Setting up Wireguard questions

Hello.

I'm trying to set up a WireGuard server on my Netgear R7800 router for the first time.
I'm using OpenWrt 23.05.2.

After a change to my /etc/config/firewall and after restarting it, I started to get this warning:

Section @include[0] is not marked as compatible with fw4, ignoring section
Section @include[0] requires 'option fw4_compatible 1' to be considered compatible

So, I added that option to that section, and after that I get the following warning:

Section @include[0] specifies unreachable path '/etc/firewall.user', ignoring section

Should I worry or do anything to fix this?

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
cat /etc/firewall.user
# ubus call system board
{
	"kernel": "5.15.137",
	"hostname": "OpenWrt",
	"system": "ARMv7 Processor rev 0 (v7l)",
	"model": "Netgear Nighthawk X4S R7800",
	"board_name": "netgear,r7800",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "ipq806x/generic",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
}
# cat /etc/config/network 

config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

config globals 'globals'
	option ula_prefix 'fd39:f4fe:3b30::/48'

config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option device 'br-lan'

config interface 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	option device 'eth0.12'

config interface 'wan6'
	option proto 'dhcpv6'
	option peerdns '0'
	list dns '2606:4700:4700::1111'
	list dns '2606:4700:4700::1001'
	option device 'eth0.12'

config interface 'WG_0'
	option proto 'wireguard'
	option private_key 'xxxxxxxxxxx'
	option public_key 'yyyyyyyyyyy'
	option listen_port '51820'
	list addresses 'a.b.c.d/24'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '6t 4 3 2 1'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5t 0t'
	option vid '12'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'
# cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'WG_0'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'
	option fw4_compatible '1'

config redirect
	option name 'OutToIn-SSH'
	option src 'wan'
	option dest 'lan'
	option src_dport 'hidden'
	option dest_port 'hidden'
	option dest_ip '192.168.1.112'
	option target 'DNAT'
	list proto 'tcp'

config redirect
	option dest_port 'hidden-hidden'
	option src 'wan'
	option name 'rtorrent'
	option src_dport 'hidden-hidden'
	option target 'DNAT'
	option dest_ip '192.168.1.153'
	option dest 'lan'
	list proto 'tcp'
	list proto 'udp'

config redirect
	option dest_port 'hidden'
	option src 'wan'
	option name 'RTL-ssl'
	option src_dport 'hidden'
	option target 'DNAT'
	option dest_ip '192.168.1.153'
	option dest 'lan'
	option proto 'tcp'

config redirect
	option dest_port 'hidden'
	option src 'wan'
	option name 'access-ssh'
	option src_dport 'hidden'
	option target 'DNAT'
	option dest_ip '192.168.1.153'
	option dest 'lan'
	option proto 'tcp'

config redirect
	option dest_port 'hidden'
	option src 'wan'
	option name 'application-core'
	option src_dport 'hidden'
	option target 'DNAT'
	option dest_ip '192.168.1.153'
	option dest 'lan'
	option proto 'tcp'

config redirect
	option name 'WireGuard'
	option proto 'udp'
	option dest_port '51820'
	option src_dport '51820'
	option dest 'lan'
	option src 'wan'

config rule
	option name 'AllowBits'
	option src 'wan'
	option dest_port 'hidden'
	option target 'ACCEPT'
	option proto 'tcp'
	option family 'ipv6'
	option dest 'lan'

There is no /etc/firewall.user.

There's no need to redact the address here (keys should be redacted, but not the address):

I don't see any peer config stanzas... did you remove them?

Delete the firewall rule below and create a rule (not a port forward/redirect) that accepts udp 51820 from source zone wan:

I am following a YouTube video, changing one setting at a time and trying to keep track of the files that LuCI (as used in the video) changes. That's why I still don't have any peers!

That config redirect is probably very wrong at this point because my networking knowledge is very limited and I'm not exactly sure which settings to use for my case!

I still struggle to understand sources and destinations and how traffic works inside and outside networks, etc. I don't even know exactly how to explain what I don't know! lol. Please bear with me!
The video I'm following is this, as a reference:

But I'm trying to change things via the command line instead of LuCI so that I can keep track of exactly what changes. I'm not even using UCI commands; I'm editing the files manually.

Edited:
What about the OP question? :slight_smile: Should I do anything about the "missing file"?
I just created an empty one to get rid of the warning message!

Config rule created:

config rule                                                                                                                                                                                                                                  
        option name 'WireGuard'                                                                                                                                                                                                              
        option src 'wan'                                                                                                                                                                                                                     
        option target 'ACCEPT'                                                                                                                                                                                                               
        option dest_port '51820'                                                                                                                                                                                                             
        option proto 'udp'

Is it like this??

You can ignore it or just remove the stanza that references it:

The new rule is correct.

ok, thanks, about the missing file!

About the WireGuard server configuration: will I still need port forwarding, or is the rule sufficient?

Just the rule. Port forwarding is for the situation where you are forwarding traffic to a device behind the router. Traffic rules like this are what you use when the router itself is accepting the connection.

