[Solved] Problems configuring wireguard

Urby93 · November 7, 2020, 3:49pm

Hi all!

I am a new OpenWrt user trying to setup wireguard server on my WRT1900ACS v2 router to be able to remotly acess LAN and internet. I've been trying to figure this out for a past few days. Recently I started over following this guide: https://doc.turris.cz/doc/en/public/wireguard. So far I am able to make handshake between my router and android peer, but can't access anything when connected.

Here is how I have it configured at the moment:

/etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd08:0f6a:2926::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.11.1'
	option ifname 'eth0.1 wlan1'

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth1.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '5t 3 2 1 0'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '6t 4'
	option vid '2'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'yLn ... H8='
	option listen_port '51820'
	list addresses '10.10.11.1/24'

config wireguard_wg0
	option public_key 'g8z ... 9zE='
	option persistent_keepalive '25'
	option description 'Wireguard peer'
	option route_allowed_ips '1'
	list allowed_ips '10.10.11.2/32'

/etc/config/firewall


config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config redirect
	option dest_port '443'
	option src 'wan'
	option name 'OpenConnect'
	option src_dport '443'
	option target 'DNAT'
	option dest 'lan'
	option dest_ip '192.168.11.1'

config forwarding 'lan_wan'
	option dest 'wan'
	option src 'lan'

config rule
	option src '*'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '51820'
	option name 'Allow-Wireguard-Inbound'

config zone
	option name 'wg'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option masq '1'
	option network 'wg0'

config forwarding
	option src 'wg'
	option dest 'wan'
 
config forwarding
	option src 'wan'
	option dest 'wg'
 
config forwarding
	option src 'lan'
	option dest 'wg'
 
config forwarding
	option src 'wg'
	option dest 'lan'

Wireguard status

root@OpenWrt:~# wg show
interface: wg0
  public key: 2aK ... H4=
  private key: (hidden)
  listening port: 51820

peer: g8z ... zE=
  endpoint: 178.58.4.186:9377
  allowed ips: 10.10.11.2/32
  latest handshake: 6 minutes, 34 seconds ago
  transfer: 2.15 KiB received, 8.26 KiB sent
  persistent keepalive: every 25 seconds

Android config

Any help is appreciated!

lleachii · November 7, 2020, 4:05pm

@Urby93, welcome to the community!

You sure???

Remove this from the wg firewall zone and test. You should have routes and don't need to NAT, the far-end may be a different issue and need to be configured (but you only allow one IP, so you can handle that there as normal).

Urby93 · November 7, 2020, 4:43pm

Hi @lleachii, thanks for your time!

By not being able to access anything I meant, I am not able to connect to any local device connected to router or internet.

I removed the option you suggested and restarted the router. The results are still the same.

I'm not sure I understand this last part. Are you suggesting I should add some other IPs to allowed IP list?

lleachii · November 7, 2020, 5:17pm

No, I'm not - unless you understand why and choose to. I suggested the masquerade (NAT) on the far end.

You only allow one IP...so if you allow other IPs at the far end, you also need to make routes on that device to send the traffic to the tunnel (unless of course you already send 0.0.0.0/0).

trendy · November 7, 2020, 6:00pm

There is our tested and verified guide by the way.
Your network part of the wireguard is fine (although the option route_allowed_ips '1' is not needed)
In firewall I would add wg0 interface in lan zone. That eliminates most of the forwardings you have added. Also masquerade is not needed on wg zone. wan->wg forwarding is wrong.
In the android client the IP is wrong, should be 10.10.11.2/24, according to what you have configured for this peer in OpenWrt.

Urby93 · November 7, 2020, 6:24pm

Hi @trendy, thanks for your time.

I already tried to do it without all the forwarding before, but was not successful. Also, I think that was because I was using wrong IP from the beginning . So now that this is out of the way, I think I'll start over and do it without the forwarding as you suggested.

Thank you guys both for the help. You'll hear from me again if I find new problems.

trendy · November 7, 2020, 6:27pm

Just don't forget, if your problem is solved, to mark this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

system · November 17, 2020, 6:28pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.