I have been trying to run a wireguard server on my Archer C7 v5 without success.
Although I have been reading through many posts here that seem similar, I couldn't find a way to apply the solutions to my configuration.
I have copied the keys to my wireguard configuration on my PC and can start the connection.
wg show indicates that the handshake is successful and that a few hundred bytes are exchanged.
The problem is that I can neither ping, ssh, nor access the LuCI WebUI via the VPN connection. It is not even a timeout, but "no route to Host".
I would be very happy about any help, if someone has experience with these setups.
And I apologize in advance; I am sure that the problem is very basic, as I am very new to the router world.
Here are my config files:
# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdd6:79dd:4af2::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config device
option name 'eth0.2'
option macaddr 'xxx'
config interface 'wan'
option device 'eth0.2'
option proto 'dhcp'
config interface 'wan6'
option device 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '2 3 4 5 0t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 0t'
config interface 'vpn'
option proto 'wireguard'
option private_key 'xxx'
option listen_port '51820'
list addresses '192.168.9.1/24'
list addresses 'fd00:9::1/64'
config wireguard_vpn 'wgclient'
option public_key 'xxx'
option preshared_key 'xxx'
list allowed_ips '192.168.9.2/32'
list allowed_ips 'fd00:9::2/128'
option route_allowed_ips '1' # this line I added when testing
------------------------------------------------------------------------------------
# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option drop_invalid '1'
config zone 'lan'
option name 'lan'
list network 'lan'
list network 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan vpn' # this line I added when testing
config zone 'wan'
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule 'wg'
option name 'Allow-WireGuard'
option src 'wan'
option dest_port '51820'
option proto 'udp'
option target 'ACCEPT'
# The configs below I also added when testing, it didn't work either way
config zone
option name 'wireguard'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'vpn'
config forwarding
option src 'wireguard'
option dest 'lan'
config forwarding
option src 'wireguard'
option dest 'wan'
One first question I have is: what is the IP of the router in the VPN network, and where can I find this? I am suspecting either 192.168.1.1 or 192.168.9.1, but the second one seems to be my PC. I am very much confused by this already.
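One thing worth checking in the posted firewall config is that the 'vpn' network ends up assigned to two zones (lan and the added wireguard zone), and that the lan zone mixes the legacy 'option network' form with 'list network' entries. The following is an added example (not from this thread or from OpenWrt itself) that parses a UCI firewall dump and flags both conditions; the embedded text is a constructed excerpt modelled on the config above.

```python
"""Sanity-check an OpenWrt /etc/config/firewall dump for zone/network conflicts.

Added example, not from the thread: parses UCI 'config zone' sections and
reports (a) a network assigned to more than one zone and (b) a zone that
mixes the legacy 'option network' form with 'list network' entries.
SAMPLE is a constructed excerpt modelled on the posted config.
"""
import re
from collections import defaultdict

SAMPLE = """\
config zone 'lan'
option name 'lan'
list network 'lan'
list network 'vpn'
option network 'lan vpn'
config zone 'wan'
option name 'wan'
list network 'wan'
list network 'wan6'
config zone
option name 'wireguard'
option network 'vpn'
"""

# keyword, key, and optional single-quoted value; values are always quoted in UCI dumps
LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?")

def parse_zones(text):
    """Return [{'name', 'list', 'option'}] for each 'config zone' section in text."""
    zones, cur = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.split('#', 1)[0])   # drop trailing comments
        if not m:
            continue
        kind, key, val = m.groups()
        if kind == 'config':
            cur = {'name': None, 'list': [], 'option': []} if key == 'zone' else None
            if cur is not None:
                zones.append(cur)
        elif cur is not None and kind == 'option' and key == 'name':
            cur['name'] = val
        elif cur is not None and key == 'network':
            # 'option network' is space-separated; 'list network' is one entry per line
            cur[kind].extend(val.split() if kind == 'option' else [val])
    return zones

def find_conflicts(text):
    """Return ({network: [zones...]} for multi-zone networks, [zones mixing both forms])."""
    owners, mixed = defaultdict(set), []
    for z in parse_zones(text):
        if z['option'] and z['list']:
            mixed.append(z['name'])
        for net in set(z['option'] + z['list']):
            owners[net].add(z['name'])
    return {n: sorted(zs) for n, zs in owners.items() if len(zs) > 1}, mixed

if __name__ == '__main__':
    print(find_conflicts(SAMPLE))   # ({'vpn': ['lan', 'wireguard']}, ['lan'])
```

Run it against the real file with `find_conflicts(open('/etc/config/firewall').read())`; a network should belong to exactly one zone, so pick either the lan zone or the dedicated wireguard zone for 'vpn', not both.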
This also enables a successful handshake, and this time I seem to be able to ping the router!
But ssh and the WebUI are still unreachable, this time it is a timeout though.
These changes now enable me to log in via ssh, that is great! Thanks.
But like before, the WebUI does not load.
Interestingly, when I connect my PC over ethernet to the router, I can resolve the WebUI instantly over the VPN tunnel (192.168.9.1) and also via its local LAN IP (192.168.1.1).
EDIT: Also it is difficult to get the ssh going, I have to wait a few minutes after starting the vpn before being able to ssh. After the ssh was successful once, it seems stable.
Yes I am normally testing the connection using my 4G hotspot.
Could it be linked to the fact that my router is connected as an access point to the main router of the house (via lan)?
The public ip I have in my client config is the one of the main router, and I have forwarded the wireguard port from the main router to my OpenWRT router.
Yes you need to test VPNs from outside. For example connect the client laptop to a cell phone that is running hotspot, with wifi off in the phone so it reaches the Internet by the cellular connection.
Since you're allowing all input on the wireguard firewall zone, http to the router should work the same as ssh.
Yes I seem to be getting good replies from the router:
$ ping 192.168.9.1
PING 192.168.9.1 (192.168.9.1) 56(84) bytes of data.
64 bytes from 192.168.9.1: icmp_seq=1 ttl=64 time=62.4 ms
64 bytes from 192.168.9.1: icmp_seq=2 ttl=64 time=46.6 ms
64 bytes from 192.168.9.1: icmp_seq=3 ttl=64 time=40.4 ms
64 bytes from 192.168.9.1: icmp_seq=4 ttl=64 time=44.0 ms
64 bytes from 192.168.9.1: icmp_seq=5 ttl=64 time=26.4 ms
64 bytes from 192.168.9.1: icmp_seq=6 ttl=64 time=52.6 ms
64 bytes from 192.168.9.1: icmp_seq=7 ttl=64 time=36.4 ms
64 bytes from 192.168.9.1: icmp_seq=8 ttl=64 time=45.3 ms
64 bytes from 192.168.9.1: icmp_seq=9 ttl=64 time=46.1 ms
64 bytes from 192.168.9.1: icmp_seq=10 ttl=64 time=45.8 ms
64 bytes from 192.168.9.1: icmp_seq=11 ttl=64 time=45.5 ms
64 bytes from 192.168.9.1: icmp_seq=12 ttl=64 time=53.5 ms
64 bytes from 192.168.9.1: icmp_seq=13 ttl=64 time=33.5 ms
64 bytes from 192.168.9.1: icmp_seq=14 ttl=64 time=40.5 ms
64 bytes from 192.168.9.1: icmp_seq=15 ttl=64 time=70.4 ms
64 bytes from 192.168.9.1: icmp_seq=16 ttl=64 time=31.1 ms
64 bytes from 192.168.9.1: icmp_seq=17 ttl=64 time=54.8 ms
64 bytes from 192.168.9.1: icmp_seq=18 ttl=64 time=35.6 ms
64 bytes from 192.168.9.1: icmp_seq=19 ttl=64 time=63.2 ms
64 bytes from 192.168.9.1: icmp_seq=20 ttl=64 time=42.6 ms
64 bytes from 192.168.9.1: icmp_seq=21 ttl=64 time=27.8 ms
^C
--- 192.168.9.1 ping statistics ---
21 packets transmitted, 21 received, 0% packet loss, time 20027ms
rtt min/avg/max/mdev = 26.407/44.972/70.350/11.303 ms
For what it's worth, the ssh connection is very stable and reliable once I have waited for a few minutes after I start the VPN. I can then log in and out smoothly. But before that it also times out.
Hold up a second, what's Endpoint on the router side? Is it the IP address of your smartphone's 4G hotspot? A domain name? Does the Wireguard configuration on the smartphone side have an Endpoint set?
One or both peers need either a static IP address or a domain name. If one of the peers is a "road warrior" type device like a smartphone hotspot, the other peer would be your router with a DDNS name. The smartphone's config would have its Endpoint set to the router's DDNS name, while the router's config would not have its Endpoint set (unless you're configuring a site-to-site tunnel with another OpenWrt device as a peer).
This might explain the timeout behavior you're seeing. The Wireguard tunnel on the smartphone side is waiting for your OpenWrt device to connect to it. Once the router decides to start a handshake, the tunnel connects, then packets can be tunneled. The smartphone side can't actively connect to the OpenWrt side without knowing the router's IP address.
Let's see the current complete (except for redacted private information) configs from both your router (/etc/config/network and /etc/config/firewall) and your remote peer (asking in case things have changed since earlier postings).
Add a static route on the main router to 192.168.9.0/24 via the LAN IP of VPN server, or enable masquerading on the LAN firewall zone of the VPN server.