Hi,
I'm using OpenWrt 21.02.3 r16554 on a Xiaomi Mi Router 4A Gigabit Edition with wireguard-tools version 1.0.20210223-2.
My intention is to use it as an access point that routes all traffic through my WireGuard VPN tunnel in the Netherlands.
My problem is that I seem to have a misconfiguration or some other kind of routing problem.
I installed a fresh Debian 11 instance with WireGuard (which I have done before).
I can connect to this WireGuard server from my MacBook, my Windows computer and my Android phone; the tunnel handshake works and completes.
I can browse the internet through that tunnel without any issues.
But if I put the same settings into OpenWrt I get TX data but absolutely no RX data, so the handshake fails. On the WireGuard server in the Linux VM, I see that the server is receiving data from the OpenWrt client and is also sending handshake responses, trying to complete the connection.
But it seems OpenWrt never receives that reply data.
So far so good; that would be understandable if there were a routing problem or a misconfiguration.
But then I tested it with my anonymizer VPN credentials from mullvad.net — I only exchanged the private key, the public key, the `list addresses` entry and the endpoint_host/port; all other settings stayed the same — and with those credentials it worked just fine!
But if I switch back to my own WireGuard server (which works with the same credentials on Windows, macOS, Android etc.), OpenWrt again does not receive any RX data, even though the only differences between the two configurations are the keys, the address and the endpoint.
Please help me.
Configs:
Configuration with my own WireGuard server (not working here, but the same credentials work on other devices):
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option packet_steering '1'
option ula_prefix 'fd66:de80:850e::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
option peerdns '0'
list dns '8.8.8.8'
list dns '8.8.4.4'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
config interface 'wg0'
option proto 'wireguard'
option peerdns '0'
list dns '8.8.8.8'
list dns '8.8.4.4'
option private_key 'KMhWxxxxxxxxxxxxxxxxxxxxxxxx1xNL9HE8='
list addresses '10.252.1.2/32'
config wireguard_wg0
option description 'senku'
list allowed_ips '0.0.0.0/0'
option endpoint_port '51820'
option persistent_keepalive '15'
option route_allowed_ips '1'
option public_key 'a2VxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxABEI='
option endpoint_host '104.xxx.xxx.160'
Configuration with my Mullvad WireGuard credentials (working):
root@OpenWrt:/etc/config# cat network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option packet_steering '1'
option ula_prefix 'fd66:de80:850e::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
option peerdns '0'
list dns '8.8.8.8'
list dns '8.8.4.4'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
config interface 'wg0'
option proto 'wireguard'
option peerdns '0'
list dns '8.8.8.8'
list dns '8.8.4.4'
option private_key 'iGzquxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx4FFo='
list addresses '10.65.0.35/32'
config wireguard_wg0
option description 'mullvad'
list allowed_ips '0.0.0.0/0'
option endpoint_port '51820'
option persistent_keepalive '15'
option route_allowed_ips '1'
option public_key '08lMxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxWCrVg='
option endpoint_host '92.xxx.xxx.165'
Firewall configuration:
root@OpenWrt:/etc/config# cat /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled 'false'
config include
option path '/etc/firewall.user'
config zone
option name 'vpn'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
list network 'wg0'
option input 'REJECT'
config forwarding
option src 'lan'
option dest 'vpn'