmed the details just to show which key and IP address goes where.

Lastly, I just stumbled across this page, which suggests that the FRITZ!box has the ability to generate QR codes to help configure other WireGuard devices: https://en.avm.de/news/the-latest-news-from-fritz/2022/wireguard-vpn-has-never-been-so-easy/

If you have a suitable QR code reader, or can transcribe the configuration from your phone to OpenWRT, you might find that all the information you need could be in one of those QR codes.
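The "what goes where" rules from the last two replies (each side knows its own private key and the other side's public key; the server has ListenPort and the client has Endpoint; the server's AllowedIPs names the client's tunnel address; the client's DNS server must be covered by the client's AllowedIPs or it is never reached through the tunnel) can be checked mechanically once both wg-quick style files are side by side. As an added example, not from the thread, from AVM or from WireGuard, here is a checker for that pairing. The two configs and all keys in it are constructed placeholders; `example.myfritz.net` and port 55303 are assumptions, and the server's public key is passed in separately because deriving it from the private key needs `wg pubkey`, which is not reproduced here.

```python
"""Cross-check a WireGuard client/server pair for key and address placement.

Added example, not from the thread. Configs and keys below are constructed
placeholders; only the file format (wg-quick [Interface]/[Peer]) is real.
"""
import ipaddress

CLIENT_PUB = "CLIENT_PUBLIC_KEY_PLACEHOLDER"
SERVER_PUB = "SERVER_PUBLIC_KEY_PLACEHOLDER"

# Constructed "server" side (the listening end, e.g. the FRITZ!box).
SERVER_CONF = """\
[Interface]
Address = 172.16.16.1/24
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
ListenPort = 55303

[Peer]
PublicKey = CLIENT_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 172.16.16.2/32
"""

# Constructed "client" side that sends everything, including DNS, down the tunnel.
CLIENT_CONF = """\
[Interface]
Address = 172.16.16.2/24
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
DNS = 192.168.178.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
Endpoint = example.myfritz.net:55303
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
"""

# Constructed broken client: keys mixed up, and a DNS server AllowedIPs does not cover.
BROKEN_CLIENT_CONF = """\
[Interface]
Address = 172.16.16.2/24
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
DNS = 192.168.178.1

[Peer]
PublicKey = CLIENT_PUBLIC_KEY_PLACEHOLDER
Endpoint = example.myfritz.net:55303
AllowedIPs = 172.16.16.1/32
PersistentKeepalive = 25
"""


def parse_wg(text):
    """Parse a wg-quick file into {section: {key: [values]}}; comma lists and repeated keys are kept."""
    sections, cur = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            sections.setdefault(cur, {})
            continue
        if cur is None:
            continue
        key, _, val = line.partition("=")  # base64 keys end in '='; partition splits on the first one only
        vals = [v.strip() for v in val.split(",") if v.strip()]
        sections[cur].setdefault(key.strip(), []).extend(vals)
    return sections


def check_pair(client_conf, client_pub, server_conf, server_pub):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    c, s = parse_wg(client_conf), parse_wg(server_conf)
    ci, cp, si, sp = c["Interface"], c.get("Peer", {}), s["Interface"], s.get("Peer", {})
    if cp.get("PublicKey") != [server_pub]:
        findings.append("client [Peer] PublicKey is not the server's public key (keys mixed up?)")
    if sp.get("PublicKey") != [client_pub]:
        findings.append("server [Peer] PublicKey is not the client's public key (keys mixed up?)")
    for side, peer in (("client", cp), ("server", sp)):
        if "PrivateKey" in peer:
            findings.append(f"{side} [Peer] carries a PrivateKey; only the other side's public key belongs there")
    port = si.get("ListenPort")
    endpoint = cp.get("Endpoint", [""])[0]
    if not port:
        findings.append("server has no ListenPort, so nothing is listening for the client")
    if not endpoint:
        findings.append("client has no Endpoint, so it cannot initiate the connection")
    elif port and endpoint.rsplit(":", 1)[-1] != port[0]:
        findings.append(f"client Endpoint port {endpoint.rsplit(':', 1)[-1]} does not match server ListenPort {port[0]}")
    caddr, saddr = ipaddress.ip_interface(ci["Address"][0]), ipaddress.ip_interface(si["Address"][0])
    if caddr.network != saddr.network or caddr.ip == saddr.ip:
        findings.append("tunnel addresses must be two distinct hosts in the same tunnel subnet")
    s_allowed = [ipaddress.ip_network(a, strict=False) for a in sp.get("AllowedIPs", [])]
    c_allowed = [ipaddress.ip_network(a, strict=False) for a in cp.get("AllowedIPs", [])]
    if not any(caddr.ip in n for n in s_allowed):
        findings.append(f"server AllowedIPs do not include the client's tunnel address {caddr.ip}/32")
    if not any(saddr.ip in n for n in c_allowed):
        findings.append(f"client AllowedIPs do not include the server's tunnel address {saddr.ip}/32")
    for dns in ci.get("DNS", []):
        try:
            d = ipaddress.ip_address(dns)
        except ValueError:
            continue  # a hostname such as fritz.box; cannot be checked without resolving it
        if not any(d in n for n in c_allowed):
            findings.append(f"client DNS {dns} is not covered by AllowedIPs, so queries will not go through the tunnel")
    return findings


if __name__ == "__main__":
    print("good pair:", check_pair(CLIENT_CONF, CLIENT_PUB, SERVER_CONF, SERVER_PUB))
    for f in check_pair(BROKEN_CLIENT_CONF, CLIENT_PUB, SERVER_CONF, SERVER_PUB):
        print("-", f)
```

The DNS check is the one most often missed when "all traffic through the tunnel" is switched off later: an AllowedIPs of `0.0.0.0/0` covers any DNS server, but as soon as AllowedIPs is narrowed to the remote LAN, a DNS entry outside that LAN silently stops being reachable.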

Hi there, after back and forth I wasn't able to establish a connection between the Raspberry and the fritzbox.
Reason why I now bought a GL-AXT1800, hoping that the user interface will help me more.
I managed to get a connection between Router and Fritz.Box and can access the fritzbox, once WireGuard is active.
My problem now is that I can't access the internet via any device going over the GL-AXT1800, once WireGuard is active.
Connecting with a mobile phone directly to the WireGuard, I had no problem in accessing the internet.

Any suggestions, as this looks as if it is something on the GL-AXT1800 with the firewall or port, or the same on the fritz.box (which wouldn't explain why I can access via mobile phone)?

I connect my GL-AXT1800 to a mobile phone in order to have a "public" internet access.