Replace OpenVPN with WireGuard

Hi,
I had OpenVPN running successfully. Then, on upgrading to 21.02.0 r16279-5cc0535800, I bricked the device.
So I reflashed it via TFTP. Now all config is lost and I want to try a WireGuard server instead of OpenVPN.
I used this guide:

But I can't connect to the server. The client sends out the handshake but it never gets returned, neither from the Android mobile client nor from the Windows client.

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2021.09.18 16:12:52 =~=~=~=~=~=~=~=~=~=~=~=
# Log and status
root@OpenWrt:/# logread -e vpn; netstat -l -n -p | grep -e "^udp\s.*\s-$"
Sat Sep 18 14:12:26 2021 daemon.notice netifd: Network device 'vpn' link is down
Sat Sep 18 14:12:26 2021 daemon.notice netifd: Interface 'vpn' is now down
Sat Sep 18 14:12:33 2021 daemon.notice netifd: Interface 'vpn' is setting up now
Sat Sep 18 14:12:39 2021 daemon.notice netifd: Interface 'vpn' is now up
Sat Sep 18 14:12:39 2021 daemon.notice netifd: Network device 'vpn' link is up
Sat Sep 18 14:12:40 2021 user.notice firewall: Reloading firewall due to ifup of vpn (vpn)
udp        0      0 0.0.0.0:51820           0.0.0.0:*                           -
udp        0      0 :::51820                :::*                                -
root@OpenWrt:/# pgrep -f -a wg; wg show; wg showconf vpn
8022 wg-crypt-vpn
interface: vpn
  public key: wINoxeNhmHOC8qsty7HWU0E6EcpD2eKE9Q/J2Dm9WBw=
  private key: (hidden)
  listening port: 51820

peer: B8NzLDGoQ5HZ12MVD20HyxwjP68e+R3ErdpPG2gZpXo=
  preshared key: (hidden)
  endpoint: 194.x.x.103:51820
  allowed ips: 192.168.9.2/32, fdf1:e8a1:8d3f:9::2/128
  transfer: 0 B received, 740 B sent
  persistent keepalive: every 25 seconds
[Interface]
ListenPort = 51820
PrivateKey = ePkikYBGmqI2da36g9z2ZxTyLRgTMOyhgCz/yhlJnkU=

[Peer]
PublicKey = B8NzLDGoQ5HZ12MVD20HyxwjP68e+R3ErdpPG2gZpXo=
PresharedKey = USIWiupHj+Yy+JMJG3txtCwf1G+AttdvzHXmWVoRmyk=
AllowedIPs = 192.168.9.2/32, fdf1:e8a1:8d3f:9::2/128
Endpoint = 194.x.x.103:51820
PersistentKeepalive = 25
root@OpenWrt:/# ip address show; ip route show table all
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    link/ether 6c:b0:ce:1b:95:da brd ff:ff:ff:ff:ff:ff
    inet6 fe80::6eb0:ceff:fe1b:95da/64 scope link 
       valid_lft forever preferred_lft forever
11: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 6c:b0:ce:1b:95:da brd ff:ff:ff:ff:ff:ff
    inet6 fe80::6eb0:ceff:fe1b:95da/64 scope link 
       valid_lft forever preferred_lft forever
15: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 6c:b0:ce:1b:95:db brd ff:ff:ff:ff:ff:ff
    inet 194.x.x.103/27 brd 194.x.x.127 scope global eth0.2
       valid_lft forever preferred_lft forever
    inet6 fe80::6eb0:ceff:fe1b:95db/64 scope link 
       valid_lft forever preferred_lft forever
24: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 6c:b0:ce:1b:95:da brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fdc9:5bf2:c819::1/60 scope global noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::6eb0:ceff:fe1b:95da/64 scope link 
       valid_lft forever preferred_lft forever
25: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 6c:b0:ce:1b:95:da brd ff:ff:ff:ff:ff:ff
26: vpn: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
    link/[65534] 
    inet 192.168.9.1/24 brd 192.168.9.255 scope global vpn
       valid_lft forever preferred_lft forever
    inet6 fdf1:e8a1:8d3f:9::1/64 scope global 
       valid_lft forever preferred_lft forever
27: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 6c:b0:ce:1b:95:dc brd ff:ff:ff:ff:ff:ff
    inet6 fe80::6eb0:ceff:fe1b:95dc/64 scope link 
       valid_lft forever preferred_lft forever
28: wlan0-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 6e:b0:ce:1b:95:da brd ff:ff:ff:ff:ff:ff
    inet6 fe80::6cb0:ceff:fe1b:95da/64 scope link 
       valid_lft forever preferred_lft forever
default via 194.x.x.97 dev eth0.2  src 194.x.x.103 
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1 
192.168.9.0/24 dev vpn scope link  src 192.168.9.1 
192.168.9.2 dev vpn scope link 
194.x.x.96/27 dev eth0.2 scope link  src 194.x.x.103 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
broadcast 192.168.1.0 dev br-lan table local scope link  src 192.168.1.1 
local 192.168.1.1 dev br-lan table local scope host  src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan table local scope link  src 192.168.1.1 
broadcast 192.168.9.0 dev vpn table local scope link  src 192.168.9.1 
local 192.168.9.1 dev vpn table local scope host  src 192.168.9.1 
broadcast 192.168.9.255 dev vpn table local scope link  src 192.168.9.1 
broadcast 194.x.x.96 dev eth0.2 table local scope link  src 194.x.x.103 
local 194.x.x.103 dev eth0.2 table local scope host  src 194.x.x.103 
broadcast 194.x.x.127 dev eth0.2 table local scope link  src 194.x.x.103 
fdc9:5bf2:c819::/64 dev br-lan  metric 1024 
unreachable fdc9:5bf2:c819::/48 dev lo  metric 2147483647 
fdf1:e8a1:8d3f:9::2 dev vpn  metric 1024 
fdf1:e8a1:8d3f:9::/64 dev vpn  metric 256 
fe80::/64 dev eth0  metric 256 
fe80::/64 dev eth0.2  metric 256 
fe80::/64 dev br-lan  metric 256 
fe80::/64 dev wlan1  metric 256 
fe80::/64 dev wlan0  metric 256 
fe80::/64 dev wlan0-1  metric 256 
local ::1 dev lo table local  metric 0 
anycast fdc9:5bf2:c819:: dev br-lan table local  metric 0 
local fdc9:5bf2:c819::1 dev br-lan table local  metric 0 
anycast fdf1:e8a1:8d3f:9:: dev vpn table local  metric 0 
local fdf1:e8a1:8d3f:9::1 dev vpn table local  metric 0 
anycast fe80:: dev eth0.2 table local  metric 0 
anycast fe80:: dev eth0 table local  metric 0 
anycast fe80:: dev br-lan table local  metric 0 
anycast fe80:: dev wlan1 table local  metric 0 
anycast fe80:: dev wlan0 table local  metric 0 
anycast fe80:: dev wlan0-1 table local  metric 0 
local fe80::6cb0:ceff:fe1b:95da dev wlan0-1 table local  metric 0 
local fe80::6eb0:ceff:fe1b:95da dev eth0 table local  metric 0 
local fe80::6eb0:ceff:fe1b:95da dev br-lan table local  metric 0 
local fe80::6eb0:ceff:fe1b:95da dev wlan0 table local  metric 0 
local fe80::6eb0:ceff:fe1b:95db dev eth0.2 table local  metric 0 
local fe80::6eb0:ceff:fe1b:95dc dev wlan1 table local  metric 0 
multicast ff00::/8 dev eth0 table local  metric 256 
multicast ff00::/8 dev eth0.2 table local  metric 256 
multicast ff00::/8 dev br-lan table local  metric 256 
multicast ff00::/8 dev wlan1 table local  metric 256 
multicast ff00::/8 dev vpn table local  metric 256 
multicast ff00::/8 dev wlan0 table local  metric 256 
multicast ff00::/8 dev wlan0-1 table local  metric 256 
root@OpenWrt:/# ip rule show; iptables-save -c
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
# Generated by iptables-save v1.8.7 on Sat Sep 18 14:13:05 2021
*nat
:PREROUTING ACCEPT [100:37488]
:INPUT ACCEPT [1:328]
:OUTPUT ACCEPT [49:3863]
:POSTROUTING ACCEPT [5:600]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[100:37488] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[96:37243] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i vpn -m comment --comment "!fw3" -j zone_lan_prerouting
[4:245] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[78:5277] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[1:328] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o vpn -m comment --comment "!fw3" -j zone_lan_postrouting
[73:4677] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[1:328] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.7/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: WEB_443 (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 192.168.1.7/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: WEB_443 (reflection)" -j SNAT --to-source 192.168.9.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.7/32 -p tcp -m tcp --dport 81 -m comment --comment "!fw3: WEB_80 (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 192.168.1.7/32 -p tcp -m tcp --dport 81 -m comment --comment "!fw3: WEB_80 (reflection)" -j SNAT --to-source 192.168.9.1
[96:37243] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 194.x.x.103/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: WEB_443 (reflection)" -j DNAT --to-destination 192.168.1.7:443
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d 194.x.x.103/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: WEB_443 (reflection)" -j DNAT --to-destination 192.168.1.7:443
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 194.x.x.103/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: WEB_80 (reflection)" -j DNAT --to-destination 192.168.1.7:81
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d 194.x.x.103/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: WEB_80 (reflection)" -j DNAT --to-destination 192.168.1.7:81
[73:4677] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[73:4677] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[4:245] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: WEB_443" -j DNAT --to-destination 192.168.1.7:443
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: WEB_80" -j DNAT --to-destination 192.168.1.7:81
COMMIT
# Completed on Sat Sep 18 14:13:05 2021
# Generated by iptables-save v1.8.7 on Sat Sep 18 14:13:05 2021
*mangle
:PREROUTING ACCEPT [677:226343]
:INPUT ACCEPT [139:11570]
:FORWARD ACCEPT [468:179112]
:OUTPUT ACCEPT [183:27456]
:POSTROUTING ACCEPT [629:205688]
[14:688] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[11:540] -A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sat Sep 18 14:13:05 2021
# Generated by iptables-save v1.8.7 on Sat Sep 18 14:13:05 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[21:2485] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[120:9386] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[97:7627] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[2:80] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[1:328] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i vpn -m comment --comment "!fw3" -j zone_lan_input
[22:1431] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[468:179112] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[437:177618] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[31:1494] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i vpn -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[21:2485] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[166:26132] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[105:21901] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1:328] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o vpn -m comment --comment "!fw3" -j zone_lan_output
[60:3903] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[22:1431] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[2:80] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[1:328] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_ACCEPT -o vpn -m comment --comment "!fw3" -j ACCEPT
[31:1494] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[31:1494] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[1:328] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[1:328] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[1:328] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[1:328] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[1:328] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_src_ACCEPT -i vpn -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[22:880] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[69:4517] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[22:1431] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --sport 51820 -m comment --comment "!fw3: Allow-WireGuard" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[22:1431] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[60:3903] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[60:3903] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[22:1431] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sat Sep 18 14:13:05 2021
root@OpenWrt:/# ip -6 rule show; ip6tables-save -c
0:	from all lookup local 
32766:	from all lookup main 
4200000001:	from all iif lo lookup unspec 12
4200000015:	from all iif eth0.2 lookup unspec 12
4200000024:	from all iif br-lan lookup unspec 12
4200000026:	from all iif vpn lookup unspec 12
# Generated by ip6tables-save v1.8.7 on Sat Sep 18 14:13:06 2021
*mangle
:PREROUTING ACCEPT [111:33705]
:INPUT ACCEPT [82:13102]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [111:20127]
:POSTROUTING ACCEPT [113:20231]
[0:0] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sat Sep 18 14:13:06 2021
# Generated by ip6tables-save v1.8.7 on Sat Sep 18 14:13:06 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [20:1852]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[45:9865] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[37:3237] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[22:2030] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[13:1103] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i vpn -m comment --comment "!fw3" -j zone_lan_input
[2:104] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i vpn -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[45:9865] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[66:10262] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[31:7142] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[11:864] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o vpn -m comment --comment "!fw3" -j zone_lan_output
[4:404] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
[0:0] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[11:864] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_ACCEPT -o vpn -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[13:1103] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[13:1103] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[11:864] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[11:864] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[13:1103] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_src_ACCEPT -i vpn -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[4:404] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[2:104] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[2:104] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --sport 51820 -m comment --comment "!fw3: Allow-WireGuard" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[4:404] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[4:404] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sat Sep 18 14:13:06 2021
root@OpenWrt:/# uci show network; uci show firewall; crontab -l
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fdc9:5bf2:c819::/48'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='eth0.1'
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.@device[1]=device
network.@device[1].name='eth0.2'
network.@device[1].macaddr='6c:b0:ce:1b:95:db'
network.wan=interface
network.wan.device='eth0.2'
network.wan.proto='dhcp'
network.wan6=interface
network.wan6.device='eth0.2'
network.wan6.proto='dhcpv6'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='1 2 3 4 0t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='5 0t'
network.vpn=interface
network.vpn.proto='wireguard'
network.vpn.private_key='ePkikYBGmqI2da36g9z2ZxTyLRgTMOyhgCz/yhlJnkU='
network.vpn.listen_port='51820'
network.vpn.addresses='192.168.9.1/24' 'fdf1:e8a1:8d3f:9::1/64'
network.wgclient=wireguard_vpn
network.wgclient.public_key='B8NzLDGoQ5HZ12MVD20HyxwjP68e+R3ErdpPG2gZpXo='
network.wgclient.preshared_key='USIWiupHj+Yy+JMJG3txtCwf1G+AttdvzHXmWVoRmyk='
network.wgclient.allowed_ips='192.168.9.2/32' 'fdf1:e8a1:8d3f:9::2/128'
network.wgclient.endpoint_host='my.dns.at'
network.wgclient.description='Note 8'
network.wgclient.route_allowed_ips='1'
network.wgclient.endpoint_port='51820'
network.wgclient.persistent_keepalive='25'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.lan=zone
firewall.lan.name='lan'
firewall.lan.input='ACCEPT'
firewall.lan.output='ACCEPT'
firewall.lan.forward='ACCEPT'
firewall.lan.network='lan' 'vpn'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.input='REJECT'
firewall.wan.output='ACCEPT'
firewall.wan.forward='REJECT'
firewall.wan.masq='1'
firewall.wan.mtu_fix='1'
firewall.wan.network='wan' 'wan6'
firewall.lan_wan=forwarding
firewall.lan_wan.src='lan'
firewall.lan_wan.dest='wan'
....
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].name='WEB_443'
firewall.@redirect[0].proto='tcp'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].src_dport='443'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].dest_ip='192.168.1.7'
firewall.@redirect[0].dest_port='443'
firewall.@redirect[1]=redirect
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].name='WEB_80'
firewall.@redirect[1].proto='tcp'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].src_dport='80'
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].dest_ip='192.168.1.7'
firewall.@redirect[1].dest_port='81'
firewall.@rule[10]=rule
firewall.@rule[10].name='Allow-WireGuard'
firewall.@rule[10].proto='udp'
firewall.@rule[10].src='wan'
firewall.@rule[10].src_port='51820'
firewall.@rule[10].target='ACCEPT'
crontab: can't open 'root': No such file or directory
root@OpenWrt:/#

I cannot find the reason why it cannot connect to the server.
I can ping my DNS and it shows me the correct IP.

Does anyone have an idea?

You must not specify endpoint* options on the server side.

This must be dest_port, not src_port.

3 Likes
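To make the second point above checkable rather than something you eyeball in a 400-line `iptables-save -c` dump, here is a small audit script. It is an added example written for this thread, not code from the thread or from OpenWrt; the sample dump is constructed from the rule lines quoted in the thread (the `--sport 51820` mistake and its `--dport 51820` correction), and the chain name `zone_wan_input` is the fw3 default on this release.

```python
import re

# Constructed sample modelled on the "iptables-save -c | grep 51820" lines in the thread:
# first the misconfigured rule (src_port -> --sport), then the corrected one (dest_port -> --dport).
SAMPLE_DUMP = """\
[0:0] -A zone_wan_input -p udp -m udp --sport 51820 -m comment --comment "!fw3: Allow-WireGuard" -j ACCEPT
[1:176] -A zone_wan_input -p udp -m udp --dport 51820 -m comment --comment "!fw3: Allow-WireGuard" -j ACCEPT
[22:1431] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
"""

# iptables-save -c prints each rule as "[packets:bytes] -A <chain> <matches> -j <target>"
RULE_RE = re.compile(r'^\[(\d+):(\d+)\]\s+-A\s+(\S+)\s+(.*)$')


def parse_rules(dump):
    """Yield (packets, bytes, chain, rule_body) for every counted rule line in a dump."""
    for line in dump.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)


def audit_wireguard_rule(dump, port=51820, chain='zone_wan_input'):
    """Decide whether the WAN input chain admits inbound WireGuard handshakes.

    'correct'    : an ACCEPT rule on <chain> matches udp with --dport <port>.
    'sport_only' : the thread's mistake, a rule matching --sport <port> only; the
                   client's source port is normally random, so that rule never hits.
    'packets'    : counter of the correct rule(s); 0 means no handshake has arrived yet.
    """
    result = {'correct': False, 'sport_only': False, 'packets': 0}
    dport = re.compile(rf'--dport\s+{port}\b')
    sport = re.compile(rf'--sport\s+{port}\b')
    for pkts, _, rule_chain, body in parse_rules(dump):
        if rule_chain != chain or '-p udp' not in body or '-j ACCEPT' not in body:
            continue
        if dport.search(body):
            result['correct'] = True
            result['packets'] += pkts
        elif sport.search(body):
            result['sport_only'] = True
    # a leftover --sport rule is harmless once a --dport rule exists
    result['sport_only'] = result['sport_only'] and not result['correct']
    return result


def advise(result):
    """Turn the audit into the next troubleshooting step, mirroring the thread's replies."""
    if result['sport_only']:
        return 'firewall rule uses src_port; change it to dest_port'
    if not result['correct']:
        return 'no udp ACCEPT rule for the WireGuard port on the WAN input chain'
    if result['packets'] == 0:
        return 'rule is present but unused; reconnect the client and re-check the counter'
    return 'handshake packets are reaching the rule; look elsewhere (keys, AllowedIPs, client)'


if __name__ == '__main__':
    r = audit_wireguard_rule(SAMPLE_DUMP)
    print(r, '->', advise(r))
```

Run it against a real dump with `audit_wireguard_rule(open('dump.txt').read())`; a `packets` value that stays at 0 after a client reconnect is the same signal the later replies in this thread ask for.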

Thx, changed both. But still not able to connect.
This is the client screenshot:

1 Like

Try connecting the client from outside, then check on the server:

wg show; iptables-save -c | grep -e 51820
1 Like
 -----------------------------------------------------
 OpenWrt 21.02.0, r16279-5cc0535800
 -----------------------------------------------------
root@OpenWrt:~# wg show; iptables-save -c | grep -e 51820
interface: vpn
  public key: wINoxeNhmHOC8qsty7HWU0E6EcpD2eKE9Q/J2Dm9WBw=
  private key: (hidden)
  listening port: 51820

peer: B8NzLDGoQ5HZ12MVD20HyxwjP68e+R3ErdpPG2gZpXo=
  preshared key: (hidden)
  endpoint: 194.x.x.103:51820
  allowed ips: 192.168.9.2/32, fdf1:e8a1:8d3f:9::2/128
  transfer: 0 B received, 73.71 KiB sent
  persistent keepalive: every 25 seconds
[1:176] -A zone_wan_input -p udp -m udp --dport 51820 -m comment --comment "!fw3: Allow-WireGuard" -j ACCEPT
1 Like
uci -q delete network.wgclient.endpoint_host
uci -q delete network.wgclient.endpoint_port
uci commit network
/etc/init.d/network restart
1 Like

The host is removed, but still nothing:

BusyBox v1.33.1 (2021-08-31 22:20:08 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 21.02.0, r16279-5cc0535800
 -----------------------------------------------------
root@OpenWrt:~# wg show; iptables-save -c | grep -e 51820
interface: vpn
  public key: wINoxeNhmHOC8qsty7HWU0E6EcpD2eKE9Q/J2Dm9WBw=
  private key: (hidden)
  listening port: 51820

peer: B8NzLDGoQ5HZ12MVD20HyxwjP68e+R3ErdpPG2gZpXo=
  preshared key: (hidden)
  allowed ips: 192.168.9.2/32, fdf1:e8a1:8d3f:9::2/128
  persistent keepalive: every 25 seconds
[0:0] -A zone_wan_input -p udp -m udp --dport 51820 -m comment --comment "!fw3: Allow-WireGuard" -j ACCEPT
root@OpenWrt:~#
1 Like

Try to reconnect as the traffic counter on the firewall rule is zero.

1 Like

Nothing. Maybe I should try port 443, just to test whether the provider is blocking the port?
The webserver can be reached on ports 80 & 443.

The allowed IPs in your client setup are wrong. It should either be 0.0.0.0/0 if you want access to both your LAN and have the client access the internet through your home connection, or if you only want to access your LAN it should be 192.168.9.2/32, 192.168.1.1/24 (assuming your local LAN uses that subnet).

2 Likes

Try reconnecting the client and verify that it increments the traffic counter in the server firewall rule.
Make sure to specify 0.0.0.0/0 for allowed IPs on the client as mentioned by @krazeh.

1 Like
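The two replies above both come down to WireGuard's cryptokey routing: on the client, a packet only enters the tunnel if its destination falls inside the server peer's AllowedIPs, and on the server, a decrypted packet is only delivered if its source falls inside that client's AllowedIPs. The following script models both directions so you can see why `192.168.9.2/32` alone on the client reaches nothing, while `0.0.0.0/0` or the LAN prefix does. It is an added example for this thread, not WireGuard code or the thread's own; the configs are constructed from the addresses in the thread, and the host-form entry `192.168.1.1/24` quoted above is normalised to its network.

```python
import ipaddress


def parse_allowed_ips(spec):
    """Parse a WireGuard AllowedIPs string into networks; host-form entries
    such as 192.168.1.1/24 are normalised to 192.168.1.0/24 (strict=False)."""
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in spec.split(',') if s.strip()]


def select_peer(dst, peers):
    """Outbound cryptokey routing: return the peer name whose AllowedIPs contain
    dst, preferring the longest prefix. None means the packet is not tunnelled."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for name, nets in peers.items():
        for net in nets:
            if addr.version == net.version and addr in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


def accept_inbound(src, peer_nets):
    """Inbound cryptokey routing: a decrypted packet from a peer is delivered only
    if its source address lies within that peer's AllowedIPs; otherwise it is dropped."""
    addr = ipaddress.ip_address(src)
    return any(addr.version == n.version and addr in n for n in peer_nets)


# Constructed client-side configs, each with a single peer (the OpenWrt server).
CLIENT_OWN_ADDR_ONLY = {'server': parse_allowed_ips('192.168.9.2/32')}          # the thread's mistake
CLIENT_LAN_ONLY = {'server': parse_allowed_ips('192.168.9.0/24, 192.168.1.1/24')}  # LAN access only
CLIENT_FULL_TUNNEL = {'server': parse_allowed_ips('0.0.0.0/0, ::/0')}          # everything via home

# Server-side AllowedIPs for the "Note 8" peer, as shown in the thread's wg show output.
SERVER_PEER_NOTE8 = parse_allowed_ips('192.168.9.2/32, fdf1:e8a1:8d3f:9::2/128')


def reachability(client_peers, destinations):
    """Map each destination to the peer it would be tunnelled through (or None)."""
    return {d: select_peer(d, client_peers) for d in destinations}


if __name__ == '__main__':
    targets = ['192.168.9.1', '192.168.1.7', '8.8.8.8']
    for label, cfg in [('own /32 only', CLIENT_OWN_ADDR_ONLY),
                       ('LAN only', CLIENT_LAN_ONLY),
                       ('full tunnel', CLIENT_FULL_TUNNEL)]:
        print(label, reachability(cfg, targets))
    print('server accepts 192.168.9.2:', accept_inbound('192.168.9.2', SERVER_PEER_NOTE8))
    print('server accepts 192.168.9.3:', accept_inbound('192.168.9.3', SERVER_PEER_NOTE8))
```

With the client's AllowedIPs set only to its own /32, even the server's tunnel address 192.168.9.1 is not routed into the tunnel, which is why nothing useful can be observed on that setup; the server-side check also shows why each client must keep a distinct AllowedIPs entry.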

Changed to 0.0.0.0/0 and ::/0.

nothing changed:

Public Key: B8NzLDGoQ5HZ12MVD20HyxwjP68e+R3ErdpPG2gZpXo=
Persistent Keepalive: 25s
Latest Handshake: Never
Data Received: 0 B
Data Transmitted: 0 B

I changed it at the client too. Still no connection.
I tried 51820 for the HTTPS webserver and it's working. So it is not blocked by the provider.

You'd better use the automated script:
https://openwrt.org/docs/guide-user/services/vpn/wireguard/extras#automated
Then transfer and import the generated VPN profile on your client.
This should help avoid common user mistakes.

3 Likes

Thanks, I will remove everything and make a new install.

2 Likes

The automated install is working! Thank you very much!

I can connect now and access the internet over my home IP.

But I cannot access the LAN 192.168.1.0. What do I need to be able to see the internal LAN?

1 Like

Is the wg interface part of the lan firewall zone?

Yes, the script added it that way. LAN + VPN are in the same zone.

1 Like

Multicast and network discovery across subnets deserves a separate thread.
Meanwhile, unicast access by IP can easily work.

Make sure you allow the VPN subnet in the firewall settings on the LAN hosts.
The Windows firewall restricts access to the local subnet only by default.

1 Like

Sorry, I just checked it on mobile and I can access the LAN.
But on the Windows client it does not work; as @vgaetera said, it's maybe a client firewall issue.

Thanks for your help!

1 Like