I am trying to set up WireGuard between two routers, each with its own public IP. I am able to ping the other router and its connected devices, and vice versa. However, when I look at the interfaces I see no data being transferred. I cannot identify where the issue is. The details are below; I hope someone can help me with this.
Router 1 (server)
Router IP: 192.168.2.1
/etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
option network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled 'false'
config include
option path '/etc/firewall.user'
config zone
option name 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
option network 'wg0'
config forwarding
option src 'lan'
option dest 'vpn'
config forwarding
option src 'vpn'
option dest 'lan'
config rule
option name 'Allow-WireGuard'
option src 'wan'
option proto 'udp'
option dest_port '51820'
option target 'ACCEPT'
/etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option packet_steering '1'
option ula_prefix 'fd69:814f:cc52::/48'
config interface 'lan'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.2.1'
option ifname 'eth0 lan1 lan2 lan3 lan4 wg0'
config device 'lan_lan1_dev'
option name 'lan1'
option macaddr '58:ef:68:xx:xx:xx'
config device 'lan_lan2_dev'
option name 'lan2'
option macaddr '58:ef:68:xx:xx:xx'
config device 'lan_lan3_dev'
option name 'lan3'
option macaddr '58:ef:68:xx:xx:xx'
config device 'lan_lan4_dev'
option name 'lan4'
option macaddr '58:ef:68:xx:xx:xx'
config interface 'wan'
option ifname 'wan'
option proto 'dhcp'
config device 'wan_wan_dev'
option name 'wan'
option macaddr '58:ef:68:xx:xx:xx'
config interface 'wan6'
option ifname 'wan'
option proto 'dhcpv6'
config interface 'wg0'
option proto 'wireguard'
option private_key 'server 1 private key'
option listen_port '51820'
list addresses '10.9.0.1/24'
config wireguard_wg0
option description 'WireGuard_wg0'
option public_key 'server 2 public key'
option route_allowed_ips '1'
option endpoint_port '51820'
option endpoint_host 'my-dns-1.duckdns.org'
list allowed_ips '10.9.0.2/32'
list allowed_ips '192.168.1.0/24'
option persistent_keepalive '25'
Connectivity test
root@OpenWrt:~# wg
interface: wg0
public key: <**********>
private key: (hidden)
listening port: 51820
peer: <***********>
endpoint: <router 2 public IP>:51820
allowed ips: 10.9.0.2/32, 192.168.1.0/24
latest handshake: 1 minute, 40 seconds ago
transfer: 2.10 MiB received, 1.09 MiB sent
persistent keepalive: every 25 seconds
Ping client router
root@OpenWrt:~# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: seq=0 ttl=64 time=1.337 ms
64 bytes from 192.168.1.1: seq=1 ttl=64 time=1.076 ms
64 bytes from 192.168.1.1: seq=2 ttl=64 time=0.949 ms
64 bytes from 192.168.1.1: seq=3 ttl=64 time=0.957 ms
^C
--- 192.168.1.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.949/1.079/1.337 ms
Ping connected device
root@OpenWrt:~# ping 192.168.1.214
PING 192.168.1.214 (192.168.1.214): 56 data bytes
64 bytes from 192.168.1.214: seq=0 ttl=63 time=2.262 ms
64 bytes from 192.168.1.214: seq=1 ttl=63 time=1.890 ms
64 bytes from 192.168.1.214: seq=2 ttl=63 time=1.903 ms
64 bytes from 192.168.1.214: seq=3 ttl=63 time=1.969 ms
64 bytes from 192.168.1.214: seq=4 ttl=63 time=1.910 ms
^C
--- 192.168.1.214 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.890/1.986/2.262 ms
Router 2 (client)
Router IP: 192.168.1.1
/etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled 'false'
config include
option path '/etc/firewall.user'
config zone
option name 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'wg0'
config forwarding
option src 'lan'
option dest 'vpn'
config forwarding
option src 'vpn'
option dest 'lan'
config redirect
option target 'DNAT'
option name 'wireguard'
option src 'wan'
option src_dport '51820'
option dest 'lan'
option dest_port '51820'
/etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd3f:57d2:bab6::/48'
config interface 'lan'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
option ifname 'eth1 eth2 eth3 eth4 eth5 wg0'
config interface 'wan'
option ifname 'eth0'
option proto 'dhcp'
config interface 'wan6'
option proto 'dhcpv6'
option ifname 'eth0'
option reqaddress 'try'
option reqprefix 'auto'
config interface 'wg0'
option proto 'wireguard'
option private_key 'server 2 private key'
option listen_port '51820'
list addresses '10.9.0.2/24'
config wireguard_wg0
option description 'WireGuard_wg0'
option public_key 'server 1 public key'
option route_allowed_ips '1'
option endpoint_port '51820'
option endpoint_host 'my-dns-2.duckdns.org'
list allowed_ips '192.168.2.0/24'
list allowed_ips '10.9.0.1/32'
option persistent_keepalive '25'
Connectivity test
root@OpenWrt:~# wg
interface: wg0
public key: <**********>
private key: (hidden)
listening port: 51820
peer: <***********>
endpoint: <router 1 public IP>:51820
allowed ips: 192.168.2.0/24, 10.9.0.1/32
latest handshake: 21 seconds ago
transfer: 1.04 MiB received, 2.03 MiB sent
persistent keepalive: every 25 seconds
Ping server router
ping 192.168.2.1 (192.168.2.1): 56 data bytes
64 bytes from 192.168.2.1: seq=0 ttl=64 time=1.138 ms
64 bytes from 192.168.2.1: seq=1 ttl=64 time=1.020 ms
64 bytes from 192.168.2.1: seq=2 ttl=64 time=1.041 ms
64 bytes from 192.168.2.1: seq=3 ttl=64 time=0.947 ms
^C
--- 192.168.2.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.947/1.036/1.138 ms
ping connected devices
root@OpenWrt:~# ping 192.168.2.152
PING 192.168.2.152 (192.168.2.152): 56 data bytes
64 bytes from 192.168.2.152: seq=0 ttl=63 time=3166.510 ms
64 bytes from 192.168.2.152: seq=1 ttl=63 time=2167.848 ms
64 bytes from 192.168.2.152: seq=2 ttl=63 time=1168.165 ms
64 bytes from 192.168.2.152: seq=3 ttl=63 time=168.092 ms
64 bytes from 192.168.2.152: seq=4 ttl=63 time=193.562 ms
^C
--- 192.168.2.152 ping statistics ---
6 packets transmitted, 5 packets received, 16% packet loss
round-trip min/avg/max = 168.092/1372.835/3166.510 ms