Setup wireguard VPN server on OpenWrt

Hello,

I replaced my GL.iNet AR750S-Ext travel router in my home network with a Netgear R-7800 router.
On the R-7800 router I installed OpenWrt 19.07 with AdGuard Home and WireGuard.
On the AR750 router I had OpenVPN installed and later on added WireGuard.
On the R-7800 I forwarded the same ports to my server and can access my server from the outside with OpenVPN.

But I can't make a connection using the WireGuard protocol. Of course it must be me, but after struggling for a few days now, I'm asking for help.

My goal is to set up a WireGuard VPN server on the OpenWrt router (without using an endpoint because of an unstable ADSL line) and an Android phone as client to access a local server and use the local network as gateway for browsing (via AdGuard Home).

Is there somebody who can point me to a working manual which I can follow?

Thank you all very kindly,

Tom

What are your WG configs (please omit the private and pre-shared keys)?

Also let us know the SRC subnet and destination subnet of the client's traffic to the server.

When running a VPN server on the main router you would open the incoming port(s), not forward them.

Note that web browsing via VPN with the server on an ADSL line will be very slow. Every page sent to a client has to repeat through the typically sub-megabit uplink path of your DSL line.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*

Hello, thank you for your quick replies. At the moment I have no config files because I deleted all prior installations.
That's why I asked for a link which I can use to have a fresh start.

thank you,

grt tom

https://openwrt.org/docs/guide-user/services/vpn/wireguard/basic

Thank you,

Here is my output,

root@Netgear_R-7800:/etc/config# ubus call system board; \
> uci export network; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> iptables-save -c; ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.*; head -n -0 /etc/resolv.* /tmp/resolv.*
{
	"kernel": "4.14.195",
	"hostname": "Netgear_R-7800",
	"system": "ARMv7 Processor rev 0 (v7l)",
	"model": "Netgear Nighthawk X4S R7800",
	"board_name": "netgear,r7800",
	"release": {
		"distribution": "OpenWrt",
		"version": "19.07.4",
		"revision": "r11208-ce6496d796",
		"target": "ipq806x/generic",
		"description": "OpenWrt 19.07.4 r11208-ce6496d796"
	}
}
package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdb2:0e34:d2e3::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.8.1'
	option ifname 'eth1.1'

config interface 'wan'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'
	option netmask '255.255.255.0'
	option type 'bridge'
	option ifname 'eth0.2'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 0t'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option type 'bridge'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'QjfAP…...'
	option listen_port '51820'
	list addresses '192.168.9.1/24'
	list addresses 'fdf1:e8a1:8d3f:9::1/64'

config wireguard_wg0 'wgclient'
	option preshared_key 'ZsCB…...'
	list allowed_ips '192.168.9.2/32'
	list allowed_ips 'fdf1:e8a1:8d3f:9::2/128'
	option persistent_keepalive '25'
	option public_key 'Rsd3…...'
	option description 'Android Phone'
	option route_allowed_ips '1'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg0'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding 'lan_wan'
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config redirect
	option src 'wan'
	option name 'L2TP (VPN)'
	option target 'DNAT'
	option dest_ip '192.168.8.252'
	option dest 'lan'
	list proto 'udp'
	option dest_port '1701'
	option src_dport '1701'

config redirect
	option src 'wan'
	option name 'PPTP (VPN) '
	option src_dport '1723'
	option target 'DNAT'
	option dest_ip '192.168.8.252'
	option dest 'lan'
	list proto 'tcp'
	option dest_port '1723'

config redirect
	option src 'wan'
	option name 'OPENVPN (VPN)'
	option dest 'lan'
	option dest_ip '192.168.8.252'
	option target 'DNAT'
	option dest_port '1194'
	list proto 'tcp'
	list proto 'udp'
	option src_dport '1194'

config redirect
	option dest_port '13131'
	option src 'wan'
	option name 'telnet'
	option src_dport '13131'
	option target 'DNAT'
	option dest_ip '192.168.8.252'
	option dest 'lan'
	list proto 'tcp'

config redirect
	option dest_port '8081'
	option src 'wan'
	option name 'webserver'
	option src_dport '8081'
	option target 'DNAT'
	option dest_ip '192.168.8.252'
	option dest 'lan'
	list proto 'tcp'

config redirect
	option dest_port '500'
	option src 'wan'
	option src_dport '500'
	option target 'DNAT'
	option dest_ip '192.168.8.252'
	option dest 'lan'
	list proto 'udp'
	option name 'ISAKMP (VPN)'

config redirect
	option dest_port '4500'
	option src 'wan'
	option name 'IPSec NAT (VPN)'
	option src_dport '4500'
	option target 'DNAT'
	option dest_ip '192.168.8.252'
	option dest 'lan'
	list proto 'udp'

config redirect
	option dest_port '20'
	option src 'wan'
	option name 'FTP (DATA)'
	option src_dport '20'
	option target 'DNAT'
	option dest_ip '192.168.8.252'
	option dest 'lan'
	list proto 'tcp'

config redirect
	option dest_port '21'
	option src 'wan'
	option name 'FTP (CONTROL)'
	option src_dport '21'
	option target 'DNAT'
	option dest_ip '192.168.8.252'
	option dest 'lan'
	list proto 'tcp'

config zone 'guest'
	option name 'guest'
	option network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding 'guest_wan'
	option src 'guest'
	option dest 'wan'

config rule 'guest_dns'
	option name 'Allow-DNS-Guest'
	option src 'guest'
	option dest_port '53'
	option proto 'tcpudp'
	option target 'ACCEPT'

config rule 'guest_dhcp'
	option name 'Allow-DHCP-Guest'
	option src 'guest'
	option dest_port '67'
	option family 'ipv4'
	option proto 'udp'
	option target 'ACCEPT'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

iptables -t nat -A PREROUTING -i br-lan -p udp --dport 53 -j DNAT --to 192.168.8.1:5353
iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 53 -j DNAT --to 192.168.8.1:5353
# Generated by iptables-save v1.8.3 on Thu Sep 24 17:27:01 2020
*nat
:PREROUTING ACCEPT [7220:1156367]
:INPUT ACCEPT [740:57909]
:OUTPUT ACCEPT [319:22650]
:POSTROUTING ACCEPT [151:10744]
:postrouting_guest_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_guest_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_guest_postrouting - [0:0]
:zone_guest_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[372:26123] -A PREROUTING -i br-lan -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.8.1:5353
[0:0] -A PREROUTING -i br-lan -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.8.1:5353
[7220:1156367] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[6116:1082053] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i wg0 -m comment --comment "!fw3" -j zone_lan_prerouting
[1104:74314] -A PREROUTING -i br-wan -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i br-guest -m comment --comment "!fw3" -j zone_guest_prerouting
[4909:362460] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o wg0 -m comment --comment "!fw3" -j zone_lan_postrouting
[4758:351716] -A POSTROUTING -o br-wan -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o br-guest -m comment --comment "!fw3" -j zone_guest_postrouting
[0:0] -A zone_guest_postrouting -m comment --comment "!fw3: Custom guest postrouting rule chain" -j postrouting_guest_rule
[0:0] -A zone_guest_prerouting -m comment --comment "!fw3: Custom guest prerouting rule chain" -j prerouting_guest_rule
[0:0] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 192.168.8.0/24 -d 192.168.8.252/32 -p udp -m udp --dport 1701 -m comment --comment "!fw3: L2TP (VPN) (reflection)" -j SNAT --to-source 192.168.8.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 192.168.8.252/32 -p udp -m udp --dport 1701 -m comment --comment "!fw3: L2TP (VPN) (reflection)" -j SNAT --to-source 192.168.9.1
[0:0] -A zone_lan_postrouting -s 192.168.8.0/24 -d 192.168.8.252/32 -p tcp -m tcp --dport 1723 -m comment --comment "!fw3: PPTP (VPN)  (reflection)" -j SNAT --to-source 192.168.8.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 192.168.8.252/32 -p tcp -m tcp --dport 1723 -m comment --comment "!fw3: PPTP (VPN)  (reflection)" -j SNAT --to-source 192.168.9.1
[0:0] -A zone_lan_postrouting -s 192.168.8.0/24 -d 192.168.8.252/32 -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: OPENVPN (VPN) (reflection)" -j SNAT --to-source 192.168.8.1
[0:0] -A zone_lan_postrouting -s 192.168.8.0/24 -d 192.168.8.252/32 -p udp -m udp --dport 1194 -m comment --comment "!fw3: OPENVPN (VPN) (reflection)" -j SNAT --to-source 192.168.8.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 192.168.8.252/32 -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: OPENVPN (VPN) (reflection)" -j SNAT --to-source 192.168.9.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 192.168.8.252/32 -p udp -m udp --dport 1194 -m comment --comment "!fw3: OPENVPN (VPN) (reflection)" -j SNAT --to-source 192.168.9.1
[0:0] -A zone_lan_postrouting -s 192.168.8.0/24 -d 192.168.8.252/32 -p tcp -m tcp --dport 13131 -m comment --comment "!fw3: telnet (reflection)" -j SNAT --to-source 192.168.8.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 192.168.8.252/32 -p tcp -m tcp --dport 13131 -m comment --comment "!fw3: telnet (reflection)" -j SNAT --to-source 192.168.9.1
[0:0] -A zone_lan_postrouting -s 192.168.8.0/24 -d 192.168.8.252/32 -p tcp -m tcp --dport 8081 -m comment --comment "!fw3: webserver (reflection)" -j SNAT --to-source 192.168.8.1

and part 2,

[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 192.168.8.252/32 -p tcp -m tcp --dport 8081 -m comment --comment "!fw3: webserver (reflection)" -j SNAT --to-source 192.168.9.1
[0:0] -A zone_lan_postrouting -s 192.168.8.0/24 -d 192.168.8.252/32 -p udp -m udp --dport 500 -m comment --comment "!fw3: ISAKMP (VPN) (reflection)" -j SNAT --to-source 192.168.8.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 192.168.8.252/32 -p udp -m udp --dport 500 -m comment --comment "!fw3: ISAKMP (VPN) (reflection)" -j SNAT --to-source 192.168.9.1
[0:0] -A zone_lan_postrouting -s 192.168.8.0/24 -d 192.168.8.252/32 -p udp -m udp --dport 4500 -m comment --comment "!fw3: IPSec NAT (VPN) (reflection)" -j SNAT --to-source 192.168.8.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 192.168.8.252/32 -p udp -m udp --dport 4500 -m comment --comment "!fw3: IPSec NAT (VPN) (reflection)" -j SNAT --to-source 192.168.9.1
[0:0] -A zone_lan_postrouting -s 192.168.8.0/24 -d 192.168.8.252/32 -p tcp -m tcp --dport 20 -m comment --comment "!fw3: FTP (DATA) (reflection)" -j SNAT --to-source 192.168.8.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 192.168.8.252/32 -p tcp -m tcp --dport 20 -m comment --comment "!fw3: FTP (DATA) (reflection)" -j SNAT --to-source 192.168.9.1
[0:0] -A zone_lan_postrouting -s 192.168.8.0/24 -d 192.168.8.252/32 -p tcp -m tcp --dport 21 -m comment --comment "!fw3: FTP (CONTROL) (reflection)" -j SNAT --to-source 192.168.8.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 192.168.8.252/32 -p tcp -m tcp --dport 21 -m comment --comment "!fw3: FTP (CONTROL) (reflection)" -j SNAT --to-source 192.168.9.1
[6116:1082053] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -s 192.168.8.0/24 -d 192.168.1.2/32 -p udp -m udp --dport 1701 -m comment --comment "!fw3: L2TP (VPN) (reflection)" -j DNAT --to-destination 192.168.8.252:1701
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d 192.168.1.2/32 -p udp -m udp --dport 1701 -m comment --comment "!fw3: L2TP (VPN) (reflection)" -j DNAT --to-destination 192.168.8.252:1701
[0:0] -A zone_lan_prerouting -s 192.168.8.0/24 -d 192.168.1.2/32 -p tcp -m tcp --dport 1723 -m comment --comment "!fw3: PPTP (VPN)  (reflection)" -j DNAT --to-destination 192.168.8.252:1723
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d 192.168.1.2/32 -p tcp -m tcp --dport 1723 -m comment --comment "!fw3: PPTP (VPN)  (reflection)" -j DNAT --to-destination 192.168.8.252:1723
[0:0] -A zone_lan_prerouting -s 192.168.8.0/24 -d 192.168.1.2/32 -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: OPENVPN (VPN) (reflection)" -j DNAT --to-destination 192.168.8.252:1194
[0:0] -A zone_lan_prerouting -s 192.168.8.0/24 -d 192.168.1.2/32 -p udp -m udp --dport 1194 -m comment --comment "!fw3: OPENVPN (VPN) (reflection)" -j DNAT --to-destination 192.168.8.252:1194
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d 192.168.1.2/32 -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: OPENVPN (VPN) (reflection)" -j DNAT --to-destination 192.168.8.252:1194
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d 192.168.1.2/32 -p udp -m udp --dport 1194 -m comment --comment "!fw3: OPENVPN (VPN) (reflection)" -j DNAT --to-destination 192.168.8.252:1194
[0:0] -A zone_lan_prerouting -s 192.168.8.0/24 -d 192.168.1.2/32 -p tcp -m tcp --dport 13131 -m comment --comment "!fw3: telnet (reflection)" -j DNAT --to-destination 192.168.8.252:13131
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d 192.168.1.2/32 -p tcp -m tcp --dport 13131 -m comment --comment "!fw3: telnet (reflection)" -j DNAT --to-destination 192.168.8.252:13131
[0:0] -A zone_lan_prerouting -s 192.168.8.0/24 -d 192.168.1.2/32 -p tcp -m tcp --dport 8081 -m comment --comment "!fw3: webserver (reflection)" -j DNAT --to-destination 192.168.8.252:8081
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d 192.168.1.2/32 -p tcp -m tcp --dport 8081 -m comment --comment "!fw3: webserver (reflection)" -j DNAT --to-destination 192.168.8.252:8081
[0:0] -A zone_lan_prerouting -s 192.168.8.0/24 -d 192.168.1.2/32 -p udp -m udp --dport 500 -m comment --comment "!fw3: ISAKMP (VPN) (reflection)" -j DNAT --to-destination 192.168.8.252:500
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d 192.168.1.2/32 -p udp -m udp --dport 500 -m comment --comment "!fw3: ISAKMP (VPN) (reflection)" -j DNAT --to-destination 192.168.8.252:500
[0:0] -A zone_lan_prerouting -s 192.168.8.0/24 -d 192.168.1.2/32 -p udp -m udp --dport 4500 -m comment --comment "!fw3: IPSec NAT (VPN) (reflection)" -j DNAT --to-destination 192.168.8.252:4500
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d 192.168.1.2/32 -p udp -m udp --dport 4500 -m comment --comment "!fw3: IPSec NAT (VPN) (reflection)" -j DNAT --to-destination 192.168.8.252:4500
[0:0] -A zone_lan_prerouting -s 192.168.8.0/24 -d 192.168.1.2/32 -p tcp -m tcp --dport 20 -m comment --comment "!fw3: FTP (DATA) (reflection)" -j DNAT --to-destination 192.168.8.252:20
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d 192.168.1.2/32 -p tcp -m tcp --dport 20 -m comment --comment "!fw3: FTP (DATA) (reflection)" -j DNAT --to-destination 192.168.8.252:20
[0:0] -A zone_lan_prerouting -s 192.168.8.0/24 -d 192.168.1.2/32 -p tcp -m tcp --dport 21 -m comment --comment "!fw3: FTP (CONTROL) (reflection)" -j DNAT --to-destination 192.168.8.252:21
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d 192.168.1.2/32 -p tcp -m tcp --dport 21 -m comment --comment "!fw3: FTP (CONTROL) (reflection)" -j DNAT --to-destination 192.168.8.252:21
[4758:351716] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[4758:351716] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[1104:74314] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 1701 -m comment --comment "!fw3: L2TP (VPN)" -j DNAT --to-destination 192.168.8.252:1701
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 1723 -m comment --comment "!fw3: PPTP (VPN) " -j DNAT --to-destination 192.168.8.252:1723
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 1194 -m comment --comment "!fw3: OPENVPN (VPN)" -j DNAT --to-destination 192.168.8.252:1194
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 1194 -m comment --comment "!fw3: OPENVPN (VPN)" -j DNAT --to-destination 192.168.8.252:1194
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 13131 -m comment --comment "!fw3: telnet" -j DNAT --to-destination 192.168.8.252:13131
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 8081 -m comment --comment "!fw3: webserver" -j DNAT --to-destination 192.168.8.252:8081
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 500 -m comment --comment "!fw3: ISAKMP (VPN)" -j DNAT --to-destination 192.168.8.252:500
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 4500 -m comment --comment "!fw3: IPSec NAT (VPN)" -j DNAT --to-destination 192.168.8.252:4500
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 20 -m comment --comment "!fw3: FTP (DATA)" -j DNAT --to-destination 192.168.8.252:20
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 21 -m comment --comment "!fw3: FTP (CONTROL)" -j DNAT --to-destination 192.168.8.252:21
COMMIT
# Completed on Thu Sep 24 17:27:01 2020
# Generated by iptables-save v1.8.3 on Thu Sep 24 17:27:01 2020
*raw
:PREROUTING ACCEPT [81645:32013450]
:OUTPUT ACCEPT [17740:5574511]
COMMIT
# Completed on Thu Sep 24 17:27:01 2020
# Generated by iptables-save v1.8.3 on Thu Sep 24 17:27:01 2020
*mangle
:PREROUTING ACCEPT [76497:30472278]
:INPUT ACCEPT [14736:1829013]
:FORWARD ACCEPT [59956:27886794]
:OUTPUT ACCEPT [15915:5051472]
:POSTROUTING ACCEPT [75724:32931368]
:qos_Default - [0:0]
:qos_Default_ct - [0:0]
[772:46344] -A FORWARD -o br-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[464:27056] -A FORWARD -i br-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A qos_Default -j CONNMARK --restore-mark --nfmask 0xf --ctmask 0xf
[0:0] -A qos_Default -m mark --mark 0x0/0xf -j qos_Default_ct
[0:0] -A qos_Default -p udp -m mark --mark 0x0/0xf0 -m length --length 0:500 -j MARK --set-xmark 0x22/0xff
[0:0] -A qos_Default -p icmp -j MARK --set-xmark 0x11/0xff
[0:0] -A qos_Default -p tcp -m mark --mark 0x0/0xf0 -m tcp --sport 1024:65535 --dport 1024:65535 -j MARK --set-xmark 0x44/0xff
[0:0] -A qos_Default -p udp -m mark --mark 0x0/0xf0 -m udp --sport 1024:65535 --dport 1024:65535 -j MARK --set-xmark 0x44/0xff
[0:0] -A qos_Default -j CONNMARK --save-mark --nfmask 0xff --ctmask 0xff
[0:0] -A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 22,53 -m comment --comment "ssh, dns" -j MARK --set-xmark 0x11/0xff
[0:0] -A qos_Default_ct -p udp -m mark --mark 0x0/0xf -m udp -m multiport --ports 22,53 -m comment --comment "ssh, dns" -j MARK --set-xmark 0x11/0xff
[0:0] -A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 20,21,25,80,110,443,993,995 -m comment --comment "ftp, smtp, http(s), imap" -j MARK --set-xmark 0x33/0xff
[0:0] -A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 5190 -m comment --comment "AOL, iChat, ICQ" -j MARK --set-xmark 0x22/0xff
[0:0] -A qos_Default_ct -p udp -m mark --mark 0x0/0xf -m udp -m multiport --ports 5190 -m comment --comment "AOL, iChat, ICQ" -j MARK --set-xmark 0x22/0xff
[0:0] -A qos_Default_ct -j CONNMARK --save-mark --nfmask 0xff --ctmask 0xff
COMMIT
# Completed on Thu Sep 24 17:27:01 2020
# Generated by iptables-save v1.8.3 on Thu Sep 24 17:27:01 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_guest_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_guest_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_guest_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_guest_dest_ACCEPT - [0:0]
:zone_guest_dest_REJECT - [0:0]
:zone_guest_forward - [0:0]
:zone_guest_input - [0:0]
:zone_guest_output - [0:0]
:zone_guest_src_REJECT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[5638:475551] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[9107:1353930] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[7414:1151816] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[230:9564] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[580:133750] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i wg0 -m comment --comment "!fw3" -j zone_lan_input
[1113:68364] -A INPUT -i br-wan -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i br-guest -m comment --comment "!fw3" -j zone_guest_input
[59956:27886794] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[54846:27474129] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[5110:412665] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i wg0 -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i br-wan -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i br-guest -m comment --comment "!fw3" -j zone_guest_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[5935:501687] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[9989:4553277] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[9757:4538791] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o wg0 -m comment --comment "!fw3" -j zone_lan_output
[232:14486] -A OUTPUT -o br-wan -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o br-guest -m comment --comment "!fw3" -j zone_guest_output
[296:13973] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[260:12647] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[230:9564] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_guest_dest_ACCEPT -o br-guest -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_guest_dest_REJECT -o br-guest -m comment --comment "!fw3" -j reject
[0:0] -A zone_guest_forward -m comment --comment "!fw3: Custom guest forwarding rule chain" -j forwarding_guest_rule
[0:0] -A zone_guest_forward -m comment --comment "!fw3: Zone guest to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_guest_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_guest_forward -m comment --comment "!fw3" -j zone_guest_dest_REJECT
[0:0] -A zone_guest_input -m comment --comment "!fw3: Custom guest input rule chain" -j input_guest_rule
[0:0] -A zone_guest_input -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Allow-DNS-Guest" -j ACCEPT
[0:0] -A zone_guest_input -p udp -m udp --dport 53 -m comment --comment "!fw3: Allow-DNS-Guest" -j ACCEPT
[0:0] -A zone_guest_input -p udp -m udp --dport 67 -m comment --comment "!fw3: Allow-DHCP-Guest" -j ACCEPT
[0:0] -A zone_guest_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_guest_input -m comment --comment "!fw3" -j zone_guest_src_REJECT
[0:0] -A zone_guest_output -m comment --comment "!fw3: Custom guest output rule chain" -j output_guest_rule
[0:0] -A zone_guest_output -m comment --comment "!fw3" -j zone_guest_dest_ACCEPT
[0:0] -A zone_guest_src_REJECT -i br-guest -m comment --comment "!fw3" -j reject
[0:0] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_ACCEPT -o wg0 -m comment --comment "!fw3" -j ACCEPT
[5110:412665] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[5110:412665] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[580:133750] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[223:15338] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[357:118412] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[0:0] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[0:0] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[357:118412] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_src_ACCEPT -i wg0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[147:6898] -A zone_wan_dest_ACCEPT -o br-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[5195:420253] -A zone_wan_dest_ACCEPT -o br-wan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o br-wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[1113:68364] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[524:40688] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[33:1056] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 51820 -m comment --comment "!fw3: Allow-WireGuard" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[556:26620] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[232:14486] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[232:14486] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[556:26620] -A zone_wan_src_REJECT -i br-wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Thu Sep 24 17:27:01 2020
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
9: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.8.1/24 brd 192.168.8.255 scope global br-lan
       valid_lft forever preferred_lft forever
11: br-wan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.2/24 brd 192.168.1.255 scope global br-wan
       valid_lft forever preferred_lft forever
13: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.3.1/24 brd 192.168.3.255 scope global br-guest
       valid_lft forever preferred_lft forever
35: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 192.168.9.1/24 brd 192.168.9.255 scope global wg0
       valid_lft forever preferred_lft forever
default via 192.168.1.1 dev br-wan proto static 
192.168.1.0/24 dev br-wan proto kernel scope link src 192.168.1.2 
192.168.3.0/24 dev br-guest proto kernel scope link src 192.168.3.1 
192.168.8.0/24 dev br-lan proto kernel scope link src 192.168.8.1 
192.168.9.0/24 dev wg0 proto kernel scope link src 192.168.9.1 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.1.0 dev br-wan table local proto kernel scope link src 192.168.1.2 
local 192.168.1.2 dev br-wan table local proto kernel scope host src 192.168.1.2 
broadcast 192.168.1.255 dev br-wan table local proto kernel scope link src 192.168.1.2 
broadcast 192.168.3.0 dev br-guest table local proto kernel scope link src 192.168.3.1 
local 192.168.3.1 dev br-guest table local proto kernel scope host src 192.168.3.1 
broadcast 192.168.3.255 dev br-guest table local proto kernel scope link src 192.168.3.1 
broadcast 192.168.8.0 dev br-lan table local proto kernel scope link src 192.168.8.1 
local 192.168.8.1 dev br-lan table local proto kernel scope host src 192.168.8.1 
broadcast 192.168.8.255 dev br-lan table local proto kernel scope link src 192.168.8.1 
broadcast 192.168.9.0 dev wg0 table local proto kernel scope link src 192.168.9.1 
local 192.168.9.1 dev wg0 table local proto kernel scope host src 192.168.9.1 
broadcast 192.168.9.255 dev wg0 table local proto kernel scope link src 192.168.9.1 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
lrwxrwxrwx    1 root     root            16 Sep  6 18:19 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 Sep 24 16:56 /tmp/resolv.conf
-rw-r--r--    1 root     root            39 Sep 24 16:55 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface wan
nameserver 192.168.1.1

What seems to be the issue?
I don't see any hits on the firewall for the Wireguard, so nothing reached your router.

[0:0] -A zone_wan_input -p udp -m udp --dport 51820 -m comment --comment "!fw3: Allow-WireGuard" -j ACCEPT
1 Like

Set up port forwarding for 51820/udp on the upstream router and disable bridge for the WAN interface.

2 Likes

This rule is active under traffic rules

In the second post, search for "Allow-Wireguard"

This is a standard wireguard installation from this page: https://openwrt.org/docs/guide-user/services/vpn/wireguard/basic

But even when I forwarded the UDP port 51820, I can't connect from my phone.

Your current router has no public IP address.
You need to set up port forwarding on the upstream router.
The upstream router must have a public IP address.

2 Likes

The netgear router is placed in the DMZ of the provider's router.

It has worked like this with the AR750S-ext router too

Ask your ISP if they can provide a public IP address or port forwarding.
Self-hosted VPNs such as WireGuard and OpenVPN require this to be able to connect from the internet.

Make sure that the router of the provider has a public IP. If you are using dyndns service, make sure that the binding is correct. Make sure that the port forwarding from isp router to the OpenWrt is correct.
As long as the counters at the beginning of the DNAT are zeroes, it means that no packets made it to the OpenWrt.
iptables-save -c | grep Allow-WireGuard

1 Like
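The two checks the replies above rely on (zero counters on the Allow-WireGuard rule mean nothing reached the router; a private address on the WAN interface means an upstream device is doing NAT and must forward 51820/udp) can be automated against the output the thread asked for. The following is an added example, not code from the thread or from OpenWrt; the sample `iptables-save -c` and `ip -4 addr` lines are constructed in the format posted above, and the `br-wan` interface name is taken from that post.

```python
import ipaddress
import re

# Constructed sample input in the format of `iptables-save -c` and
# `ip -4 addr`, modelled on the output posted in this thread.
IPTABLES_SAVE = """\
[0:0] -A zone_wan_input -p udp -m udp --dport 51820 -m comment --comment "!fw3: Allow-WireGuard" -j ACCEPT
[524:40688] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[556:26620] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
"""

IP_ADDR = """\
9: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.8.1/24 brd 192.168.8.255 scope global br-lan
11: br-wan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.2/24 brd 192.168.1.255 scope global br-wan
"""

# "[packets:bytes] -A <chain> <rest of rule>"
RULE_RE = re.compile(r"^\[(\d+):(\d+)\]\s+-A\s+(\S+)\s+(.*)$")
# "inet <addr/prefix> [brd <addr>] scope <scope> <ifname>"
ADDR_RE = re.compile(r"inet (\S+)(?: brd \S+)? scope \S+ (\S+)")
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def rule_counters(iptables_save, comment):
    """Return (chain, packets, bytes) for every rule whose comment contains `comment`."""
    hits = []
    for line in iptables_save.splitlines():
        m = RULE_RE.match(line)
        if m and comment in m.group(4):
            hits.append((m.group(3), int(m.group(1)), int(m.group(2))))
    return hits


def iface_addresses(ip_addr_output, iface):
    """Collect the IPv4 addresses `ip -4 addr` reports on `iface`."""
    return [ipaddress.ip_interface(m.group(1))
            for m in ADDR_RE.finditer(ip_addr_output) if m.group(2) == iface]


def diagnose(iptables_save, ip_addr_output, wan_iface="br-wan"):
    """Reproduce the thread's two checks and return the findings."""
    counters = rule_counters(iptables_save, "Allow-WireGuard")
    packets = sum(p for _, p, _ in counters)
    wan = iface_addresses(ip_addr_output, wan_iface)
    # RFC 1918 or CGNAT space on the WAN side means another device does NAT
    # upstream, so 51820/udp has to be forwarded there as well.
    behind_nat = any(a.ip.is_private or a.ip in CGNAT for a in wan)
    findings = []
    if not counters:
        findings.append("no Allow-WireGuard rule found")
    elif packets == 0:
        findings.append("Allow-WireGuard counters are zero: no packet reached the router on 51820/udp")
    if behind_nat:
        findings.append(f"{wan_iface} has a private address: forward 51820/udp on the upstream router")
    return {"wg_packets": packets,
            "wan_addresses": [str(a) for a in wan],
            "behind_upstream_nat": behind_nat,
            "findings": findings}


if __name__ == "__main__":
    for f in diagnose(IPTABLES_SAVE, IP_ADDR)["findings"]:
        print(f)
```

On a live router the two strings would be replaced by the real output of `iptables-save -c` and `ip -4 addr`; the counters are cumulative since the last firewall reload, so re-run the check after a connection attempt from the phone rather than once.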

Impossible, my phone services depend on this modem.

Openvpn to my Qnap server works like a charm with netgear forwarding ports in DMZ
Only Wireguard doesn't work.

dyndnss.net had a wrong IP address pointing to my router.
Changed to duckdns.org and added duckdns.org to endpoint but no luck so far.

Run a tcpdump and try to connect from the internet.
tcpdump -i eth0.2 -evn udp port 51820
Post here the output.

1 Like

Hello everyone,

it is working now. Using duckdns.org as ddns, I can access my homeserver and I can browse using my home network.
When I installed the Android wireguard app, it generated a pre-shared key.
Removing the pre-shared key and after rebooting the router, I can connect to my home network. In the 'pre-shared' field it says optional.

thank you for all your help.

greetings tom

2 Likes

When using this guide, it generates an error on the key generation:
umask go=
wg genkey | tee wgserver.key | wg pubkey > wgserver.pub
wg genpsk > wg.psk

WG_KEY="$(cat wgserver.key)"
WG_PSK="$(cat wg.psk)"
WG_PUB="$(cat wgclient.pub)"

Because the file wgclient.pub is not generated. I suppose it must be
WG_PUB="$(cat wgserver.pub)"