[SOLVED] I'm a dummy I think. Wireguard setup

So I followed this guide here and tried a couple of other guides, but can't seem to connect.

Using the Wireguard app (Android, Pixel 7 if that matters). I scan the QR code generated for my "peer" account, and add in the IP address of my network. (It fusses at me if I try to connect without an IP address.)

One issue that I've noticed is that when I go to generate the QR code, for an endpoint it grabs information from a DDNS config I have running. Since it's using Cloudflare, the ID is "subdomain@domain.tld", which is invalid for an endpoint entry. However, I don't know how or why it's defaulting to that when the only place it's at is the DDNS config.

Router/OpenWRT: EA8100 / 22.03.3

Network:

config interface 'wireguard_0'
	option proto 'wireguard'
	option private_key '<--snip-->'
	option listen_port '51820'
	list addresses '192.168.9.1/24'
	list addresses 'fdf1:e8a1:8d3f:9::1/64'
	option mtu '1412'

config wireguard_wireguard_0 'wgclient'
	option public_key '<--snip-->'
	option private_key '<--snip-->'
	option preshared_key '<--snip-->'
	option description 'Wolfie'
	list allowed_ips '192.168.9.2/32'
	list allowed_ips 'fdf1:e8a1:8d3f:9::2/128'
	list allowed_ips '0.0.0.0/0'

Firewall:

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

Remove the allowed IPs 0.0.0.0/0 line from below

Other than that, you'll probably want to include

	option route_allowed_ips '1'

in the peer config.

The rest looks okay.

Let's take a look at the peer config (i.e. what's on your Android phone).

The IP addresses in both fields are to my home network (external IP, of course, not 192.x).

The address in the top field must be 192.168.9.2/32 (to match the peer config on the router)

You will also need to set DNS -- recommended either a public DNS server (such as 8.8.8.8) or your router's address (possibly 192.168.1.1 -- unless you changed it).

Changing the IP at the top did it. I kept thinking it was the IP of the network. :rofl:

Thanks!

Glad it's working now!

Still curious about the issue I found. Is that a bug, or just something weird that happens (but isn't a bug)?

The address field on your phone's config must be the address that the peer uses for the WG tunnel itself (i.e. matching the peer address as set in your router's config), not the public IP/domain name of the remote endpoint. The remote endpoint is specified in the peer config section of your phone's setup.

It has been a few months since the last time I used the QR code to transfer peer configs... but I do seem to recall that there was a minor issue around what should be populated in the "address" field and/or the "allowed IPs" field... I don't recall exactly what it does do at the moment, but I know it requires manual intervention to fix. But regardless, the problem is that there wasn't agreement about how it should be handled. There was actually a thread on this topic. Without agreement about the 'correct'/expected behavior, it is also hard to get agreement about what constitutes a bug and how to fix it.

I mean on the router. It's using something that is in my ddns config, even if I have something different entered into the "Endpoint" field of the peer I'm generating a QR code for. It's like it ignores the field and picks something else on its own.


The peer config on your router should not have an endpoint address configured.

But I just found the thread I was thinking of... does this describe your observations?

It does indeed.

Oddly, when I try to change the LAN info to use 192.168.90.x, it won't work. It's like it's stuck on 192.168.9.x. Wow this thing hates me. :rofl:

The lan or the wg interface?

WG interface. Trying to move it to 90. But any attempts fail. I did manage to change the port number successfully (6809, it's an awesome number).

When you change the interface subnet, you must also change the peer so that it is in the same subnet (both in the router in the peer config and the phone interface address).

And you also need to restart the wg interface on both sides to reload the settings.

I had done that but it still wouldn't work. Tried again but using .209.x and seems to be working. I think 2xx is better anyways, it's where I have a LAN media server at and I use high numbers for certain things, so that fits right in.

It should be possible with any rfc1918 range, as long as you’re not using that range on any of your other networks.

My overall network is 192.168.x.x/16, so technically it's within another range, but nothing is assigned to the 209.x area. Could technically fit everything inside of /24 (254 clients) but I like the freedom and being able to use the third value to group things.

All routed networks must be in non-overlapping subnets. If you’re using a /16 definition, that is overly broad - it is recommended to use much smaller networks - /24 is common unless you actually need a larger subnet (and larger than /24 or /23 is not necessarily a good idea regarding broadcast domain inefficiency).

Even changing from /16 to /17 would create some headaches. Reducing it down to even 1024 max hosts would be a giant headache as well.

How many hosts do you have on your network??
Running a single broadcast domain of larger than ~1K hosts is not recommended for efficiency reasons. In fact, that is the reason VLANs were originally invented... it increases network efficiency by reducing the size of the broadcast domain. (the network becomes really 'chatty' as the number of hosts increases and it begins to impact performance when it is larger than ~/24 or so, unless multicast and broadcast packets are filtered and/or devices are totally isolated from each other using wifi client isolation and/or port isolation on managed switches).
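To tie the configuration advice in this thread together (drop the catch-all allowed_ips from the router-side peer, set route_allowed_ips, keep each peer address inside the tunnel subnet, and keep the tunnel subnet from overlapping the LAN), here is an added checker; it is not code from the thread or from OpenWrt. The UCI text is a constructed sample modelled on the posted router config with keys snipped, and the LAN subnet list passed to check_wg is an assumed input.

```python
# Sanity-check an OpenWrt WireGuard UCI config for the mistakes raised in this
# thread. Added example, not code from OpenWrt; the sample config is constructed.
import ipaddress

# Constructed sample modelled on the posted router config (keys snipped, LAN subnet assumed).
SAMPLE_UCI = """
config interface 'wireguard_0'
    option proto 'wireguard'
    list addresses '192.168.9.1/24'
    list addresses 'fdf1:e8a1:8d3f:9::1/64'
config wireguard_wireguard_0 'wgclient'
    list allowed_ips '192.168.9.2/32'
    list allowed_ips 'fdf1:e8a1:8d3f:9::2/128'
    list allowed_ips '0.0.0.0/0'
"""

def parse_uci(text):
    """Minimal UCI parser: returns a list of (type, name, {key: [values]})."""
    sections = []
    for raw in text.splitlines():
        parts = raw.replace("'", "").split()
        if parts and parts[0] == "config":
            sections.append((parts[1], parts[2] if len(parts) > 2 else "", {}))
        elif parts and parts[0] in ("option", "list") and sections:
            sections[-1][2].setdefault(parts[1], []).append(parts[2])
    return sections

def check_wg(text, lan_subnets):
    """Return a list of problem strings; an empty list means every check passed."""
    problems, tunnels = [], {}
    lans = [ipaddress.ip_network(s) for s in lan_subnets]
    for typ, name, opts in parse_uci(text):
        if typ == "interface" and opts.get("proto") == ["wireguard"]:
            nets = [ipaddress.ip_interface(a).network for a in opts.get("addresses", [])]
            tunnels[name] = nets  # remembered for the peers that belong to this interface
            for n in nets:
                for lan in lans:  # routed networks must sit in non-overlapping subnets
                    if lan.version == n.version and n.overlaps(lan):
                        problems.append(f"{name}: tunnel {n} overlaps LAN {lan}")
        elif typ.startswith("wireguard_"):  # peer section; the suffix names its interface
            nets = tunnels.get(typ[len("wireguard_"):], [])
            if opts.get("route_allowed_ips") != ["1"]:
                problems.append(f"{name}: route_allowed_ips '1' is missing")
            for a in opts.get("allowed_ips", []):
                net = ipaddress.ip_network(a, strict=False)
                if net.prefixlen == 0:  # a catch-all on the router side steals all traffic
                    problems.append(f"{name}: allowed_ips {a} routes all traffic to this peer")
                elif not any(net.subnet_of(t) for t in nets if t.version == net.version):
                    problems.append(f"{name}: allowed_ips {a} is outside the tunnel subnet")
    return problems
```

Run against the sample with a /16 LAN it reports the overlap, the missing route_allowed_ips and the 0.0.0.0/0 entry; moving only the interface to 192.168.90.x while the peer stays at 192.168.9.2 reproduces the "outside the tunnel subnet" failure seen in the thread.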