ChrisK
February 9, 2024, 8:35am
Hi all,
I can't get a WireGuard VPN set up correctly.
When I use WireGuard on my phone, connected to the OpenWrt WireGuard server: handshake OK, data RX / TX OK, but whenever I open a website I always get the error:
Website not reachable
ERR_SSL_UNRECOGNIZED_NAME_ALERT
Internal websites like 192.168.1.1 are normally reachable
Just some info:
The firewall rule is active, otherwise I wouldn't see RX and TX on wg0 and couldn't reach internal hosts.
Firewall Zone Settings > WAN > ACCEPT > MSS Clamping + Masquerading active
egc
February 9, 2024, 11:27am
How do you connect to the WG server by IPv6 or IPv4?
Please connect to your OpenWrt device using ssh, then copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
WG config of the remote client
ChrisK
February 9, 2024, 11:53am
[Solved]
root@OpenWrt:~# ubus call system board
{
"kernel": "5.15.137",
"hostname": "OpenWrt",
"system": "ARMv7 Processor rev 5 (v7l)",
"model": "Linksys MR8300 (Dallas)",
"board_name": "linksys,mr8300",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.2",
"revision": "r23630-842932a63d",
"target": "ipq40xx/generic",
"description": "OpenWrt 23.05.2 r23630-842932a63d"
}
}
cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config device
option name 'lan1'
option macaddr 'e8:9f:80:ad:30:d4'
config device
option name 'lan2'
option macaddr 'e8:9f:80:ad:30:d4'
config device
option name 'lan3'
option macaddr 'e8:9f:80:ad:30:d4'
config device
option name 'lan4'
option macaddr 'e8:9f:80:ad:30:d4'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '64'
list ip6class 'local'
list ip6class 'wan6'
option ip6ifaceid '::3'
config device
option name 'wan'
option macaddr 'e8:9f:80:ad:30:d3'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
option reqaddress 'try'
option reqprefix 'auto'
config interface 'wg0'
option proto 'wireguard'
option private_key 'KEY'
option listen_port '35777'
list dns '8.8.8.8'
list dns '1.1.1.1'
list dns '2001:4860:4860::8888'
list dns '2001:4860:4860::8844'
option ip6assign '64'
list ip6class 'local'
list ip6class 'wan6'
list addresses '192.168.13.1/24'
list addresses 'fd00::78/64'
option ip6ifaceid 'eui64'
option mtu '1300'
config device
option name 'wg0'
option macaddr 'EA:9F:80:AD:30:F2'
option acceptlocal '0'
option multicast '0'
option ipv6 '1'
option mtu '1300'
option mtu6 '1300'
config wireguard_wg0
option description 'test'
option public_key 'KEY'
option private_key 'KEY'
option persistent_keepalive '25'
option route_allowed_ips '1'
list allowed_ips '192.168.13.5/32'
list allowed_ips 'fd00::41/64'
config wireguard_wg0
option description 'Chris2'
option public_key 'KEY'
option private_key 'KEY'
list allowed_ips '192.168.13.6/32'
list allowed_ips 'fd00::47/64'
option persistent_keepalive '25'
option endpoint_host 'MYDNS.ddnss.de'
option endpoint_port '35777'
option route_allowed_ips '1'
cat /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'wg0'
config zone
option name 'wan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'Pi'
list proto 'tcp'
option src 'wan'
option src_dport '443'
option dest_ip '192.168.1.2'
option dest_port '443'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'WireGuard'
list proto 'udp'
option src 'wan'
option src_dport '35777'
list reflection_zone 'lan'
option dest_ip '192.168.1.1'
option dest_port '35777'
config redirect
option dest 'lan'
option target 'DNAT'
list proto 'udp'
option src 'wan'
option src_dport '35777'
option dest_ip 'fe80::ea9f:80ff:fead:30d4'
option dest_port '35777'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'test'
option src 'wan'
option src_dport '35777'
option dest_port '35777'
list proto 'udp'
option enabled '0'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'test2'
option family 'ipv6'
list proto 'udp'
option src 'wan'
option src_dport '35777'
option dest_ip 'fe80::ea9f:80ff:fead:30d4'
option dest_port '35777'
option reflection '0'
option enabled '0'
CONF1
[Interface]
PrivateKey = KEY
Address = 192.168.13.5/32, fd00::41/64
# ListenPort not defined
DNS = 192.168.1.1
[Peer]
PublicKey = KEY
# PresharedKey not used
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = MYDNS.ddnss.de:35777
PersistentKeepAlive = 25
CONF2
[Interface]
PrivateKey = KEY
Address = 192.168.13.6/32, fd00::47/64
ListenPort = 35777
DNS = 192.168.1.1
[Peer]
PublicKey = KEY
# PresharedKey not used
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = MYDNS.ddnss.de:35777
PersistentKeepAlive = 25
It could also be that I messed something up completely. I've been trying to "fix" it by clicking around a lot for 3 days, and actually connecting via VPN isn't possible at all — probably because I messed up the firewall rules. No idea... it's giving me a headache.
egc
February 9, 2024, 1:31pm
This probably needs another pair of eyes to untangle, but I will give it a try.
First remove this:
For the WG server interface:
Change to:
config interface 'wg0'
option proto 'wireguard'
option private_key 'KEY'
option listen_port '35777'
list addresses '192.168.13.1/24'
list addresses 'fd00::78/64'
option mtu '1300'
MTU leave for now
For your two WG clients
Change to:
config wireguard_wg0
option description 'test'
option public_key 'KEY'
option private_key 'KEY'
option route_allowed_ips '1'
list allowed_ips '192.168.13.5/32'
list allowed_ips 'fd00::41/128'
config wireguard_wg0
option description 'Chris2'
option public_key 'KEY'
option private_key 'KEY'
list allowed_ips '192.168.13.6/32'
list allowed_ips 'fd00::47/128'
option route_allowed_ips '1'
Now on to the Firewall
Remove all of this:
You only need a simple access rule to allow port 35777 in to the router (by default this rule applies to both IPv4 and IPv6). Note that such a rule only has an effect when the wan zone's input policy is REJECT (the OpenWrt default); the wan zone you posted has input 'ACCEPT', which already lets everything from WAN into the router.
config rule
option name 'wgserver'
list proto 'udp'
option src 'wan'
option dest_port '35777'
option target 'ACCEPT'
I probably overlooked some things, but I hope we are moving in the right direction.
Reboot afterwards, then post the settings again together with the output of:
wg show
after you have tried to connect from your phone on cellular to your router.
egc
February 9, 2024, 1:43pm
To add: assuming you are using IPv6, you need selective NAT out of the router for the WG IPv6 subnet, e.g.:
config nat 'nat6'
option family 'ipv6'
option proto 'all'
option src 'wan'
option src_ip 'fd00::/64'
option target 'MASQUERADE'
egc
February 9, 2024, 2:43pm
Awesome that you got it working!
I really appreciate that you want to donate, but it's not necessary at all — we are here for free and open source.
But if you are satisfied and have a working solution for your use case, please mark the topic as solved:
Go to the very top of your topic, i.e. to your first posting
Click the pencil behind the topic
===> If there is no pencil and you can not edit the topic title, skip this and jump to step #5 below. <===
===> If there is no pencil and you can not edit the topic title, skip this and jump to step #5 below. <===
Add "[Solved]" in front of the topic
Click the checkmark to save the edit
If there is a specific posting that contributed the most to the solution, you can mark t…