Setting up wg, connection up, but no internet

Hi, friends.
I'm trying to set up a WireGuard connection.
I've created a new interface with the WireGuard protocol and uploaded the config file made with the AmneziaVPN app.

Firewall zone 'wg' is set to input=reject, output=accept, forward=reject, and forwarding is allowed from source zone LAN.

When running the diagnostic test, traceroute openwrt.org shows a route.
The Wi-Fi connection is OK, but there is no internet access.

Below are some configs.

root@OpenWrt:~# ip route show
default via 192.168.31.1 dev wan  src 192.168.31.233
2.56.205.63 via 192.168.31.1 dev wan
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1
192.168.31.0/24 dev wan scope link  src 192.168.31.233


root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'ovpn'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'wg'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wg0'

config forwarding
        option src 'lan'
        option dest 'wg'


root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdbf:0551:74ce::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'ovpn'
        option proto 'none'
        option device 'tun0'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'private_key'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        list addresses '10.8.1.3/32'
        option mtu '1412'

config wireguard_wg0
        option description 'Imported peer configuration'
        option public_key 'public_key'
        option preshared_key 'preshared_key'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option persistent_keepalive '25'
        option endpoint_host '2.56.205.63'
        option endpoint_port '46474'

FYI: the openwrt.org site is on the internet.
Likely you are missing the masquerade checkbox on the wg interface.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
wg show

The Masquerade checkbox is set.

root@OpenWrt:~# wg show
interface: wg0
  public key: xxx
  private key: (hidden)
  listening port: 37641

peer: xxx
  preshared key: (hidden)
  endpoint: 2.56.205.63:46474
  allowed ips: 0.0.0.0/0, ::/0
  transfer: 0 B received, 26.30 KiB sent
  persistent keepalive: every 25 seconds

Is the OpenVPN connection active?

No, it isn't.

There is no handshake. This often means a key issue, but could also be related to the clock.

What is the router’s time? date
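As an added example (not part of the thread, and not code from the OpenWrt or WireGuard projects): a small Python parser for `wg show` output that flags the condition described above, a peer with bytes sent but none received and no "latest handshake" line. Both sample outputs are constructed; the first is modelled on the one posted earlier with the same redacted keys, the second is a healthy tunnel with a documentation address as endpoint. The 180-second staleness threshold is an assumption taken from WireGuard's reject-after time.

```python
import re

# Added example, not from the thread: parse `wg show` output and classify each peer.
# Constructed sample, modelled on the output posted above (keys redacted as in the post).
SAMPLE_NO_HANDSHAKE = """interface: wg0
  public key: xxx
  private key: (hidden)
  listening port: 37641

peer: xxx
  preshared key: (hidden)
  endpoint: 2.56.205.63:46474
  allowed ips: 0.0.0.0/0, ::/0
  transfer: 0 B received, 26.30 KiB sent
  persistent keepalive: every 25 seconds
"""

# Constructed sample of a healthy tunnel (endpoint is a documentation address).
SAMPLE_OK = """interface: wg0
  public key: xxx
  listening port: 37641

peer: yyy
  endpoint: 203.0.113.10:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 1 minute, 12 seconds ago
  transfer: 1.20 MiB received, 340.00 KiB sent
"""

_UNITS = {"B": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3, "TiB": 1024 ** 4}
_TIME = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def to_bytes(s):
    """'26.30 KiB' -> 26931 (wg prints binary units)."""
    value, unit = s.split()
    return int(float(value) * _UNITS[unit])


def to_seconds(s):
    """'1 minute, 12 seconds ago' -> 72."""
    return sum(int(n) * _TIME[u] for n, u in re.findall(r"(\d+) (second|minute|hour|day)s?", s))


def parse_wg_show(text):
    """Return {interface_name: {peer_public_key: {...}}} from `wg show` text."""
    ifaces, peers, current = {}, None, None
    for line in text.splitlines():
        if line.startswith("interface: "):
            peers = ifaces.setdefault(line[len("interface: "):], {})
            current = None
        elif line.startswith("peer: "):
            current = peers.setdefault(line[len("peer: "):],
                                       {"handshake_age": None, "rx": 0, "tx": 0})
        elif current is not None and line.startswith("  ") and ": " in line:
            key, val = line.strip().split(": ", 1)
            if key == "latest handshake":
                current["handshake_age"] = to_seconds(val)
            elif key == "transfer":
                rx, tx = val.split(", ")
                current["rx"] = to_bytes(rx.replace(" received", ""))
                current["tx"] = to_bytes(tx.replace(" sent", ""))
            else:
                current[key] = val
    return ifaces


def diagnose_peer(peer, stale_after=180):
    """Short status code for one peer. wg only prints 'latest handshake' once a
    handshake has completed, so its absence is the key signal."""
    if peer["handshake_age"] is None:
        # Initiations went out but nothing came back: the far end is unreachable,
        # silently drops the initiation (wrong key pair or preshared key), or
        # rejects its timestamp (router clock behind the last session it saw).
        if peer["tx"] > 0 and peer["rx"] == 0:
            return "no-handshake-no-reply"
        return "no-handshake"
    if peer["handshake_age"] > stale_after:
        return "stale"
    return "ok"


def diagnose(text, stale_after=180):
    """{interface: {peer_key: status}} for a whole `wg show` dump."""
    return {iface: {key: diagnose_peer(p, stale_after) for key, p in peers.items()}
            for iface, peers in parse_wg_show(text).items()}


if __name__ == "__main__":
    for sample in (SAMPLE_NO_HANDSHAKE, SAMPLE_OK):
        print(diagnose(sample))
```

On a live router, feed it the real output with `diagnose(subprocess.check_output(["wg", "show"], text=True))`. A peer reported as no-handshake-no-reply is the case in this thread: the router keeps sending initiations (the "sent" counter grows) and the VPS never answers, which is why checking the keys and the clock comes before any firewall or masquerade work.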

It's +3 and correct.

What key?

The config file was generated as follows:
I have a VPS server.
Using the AmneziaVPN app on my PC, I entered the IP of the VPS, set up a connection, and then made a config file right from the application.
Maybe the keys were generated for my PC, and not for the router?

Many of the steps were taken from this source: https://www.ivpn.net/setup/router/openwrt-wireguard/

Where did you see this?

You said it?

Just to clarify, I assume your time zone is set for UTC +3 such that the time is actually correct in your locale? It is critical that the time is accurate.

  • There are 4 required keys:
    • A private key and a public key on each side.
      • The public key is derived from the private key, and the public key is shared with the peer on the other side.
  • You also have a preshared key which is optional.

So you have your own VPS? Did you install official Wireguard on your VPS?

Have you been able to make a successful connection via the VPN to your VPS on your PC?
Is the connection on the PC still active? If so, that will cause a problem.

Have you tried using the official WireGuard app on your computer (instead of whatever this AmneziaVPN thing is)?

The target device for the keys don't matter, but the keys must be unique per peer. It is fine to move the keys from the PC to the router, but you must disable the tunnel on the PC if you wish to use the same keys on the router. Ideally, though, you create a separate set of keys for your router so you don't need to worry about it.
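As an added example, not from the thread: the "public key is derived from the private key" step written out in Python, so the private key on the router (from /etc/config/network) can be checked against the public key the VPS has registered for that peer. The curve arithmetic follows RFC 7748 (Curve25519 Montgomery ladder), the test vectors are the RFC's own from section 6.1, and the function names (wg_pubkey, keys_match, shared_secret_hex, hex_to_wg) are mine. On the router itself the same derivation is `echo "$PRIVATE_KEY" | wg pubkey`.

```python
import base64

# Added example, not from the thread: derive a WireGuard public key from a private key
# (X25519 scalar multiplication per RFC 7748) and check a key pair for consistency.
# The ladder is written for clarity, not constant time: use it to check configs,
# not as a replacement for the kernel or wg-tools implementation.

P = 2 ** 255 - 19
A24 = 121665

# Test vectors from RFC 7748 section 6.1 (hex, little-endian byte order).
RFC7748_ALICE_PRIV = "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a"
RFC7748_ALICE_PUB = "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
RFC7748_BOB_PRIV = "5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb"
RFC7748_BOB_PUB = "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f"
RFC7748_SHARED = "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742"


def _clamp(priv: bytes) -> int:
    """Scalar decoding from RFC 7748 section 5 (clear low 3 bits, set bit 254)."""
    k = bytearray(priv)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _x25519(k: int, u: int) -> int:
    """Montgomery ladder from RFC 7748 section 5: u-coordinate of k*U."""
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:  # conditional swap (a real implementation does this branch-free)
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, P - 2, P) % P


def x25519(priv: bytes, u: bytes = (9).to_bytes(32, "little")) -> bytes:
    """X25519(priv, u); with the default u (base point 9) this is the public key."""
    if len(priv) != 32 or len(u) != 32:
        raise ValueError("X25519 keys are 32 bytes")
    point = int.from_bytes(u, "little") & ((1 << 255) - 1)
    return _x25519(_clamp(priv), point).to_bytes(32, "little")


def wg_pubkey(private_key_b64: str) -> str:
    """Equivalent of `wg pubkey`: base64 private key in, base64 public key out."""
    return base64.b64encode(x25519(base64.b64decode(private_key_b64))).decode()


def keys_match(private_key_b64: str, public_key_b64: str) -> bool:
    """True if the public key the peer has on file really belongs to this private key."""
    return wg_pubkey(private_key_b64) == public_key_b64


def shared_secret_hex(priv_hex: str, peer_pub_hex: str) -> str:
    """Both sides must land on the same value; a wrong key on either side breaks the handshake."""
    return x25519(bytes.fromhex(priv_hex), bytes.fromhex(peer_pub_hex)).hex()


def hex_to_wg(h: str) -> str:
    """Hex (as in the RFC) -> base64 (as it appears in a WireGuard config)."""
    return base64.b64encode(bytes.fromhex(h)).decode()


if __name__ == "__main__":
    print("alice pub ok:", x25519(bytes.fromhex(RFC7748_ALICE_PRIV)).hex() == RFC7748_ALICE_PUB)
    print("pair check:", keys_match(hex_to_wg(RFC7748_ALICE_PRIV), hex_to_wg(RFC7748_ALICE_PUB)))
```

Run keys_match with the router's private_key and the public key the VPS has configured for this peer (and the reverse: the VPS's private key against the public_key in the router's wireguard_wg0 section). If either pair does not match, the responder cannot authenticate the initiation and drops it without replying, which is exactly the "0 B received" picture in the wg show output above; no firewall or masquerade setting changes that.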

Local time is UTC +3, and I have now also set it in the router.

Not my own VPS, a rented one.

Yes, I made a successful connection via the VPN on the PC.

It is not active

Have you used the official wireguard app on your computer?

Yes, it looks like there is no handshake.

So you need to fix that first.

Are you using official Wireguard on the rented VPS? If not, you should probably move to that instead of whatever you're using.


Not official; I'm using AmneziaVPN, and it looks like this is the problem.