Setting up wg, connection up, but no internet

Yup. I'm not sure if they're compatible, but you should use the official WireGuard builds to guarantee that it will work.


I have a WireGuard conf file that works on the PC (internet access is OK).
When the same conf file is uploaded to the router, it does not give internet access.
Could it be because of the LAN subnet mask? The LAN is 192.168.1.x, while the address in the conf file is 192.168.6.2/32.

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdbf:0551:74ce::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'ovpn'
        option proto 'none'
        option device 'tun0'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'xxx'
        option mtu '1412'
        list addresses '192.168.6.2/32'
        list dns '9.9.9.9'
        list dns '8.8.8.8'

config wireguard_wg0
        option description 'pg_wg.conf'
        option public_key 'xxx'
        option preshared_key 'xxx'
        list allowed_ips '0.0.0.0/0'
        option persistent_keepalive '15'
        option endpoint_host 'xxx'
        option endpoint_port '41194'


root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'ovpn'
        list network 'wan'
        list network 'wan6'
        list network 'wg0'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'wg'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wg0'

config forwarding
        option src 'lan'
        option dest 'wg'


root@OpenWrt:~# wg show
interface: wg0
  public key: xxx
  private key: (hidden)
  listening port: 53510

peer: xxx
  preshared key: (hidden)
  endpoint: xxx:41194
  allowed ips: 0.0.0.0/0
  latest handshake: 1 minute, 56 seconds ago
  transfer: 5.73 KiB received, 2.55 KiB sent
  persistent keepalive: every 15 seconds

You got a handshake this time... so that's good.

You have the wg0 network in two firewall zones (wan and wg). A network must belong to only one zone, so remove it from the wan zone:

Restart and try again.

Removed it and restarted; still no internet access.

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'wg'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wg0'

config forwarding
        option src 'lan'
        option dest 'wg'

Let's see

wg show
route
ping 8.8.8.8
ping 64.226.122.113
ping openwrt.org
root@OpenWrt:~# wg show
interface: wg0
  public key: xxx
  private key: (hidden)
  listening port: 54011

peer: xxx
  preshared key: (hidden)
  endpoint: 213.159.76.170:41194
  allowed ips: 0.0.0.0/0
  latest handshake: 2 minutes, 3 seconds ago
  transfer: 12.31 KiB received, 58.30 KiB sent
  persistent keepalive: every 15 seconds
root@OpenWrt:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.31.1    0.0.0.0         UG    0      0        0 wan
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.31.0    *               255.255.255.0   U     0      0        0 wan
213.159.76.170  192.168.31.1    255.255.255.255 UGH   0      0        0 wan
root@OpenWrt:~# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=104 time=5.401 ms
64 bytes from 8.8.8.8: seq=1 ttl=104 time=5.102 ms
64 bytes from 8.8.8.8: seq=2 ttl=104 time=5.172 ms
64 bytes from 8.8.8.8: seq=3 ttl=104 time=5.218 ms
64 bytes from 8.8.8.8: seq=4 ttl=104 time=5.158 ms
64 bytes from 8.8.8.8: seq=5 ttl=104 time=5.063 ms
64 bytes from 8.8.8.8: seq=6 ttl=104 time=5.103 ms
64 bytes from 8.8.8.8: seq=7 ttl=104 time=5.150 ms
64 bytes from 8.8.8.8: seq=8 ttl=104 time=5.136 ms
64 bytes from 8.8.8.8: seq=9 ttl=104 time=5.071 ms
64 bytes from 8.8.8.8: seq=10 ttl=104 time=5.255 ms
64 bytes from 8.8.8.8: seq=11 ttl=104 time=5.137 ms
64 bytes from 8.8.8.8: seq=12 ttl=104 time=5.158 ms
64 bytes from 8.8.8.8: seq=13 ttl=104 time=5.104 ms
^C
--- 8.8.8.8 ping statistics ---
14 packets transmitted, 14 packets received, 0% packet loss
round-trip min/avg/max = 5.063/5.159/5.401 ms
root@OpenWrt:~# ping 64.226.122.113
PING 64.226.122.113 (64.226.122.113): 56 data bytes
64 bytes from 64.226.122.113: seq=0 ttl=46 time=32.374 ms
64 bytes from 64.226.122.113: seq=1 ttl=46 time=32.050 ms
64 bytes from 64.226.122.113: seq=2 ttl=46 time=32.053 ms
64 bytes from 64.226.122.113: seq=3 ttl=46 time=31.967 ms
64 bytes from 64.226.122.113: seq=4 ttl=46 time=32.042 ms
64 bytes from 64.226.122.113: seq=5 ttl=46 time=32.163 ms
^C
--- 64.226.122.113 ping statistics ---
6 packets transmitted, 6 packets received, 0% packet loss
round-trip min/avg/max = 31.967/32.108/32.374 ms
root@OpenWrt:~# ping openwrt.org
PING openwrt.org (64.226.122.113): 56 data bytes
64 bytes from 64.226.122.113: seq=0 ttl=46 time=32.145 ms
64 bytes from 64.226.122.113: seq=1 ttl=46 time=32.034 ms
64 bytes from 64.226.122.113: seq=2 ttl=46 time=32.017 ms
64 bytes from 64.226.122.113: seq=3 ttl=46 time=31.979 ms
64 bytes from 64.226.122.113: seq=4 ttl=46 time=31.963 ms
64 bytes from 64.226.122.113: seq=5 ttl=46 time=31.980 ms
^C
--- openwrt.org ping statistics ---
6 packets transmitted, 6 packets received, 0% packet loss
round-trip min/avg/max = 31.963/32.019/32.145 ms

ok... that all looks good.

