OpenWrt wireguard server with Debian roadwarrior [Solved]

And the public key for each peer is different? Taken from the setup on the client device?

1 Like

The public key was generated by Android application with QR-code. Let me regenerate by hand, give some minutes. This could be it.

The Android app does not use nice fonts and I cannot distinguish L from l from I.

I regenerated client keys (private, public and PSK).

Now it returns:
wg show

interface: wg0
  public key: ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
  private key: (hidden)
  listening port: 51820

peer: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  preshared key: (hidden)
  allowed ips: 10.0.10.2/32, 10.0.10.3/32
  persistent keepalive: every 25 seconds

So it is not complaining for public key any longer!
Still I cannot connect with Debian client.

That would appear to indicate that the same public key is being used for both peers, unless you've changed one of the peer configs to put both 10.0.10.2/32 and 10.0.10.3/32 in the AllowedIPs?

1 Like

All public and private keys are different, I just double-checked.

Have you restarted the WG interface?

I juste restarted and wg show is still similar. To make it simple and avoid reading the whole thread, my config is as follows:

config interface 'wg0'
        option proto 'wireguard'
        list addresses '10.0.10.1/24'
        option private_key ''
        option listen_port '51820'

config wireguard_wg0
        option public_key ''
        option preshared_key ''
        option description 'x230'
        option persistent_keepalive '25'
        list allowed_ips '10.0.10.2'

#config wireguard_wg0
        option public_key ''
        option preshared_key ''
        option description 'samsunggalaxy'
        option persistent_keepalive '25'
        list allowed_ips '10.0.10.3'

Get rid of the # and then restart everything again.

1 Like

Good catch, thanks. Works.

wg show

interface: wg0
  public key: AAAAAAAAAAAAAAAAAAAAAAAAAA
  private key: (hidden)
  listening port: 51820

peer: BBBBBBBBBBBBBBBBBBBBBBBBBB
  preshared key: (hidden)
  allowed ips: 10.0.10.2/32
  persistent keepalive: every 25 seconds

peer: CCCCCCCCCCCCCCCCCCCCCCCCC
 preshared key: (hidden)
  allowed ips: 10.0.10.3/32

Many thanks.

In fact, you can set up WG server and generate client profiles with a single script.
All that remains is to transfer and import client profiles.
It helps to avoid a lot of mistakes like those.

Thanks. One last question.

My LAN and WLAN are on the same bridge, so they are on the same subnet.

When connection to a WLAN or a LAN host, no encryption is being used as shown in the routing table on client side:
sudo route -n

Table de routage IP du noyau
Destination     Passerelle      Genmask         Indic Metric Ref    Use Iface
0.0.0.0         192.168.9.1     0.0.0.0         UG    100    0        0 enp0s25
0.0.0.0         192.168.9.1     0.0.0.0         UG    600    0        0 wlp3s0
10.0.10.0       0.0.0.0         255.255.255.0   U     0      0        0 wg0
192.168.9.0     0.0.0.0         255.255.255.0   U     100    0        0 enp0s25
192.168.9.0     0.0.0.0         255.255.255.0   U     600    0        0 wlp3s0
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0

It's only when connecting to an address other than 192.168.9.x that VPN is being used.

Now that my wireless clients are using wg VPN, I would like to access the LAN using wireguard and not only wireless. This means that I would like to have different subnets, one for wireless and one for WIFI.

I am not sure how to achieve it. Does it mean I shall create a separate VLAN for my LAN? Is there a quick way to seperate WLAN and LAN in LuCi and have seperate DHCP for hosts?

It could be tricky as I also have a mesh running. So I would like to keep WLAN+mesh on the one hand and LAN on the other hand.

Personally, I use different domain suffixes to resolve LAN and VPN host names separately:

  • VPN suffix is configured to expand short names automatically.
  • LAN suffix relies on mDNS, so it works even when VPN is not available.

Thanks, I would be glad if you could share your configuration.

My point is that when a host (typically a small server) is connected to the OpenWRT router switch with ethernet, it does not need a point-to-point VPN as the router can take care of VPN. In a small family, I trust my ethernet wires. I only want to protect wireless WIFI or 4G roaming

So a typical roadwarrior traceroute would be:
wireless client => VPN wireless client => >VPN OpenWRT router => mini server via ethernet

So all I need to do is create a seperate subnet on both ethernet ports on my GliNet B1300 router seperate from br-lan bridge. How to achieve that? Is your sufix solution even simplier?

It should be similar to guest WLAN, except for the wireless configuration step:
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan

Just disable bridging for LAN and assign your WLAN to the network created on the first step.

Thanks. This is a very interesting approach.

I am planning to offer two ESSID on wireless WIFI: essid-secure and essid-unsecure.

On essid-secure I will allow only wireguard port and kick off all other traffic. On essid-unsecure, I can connect my television and other unsecure devices and kick them away from the main network.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.