Yup. Not sure if they're compatible, but you should use the official Wireguard builds in order to guarantee that it will work.
I've got a WireGuard conf file that works on my PC; internet access is OK.
The same WireGuard conf file, when uploaded to the router, doesn't give internet access.
Maybe because of the LAN IP subnet mask? It is 192.168.1.x, while the IP/subnet mask from the conf file is 192.168.6.2/32.
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdbf:0551:74ce::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
option peerdns '0'
list dns '1.1.1.1'
list dns '1.0.0.1'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
config interface 'ovpn'
option proto 'none'
option device 'tun0'
config interface 'wg0'
option proto 'wireguard'
option private_key 'xxx'
option mtu '1412'
list addresses '192.168.6.2/32'
list dns '9.9.9.9'
list dns '8.8.8.8'
config wireguard_wg0
option description 'pg_wg.conf'
option public_key 'xxx'
option preshared_key 'xxx'
list allowed_ips '0.0.0.0/0'
option persistent_keepalive '15'
option endpoint_host 'xxx'
option endpoint_port '41194'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'ovpn'
list network 'wan'
list network 'wan6'
list network 'wg0'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'wg'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wg0'
config forwarding
option src 'lan'
option dest 'wg'
root@OpenWrt:~# wg show
interface: wg0
public key: xxx
private key: (hidden)
listening port: 53510
peer: xxx
preshared key: (hidden)
endpoint: xxx:41194
allowed ips: 0.0.0.0/0
latest handshake: 1 minute, 56 seconds ago
transfer: 5.73 KiB received, 2.55 KiB sent
persistent keepalive: every 15 seconds
You got a handshake this time... so that's good.
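You have the wg0 network in two firewall zones ('wan' and 'wg'). It must only be in one. Remove it from the wan zone by deleting the `list network 'wg0'` line from the zone named 'wan' in /etc/config/firewall.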
Restart and try again.
removed, restarted still no internet access
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'wg'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wg0'
config forwarding
option src 'lan'
option dest 'wg'
Let's see
wg show
route
ping 8.8.8.8
ping 64.226.122.113
ping openwrt.org
root@OpenWrt:~# wg show
interface: wg0
public key: xxx
private key: (hidden)
listening port: 54011
peer: xxx
preshared key: (hidden)
endpoint: 213.159.76.170:41194
allowed ips: 0.0.0.0/0
latest handshake: 2 minutes, 3 seconds ago
transfer: 12.31 KiB received, 58.30 KiB sent
persistent keepalive: every 15 seconds
root@OpenWrt:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.31.1 0.0.0.0 UG 0 0 0 wan
192.168.1.0 * 255.255.255.0 U 0 0 0 br-lan
192.168.31.0 * 255.255.255.0 U 0 0 0 wan
213.159.76.170 192.168.31.1 255.255.255.255 UGH 0 0 0 wan
root@OpenWrt:~# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=104 time=5.401 ms
64 bytes from 8.8.8.8: seq=1 ttl=104 time=5.102 ms
64 bytes from 8.8.8.8: seq=2 ttl=104 time=5.172 ms
64 bytes from 8.8.8.8: seq=3 ttl=104 time=5.218 ms
64 bytes from 8.8.8.8: seq=4 ttl=104 time=5.158 ms
64 bytes from 8.8.8.8: seq=5 ttl=104 time=5.063 ms
64 bytes from 8.8.8.8: seq=6 ttl=104 time=5.103 ms
64 bytes from 8.8.8.8: seq=7 ttl=104 time=5.150 ms
64 bytes from 8.8.8.8: seq=8 ttl=104 time=5.136 ms
64 bytes from 8.8.8.8: seq=9 ttl=104 time=5.071 ms
64 bytes from 8.8.8.8: seq=10 ttl=104 time=5.255 ms
64 bytes from 8.8.8.8: seq=11 ttl=104 time=5.137 ms
64 bytes from 8.8.8.8: seq=12 ttl=104 time=5.158 ms
64 bytes from 8.8.8.8: seq=13 ttl=104 time=5.104 ms
^C
--- 8.8.8.8 ping statistics ---
14 packets transmitted, 14 packets received, 0% packet loss
round-trip min/avg/max = 5.063/5.159/5.401 ms
root@OpenWrt:~# ping 64.226.122.113
PING 64.226.122.113 (64.226.122.113): 56 data bytes
64 bytes from 64.226.122.113: seq=0 ttl=46 time=32.374 ms
64 bytes from 64.226.122.113: seq=1 ttl=46 time=32.050 ms
64 bytes from 64.226.122.113: seq=2 ttl=46 time=32.053 ms
64 bytes from 64.226.122.113: seq=3 ttl=46 time=31.967 ms
64 bytes from 64.226.122.113: seq=4 ttl=46 time=32.042 ms
64 bytes from 64.226.122.113: seq=5 ttl=46 time=32.163 ms
^C
--- 64.226.122.113 ping statistics ---
6 packets transmitted, 6 packets received, 0% packet loss
round-trip min/avg/max = 31.967/32.108/32.374 ms
root@OpenWrt:~# ping openwrt.org
PING openwrt.org (64.226.122.113): 56 data bytes
64 bytes from 64.226.122.113: seq=0 ttl=46 time=32.145 ms
64 bytes from 64.226.122.113: seq=1 ttl=46 time=32.034 ms
64 bytes from 64.226.122.113: seq=2 ttl=46 time=32.017 ms
64 bytes from 64.226.122.113: seq=3 ttl=46 time=31.979 ms
64 bytes from 64.226.122.113: seq=4 ttl=46 time=31.963 ms
64 bytes from 64.226.122.113: seq=5 ttl=46 time=31.980 ms
^C
--- openwrt.org ping statistics ---
6 packets transmitted, 6 packets received, 0% packet loss
round-trip min/avg/max = 31.963/32.019/32.145 ms
ok... that all looks good.
What about if you run those same ping tests from your computer?
C:\Users\user>ping 64.226.122.113
Pinging 64.226.122.113 with 32 bytes of data:
Reply from 64.226.122.113: bytes=32 time=96ms TTL=54
Reply from 64.226.122.113: bytes=32 time=97ms TTL=54
Reply from 64.226.122.113: bytes=32 time=96ms TTL=54
Reply from 64.226.122.113: bytes=32 time=98ms TTL=54
Ping statistics for 64.226.122.113:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 96ms, Maximum = 98ms, Average = 96ms
C:\Users\user>ping openwrt.org
Pinging openwrt.org [64.226.122.113] with 32 bytes of data:
Reply from 64.226.122.113: bytes=32 time=96ms TTL=54
Reply from 64.226.122.113: bytes=32 time=98ms TTL=54
Reply from 64.226.122.113: bytes=32 time=98ms TTL=54
Reply from 64.226.122.113: bytes=32 time=97ms TTL=54
Ping statistics for 64.226.122.113:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 96ms, Maximum = 98ms, Average = 97ms
That looks good. Everything appears to be working. Is that not the case?
We have a situation where the WireGuard conf loaded on the PC works and there is internet access,
although the same WireGuard conf loaded on OpenWrt connects, but there is no internet access.
Maybe because of the LAN IP subnet mask? The router gives 192.168.1.x,
while the address from the conf file is 192.168.6.2/32.
You just ran tests on both your router and your computer that showed internet was working as expected. Maybe there is some confusion here regarding the circumstances of the tests you ran?
This is the way it should be. Wireguard is routed and must be on a unique subnet. In your configuration, everything appears to be setup properly.
Lets do the tests again
connected to wifi router + ssh to my router
root@OpenWrt:~# wg show
interface: wg0
public key: xxx
private key: (hidden)
listening port: 33167
peer: xxx
preshared key: (hidden)
endpoint: 213.159.76.170:41194
allowed ips: 0.0.0.0/0
latest handshake: 35 seconds ago
transfer: 10.45 KiB received, 4.16 KiB sent
persistent keepalive: every 15 seconds
root@OpenWrt:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.31.1 0.0.0.0 UG 0 0 0 wan
192.168.1.0 * 255.255.255.0 U 0 0 0 br-lan
192.168.31.0 * 255.255.255.0 U 0 0 0 wan
213.159.76.170 192.168.31.1 255.255.255.255 UGH 0 0 0 wan
root@OpenWrt:~# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=104 time=5.176 ms
64 bytes from 8.8.8.8: seq=1 ttl=104 time=5.076 ms
64 bytes from 8.8.8.8: seq=2 ttl=104 time=5.114 ms
64 bytes from 8.8.8.8: seq=3 ttl=104 time=5.054 ms
64 bytes from 8.8.8.8: seq=4 ttl=104 time=5.166 ms
On my PC, connected with working internet from the ISP and with the WireGuard conf file activated:
C:\Users\user>route print
===========================================================================
Interface List
55...........................WireGuard Tunnel
10...f8 75 a4 00 27 84 ......Intel(R) Ethernet Connection (6) I219-V
26...00 15 5d 64 40 f6 ......Hyper-V Virtual Ethernet Adapter
5...04 ed 33 80 13 81 ......Microsoft Wi-Fi Direct Virtual Adapter #3
12...06 ed 33 80 13 80 ......Microsoft Wi-Fi Direct Virtual Adapter #4
2...04 ed 33 80 13 80 ......Intel(R) Wireless-AC 9560 160MHz
23...04 ed 33 80 13 84 ......Bluetooth Device (Personal Area Network) #2
1...........................Software Loopback Interface 1
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.31.1 192.168.31.239 55
0.0.0.0 0.0.0.0 On-link 192.168.6.2 0
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
172.17.112.0 255.255.240.0 On-link 172.17.112.1 271
172.17.112.1 255.255.255.255 On-link 172.17.112.1 271
172.17.127.255 255.255.255.255 On-link 172.17.112.1 271
192.168.6.2 255.255.255.255 On-link 192.168.6.2 256
192.168.31.0 255.255.255.0 On-link 192.168.31.239 311
192.168.31.239 255.255.255.255 On-link 192.168.31.239 311
192.168.31.255 255.255.255.255 On-link 192.168.31.239 311
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.31.239 311
224.0.0.0 240.0.0.0 On-link 172.17.112.1 271
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.31.239 311
255.255.255.255 255.255.255.255 On-link 172.17.112.1 271
===========================================================================
Persistent Routes:
None
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 331 ::1/128 On-link
2 311 fe80::/64 On-link
26 271 fe80::/64 On-link
26 271 fe80::3231:d0de:7b9c:886d/128
On-link
2 311 fe80::670b:37df:3f25:71e0/128
On-link
1 331 ff00::/8 On-link
2 311 ff00::/8 On-link
26 271 ff00::/8 On-link
===========================================================================
Persistent Routes:
I looked back at the config and noticed one thing missing:
You need to add one line to the peer section (`config wireguard_wg0`) in /etc/config/network:
option route_allowed_ips '1'
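Sorry that I overlooked that previously. Without it, OpenWrt does not create routes for the peer's allowed IPs, which is why the `route` output above shows the default route only via wan and nothing via wg0, so the traffic was not entering the tunnel even though the handshake succeeded. After adding that line, restart your router and try again, then confirm with `route` that a default route via wg0 is present.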
yes that was the missing option.
Thanks a lot @psherman for your time and support!
Thanks a lot! I've spent 1 week trying to solve the same issue and your solution was the key! All the best to you!