Server/Client Wireguard

Hello.
My goal is to access my local network from the internet through the Wireguard VPN.
To install the Wireguard server in OpenWRT, I followed the following guide:

And to test the client, I installed Wireguard on an Android phone. I obtained the tunnel configuration from the Luci QR code (server).

To configure the server in OpenWRT, I followed the guide. To automate it, I created a script (due to a lot of trial and error) with some additions (marked with MY_ADD).

I've been watching videos on the subject, and many of them set options like keepalive, route_allowed_ips, while others use port forwarding. It doesn't appear in the guide.

And to test the client, I installed WireGuard on an Android phone. I got the tunnel configuration from the Luci QR code.

The problem is that I can't perform the handshake. I don't know why. I don't know if it's a problem with the keys, the server configuration, the client, the firewall, etc.

The additional problem is that I don't know how to debug or view the logs. I don't see anything on the server, and the client only tells me that the handshake cannot be performed and that it will retry in 5 seconds.

What can I do?

My script:

#!/bin/sh

VPN_IF="vpn"
VPN_PEER="android"

VPN_PORT="51820"
VPN_ADDR="192.168.9.1/24"
VPN_ADDR6="fd00:9::1/64"

rm -rf wgserver.key wgserver.pub wgclient.key wgclient.pub wgclient.psk 2> /dev/null

umask go=
wg genkey | tee wgserver.key | wg pubkey > wgserver.pub
wg genkey | tee wgclient.key | wg pubkey > wgclient.pub
wg genpsk > wgclient.psk

# Server private key
VPN_SERVER_KEY="$(cat wgserver.key)"
VPN_SERVER_PUB="$(cat wgserver.pub)"

# Pre-shared key
VPN_CLIENT_PSK="$(cat wgclient.psk)"

# Client public key
VPN_CLIENT_PUB="$(cat wgclient.pub)"
VPN_CLIENT_KEY="$(cat wgclient.key)"


# Configure firewall
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci del_list firewall.lan.network="${VPN_IF}"
uci add_list firewall.lan.network="${VPN_IF}"
uci -q delete firewall.wg
uci set firewall.wg="rule"
uci set firewall.wg.name="Allow-WireGuard"
uci set firewall.wg.src="wan"
uci set firewall.wg.dest_port="${VPN_PORT}"
uci set firewall.wg.proto="udp"
uci set firewall.wg.target="ACCEPT"
uci commit firewall
service firewall restart

# Configure network
uci -q delete network.${VPN_IF}
uci set network.${VPN_IF}="interface"
uci set network.${VPN_IF}.proto="wireguard"
uci set network.${VPN_IF}.private_key="${VPN_SERVER_KEY}"
uci set network.${VPN_IF}.public_key="${VPN_SERVER_PUB}" ## MY_ADD
uci set network.${VPN_IF}.listen_port="${VPN_PORT}"
uci add_list network.${VPN_IF}.addresses="${VPN_ADDR}"
uci add_list network.${VPN_IF}.addresses="${VPN_ADDR6}"

# Add VPN peers
uci -q delete network.wgclient
uci set network.wgclient="wireguard_${VPN_IF}"
uci set network.wgclient.description="${VPN_PEER}"       ## MY_ADD
uci set network.wgclient.public_key="${VPN_CLIENT_PUB}"
uci set network.wgclient.private_key="${VPN_CLIENT_KEY}" ## MY_ADD FOR GENERATE QR IN LUCI
uci set network.wgclient.preshared_key="${VPN_CLIENT_PSK}"
uci set network.wgclient.route_allowed_ips='1'           ## MY_ADD
uci set network.wgclient.persistent_keepalive='25'       ## MY_ADD
uci add_list network.wgclient.allowed_ips="${VPN_ADDR%.*}.2/32"
uci add_list network.wgclient.allowed_ips="${VPN_ADDR6%:*}:2/128"
uci commit network
service network restart

The network file:

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '192.168.1.40'

config device
        option name 'wan'

config device
        option name 'vpn'

config interface 'vpn'
        option proto 'wireguard'
        option private_key '___IzIVSaMp+xx6csS6GdFDsYrbi5BA3Eczz16UMj20='
        option public_key '___c/rcpy0uQj2DUSVhpyNiJrHjy/J3FaGQLLG7NNSc='
        option listen_port '51820'
        list addresses '192.168.9.1/24'
        list addresses 'fd00:9::1/64'

config wireguard_vpn 'wgclient'
        option description 'android'
        option public_key '___PrQfw5lTRaG28wEl/RKFWpMs09NDM+eEZQXCVbhg='
        option private_key '___+TzyttPZJQiAqbif1wFwESlUs9k4oAMectboNgWs='
        option preshared_key '___HJRGK9ojAx6J2fe6hnQJMcIWU1LYr3jIVoUnYB2w='
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        list allowed_ips '192.168.9.2/32'
        list allowed_ips 'fd00:9::2/128'

The firewall file:

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

The client configuration via the Luci QR code:

[Interface]
PrivateKey = ___+TzyttPZJQiAqbif1wFwESlUs9k4oAMectboNgWs=
Address = 192.168.9.2/32, fd00:9::2/128
# ListenPort not defined
DNS = 192.168.1.1, 1.1.1.1

[Peer]
PublicKey = ___c/rcpy0uQj2DUSVhpyNiJrHjy/J3FaGQLLG7NNSc=
PresharedKey = ___HJRGK9ojAx6J2fe6hnQJMcIWU1LYr3jIVoUnYB2w=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = ##########.duckdns.org:51820
PersistentKeepAlive = 25

Edited and deleted my post because I am unable to read.
Config looks good to me...

But your dynamic domain name resolves to your wan address?

See my notes about setting up a WireGuard server with some additional pointers, e.g. a public wan IP address etc.

1 Like

Yes. It resolves. I tried with the domain name and with the public IP.

The complete firewall file (includes lan zone with vpn):

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'vpn'                <--------------

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

Have you verified that the address that resolves is the same as what you see when you issue the following command:

ifstatus wan | grep address

Thanks for everything.
This is the problem. The domain points to another IP.
And another issue... when I used the mobile client I accessed via wifi (lan) instead of the mobile network (wan).
Off-topic: the luci DDNS service doesn't seem to be working (start/stop).

From my notes:

Check for Public IP address

To be able to connect from outside, your router must have a public IP address (either IPv4 and/or IPv6).

Check if your router has a proper Public IPv4 address with (from command line):
ifstatus wan | grep address

A public IP address does not start with 192.168.X.X, 10.X.X.X, 172.16-31.X.X or a CGNAT address (IP addresses from 100.64.0.0 to 100.127.255.255 )

Another way to test is to compare the router's IP address (ifstatus wan | grep address) with the address shown by ipleak.net; for a Public IPv4 address they should be the same. If they are not the same you might not have a Public IPv4 address, and the router is not reachable with IPv4.

If your router is behind another router then:

  • Check if that router has a Public IP address.
  • Check if and how you can Port Forward from that router to your router which is going to run the WireGuard Server.

If your Public IP address is non static, e.g. it can change, then look into using DDNS.

If you are behind CGNAT and do not have IPv6 (ifstatus wan6) or using IPv6 is not applicable then you have to involve a third party to get a public IP address.

This can be a VPN provider which supports port forwarding, or you can rent a Virtual Private Server (I have an Oracle VPS which can be had for free, see the bottom of this guide), or use things like Zerotier, Cloudflared, Tailscale or ngrok, and there are more.

Test from outside

Proper testing can only be done from outside, e.g. with your phone or laptop on cellular data or from a friend's or neighbor's internet connection.

1 Like

What do you see on your wan address? Only post the first two octets (the aaa.bbb part of aaa.bbb.ccc.ddd).

79.116.25.dd

Thanks for everything. I'll do it.

If the address matches what an IP test site reports, but not what DNS reports, the problem is that DDNS is not updated. If the router wan does not have the real public IP, you have CGNAT.

Try entering this address directly into your remote wireguard peer's configuration (i.e. your phone) as the endpoint host (in the peer config). This way you can test the wireguard config in general (and then later sort out your DDNS issue).

See if it works as expected. If not, post the output from:

wg show
1 Like

WireGuard in the kernel doesn't make log entries. For example, received packets with the wrong key are silently ignored. You can observe if connection attempts are being received from the phone with tcpdump -ni wan udp port 51820 (install the tcpdump package first).

persistent_keepalive should be set on the device which originates the connection (the phone). It has little use to set it on the "server." Without persistent_keepalive, WireGuard does not start to handshake the connection until the initiator end tries to send an inner packet.

1 Like
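The checks described in the notes above (is the WAN address really public or is it RFC 1918/CGNAT?), in psherman's reply (does the DDNS name resolve to the same address the router sees on wan?) and in mk24's reply (kernel WireGuard logs nothing, so watch the UDP port and the handshake counters) fit into one pre-flight script you can run on the router before touching keys or firewall rules. This is an added example, not code from the OpenWrt guide or from any post in this thread. It assumes busybox ash/POSIX sh, OpenWrt's ifstatus and jsonfilter, the busybox nslookup output format, wg(8) installed, and the interface name "vpn" with port 51820 from the script posted above; the hostname is a placeholder you pass on the command line. The address classifier and the diagnosis function are pure shell so they can be checked on any machine; only wg_preflight needs the router.

```shell
#!/bin/sh
# WireGuard server pre-flight check for OpenWrt (added example, not from the thread).
# Assumptions: busybox ash, ifstatus + jsonfilter, busybox nslookup, wg(8).

# Classify a dotted-quad IPv4 address the way the notes above describe.
# Prints exactly one of: public private cgnat loopback invalid
ipv4_class() {
    _ip="$1"
    _oldifs=$IFS; IFS=.; set -- $_ip; IFS=$_oldifs     # split on dots into $1..$4
    [ $# -eq 4 ] || { echo invalid; return 1; }
    for _o in "$@"; do
        case "$_o" in
            ''|*[!0-9]*) echo invalid; return 1 ;;    # empty or non-numeric octet
        esac
        [ "$_o" -le 255 ] || { echo invalid; return 1; }
    done
    if   [ "$1" -eq 10 ];                                         then echo private
    elif [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ];  then echo private
    elif [ "$1" -eq 192 ] && [ "$2" -eq 168 ];                    then echo private
    elif [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then echo cgnat   # 100.64.0.0/10
    elif [ "$1" -eq 127 ];                                        then echo loopback
    else                                                               echo public
    fi
}

# Turn the addresses into the diagnosis given above.
#   $1 wan      = what `ifstatus wan` reports
#   $2 resolved = what the DDNS name resolves to (may be empty)
#   $3 external = what an outside "what is my IP" site sees (optional)
# Prints "<verdict>: <explanation>"; returns 0 only for "ok".
diagnose() {
    _wan="$1"; _res="$2"; _ext="${3:-}"
    case "$(ipv4_class "$_wan")" in
        public)  ;;
        cgnat)   echo "cgnat: WAN address $_wan is in 100.64.0.0/10; inbound UDP cannot reach the router"; return 1 ;;
        invalid) echo "invalid: '$_wan' is not an IPv4 address (no WAN address at all?)"; return 1 ;;
        *)       echo "not-public: WAN address $_wan is not routable from the internet (behind another router?)"; return 1 ;;
    esac
    if [ -n "$_ext" ] && [ "$_ext" != "$_wan" ]; then
        echo "cgnat: the outside sees $_ext but wan has $_wan"; return 1
    fi
    if [ -z "$_res" ]; then
        echo "no-dns: the name did not resolve to an IPv4 address"; return 1
    fi
    if [ "$_res" != "$_wan" ]; then
        echo "ddns-stale: name resolves to $_res but wan is $_wan; fix DDNS, or use $_wan as Endpoint for now"; return 1
    fi
    echo "ok: $_res matches the wan address"
}

# Gather live data on the router and run the diagnosis. Only meaningful on OpenWrt.
#   wg_preflight <ddns-hostname> [interface=vpn] [port=51820]
wg_preflight() {
    _host="$1"; _if="${2:-vpn}"; _port="${3:-51820}"; _bad=0
    _wan=$(ifstatus wan | jsonfilter -e '@["ipv4-address"][0].address')
    # busybox nslookup: take the first IPv4 after the "Name:" line, skipping the resolver's own address
    _res=$(nslookup "$_host" 2>/dev/null | sed -n '/^Name:/,$p' \
           | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1)
    echo "wan=$_wan resolved=$_res"
    diagnose "$_wan" "$_res" || _bad=1
    # Is the tunnel bound to the port the phone's Endpoint points at?
    _lp=$(wg show "$_if" listen-port 2>/dev/null)
    [ "$_lp" = "$_port" ] || { echo "warning: $_if listens on '${_lp:-nothing}', client Endpoint uses $_port"; _bad=1; }
    # Kernel WireGuard logs nothing; this is how to see whether initiations arrive at all.
    echo "To watch for handshakes from the phone (on cellular data, not your own Wi-Fi):"
    echo "  tcpdump -ni wan udp port $_port"
    echo "  wg show $_if latest-handshakes"
    return "$_bad"
}

# Usage on the router:  sh wg-preflight.sh myname.duckdns.org vpn 51820
if [ -n "${1:-}" ]; then
    wg_preflight "$@"
fi
```

A non-zero exit from wg_preflight means the handshake cannot succeed regardless of keys: either the packets never reach the router (CGNAT, double NAT) or the phone is sending them to the wrong address (stale DDNS) or the wrong port. Only once it prints "ok" is it worth comparing keys and firewall rules.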

Thank you very much!

I followed the simple method (add the wgserver interface to the existing lan firewall zone) and my computer and mobile phone are all connected fine.

Just one thing: whenever a new peer is added on the OpenWrt side, the interface needs to be restarted (save and apply is not enough).

I will be trying with my second router for the dedicated firewall zone, aimed at accessing LAN devices without changing the local firewall.

1 Like