[Solved] 3 WG clients only 1 works well - closed

I have set up 3 smartphones as WG VPN clients.
The MT6000 (OpenWrt) is the WG server.
I tested each of the 3 smartphones directly after its separate setup.
All smartphones worked perfectly on their own.
Now, when I activate the WG VPN on all 3 smartphones in parallel, only one smartphone (the last one I set up) works well, and the speed of the others is miserably sloooooooowwwww...
Is this a known behavior, did I make a mistake (wrong setup for more than 1 client), or does it work this way by design?

With the GL-iNET software on the MT6000, all 3 clients worked perfectly in parallel.

Are they using different keys? Each client needs its own set of keys (public+private).

Yes, similar setup as with GL-iNET Release...and separate Pre-shared Keys as well.

Let’s review the config to see if we can spot any issues

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, private and pre-shared keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

GM,

{
	"kernel": "5.15.167",
	"hostname": "GL-MT6000",
	"system": "ARMv8 Processor rev 4",
	"model": "GL.iNet GL-MT6000",
	"board_name": "glinet,gl-mt6000",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.5",
		"revision": "r24106-10cc5fcd00",
		"target": "mediatek/filogic",
		"description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
	}
}

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd2d:2ed7:06c9::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

config device
	option name 'lan1'
	option macaddr '94:83:c4:a6:01:6e'

config device
	option name 'lan2'
	option macaddr '94:83:c4:a6:01:6e'

config device
	option name 'lan3'
	option macaddr '94:83:c4:a6:01:6e'

config device
	option name 'lan4'
	option macaddr '94:83:c4:a6:01:6e'

config device
	option name 'lan5'
	option macaddr '94:83:c4:a6:01:6e'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.yyy.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth1'
	option macaddr '94:83:c4:a6:01:6c'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

# WireGuard interface on the router: listens on UDP 1234 and holds 10.0.49.1/24.
config interface 'WGSERVER'
	option proto 'wireguard'
	option private_key '0...='
	option listen_port '1234'
	list addresses '10.0.49.1/24'

# Peer 1 of 3. NOTE(review): the /24 in allowed_ips covers the whole 10.0.49.0/24
# range, and the two peers below declare the same range. WireGuard associates an
# allowed-IP range with a single peer, so with overlapping entries the range ends
# up assigned to only one of them; the thread's fix is one /32 per peer.
config wireguard_WGSERVER
	option description 'VPN-ccc-GL-MT6000'
	option public_key 'T...7EI='
	# The peer's own private key, stored on the router. Per the thread it is not
	# needed here for operation; it only enables the client QR-code export.
	option private_key 'w...o='
	option preshared_key 'C...='
	list allowed_ips '10.0.49.2/24'
	option route_allowed_ips '1'
	# endpoint_* on the listening side: the thread advises deleting these.
	option endpoint_host 'www'
	option endpoint_port '1234'

# Peer 2 of 3: same structure and the same overlapping /24 as peer 1.
config wireguard_WGSERVER
	option description 'VPN-aaa-GL-MT6000'
	option public_key 'Pn2PpbY/HX...0='
	option private_key '2B...2c='
	option preshared_key 'L0...Q='
	list allowed_ips '10.0.49.3/24'
	option route_allowed_ips '1'
	option endpoint_host 'www'
	option endpoint_port '1234'

# Peer 3 of 3: same structure and the same overlapping /24 as peer 1.
config wireguard_WGSERVER
	option description 'VPN-bbb-GL-MT6000'
	option public_key 'Jn...='
	option private_key 'SP...g='
	option preshared_key '6piBF/BT...='
	list allowed_ips '10.0.49.4/24'
	option route_allowed_ips '1'
	option endpoint_host 'www'
	option endpoint_port '1234'
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'WGSERVER'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option src 'lan'
	option src_dport '53'
	option name 'AdGuardHome DNS Interception'
	option src_ip '!192.168.yyy.1'
	option dest_ip '192.168.yyy.1'
	option dest_port '53'

config nat
	option name 'Prevent hardcoded DNS'
	list proto 'tcp'
	list proto 'udp'
	option src 'lan'
	option dest_ip '192.168.yyy.1'
	option dest_port '53'
	option target 'MASQUERADE'

# Separate 'VPN' zone for the WireGuard interface. NOTE(review): WGSERVER is also
# listed in the 'lan' zone earlier in this file, so the interface is assigned to
# two zones; the thread advises deleting this zone and its forwardings.
config zone
	option name 'VPN'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list network 'WGSERVER'

# Forwardings for the 'VPN' zone: VPN -> lan, VPN -> wan and lan -> VPN.
config forwarding
	option src 'VPN'
	option dest 'lan'

config forwarding
	option src 'VPN'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'VPN'

# DNAT of UDP 1234 arriving on wan to the router's own LAN address. The thread
# advises replacing this redirect with a traffic rule that accepts the port on
# wan, because this device is the one listening for the WireGuard connections.
config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'VPN'
	list proto 'udp'
	option src 'wan'
	option src_dport '1234'
	option dest_ip '192.168.yyy.1'
	option dest_port '1234'

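Change the allowed ips to /32. Do this for all of the peers. With a /24 on every peer, all three peers claim the same 10.0.49.0/24 range, and WireGuard can associate a given range with only one peer, so traffic for the other peers is not routed to them correctly.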

Also delete the endpoint host and endpoint port since this device is the one listening for inbound connections (do this on all of the peers, too).

Delete all of this (the separate 'VPN' zone and its three forwardings). You’ve already added the wg server network to your lan zone.

And finally, this (the 'VPN' redirect for UDP port 1234) should be a traffic rule, not a redirect. Delete this and replace it with a traffic rule:

After making the changes, reboot the router and test again.


Thanks for response so quickly!

I'll do that ...:face_with_spiral_eyes:...help me god :pray:

let you know about the result.

Feedback:
I implemented the recommended changes... the current status didn't change.

I changed the FW entries.
I changed the IP from /24 to /32 for one client. This client can't establish a connection to the WG server; the other clients were able to establish a connection.
One client isn't able to connect to the WG server, one client is fast, and the other client is very slow...

Let's review the latest config files (same as before), and then please also post your remote WG peer configurations (I.e. from the phone/computer/etc).

I'll do that...later...

Network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd2d:2ed7:06c9::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

config device
	option name 'lan1'
	option macaddr '94:83:c4:a6:01:6e'

config device
	option name 'lan2'
	option macaddr '94:83:c4:a6:01:6e'

config device
	option name 'lan3'
	option macaddr '94:83:c4:a6:01:6e'

config device
	option name 'lan4'
	option macaddr '94:83:c4:a6:01:6e'

config device
	option name 'lan5'
	option macaddr '94:83:c4:a6:01:6e'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.xxx.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth1'
	option macaddr '94:83:c4:a6:01:6c'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config interface 'WGSERVER'
	option proto 'wireguard'
	option private_key '0...'
	option listen_port '1234'
	list addresses '10.0.xx.1/32'

config wireguard_WGSERVER
	option description 'VPN--GL-MT6000'
	option public_key 'Tc...'
	option private_key 'w...='
	option preshared_key 'C...'
	list allowed_ips '10.0.xx.2/32'
	option route_allowed_ips '1'

config wireguard_WGSERVER
	option description 'VPN--GL-MT6000'
	option public_key '...'
	option private_key '2...='
	option preshared_key 'L...='
	list allowed_ips '10.0.xx.3/32'
	option route_allowed_ips '1'

config wireguard_WGSERVER
	option description 'VPN--GL-MT6000'
	option public_key 'J...='
	option private_key 'S...='
	option preshared_key '6pi...='
	list allowed_ips '10.0.xx.4/32'
	option route_allowed_ips '1'

Firewall:

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'WGSERVER'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option src 'lan'
	option src_dport '53'
	option name 'AdGuardHome DNS Interception'
	option src_ip '!192.168.xxx.1'
	option dest_ip '192.168.xxx.1'
	option dest_port '53'

config nat
	option name 'Prevent hardcoded DNS'
	list proto 'tcp'
	list proto 'udp'
	option src 'lan'
	option dest_ip '192.168.xxx.1'
	option dest_port '53'
	option target 'MASQUERADE'

config rule
	option dest 'lan'
	option target 'DNAT'
	option name 'VPN'
	list proto 'udp'
	option src 'wan'
	option src_dport '1234'
	option dest_ip '192.168.xxx.1'
	option dest_port '1234'

Status:

No WLAN(Internet connection) at all on all devices (NB, TV, Smartphone,...)

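The main interface should remain a /24. I only recommended changing the peers to /32s.

Change this (the `list addresses` entry of the WGSERVER interface) to /24:

This (the 'VPN' rule, which still carries the redirect's DNAT target and destination options) is incorrect...

edit it to look like this: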

# Traffic rule that accepts UDP packets arriving from the wan zone on port 1234,
# the WireGuard listen_port in the posted network config. No 'dest' is set, so it
# applies to traffic addressed to the router itself rather than forwarded traffic.
config rule
	option name 'VPN'
	list proto 'udp'
	option src 'wan'
	# Must stay equal to the WireGuard interface's listen_port.
	option dest_port '1234'
	option target 'ACCEPT'

Then restart and test again.


Hi Peter,
I'm sorry for the clumsiness on my part but my thanks go to you for solving what you see as my little problem.

Thank you very much.

neuro

Sorry, but I have to come back again...

I now have the problem that I can't access the WG server via mobile and external WLAN... but I can connect via the router's local WLAN.

The WG client recognizes the external network, switches to VPN connection WG but there is no connection.

Where is the error?

Thank you

EDIT:
I can see a connection to the WG server, but it is extremely slow...
Ok, I will set up completely new clients...

We never looked at your remote peer configs... if you'd like, please post those as well as the latest config files for review.

Thank you.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd2d:2ed7:06c9::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

config device
	option name 'lan1'
	option macaddr '94:83:c4:a6:01:6e'

config device
	option name 'lan2'
	option macaddr '94:83:c4:a6:01:6e'

config device
	option name 'lan3'
	option macaddr '94:83:c4:a6:01:6e'

config device
	option name 'lan4'
	option macaddr '94:83:c4:a6:01:6e'

config device
	option name 'lan5'
	option macaddr '94:83:c4:a6:01:6e'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.152.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth1'
	option macaddr '94:83:c4:a6:01:6c'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config interface 'WGSERVER'
	option proto 'wireguard'
	option private_key '...'
	option listen_port '1234'
	list addresses '10.0.xx.1/24'

config wireguard_WGSERVER
	option description 'VPN-xxx-GL-MT6000'
	option public_key '...'
	option private_key '...'
	option preshared_key '...'
	list allowed_ips '10.0.xx.2/32'
	option route_allowed_ips '1'

config wireguard_WGSERVER
	option description 'VPN-xxx-GL-MT6000'
	option public_key '...'
	option private_key '...'
	option preshared_key '...'
	list allowed_ips '10.0.xx.3/32'
	option route_allowed_ips '1'

config wireguard_WGSERVER
	option description 'VPN-xxx-GL-MT6000'
	option public_key '...'
	option private_key '...'
	option preshared_key '...'
	list allowed_ips '10.0.xx.4/32'
	option route_allowed_ips '1'
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# LAN zone. WGSERVER is a member, so VPN peers are treated like hosts on 'lan':
# input ACCEPT applies to them (traffic addressed to the router itself), and
# they are covered by the lan -> wan forwarding defined later in this file.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'WGSERVER'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option src 'lan'
	option src_dport '53'
	option name 'AdGuardHome DNS Interception'
	option src_ip '!192.168.yyy.1'
	option dest_ip '192.168.yyy.1'
	option dest_port '53'

config nat
	option name 'Prevent hardcoded DNS'
	list proto 'tcp'
	list proto 'udp'
	option src 'lan'
	option dest_ip '192.168.yyy.1'
	option dest_port '53'
	option target 'MASQUERADE'

config rule
        option name 'VPN'
	list proto 'udp'
	option src 'wan'
	option dest_port '1234'
	option target 'ACCEPT'
# Client (phone) config for the peer with tunnel address 10.0.xx.4.
[Interface]
PrivateKey = ...
Address = 10.0.xx.4/32
# ListenPort not defined
# DNS is set to 192.168.yyy.1, the address the firewall config uses for the
# router's AdGuard Home DNS.
DNS = 192.168.yyy.1

[Peer]
PublicKey = ...
PresharedKey = ...
# Sends all IPv4 traffic through the tunnel. There is no ::/0 entry, so IPv6
# traffic (if the phone has any) is not routed through the tunnel by this config.
AllowedIPs = 0.0.0.0/0
# NOTE(review): as posted (redacted) the endpoint is a 192.168.x.x address, which
# is reachable only from inside that private network. From mobile data the
# endpoint would have to be the public address or DynDNS name that forwards to
# the router; confirm the real value.
Endpoint = 192.168.xxx.yy:1234
# PersistentKeepAlive not defined
# Client config for the peer with tunnel address 10.0.xx.3; same layout as above.
[Interface]
PrivateKey = ...
Address = 10.0.xx.3/32
# ListenPort not defined
DNS = 192.168.yyy.1

[Peer]
PublicKey = ...
PresharedKey = ...
AllowedIPs = 0.0.0.0/0
Endpoint = 192.168.xxx.yy:1234
# PersistentKeepAlive not defined
# Client config for the peer with tunnel address 10.0.xx.2; same layout as above.
[Interface]
PrivateKey = ...
Address = 10.0.xx.2/32
# ListenPort not defined
DNS = 192.168.yyy.1

[Peer]
PublicKey = ...
PresharedKey = ...
AllowedIPs = 0.0.0.0/0
Endpoint = 192.168.xxx.yy:1234
# PersistentKeepAlive not defined

When I walk through the instructions at https://openwrt.org/docs/guide-user/services/vpn/wireguard/server, I wonder why I can't see the private key information for the peers...?!
I'm not able to click on the QR code because of the missing private key... how do I transfer the wg.conf to the client??

neuro

You don't need to redact the RFC1918 addresses (that is: 10.x.x.x, 172.16.x.x-172.31.x.x, 192.168.x.x) as they do not reveal sensitive information about your network (they are not publicly routable).

Meanwhile, I don't see any issues with your most recently posted configuration, so we may want to look at other relevant details including your internet connection speed and your methods for testing.

Correct...
From an operating standpoint, the private keys for the remote peers are not needed by the local side and vice versa. All that is required is that the local peer has the public key for the remote peer, and that each peer has its own private key. (the public key for each side is derived from the private key)

That said, you're right about the QR code not working unless you have the private key for the remote peers.

You have two options:

  1. Manually copy/paste the relevant public keys and any pre-shared keys between the devices with whatever means you have available. This isn't ideal, of course, but whatever works here -- ssh, scp, a document/note on a cloud sync'd service, email, etc.... if stored in the cloud for transfer, make sure it's a secure method and then delete after it's done... again, not ideal, but it can work. FWIW, the first time I setup WG, I used iCloud notes and then copied/pasted from my Mac (where I had the OpenWrt config available via ssh and LuCI) and my iPhone which was my 'client' side peer with the WG app installed.

or

  2. Create a keypair (private + public keys, where the public is derived from the private) using OpenWrt in the peer config section. This will allow the use of the QR code function. OpenWrt will ignore the remote peer's private key during operation (it has no use/function). If you do this, make sure that your OpenWrt device is properly secured, of course, because its configuration (and any backup of it) will then contain the peers' private keys.

Ok, following setup:

ISP -> Main router (Fritzbox) -> GL-MT6000
Main router: 192.168.150.1 - Port forwarding: 47362 and DynDNS for WG-VPN
MT6000: 192.168.152.1
Adguard Home as DNS

Network:

# WireGuard interface on the router. listen_port 47362 is the same port named in
# the setup description for the main router's port forwarding.
config interface 'WGSERVER'
	option proto 'wireguard'
	option private_key '...'
	option listen_port '47362'
	list addresses '10.0.49.1/24'

# Peer entries now hold only a public key, a pre-shared key and one /32 each;
# no peer private keys, endpoint options or overlapping ranges remain.
config wireguard_WGSERVER
	option description 'VPN-xxx-GL-MT6000'
	option public_key '...'
	option preshared_key '...'
	list allowed_ips '10.0.49.2/32'

config wireguard_WGSERVER
	option description 'VPN-xxx-GL-MT6000'
	option public_key '...'
	option preshared_key '...'
	list allowed_ips '10.0.49.3/32'

config wireguard_WGSERVER
	option description 'VPN-xxx-GL-MT6000'
	option public_key '...'
	option preshared_key '...'
	list allowed_ips '10.0.49.4/32'

Firewall:

config redirect
	option dest 'lan'
	option target 'DNAT'
	option src 'lan'
	option src_dport '53'
	option name 'AdGuardHome DNS Interception'
	option src_ip '!192.168.152.1'
	option dest_ip '192.168.152.1'
	option dest_port '53'

config nat
	option name 'Prevent hardcoded DNS'
	list proto 'tcp'
	list proto 'udp'
	option src 'lan'
	option dest_ip '192.168.152.1'
	option dest_port '53'
	option target 'MASQUERADE'

# Accepts UDP 47362 arriving from the wan zone; the port equals the WireGuard
# interface's listen_port in the network config posted with it. No 'dest' is
# set, so the rule covers traffic addressed to the router itself.
config rule
	option name 'VPN'
	list proto 'udp'
	option src 'wan'
	option dest_port '47362'
	option target 'ACCEPT'

My old setup I posted worked well with Pi(Pi-hole, unbound, WG) and GL-MT6000 with GL-iNET software (openwrt 21.xxx) before I switched to openwrt
(25.05.5)

Mobile setup:
3x Google GrapheneOS with Fdroid-app WG Tunnel
LTE/5G mobile network

Fdroid-app behavior:
When a connection was established, a green signal was displayed in the past (old setup).
Currently no green signal is displayed, but a data flow can be detected when I observe the interface in LuCI.
Connection via LTE/5G.

Maybe a DNS problem?

I think Adguard DNS should be specifically set to serve DNS to non local subnets (e.g. the WG subnet 10.0.49.0/24)
That is if you have set the Adguard home server as DNS address in the peers, but as it is redacted I cannot tell