OpenWrt to run WireGuard client, so all clients get the remote server's WAN public IP

I have OpenWrt 23.05.5 running on an Aruba AP-303H.
LAN and WAN are configured as below:

[screenshot of the LAN/WAN configuration]

I have a WireGuard server set up in the cloud (Oracle Cloud) using pivpn (curl -L https://install.pivpn.io | bash).
In pivpn, we run the command pivpn add on the server to create profiles, and it shows a QR code we can scan with the WireGuard client (such as on an iPhone).
I tested the above with my iPhone client and everything works.

Now I would like to make OpenWrt dial a connection to the WireGuard server automatically and keep it on always, so that all clients connected to OpenWrt will assume the remote cloud WireGuard server's WAN IP.

I went through https://openwrt.org/docs/guide-user/services/vpn/wireguard/client, but there the client configuration part is different from how you do it on a phone.

VPN_ADDR="192.168.9.2/24"
VPN_ADDR6="fd00:9::2/64"

How do I know what values to use for the above?


A WG client needs a preconfigured unique IP from the WG server side.

From my WireGuard server in the cloud, I opened the config I created for the OpenWrt router:

xxxx@xxxx:~/configs$ cat xxxxx.conf
[Interface]
PrivateKey = xxxxxxx
Address = 10.119.75.3/24,fd11:5ee:bad:c0de::a77:4b03/64
DNS = 8.8.8.8, 8.8.4.4

[Peer]
PublicKey = xxxx
PresharedKey = xxxx
Endpoint = xxxx:xxx
AllowedIPs = 0.0.0.0/0, ::0/0

In that case, is the below correct?

VPN_ADDR="10.119.75.3/24"
VPN_ADDR6="fd11:5ee:bad:c0de::a77:4b03/64"
VPN_KEY=<PrivateKey from above>
VPN_PUB=<PublicKey from above>
VPN_PSK=<PresharedKey from above>

I ran the below:

VPN_IF="vpn"
VPN_SERV=<my vpn server>
VPN_PORT=<my vpn server port>
VPN_ADDR="10.119.75.3/24"
VPN_ADDR6="fd11:5ee:bad:c0de::a77:4b03/64"
VPN_KEY=<PrivateKey from above>
VPN_PUB=<PublicKey from above>
VPN_PSK=<PresharedKey from above>

(I skipped the "2. Key management" steps.)

uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci del_list firewall.wan.network="${VPN_IF}"
uci add_list firewall.wan.network="${VPN_IF}"
uci commit firewall
service firewall restart

uci -q delete network.${VPN_IF}
uci set network.${VPN_IF}="interface"
uci set network.${VPN_IF}.proto="wireguard"
uci set network.${VPN_IF}.private_key="${VPN_KEY}"
uci add_list network.${VPN_IF}.addresses="${VPN_ADDR}"
uci add_list network.${VPN_IF}.addresses="${VPN_ADDR6}"
 
uci -q delete network.wgserver
uci set network.wgserver="wireguard_${VPN_IF}"
uci set network.wgserver.public_key="${VPN_PUB}"
uci set network.wgserver.preshared_key="${VPN_PSK}"
uci set network.wgserver.endpoint_host="${VPN_SERV}"
uci set network.wgserver.endpoint_port="${VPN_PORT}"
uci set network.wgserver.persistent_keepalive="25"
uci set network.wgserver.route_allowed_ips="1"
uci add_list network.wgserver.allowed_ips="0.0.0.0/0"
uci add_list network.wgserver.allowed_ips="::/0"
uci commit network
service network restart

Restarted OpenWrt, but the internet is not working.

root@OpenWrt:~# logread -e vpn; netstat -l -n -p | grep -e "^udp\s.*\s-$"
Wed Jan  1 13:08:25 2025 daemon.notice netifd: Interface 'vpn' has lost the connection
Wed Jan  1 13:08:27 2025 daemon.notice netifd: Interface 'vpn' is now down
Wed Jan  1 13:08:27 2025 daemon.notice netifd: Interface 'vpn' is setting up now
Wed Jan  1 13:08:27 2025 daemon.notice netifd: Interface 'vpn' is now down
Wed Jan  1 13:08:31 2025 daemon.notice netifd: Interface 'vpn' is setting up now
Wed Jan  1 13:08:36 2025 daemon.notice netifd: vpn (3957): Try again: `xxxxxxxx:xxxx'. Trying again in 1.00 seconds...
Wed Jan  1 13:08:40 2025 daemon.notice netifd: Interface 'vpn' is now up
Wed Jan  1 13:08:40 2025 daemon.notice netifd: Network device 'vpn' link is up
Wed Jan  1 13:08:40 2025 user.notice firewall: Reloading firewall due to ifup of vpn (vpn)
udp        0      0 0.0.0.0:60724           0.0.0.0:*                           -
udp        0      0 :::60724                :::*                                -
root@OpenWrt:~#
root@OpenWrt:~# pgrep -f -a wg; wg show; wg showconf vpn
3967 wg-crypt-vpn
interface: vpn
  public key: xxx
  private key: (hidden)
  listening port: 60724

peer: xxxx
  preshared key: (hidden)
  endpoint: xx.xx.xx.79:xxx
  allowed ips: 0.0.0.0/0, ::/0
  transfer: 0 B received, 2.31 KiB sent
  persistent keepalive: every 25 seconds
[Interface]
ListenPort = 60724
PrivateKey = xxx

[Peer]
PublicKey = XXX
PresharedKey = XXX
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = xx.xx.xx.79:xxxx
PersistentKeepalive = 25
root@OpenWrt:~#
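The mapping from a pivpn-generated client .conf to the wiki recipe's VPN_* variables can be scripted so there is nothing to copy by hand. The following is an added example, not code from the thread, the OpenWrt wiki or pivpn: a POSIX sh helper that reads a .conf in the shape pivpn produces, splits the Address line into the IPv4 and IPv6 values, takes host and port from Endpoint, and prints the uci commands from the recipe above for review. The sample conf, its keys and the endpoint host are constructed placeholders; the interface name vpn and the route_allowed_ips setting are the ones used in the post above.

```shell
#!/bin/sh
# Added helper (not from the thread, the OpenWrt wiki or pivpn): turn a
# pivpn-style WireGuard client .conf into the VPN_* variables the wiki recipe
# uses and print the matching uci commands. Nothing is applied here; review
# the printed lines, then paste them into the router's shell.

# Constructed sample .conf in the shape pivpn generates; keys and host are fake.
SAMPLE_CONF='[Interface]
PrivateKey = cPrivKeyPlaceholderAAAAAAAAAAAAAAAAAAAAAAAA=
Address = 10.119.75.3/24,fd11:5ee:bad:c0de::a77:4b03/64
DNS = 8.8.8.8, 8.8.4.4

[Peer]
PublicKey = sPubKeyPlaceholderAAAAAAAAAAAAAAAAAAAAAAAAA=
PresharedKey = pskPlaceholderAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
Endpoint = vpn.example.net:51820
AllowedIPs = 0.0.0.0/0, ::0/0'

VPN_IF="vpn"   # OpenWrt interface name, as in the wiki recipe

# conf_get CONF SECTION KEY -> value of "KEY = value" inside [SECTION].
conf_get() {
    printf '%s\n' "$1" | awk -v sec="[$2]" -v key="$3" '
        /^\[/ { insec = ($0 == sec); next }
        insec && $1 == key && $2 == "=" {
            sub(/^[^=]*=[[:space:]]*/, ""); print; exit }'
}

# conf_to_vars CONF -> sets VPN_ADDR, VPN_ADDR6, VPN_KEY, VPN_PUB, VPN_PSK,
# VPN_SERV and VPN_PORT. The Address line may carry an IPv4 and an IPv6
# address separated by a comma; each goes to its own variable.
conf_to_vars() {
    addrs=$(conf_get "$1" Interface Address | tr ',' '\n' | sed 's/^[[:space:]]*//')
    VPN_ADDR=$(printf '%s\n' "$addrs" | grep -v ':' | head -n 1)
    VPN_ADDR6=$(printf '%s\n' "$addrs" | grep ':' | head -n 1)
    VPN_KEY=$(conf_get "$1" Interface PrivateKey)
    VPN_PUB=$(conf_get "$1" Peer PublicKey)
    VPN_PSK=$(conf_get "$1" Peer PresharedKey)
    endpoint=$(conf_get "$1" Peer Endpoint)
    VPN_SERV=${endpoint%:*}    # host part; a bracketed IPv6 literal is not handled
    VPN_PORT=${endpoint##*:}
}

# emit_uci -> prints the uci commands from the wiki recipe for the values above.
# route_allowed_ips=1 is what installs the default route through the tunnel;
# the firewall lines put the tunnel in the wan zone so LAN traffic is masqueraded.
emit_uci() {
    cat <<EOF
uci -q delete network.${VPN_IF}
uci set network.${VPN_IF}="interface"
uci set network.${VPN_IF}.proto="wireguard"
uci set network.${VPN_IF}.private_key="${VPN_KEY}"
uci add_list network.${VPN_IF}.addresses="${VPN_ADDR}"
uci add_list network.${VPN_IF}.addresses="${VPN_ADDR6}"
uci -q delete network.wgserver
uci set network.wgserver="wireguard_${VPN_IF}"
uci set network.wgserver.public_key="${VPN_PUB}"
uci set network.wgserver.preshared_key="${VPN_PSK}"
uci set network.wgserver.endpoint_host="${VPN_SERV}"
uci set network.wgserver.endpoint_port="${VPN_PORT}"
uci set network.wgserver.persistent_keepalive="25"
uci set network.wgserver.route_allowed_ips="1"
uci add_list network.wgserver.allowed_ips="0.0.0.0/0"
uci add_list network.wgserver.allowed_ips="::/0"
uci commit network
uci del_list firewall.wan.network="${VPN_IF}"
uci add_list firewall.wan.network="${VPN_IF}"
uci commit firewall
EOF
}

conf_to_vars "$SAMPLE_CONF"
emit_uci
```

On the router, replace SAMPLE_CONF with the contents of the .conf downloaded from pivpn (cat the file into a variable), run the script once to read the printed commands, and only then execute them followed by service network restart. Keeping the private key out of the shell history is a good reason to run it from a file rather than pasting interactively.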

Install the wg-installer-client and you can just import the config file in WireGuard.

I tried that too.
Basically, I created a new interface named wg0 with Protocol set to WireGuard VPN, and then on the new interface used the Import configuration option, where I pasted the contents of my conf file, which auto-filled all the details.
Saved and restarted.
But:
RX: 0 B (0 Pkts.)
TX: 0 B (0 Pkts.)

I used the same conf file in the Windows WireGuard client (on the same network as my OpenWrt router) and it worked.

But the same conf on OpenWrt is where I have issues.

The best way to see what is happening is to review your config.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
wg show
root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.167",
        "hostname": "OpenWrt",
        "system": "ARMv7 Processor rev 5 (v7l)",
        "model": "Aruba AP-303H",
        "board_name": "aruba,ap-303h",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.5",
                "revision": "r24106-10cc5fcd00",
                "target": "ipq40xx/generic",
                "description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
        }
}
root@OpenWrt:~#
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd7d:e76b:843f::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.20.1'
        list dns '8.8.8.8'
        list dns '1.1.1.1'

config interface 'wan'
        option device 'wan'
        option proto 'static'
        option ipaddr '192.168.20.2'
        option netmask '255.255.255.0'
        option gateway '192.168.20.1'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'vpn'
        option proto 'wireguard'
        option private_key 'xxxxxxxx'
        list addresses '10.119.75.3/24'
        list addresses 'fd11:5ee:bad:c0de::a77:4b03/64'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

config wireguard_vpn
        option description 'Imported peer configuration'
        option public_key 'xxxx'
        option preshared_key 'xxx'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::0/0'
        option endpoint_host 'xxxx'
        option endpoint_port 'xxxx'

root@OpenWrt:~#
root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option mtu_fix '1'
        list network 'lan'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        list network 'vpn'

config forwarding
        option src 'lan'
        option dest 'vpn'

root@OpenWrt:~#
root@OpenWrt:~# wg show
interface: vpn
  public key: xxx
  private key: (hidden)
  listening port: 39838

peer: xxxx
  preshared key: (hidden)
  endpoint: xx.1x.xx9.xx:xxx
  allowed ips: 0.0.0.0/0, ::/0

Remove the gateway and dns from the lan interface.

Add:

        option route_allowed_ips '1'

You do not have a handshake.

  1. Make sure you have disabled WG on any other devices -- each connected peer must be unique, so if any of your other devices are using the same keys and address, that will conflict.
  2. You may have a key issue. Verify that the keys are correct, double check for any errors.
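The two checks in the reply above, "you do not have a handshake" and "verify that the keys are correct", can be turned into a small script so the state of the tunnel is read off rather than guessed from RX/TX counters. The following is an added example, not from the thread or from wireguard-tools: a POSIX sh script that classifies a peer from the machine-readable output of wg show vpn latest-handshakes and wg show vpn transfer, and checks that a key has the 44-character base64 shape every WireGuard key has. The sample output lines and the key are constructed; the 180-second staleness threshold is this example's own choice.

```shell
#!/bin/sh
# Added helper (not from the thread or from wireguard-tools): classify a
# WireGuard peer's health from the machine-readable `wg show <if> ...` output.
# On the router the inputs come from:
#   wg show vpn latest-handshakes   -> "<peer pubkey>\t<unix time>"  (0 = never)
#   wg show vpn transfer            -> "<peer pubkey>\t<rx bytes>\t<tx bytes>"
#   date +%s                        -> the current time
# Constructed sample lines stand in for those commands here.
PEER=$(printf 'sPubKeyPlaceholder%25s=' '' | tr ' ' 'A')   # fake, well-formed 44-char key
SAMPLE_HS_NONE=$(printf '%s\t0' "$PEER")                    # never handshaked (the OP's case)
SAMPLE_HS_OK=$(printf '%s\t1735736900' "$PEER")
SAMPLE_TX_NONE=$(printf '%s\t0\t2365' "$PEER")              # 0 B received, 2.3 KiB sent
SAMPLE_TX_OK=$(printf '%s\t48213\t39950' "$PEER")

# handshake_age HS_LINES NOW -> seconds since the newest handshake, -1 if none.
handshake_age() {
    printf '%s\n' "$1" | awk -v now="$2" '
        $2 > 0 && $2 > best { best = $2 }
        END { if (best > 0) print now - best; else print -1 }'
}

# rx_bytes TRANSFER_LINES -> total bytes received from all listed peers.
rx_bytes() {
    printf '%s\n' "$1" | awk '{ s += $2 } END { print s + 0 }'
}

# peer_state HS_LINES TRANSFER_LINES NOW -> prints one of:
#   no-handshake  never completed a handshake: mismatched keys or PSK, wrong
#                 endpoint, or the same peer identity active on another device
#   stale         last handshake older than 180 s; with keepalive 25 a live
#                 tunnel re-handshakes about every two minutes
#   no-rx         handshake fine but nothing received: traffic is not coming
#                 back (far-side routing or firewall, or nothing enters the tunnel)
#   ok
peer_state() {
    age=$(handshake_age "$1" "$3")
    rx=$(rx_bytes "$2")
    if   [ "$age" -lt 0 ];   then echo no-handshake
    elif [ "$age" -gt 180 ]; then echo stale
    elif [ "$rx" -eq 0 ];    then echo no-rx
    else                          echo ok
    fi
}

# key_looks_valid KEY -> success if KEY has the shape of a WireGuard key:
# 32 bytes base64-encoded, i.e. 43 characters plus one '=' of padding.
# Catches the usual copy/paste damage (dropped trailing '=', stray spaces,
# truncation); it cannot tell whether the key is the *right* one.
key_looks_valid() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

peer_state "$SAMPLE_HS_NONE" "$SAMPLE_TX_NONE" 1735737000   # no-handshake
```

On the router: peer_state "$(wg show vpn latest-handshakes)" "$(wg show vpn transfer)" "$(date +%s)". A no-handshake result means the far side never accepted the handshake, so checking keys, preshared key and endpoint (and that no other device is using the same profile) comes before any routing or firewall work; no-rx with a good handshake points at the route_allowed_ips and zone settings discussed above instead.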

That solved my issue.
It's working now!
Thank you.

@psherman, which interface should I set Google DNS on?
Now my router itself doesn't resolve google.com (but I can ping 8.8.8.8 from the router).
I set 8.8.8.8 as DNS on my Windows PC's network card and the internet works.

Set the dns in the dnsmasq (system) resolver.

Is this done in LuCI or in some file?
Any link to instructions, please?

See DNS forwarding,

or, via LuCI:

Network > DHCP and DNS > Forwards > DNS Forwards
