OpenWrt-Wireguard only TX

Hi friends, thanks to this wonderful community I managed to fix many things on my GL.iNet AR750S Ext device, and I am sure I will be able to solve this problem with your help.

My WireGuard server, once started, only transmits packets without receiving any. Here is the config:

root@OpenWrt:~# vim /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdf2:c117:f722::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.8.1'
        option gateway '192.168.1.1'
        list dns '1.0.0.1'
        list dns '1.1.1.1'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.1.24'
        option gateway '192.168.1.1'
        list dns '1.0.0.1'
        list dns '1.1.1.1'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

config interface 'WireGuard'
        option proto 'wireguard'
        list addresses '10.0.0.1'
        option listen_port '51820'
        option private_key 'client-publickey'

config wireguard_WireGuard
        option public_key 'server-publickey'
        option description 'wg1'
        option persistent_keepalive '25'
        list allowed_ips '10.0.0.2'
        option route_allowed_ips '1'

What is the other peer? Is it a commercial VPN service? One of your devices (like a phone or laptop)? or something else?

I'm going to guess that you have a key problem, at least if your redaction labels are correct.
The wireguard interface must have the local private key.
The wireguard peer config must have the peer public key.


A normal internal Wireguard VPN that uses no external server.

OK, to understand better, I'll show my partial keys:
server-privatekey: MHO8xxxxxxxxxxxxxxxxx =
server-publickey: iGeG2dTIkxxxxxxxxxxxxx =

client-privatekey: eGlhyQDWxxxxxxxxxxxxxxxx=
client-publickey: So0chBHXQxxxxxxxxxxxxxxx=

What?

Wireguard must have 2 endpoints -- one that you have running on your system (i.e. your router, computer, mobile device), and the other somewhere else.

You obviously are running this on your router. What/where is the other end?

Sorry if I have any difficulty in understanding; thank you for your availability. I am following the LuCI WireGuard interface, and everything the interface asks me for I inserted; the other half in that screenshot that I posted maybe is not there.

Wireguard is a VPN. It connects two remote devices/networks together.

For example:

  1. your OpenWrt router at home <--> your phone or your computer in a remote location (i.e. when you're traveling)
  2. your OpenWrt router at home <--> a commercial VPN service
  3. your OpenWrt router while traveling <--> your OpenWrt router at home
  4. your OpenWrt router at home <--> your office/school/etc.

There must always be two endpoints. Your OpenWrt AR750S is one end point. What is the other?

Also, I assume the subnets are messed up.

Make e.g. /24 to define a network on the OpenWrt.

Make /32 to define a single host at the far-end peer.

I'm thinking they're both defined as /32's, placing them in different networks/subnets, each as a defined single IP.

config interface 'WireGuard'
        option proto 'wireguard'
        option private_key 'server-privatekey='
        option listen_port '52820'
        list addresses '10.0.0.1/32'

config wireguard_WireGuard
        option description 'wg1'
        option persistent_keepalive '25'
        option route_allowed_ips '1'
        option endpoint_host 'mydns.duckdns.org'
        option public_key 'client-publickey='
        option endpoint_port '51820'
        list allowed_ips '10.0.0.2/24'


What are you connecting to at the other end?

The connection is between notebook - AR750S (OpenWrt WireGuard) - Vodafone ADSL router.

I actually suggested:

/24

/32

But OK.

Nothing to do at this point; I think the firewall must be configured. The fact that there is TX and not RX makes me think about this?

How should the firewall be configured?

config interface 'WireGuard'
        option proto 'wireguard'
        option private_key 'xxxxxxxi2XmhPR2k='
        option listen_port '52820'
        list addresses '10.0.0.1/24'

config wireguard_WireGuard
        option description 'wg1'
        option persistent_keepalive '25'
        option route_allowed_ips '1'
        option endpoint_host 'xxxx.duckdns.org'
        option public_key 'xxxxxxxxxx2zxPr+C0='
        option endpoint_port '51820'
        list allowed_ips '10.0.0.2/32'
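The two mistakes discussed above (a redaction label or a public key pasted where the private key belongs, and /32 vs /24 on the wrong side) can be caught mechanically before restarting the interface. This is an added example, not code from the thread or from OpenWrt: a small UCI parser plus a checker run over a constructed copy of the second config posted above; `parse_uci`, `check_wireguard` and `SAMPLE` are assumed names.

```python
import ipaddress
import re

# Constructed sample: the second config posted in the thread, keys replaced by labels.
SAMPLE = """\
config interface 'WireGuard'
        option proto 'wireguard'
        option private_key 'server-privatekey='
        option listen_port '52820'
        list addresses '10.0.0.1/32'

config wireguard_WireGuard
        option endpoint_host 'mydns.duckdns.org'
        option public_key 'client-publickey='
        option endpoint_port '51820'
        list allowed_ips '10.0.0.2/24'
"""

# A WireGuard key is 32 bytes: 43 base64 chars (the last with two zero bits) plus '='.
KEY_RE = re.compile(r"^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$")


def parse_uci(text):
    """Return [(section_type, {key: [values]})] from UCI config text."""
    sections = []
    for line in text.splitlines():
        parts = line.strip().split(None, 2)
        if parts and parts[0] == "config":
            sections.append((parts[1], {}))
        elif len(parts) == 3 and parts[0] in ("option", "list") and sections:
            sections[-1][1].setdefault(parts[1], []).append(parts[2].strip("'\""))
    return sections


def check_wireguard(text):
    """Return findings for the key-format and prefix-length problems seen in the thread."""
    findings = []
    for stype, opts in parse_uci(text):
        if stype == "interface" and opts.get("proto") == ["wireguard"]:
            if not KEY_RE.match(opts.get("private_key", [""])[0]):
                findings.append("interface private_key is not a 32-byte base64 key")
            for addr in opts.get("addresses", []):
                net = ipaddress.ip_interface(addr)
                if net.network.prefixlen == net.max_prefixlen:
                    findings.append(f"address {addr} is a single host; use e.g. /24 for the tunnel network")
        elif stype.startswith("wireguard_"):
            if not KEY_RE.match(opts.get("public_key", [""])[0]):
                findings.append("peer public_key is not a 32-byte base64 key")
            for aip in opts.get("allowed_ips", []):
                net = ipaddress.ip_interface(aip)
                if net.ip != net.network.network_address:
                    findings.append(f"allowed_ips {aip} has host bits set; a single far-end host should be /32")
    return findings
```

Running `check_wireguard(SAMPLE)` reports all four problems in that config; the corrected version posted afterwards (/24 on the interface, /32 on the peer, real keys) produces no findings.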

Only the "server end" (the one with the firewall rule) needs a port specified!

You do realize that this is entirely useless. One end of your wg tunnel is at your laptop. The other end terminates at the OpenWrt router. The two are already directly connected to each other, so there is no value in encrypting your data between them unless you will also have untrusted devices joining the same network.

This configuration offers no added security beyond the AR750S.

The security lies in the fact that the data flow sent from my notebook is encrypted via my AR750S WireGuard router to the Vodafone station.

No, it isn't.

The AR750S was born for this reason: it acts as a bridge between a device and a router, offering the possibility to encrypt the data flow.

No, it doesn't. You're encrypting the data between the notebook and the AR750S, that's it. If the Vodafone modem isn't in between them, then the data will not be encrypted.