So, now I just need to setup the peers? Is that it?

And regarding your previous reply, one of my goals is to be able to access my devices connected to the router from outside my home network.

For instance, if I'm outside with my laptop, I want to be able to access one device that is connected to the router!

Another goal is that I am able to start a couple of services I have running on a device connected to my router, inside my home network!

Yes, peers are required.

Yes, this should work as long as you have a public IP on your OpenWrt wan.

If I add a peer via LuCI interface, in which file can I find it? Do I need to restart the router to make it visible in the files or simply restarting the network service is enough?

I added a peer, but unless I have to restart the router or the network service, I can't find it in either /etc/config/network or /etc/config/firewall.

/etc/config/network

It should be immediately visible (after you've hit save and apply), but you do need to restart the network service (or reboot the router) for it to load the new configuration.

Post your /etc/config/network file


Yeah, I already see it. I think I only clicked Save in the Peers tab and not the Save and Apply in the Interfaces config screen.

So, please let me know if this is enough to get going with a WireGuard server configured on my router and then a client, in this case my Android phone.

On my router I have the following in /etc/config/network:

config interface 'WG_0'                                                         
        option proto 'wireguard'                                                
        option private_key 'xxxxxxxxxx'       
        option public_key 'yyyyyyyyyy'        
        option listen_port '51820'                                              
        list addresses '10.14.0.1/24'

...

config wireguard_WG_0        
        option description 'GalaxyPhone'
        option public_key 'peer_public_key_generated_by_the_app'
        option private_key 'peer_private_key_generated_by_the_app'
        list allowed_ips '192.168.4.1'
        option route_allowed_ips '1'
        option endpoint_port '51820'

In /etc/config/firewall I have the following:

config zone                                                                     
        option name 'lan'                                                       
        option input 'ACCEPT'                                                   
        option output 'ACCEPT'                                                  
        option forward 'ACCEPT'                                                 
        list network 'lan'                                                      
        list network 'WG_0'

...

config rule                                                                     
        option name 'WireGuard'                                                 
        option src 'wan'                                                        
        option target 'ACCEPT'                                                  
        option dest_port '51820'                                                
        option proto 'udp'

Now, on the client, I downloaded an alternative WireGuard app from the F-Droid store, and configured a client like this:
Name: GalaxyPhone
Private Key: peer_public_key_generated_by_the_app
Public Key: peer_private_key_generated_by_the_app
Addresses: 192.168.4.1/32
Listen Port: 51820
DNS Servers: 1.1.1.1

Peer
Public Key: the one generated by Wireguard in my router
Pre-Shared Key: None
Persistent keepalive: none
Endpoint: my router's external IP provided by my ISP
Allowed IPs: 0.0.0.0/0

But I must be missing more settings, for sure!

My /etc/config/network is:

# cat /etc/config/network 

config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

config globals 'globals'
	option ula_prefix 'fd39:f4fe:3b30::/48'

config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option device 'br-lan'

config interface 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	option device 'eth0.12'

config interface 'wan6'
	option proto 'dhcpv6'
	option peerdns '0'
	list dns '2606:4700:4700::1111'
	list dns '2606:4700:4700::1001'
	option device 'eth0.12'

config interface 'WG_0'
	option proto 'wireguard'
	option private_key 'hidden'
	option public_key 'hidden'
	option listen_port '51820'
	list addresses '10.14.0.1/24'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '6t 4 3 2 1'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5t 0t'
	option vid '12'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'

config wireguard_WG_0
	option description 'GalaxyPhone'
	option public_key 'hidden'
	option private_key 'hidden'
	list allowed_ips '192.168.4.1'
	option route_allowed_ips '1'
	option endpoint_port '51820'

There are some issues here:

  • change the allowed IPs to 10.14.0.2/32
  • remove the endpoint port
  • Remove the public key here (although it shouldn't present an issue)
  • remove the listen port
  • change the address to 10.14.0.2/32

You probably need to specify the endpoint port, too (i.e. external.ip.address.fromisp:51820)

Reboot your router and then try again.

Like this in the app:

and

Note:
On the 2nd screenshot, the Public key I have there is the one generated by WireGuard on my router.

Another thing I don't understand is why I must use 10.14.0.2/32 in config wireguard_WG_0 and not the IP I set for my phone's WireGuard interface.
Aren't we supposed to tell my router to allow traffic from the IP I set on my phone?

The peer's address must be consistent between the phone (in the interface section) and the router config (in the peer stanza). It needs to be in the same subnet as the one you've defined for your router's WG interface.

The app screenshot now looks good.

Are you able to connect?

Ah ok. I got it!

But from the phone I still cannot connect, no.

On LuCI

While connected to wifi, try changing the endpoint address on the phone as follows:

192.168.1.1:51820

Then see if this is able to connect.

Yes, it was able to connect while connected to Wi-Fi!

Ok...

I suspect you may not have a public IP.
Look at your LuCI main status page and find the section that says "IPv4 upstream." There will be an IP address there. What are the first two octets (in bold: aaa.bbb.ccc.ddd)?