What about if you run those same ping tests from your computer?

C:\Users\user>ping 64.226.122.113

Pinging 64.226.122.113 with 32 bytes of data:
Reply from 64.226.122.113: bytes=32 time=96ms TTL=54
Reply from 64.226.122.113: bytes=32 time=97ms TTL=54
Reply from 64.226.122.113: bytes=32 time=96ms TTL=54
Reply from 64.226.122.113: bytes=32 time=98ms TTL=54

Ping statistics for 64.226.122.113:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 96ms, Maximum = 98ms, Average = 96ms

C:\Users\user>ping openwrt.org

Pinging openwrt.org [64.226.122.113] with 32 bytes of data:
Reply from 64.226.122.113: bytes=32 time=96ms TTL=54
Reply from 64.226.122.113: bytes=32 time=98ms TTL=54
Reply from 64.226.122.113: bytes=32 time=98ms TTL=54
Reply from 64.226.122.113: bytes=32 time=97ms TTL=54

Ping statistics for 64.226.122.113:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 96ms, Maximum = 98ms, Average = 97ms

That looks good. Everything appears to be working. Is that not the case?

We have the situation where the WireGuard conf loaded on the PC works and there is internet access,
while the same WireGuard conf loaded on OpenWrt connects, but there is no internet access.

Could it be because of the LAN subnet mask? The router gives 192.168.1.x,
while the conf file uses 192.168.6.2/32.

You just ran tests on both your router and your computer that showed internet was working as expected. Maybe there is some confusion here regarding the circumstances of the tests you ran?

This is the way it should be. WireGuard is routed, and its address must be on a subnet distinct from the LAN. In your configuration, everything appears to be set up properly.

Let's do the tests again.

Connected to the Wi-Fi router, then SSH'd into my router:

root@OpenWrt:~# wg show
interface: wg0
  public key: xxx
  private key: (hidden)
  listening port: 33167

peer: xxx
  preshared key: (hidden)
  endpoint: 213.159.76.170:41194
  allowed ips: 0.0.0.0/0
  latest handshake: 35 seconds ago
  transfer: 10.45 KiB received, 4.16 KiB sent
  persistent keepalive: every 15 seconds
  
  
root@OpenWrt:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.31.1    0.0.0.0         UG    0      0        0 wan
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.31.0    *               255.255.255.0   U     0      0        0 wan
213.159.76.170  192.168.31.1    255.255.255.255 UGH   0      0        0 wan


root@OpenWrt:~# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=104 time=5.176 ms
64 bytes from 8.8.8.8: seq=1 ttl=104 time=5.076 ms
64 bytes from 8.8.8.8: seq=2 ttl=104 time=5.114 ms
64 bytes from 8.8.8.8: seq=3 ttl=104 time=5.054 ms
64 bytes from 8.8.8.8: seq=4 ttl=104 time=5.166 ms

Connected to my PC, which has working internet from the ISP, with the WireGuard conf file started:

C:\Users\user>route print
===========================================================================
Interface List
 55...........................WireGuard Tunnel
 10...f8 75 a4 00 27 84 ......Intel(R) Ethernet Connection (6) I219-V
 26...00 15 5d 64 40 f6 ......Hyper-V Virtual Ethernet Adapter
  5...04 ed 33 80 13 81 ......Microsoft Wi-Fi Direct Virtual Adapter #3
 12...06 ed 33 80 13 80 ......Microsoft Wi-Fi Direct Virtual Adapter #4
  2...04 ed 33 80 13 80 ......Intel(R) Wireless-AC 9560 160MHz
 23...04 ed 33 80 13 84 ......Bluetooth Device (Personal Area Network) #2
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.31.1   192.168.31.239     55
          0.0.0.0          0.0.0.0         On-link       192.168.6.2      0
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
     172.17.112.0    255.255.240.0         On-link      172.17.112.1    271
     172.17.112.1  255.255.255.255         On-link      172.17.112.1    271
   172.17.127.255  255.255.255.255         On-link      172.17.112.1    271
      192.168.6.2  255.255.255.255         On-link       192.168.6.2    256
     192.168.31.0    255.255.255.0         On-link    192.168.31.239    311
   192.168.31.239  255.255.255.255         On-link    192.168.31.239    311
   192.168.31.255  255.255.255.255         On-link    192.168.31.239    311
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link    192.168.31.239    311
        224.0.0.0        240.0.0.0         On-link      172.17.112.1    271
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link    192.168.31.239    311
  255.255.255.255  255.255.255.255         On-link      172.17.112.1    271
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    331 ::1/128                  On-link
  2    311 fe80::/64                On-link
 26    271 fe80::/64                On-link
 26    271 fe80::3231:d0de:7b9c:886d/128
                                    On-link
  2    311 fe80::670b:37df:3f25:71e0/128
                                    On-link
  1    331 ff00::/8                 On-link
  2    311 ff00::/8                 On-link
 26    271 ff00::/8                 On-link
===========================================================================
Persistent Routes:

I looked back at the config and noticed one thing missing: the peer has allowed_ips '0.0.0.0/0', but nothing tells OpenWrt to install that as a route. That is why your route table still shows the default route via 192.168.31.1 on wan and nothing via wg0 — LAN traffic has been leaving through the ISP, not through the tunnel, even though the handshake was up.

You need to add one line to the wireguard_wg0 peer section:

        option route_allowed_ips '1'

Sorry that I overlooked that previously. After adding that line, restart your router and try again; `route` should then show a default route via wg0 instead of wan.


Yes, that was the missing option.
Thanks a lot @psherman for your time and support!


Thanks a lot! I've spent a week trying to solve the same issue, and your solution was the key! All the best to you!
