OpenWRT wireguard server behind ISP NAT

Hi,

I have my OpenWRT router which also works as wireguard server for my devices. My router was connected to the bridged port of the router provided by my ISP (OpenWRT router obtained public ipv4 address, public ipv6 address and ipv6 prefix) and my clients could connect to wireguard server (in both ipv4 and ipv6 modes). My ISP decided not to allow bridged ports anymore, so my OpenWRT router WAN address became 192.168.64.100 (while my ISP router has 192.168.64.1 ipv4 address). My OpenWRT device is still in the router mode (all local connected devices are on 192.168.1.x subnet and receive ipv6 addresses by wan/lan dhcpv6 relay mode). However, there is a problem now with wireguard. While my devices can still connect to wireguard server, there is no (or very little) data exchange going on between server and clients, and the internet does not work. I can see clients connected to wireguard server (in Luci wireguard overview tab), but no handshake happens between clients and server. My ISP router has very limited settings, but I managed to forward UDP 51820 (wireguard port) to 192.168.64.100 (OpenWRT router "WAN" address). If needed, I can share my wireguard setup information later (however, it is a fairly standard one). Do you have any ideas what to do to convince wireguard to work in such a stupid network?

Does your ISP router have a proper public IPv4 address on its wan? That will be required.

Let's see your current config:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
wg show

Also please include your remote peer's config.

Chances are that your ISP router does not have a public IPv4 address any more.

Please check your WAN IPv4 address on the ISP router.

You might have a CGNAT address (100.64.0.0/10)

My ISP router has a proper public ipv4 address (91.xx.xx.xx). I will post other info later today.

That is great :slight_smile:

Do not forget to port forward from your ISP router

I already forwarded the required port from my ISP router. But it does not solve the problem. One additional (obvious) observation. If I connect to wireguard from my lan network, the connection works as expected.

  "kernel": "6.6.30",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 0",
        "model": "FriendlyElec NanoPi R5C",
        "board_name": "friendlyarm,nanopi-r5c",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "revision": "r26272-39f595d1d8",
                "target": "rockchip/armv8",
                "description": "OpenWrt SNAPSHOT r26272-39f595d1d8"

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd0f:xxxx:xxxx::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config device
        option name 'eth0'
        option macaddr 'c2:d8:xx:xx:xx:xx'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '192.168.1.1'
        list dns 'fd0f:xxxx:xxxx::1'

config device
        option name 'eth1'
        option macaddr 'c2:d8:xx:xx:xx:xx'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'
        option norelease '1'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option norelease '1'

config interface 'vpn'
        option proto 'wireguard'
        option private_key 'KCxxxxxxxxxxxxxxx='
        option listen_port '51820'
        list addresses '192.168.9.1/24'
        list dns '192.168.1.1'

config wireguard_vpn 'wgclient'
        option public_key 'hXxxxxxxxxxxxxx='
        option preshared_key 'n/xxxxxxxxxxxxx='
        list allowed_ips '192.168.9.2/32'
        option description 'Laptop'
        option route_allowed_ips '1'

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        list network 'lan'
        list network 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

interface: vpn
  public key: xXxxxxxxxxxxxxxxxxxxxxxxxxxx=
  private key: (hidden)
  listening port: 51820

peer: hXxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
  preshared key: (hidden)
  endpoint: 188.xxx.xxx.xxx:51820
  allowed ips: 192.168.9.2/32
  latest handshake: 16 hours, 17 minutes, 56 seconds ago
  transfer: 525.14 KiB received, 1.65 MiB sent

[Interface]
PrivateKey=yCxxxxxxxxxxxxxxxxxxx=
ListenPort=51820
Address=192.168.9.2/32
DNS=192.168.1.1

[Peer]
PublicKey=xXxxxxxxxxxxxxxxxxxxxxxxxxxx=
PresharedKey=n/xxxxxxxxxxxxxxxxxxxxxxxxx=
AllowedIPs=0.0.0.0/0
Endpoint=secxxxxxx.net:51820


Some small things.

Remove list dns '192.168.1.1': you cannot point DNSMasq to itself.

Remove option masq '1'

For your client configs, for the time being, do not use 192.168.1.1 as DNS server; it is possible that DNSMasq is not listening on the WG interface or only serves local subnets, so for now use e.g. 9.9.9.9.

wg show shows the last handshake 16 hours ago, so reboot the router and check again with wg show after trying to connect from outside.

You can see if there is traffic coming from the ISP router (after you tried to connect from outside) with:
nft list chain inet fw4 input_wan
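As an added illustration of the counter check above (my own script, not egc's or OpenWrt's), this compares the packet counter of the fw4 Allow-WireGuard rule before and after a connection attempt from outside; the sample nft listings embedded in it are constructed, not real captures, and it assumes fw4/nftables (OpenWrt 22.03 or newer) and the rule text fw4 prints for an accept rule on udp dport 51820.

```shell
#!/bin/sh
# Added example, not from the thread: compare the fw4 'Allow-WireGuard'
# packet counter in `nft list chain inet fw4 input_wan` before and after a
# connection attempt from outside. If the counter does not move, UDP 51820
# never reaches the OpenWrt WAN (the ISP router's forward is not working);
# if it does move but `wg show` still shows no handshake, look at keys,
# endpoint or the peer config instead. Assumes fw4/nftables (OpenWrt 22.03+).

# Print the packet counter of the accept rule for "udp dport <port>"
# (default 51820) from an nft chain listing read on stdin; 0 if absent.
wg_rule_packets() {
    awk -v port="${1:-51820}" '
        $0 ~ ("udp dport " port " ") && /counter packets/ {
            for (i = 1; i <= NF; i++)
                if ($i == "packets") { print $(i + 1); found = 1; exit }
        }
        END { if (!found) print 0 }'
}

# Packets that arrived between two listings passed as strings (port optional).
wg_delta() {
    before=$(printf '%s\n' "$1" | wg_rule_packets "$3")
    after=$(printf '%s\n' "$2" | wg_rule_packets "$3")
    echo $((after - before))
}

# Take a snapshot of the live chain (run on the OpenWrt router as root).
snapshot_input_wan() {
    nft list chain inet fw4 input_wan
}

# Constructed sample listings in the format fw4 prints (not real captures).
SAMPLE_BEFORE='	chain input_wan {
		meta nfproto ipv4 udp dport 68 counter packets 12 bytes 4008 accept comment "!fw4: Allow-DHCP-Renew"
		udp dport 51820 counter packets 4 bytes 692 accept comment "!fw4: Allow-WireGuard"
		ct status dnat accept comment "!fw4: Accept port redirections"
		jump reject_from_wan
	}'
SAMPLE_AFTER='	chain input_wan {
		meta nfproto ipv4 udp dport 68 counter packets 12 bytes 4008 accept comment "!fw4: Allow-DHCP-Renew"
		udp dport 51820 counter packets 9 bytes 1412 accept comment "!fw4: Allow-WireGuard"
		ct status dnat accept comment "!fw4: Accept port redirections"
		jump reject_from_wan
	}'

# Live use: BEFORE=$(snapshot_input_wan); <connect from outside>; AFTER=$(snapshot_input_wan)
# then: wg_delta "$BEFORE" "$AFTER"
echo "sample delta: $(wg_delta "$SAMPLE_BEFORE" "$SAMPLE_AFTER") packets reached the WireGuard rule"
```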

Normally you would acquire a public port via natpmpc or upnpc.

No, WireGuard does not use these protocols to open/forward ports.

The ports must be opened and/or forwarded manually. The OP's config shows that they do have the port open on the wan, and they said that they had done the port forward from the upstream router to OpenWrt.


Yes, wireguard does not do it, but you can open a public UDP listener manually, acquire a hostname via some ddns, and get incoming connections through double NAT or CG-NAT.

Generally speaking, no, this isn't going to work for WG. There may be tricks that could make this plausible, but it would be quite fragile and may also be a bad idea for security. For users who have CG-NAT or double-NAT for which they cannot setup port forwards, the recommended path is to use something like zerotier or Tailscale. But this doesn't currently seem to be relevant to the OP's situation based on the previous parts of the discussion (unless we learn otherwise as we move forward).

I changed configuration as suggested by egc, but wireguard still does not work. The handshake was successful when I connected to wireguard from my lan. I think this is the part related to wireguard if I run: nft list chain inet fw4 input_wan

udp dport 51820 counter packets 4 bytes 692 accept comment "!fw4: Allow-WireGuard"
ct status dnat accept comment "!fw4: Accept port redirections"
jump reject_from_wan

Let's double check a few things:

  1. Can you show us your main router's port forward config (a screen grab is fine)?
  2. What is the output of ifstatus wan | grep address
  3. How did you determine your public IP address?
  4. How are you connecting from your remote peer? Is it via a domain name or directly by IP address?

I deleted 51820 port forward on my ISP router and created the same rule once again. Now it works :slight_smile: Something must have gone wrong when I created the rule for the first time (I need to log in to my ISP website and remotely change router settings, it is not done locally...).

I have another challenge for you. How to enable ipv6 on such a configuration? I remember I once used NATv6 to do this, before I managed to properly set up wireguard (but that was when I had a 64-bit prefix delegated by the ISP).

Awesome!

This is not my area of expertise, so I will defer to others who can speak about IPv6 more authoritatively.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

Great that it works :slight_smile:

I have it running with IPv6, I use ULA addresses with NAT66, I know there are other ways using GUA addresses with a PD of the router, but I have dynamic prefixes so I did not venture into that direction.

I suggest you make a new topic about IPv6

The error repeated today. So, again there is no handshake between client and server. I tried adding/removing the ISP router port forward rule multiple times, but to no avail. I guess there is nothing I can do (all wireguard/OpenWRT configs seem to be fine) to make it work reliably. So I will either stop using wireguard (frankly, I have no urgent need to use it anymore) or pay my ISP an additional fee to allow me to use a public IP on my OpenWRT router.
