Site-to-site VPN connection (WireGuard) does not work right

Hello, I need help with my VPN connection using WireGuard on OpenWrt.
If you click on the link below, it opens droppy.ch, where you can see the 2 configuration files I uploaded.
https://www.droppy.ch/pNNKfL17
The problem is that the VPN connection shows up in the router's OpenWrt interface, but I can't ping the laptops from either side and Remote Desktop doesn't work either, so the VPN connection isn't working right.
I would be grateful if someone could download and try my configuration and then tell me whether there is a mistake in it.
Thank you!

[admin edit: disabled the link; follow at your own risk]

Is this a bad joke? These are complete router configs, not just WireGuard, on a hosting service that wants you to disable any ad-blocker...

Please post your configurations directly on the forum, not on 3rd party sites.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

See my notes on how to set up WireGuard; they also contain a paragraph about site-to-site setup, which may be helpful.

No, this is not a bad joke; I am new to this forum and still have to learn.
If you click on the "x" when the message asking you to disable the ad-blocker appears, you have to wait 20 seconds and then you can use droppy.ch with the ad-blocker enabled.

Thanks for the tip, psherman. I am connected via SSH right now, and this is the output your commands gave me:

{
        "kernel": "6.6.86",
        "hostname": "ER-X-SFP-08",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "Ubiquiti EdgeRouter X SFP",
        "board_name": "ubnt,edgerouter-x-sfp",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.1",
                "revision": "r28597-0425664679",
                "target": "ramips/mt7621",
                "description": "OpenWrt 24.10.1 r28597-0425664679",
                "builddate": "1744562312"
        }
}
root@ER-X-SFP-08:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd73:693f:54d::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'
        list ports 'eth4'
        list ports 'eth5'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth0'
        option proto 'static'
        option ipaddr '192.168.25.10'
        option netmask '255.255.255.0'
        option gateway '192.168.25.1'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'

config interface 'site_A'
        option proto 'wireguard'
        option private_key 'UPrZVjMr2qoDAziCpDvDUhhr0SBCtgbKx1fTqslSk1w='
        option listen_port '51820'
        list addresses '10.10.10.1'

config wireguard_site_A
        option description 'site_B'
        option route_allowed_ips '1'
        option endpoint_host '192.168.25.11'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        option public_key 'ka1OGAsoJpwA7gLE3KklTLqhG64HUsP+RsscwUgf5z4='
        list allowed_ips '172.16.20.0/24'
        list allowed_ips '192.168.20.0/24'
        list allowed_ips '10.10.10.0/24'

config device
        option name 'site_A'

root@ER-X-SFP-08:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'lan'
        list network 'site_A'

config forwarding
        option src 'lan'
        option dest 'vpn'

config forwarding
        option src 'vpn'
        option dest 'wan'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'wg'
        option src 'wan'
        option src_dport '51820'
        option dest_ip '192.168.20.1/32'
        option dest_port '51820'
        list proto 'tcp'
        list proto 'udp'


Looking from this particular side of the equation:

You probably should have a DNS entry here:

Change the address to 10.10.10.1/24

Remove the allowed_ips line for 192.168.20.0/24

Remove the lan network from this firewall zone, and remove masquerading and mtu_fix:

Delete this redirect/port-forward:

Replace the above with a rule (accept udp port 51820 from source wan).

Let's see the other side now.

Also, a quick question here:

Both of the endpoints are clearly on the same L2 upstream network (i.e. 192.168.25.0/24). Why are you setting up a VPN between them? This typically only makes sense for educational purposes or pre-deployment testing; it doesn't make a lot of sense in most situations where the endpoints are on the exact same upstream network (although there can be some exceptions).

Thanks for the input! You're right, it's not needed in a real setup. This is just for school/training purposes, to practice VPN configuration, even if both endpoints are on the same subnet.
I will send you the configuration of the other router shortly.

This is the output of the commands on the other side.

{
        "kernel": "6.6.86",
        "hostname": "ER-X-05",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "Ubiquiti EdgeRouter X",
        "board_name": "ubnt,edgerouter-x",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.1",
                "revision": "r28597-0425664679",
                "target": "ramips/mt7621",
                "description": "OpenWrt 24.10.1 r28597-0425664679",
                "builddate": "1744562312"
        }
}
root@ER-X-05:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd73:53a1:97b8::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'
        list ports 'eth4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '172.16.20.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth0'
        option proto 'static'
        option ipaddr '192.168.25.11'
        option netmask '255.255.255.0'
        option gateway '192.168.25.1'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'

config interface 'site_B'
        option proto 'wireguard'
        option private_key 'sPXd16O6enU9oPtKV1sD3GqjW9zd7nl+TGjOXtZiVHA='
        option listen_port '51820'
        list addresses '10.10.10.2'

config wireguard_site_B
        option public_key 'CzmeIY6pKc30aSy79L+Kwj2n1asqcoDbo8mkAHmdHhw='
        option route_allowed_ips '1'
        option endpoint_host '192.168.25.10'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        option description 'Site_A'
        list allowed_ips '192.168.20.0/24'
        list allowed_ips '172.16.20.0/24'
        list allowed_ips '10.10.10.0/24'

config device
        option name 'site_B'

root@ER-X-05:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'lan'
        list network 'site_B'

config forwarding
        option src 'lan'
        option dest 'vpn'

config forwarding
        option src 'vpn'
        option dest 'wan'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'wg'
        option src 'wan'
        option src_dport '51820'
        option dest_ip '172.16.20.1/32'
        option dest_port '51820'
        list proto 'tcp'
        list proto 'udp'