OK, I feel like a child right now, partly because I am not strong on networking concepts and also because I feel as though I've tried every guide on the internet to get this working. All I'm trying to do is create a WG tunnel working between the router and my phone for now (either via LAN-only or WAN) and can't even get a handshake per the WG Status page in LuCI. Each time I have an "ah-ha!" from a new guide, it changes nothing. Each time, I blow away my tunnel config on my Android phone and delete the WG interface and firewall rules in OpenWRT before I try again. I know I'm missing something simple, so I'm kindly asking for someone to walk me through this. Mucho appreciado.
It's a bit unsorted, but does work (keep in mind that changing wg interfaces or peers via luci doesn't have an immediate effect, reboot recommended).
1 Like
I'm on the same boat... I have even tried to stablish the connection from inside my LAN, with "tcpdump" I see the packets arriving from the client, but absolutely no answer from the server. I have followed all guides I could lay may hands on, and double-checked all the configuration files... to no avail.
1 Like
My first attempt failed as well, the second one worked though (and it doesn't help that the order of steps described in that howto is a bit off). The tricky part is always getting the allowed_ips right, it must be a dedicated subnet distinct from LAN, each peer needing a hardcoded /32 IP. (IPv6 is a bit more tricky, as commonly used dynamic prefixes are problematic, so I'd suggest to skip it for your first attempts).
1 Like
Can you post your config files (/etc/config/network and /etc/config/firewall) from your router and your phone?
Gladly, except I'm not sure which phone config data you're looking for. Mind you this is just the most recent iteration of my hopeless attempts, it might be laughable. Thanks for the assist.
OpenWRT /etc/config/network:
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdbf:131e:24d1::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
option delegate '0'
config device 'wan_eth0_2_dev'
option name 'eth0.2'
option macaddr '68:ff:7b:e4:c7:58'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '2 3 4 5 0t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 0t'
config interface 'wg0'
option proto 'wireguard'
option private_key 'yJ4rx..........3TWY='
option listen_port '51820'
list addresses '10.200.200.1/32'
config wireguard_wg0
option persistent_keepalive '25'
option public_key 'rysIN..........rKg4='
option route_allowed_ips '1'
list allowed_ips '10.200.200.2/32'
OpenWRT /etc/config/firewall:
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan wg0'
config zone 'wan'
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
config forwarding 'lan_wan'
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config redirect
option src_dport '1-65000'
option target 'DNAT'
option dest 'lan'
option src 'wan'
option dest_ip '192.168.1.220'
config rule
option src '*'
option target 'ACCEPT'
option proto 'udp'
option dest_port '51820'
option name 'Allow-Wireguard-Inbound'
This needs to be list addresses '10.200.200.1/24'
1 Like
Made above change, verified changes applied, reboot/retest, negative results. The Interface config on the phone WG app still has 10.200.200.2/32, I think that's correct?
The peer definition list allowed_ips '10.200.200.2/32' and the phone settings need to be the same (10.200.200.2/32), correct.
Delete the entire ’list addresses’ line on the router, it's not necessary. I assume the phone has the correct endpoint address, i.e. your public IP?
1 Like
config redirect option src_dport '1-65000' option target 'DNAT' option dest 'lan' option src 'wan' option dest_ip '192.168.1.220'
Do you really want to be doing this -- effectively DMZ to the device at 192.168.1.220?
Meanwhile, I'm not 100% positive about this, but this might be part of the problem since firewall rules are sensitive to the order. This may be port-forwarding all ports, including 51820, therefore your OpenWrt router that has WG installed may not be seeing the incoming traffic.
1 Like
Done, negative results. I did have DDNS setup which seemed to be working fine but I went ahead and just used my ISP/WAN IP and same thing.
That's just a PS4, although I guess I could just forward the 5 or 6 ports I need manually. BUT...good news, I have handshake after disabling that firewall rule! Both over LAN and WAN. I'm unable to do anything useful with it however, OpenWRT reports 32kb RX/2kb TX. Attempts to load webpages are nope. But that port forward did indeed prevent handshake and further progress, thanks so much for getting me here. Any clues as to the lack of meaningful throughput?
What allowed ips do you have set in the config on your phone?
0.0.0.0/0, tunnel IP on my phone is 10.200.200.2/32.
Do you have a DNS server added to the config? If you try and go to a webpage on your phone while the VPN is connected do you get an error page?
1 Like
In the phone WG app I have the OpenWRT router (192.168.1.1) set as the DNS server. I don't get error messages, just "This site can't be reached" generic browser error.
have you tried ping and traceroute tests from your phone? If you don't already have a network utility app, grab one and test pings and traceroutes to:
192.168.1.1
8.8.8.8
google.com
1 Like
Tracert fail on google.com, success on 8.8.8.8. Used google DNS in my phone WG app and everything seems to working now. Gracias! But why is pointing to the router for DNS coming up negative? Thanks everyone for the help so far.
It should work, assuming that your router is indeed providing functional DNS for your network. Is it possible there was a typo in the DNS entry on your phone? Or, if you are testing this while on your local network, I could see the potential for routing ambiguity... test with cellular and report if there is any difference.
1 Like