Hi.
I'm fairly new to OpenWrt but I've been blown away by the amount of flexibility it gives compared to your usual router firmware. Congrats to all who contribute to this phenomenal project!
My goal is to set up WireGuard on my router so I can access my home network while I'm away. My OpenWrt router (Archer C7) is connected to my modem (SageMCom) for internet access.
I have gone through the server setup as explained in the OpenWrt docs. I also followed this discussion ("Wireguard Handshake did not complete - 22.03.1") and tried to apply everything mentioned there as well.
My problem is that the handshake never completes on my Android phone using the WireGuard app, as seen in the logs the app provides:
.. sending handshake initiation
... Handshake did not complete after 5 seconds
repeat...
Here are my settings:
Firewall:
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
list network 'lan'
list network 'wg0'
option forward 'ACCEPT'
config zone 'wan'
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding 'lan_wan'
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'MAG-DHCP+DNS LAN_Kids'
option src 'LAN_Kids'
option dest_port '53 67 68'
option target 'ACCEPT'
config rule
option name 'MAG-DHCP+DNS IOT NoTrust'
option src 'IOT_NoTrust'
option dest_port '53 67 68'
option target 'ACCEPT'
config rule
option name 'MAG-DHCP+DNS Guest'
option src 'GuestZone'
option dest_port '53 67 68'
option target 'ACCEPT'
<some personal rules for the kids interface excluded here>
config include
option enabled '0'
option type 'script'
option path '/etc/firewall.user'
option fw4_compatible '1'
config zone
option name 'GuestZone'
option output 'ACCEPT'
option forward 'REJECT'
option input 'REJECT'
list network 'Guest'
config zone
option name 'LAN_Kids'
option output 'ACCEPT'
list network 'LAN_Kids'
option forward 'ACCEPT'
option input 'ACCEPT'
config zone
option name 'IOT_NoTrust'
option output 'ACCEPT'
list network 'IOT_NoTrust'
option forward 'ACCEPT'
option input 'ACCEPT'
config forwarding
option src 'GuestZone'
option dest 'wan'
config forwarding
option src 'LAN_Kids'
option dest 'wan'
config forwarding
option src 'lan'
option dest 'LAN_Kids'
config forwarding
option dest 'IOT_NoTrust'
config forwarding
option src 'lan'
config forwarding
option dest 'IOT_NoTrust'
config forwarding
option src 'lan'
config forwarding
option src 'lan'
option dest 'IOT_NoTrust'
config forwarding
option src 'IOT_NoTrust'
option dest 'lan'
config forwarding
option src 'IOT_NoTrust'
option dest 'wan'
config rule 'wg'
option name 'Allow-WireGuard'
option src 'wan'
option dest_port '51820'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'Wireguard'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
config forwarding
option src 'Wireguard'
option dest 'lan'
config forwarding
option src 'lan'
option dest 'Wireguard'
Network:
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fda1:9f5c:8061::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1.1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option device 'eth0.2'
option proto 'dhcp'
config interface 'wan6'
option device 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option description 'LAN'
option ports '0t 2 3'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '6t 1'
option vid '2'
option description 'WAN'
config interface 'Guest'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '10.20.1.1'
option device 'br-guest'
config interface 'IOT_NoTrust'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '10.66.1.1'
config interface 'LAN_Kids'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '10.10.1.1'
option device 'br-lan_kids'
config device
option name 'wlan0-1'
config device
option name 'wlan0'
config switch_vlan
option device 'switch0'
option vlan '3'
option ports '0t 5'
option vid '14'
option description 'LAN_Kids #4'
config device
option type 'bridge'
option name 'br-lan_kids'
list ports 'eth1.14'
config switch_vlan
option device 'switch0'
option vlan '4'
option ports '0t 4'
option vid '13'
option description 'Guest #3'
config device
option type 'bridge'
option name 'br-guest'
list ports 'eth1.13'
config route 'lan_to_kids'
option target '10.10.1.0'
option netmask '255.255.255.0'
option gateway '10.10.1.1'
option interface 'lan'
config route
option interface 'lan'
option target '10.66.1.0/24'
option gateway '10.66.1.1'
config route 'kids_to_lan_to_kids'
option target '192.168.1.0'
option netmask '255.255.255.0'
option gateway '192.168.1.1'
option interface 'LAN_Kids'
config interface 'wg0'
option proto 'wireguard'
option private_key '***********************'
list addresses '192.168.9.1/24'
list addresses 'fd00:9::1/64'
option listen_port '51820'
config wireguard_wg0 'wgclient'
option public_key '***************************'
option preshared_key '***************************'
list allowed_ips '192.168.9.2/32'
list allowed_ips 'fd00:9::2/128'
option route_allowed_ips '1'
option persistent_keepalive '25'
My WireGuard client setup on the phone looks like this:
=====================
INTERFACE:
=====================
Public Key:
'***************************'
Addresses
192.168.9.2/32
DNS Servers:
<my ISP internet ip>
=====================
PEER
=====================
Public Key
'***************************'
Pre-shared key:
Enabled
Allowed IPs
0.0.0.0/0, ::/0
Endpoint:
192.168.2.10:51820
Any help is much appreciated.