[SOLVED] Problems setting up wireguard

openwtruser435 · January 25, 2019, 9:44am

hello,

i tried to set up a wireguard server on my openwrt router, but it doesnt work.

I followed this guide: https://casept.github.io/post/wireguard-server-on-openwrt-router/

I seem to be able to connect, because I can see my Android device in Lucis Wireguard Interface, when I am connected.
But when I ping the Wireguard interfaces IP, Android and my Router seem to have the same IP and the ping answers from my Router seem to fast over UMTS. Also DNS resolution does not work

When I try to access the Internet with VPN from my Android phone, I only get I have no internet connection.

Do I need to use my VPN local ip for the router as DNS Server or the normal local IP of my Router?

I have a Doubble-NAT with my ISPs Router. But Port-forwards work. I can connect to my OpenVPN Server on my NAS for example.

trendy · January 25, 2019, 9:55am

Hello! Please post the contents of the following files:
/etc/config/network, /etc/config/firewall , and run these commands ip -4 addr ; ip -4 ro ; ip -4 ru ; cat /tmp/resolv.* and paste here the output.

openwtruser435 · January 25, 2019, 10:26am

/etc/config/network:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fda0:53cd:c74f::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option dns '9.9.9.9'
	option gateway '192.168.1.2'
	option broadcast '192.168.2.255'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	option broadcast '192.168.1.255'
	option dns '9.9.9.9'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'
	option auto '0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 5t'

config interface 'wg0'
	option proto 'wireguard'
	option listen_port '1234'
	list addresses '192.168.10.1/24'
	option private_key 'XXXXXXXXXXXXXXXXXXXXXX='

config wireguard_wg1
	option public_key 'XXXXXXXXXXXXXXXXXXXXXX='
	option route_allowed_ips '1'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
	option persistent_keepalive '25'
	option description 'Android Handy'

config wireguard_wg0
	option public_key 'XXXXXXXXXXXXXXXXXXXXXX='
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'

/etc/config/firewall:

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '5001'
	option dest_ip '192.168.2.101'
	option dest_port '5001'
	option name 'DSM_218p'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '5022'
	option dest_ip '192.168.2.101'
	option dest_port '22'
	option name 'SSH_218p'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '5006'
	option dest_ip '192.168.2.101'
	option dest_port '5006'
	option name 'WebDAV_218p'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'udp'
	option src_dport '1195'
	option dest_ip '192.168.2.101'
	option dest_port '1194'
	option name 'OVPN_218p'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '6001'
	option dest_ip '192.168.2.103'
	option dest_port '5001'
	option name 'DSM_213j'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '6022'
	option dest_ip '192.168.2.103'
	option dest_port '22'
	option name 'SSH_213j'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '443'
	option dest_ip '192.168.2.1'
	option dest_port '443'
	option name 'Luci_OpenWRT'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option dest_ip '192.168.2.1'
	option dest_port '22'
	option name 'SSH_OpenWRT'
	option src_dport '1122'

config redirect
	option target 'DNAT'
	option src 'wan'
	option proto 'udp'
	option src_dport '1234'
	option dest_ip '192.168.2.1'
	option dest_port '1234'
	option name 'WireGuard_OpenWRT'
	option dest 'lan'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '5003'
	option dest_port '5001'
	option name 'DockerDSM_218p'
	option dest_ip '192.168.2.109'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '5002'
	option dest_ip '192.168.2.102'
	option dest_port '5001'
	option name 'DSM_218p_VM'

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'tcp'
	option dest_port '2200'
	option name 'ssh-test'

config rule
	option name 'Allow-OpenVPN-Inbound'
	option target 'ACCEPT'
	option src '*'
	option proto 'udp'
	option dest_port '1194'

config rule
	option name 'Allow-OpenVPN'
	option src 'wan'
	option dest_port '1194'
	option proto 'tcp udp'
	option target 'ACCEPT'

config zone
	option name 'newzone'
	option input 'ACCEPT'
	option forward 'REJECT'
	option network ' '
	option output 'ACCEPT'

config rule
	option src '*'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '1234'
	option name 'Allow-Wireguard-Inbound'

config zone
	option name 'wg'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option masq '1'
	option network 'wg0'

config forwarding
	option src 'wg'
	option dest 'wan'

config forwarding
	option src 'wg'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'wg'

config forwarding
	option src 'wan'
	option dest 'wg'

Commands:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan
       valid_lft forever preferred_lft forever
7: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1
    inet 192.168.10.1/24 brd 192.168.10.255 scope global wg0
       valid_lft forever preferred_lft forever
9: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.2/24 brd 192.168.1.255 scope global eth0.2
       valid_lft forever preferred_lft forever
default via 192.168.1.1 dev eth0.2 proto static 
192.168.1.0/24 dev eth0.2 proto kernel scope link src 192.168.1.2 
192.168.2.0/24 dev br-lan proto kernel scope link src 192.168.2.1 
192.168.10.0/24 dev wg0 proto kernel scope link src 192.168.10.1 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
search lan
nameserver 127.0.0.1
# Interface lan
nameserver 9.9.9.9
# Interface wan
nameserver 9.9.9.9

trendy · January 25, 2019, 11:15am

Some things I noticed:

Remove these 2 lines.

Rename the config wireguard_wg1 to wireguard_wg0

Erase the following forwarding.

Add

option mtu_fix '1'

in wg firewall zone and change input and forward to REJECT

Finally on the smartphone make sure you are using an unused IP from the 192.168.10.0/24 subnet. Since Openwrt has .1 you can use .2, .3 etc

openwtruser435 · January 25, 2019, 11:31am

U mean in
/etc/config/network :
config interface 'lan'
?
I can not remove the gateway, then I would have no more Internet access... 192.168.1.2 is the gateway to my ISPs Router (192.168.1.1)..

And why should I remove the Broardcast address?

I will try the other things later, when I have some more time.
Thanks!

trendy · January 25, 2019, 11:39am

You have already defined the gateway to the router of your ISP in the WAN interface. This IP (192.168.1.2) is assigned to the WAN interface of Openwrt, so there is no point to use it as default gateway in the LAN. Moreover you cannot use gateway that belongs to different subnet.
The broadcast is calculated from the IP and the MASK, so it is not necessary.

openwtruser435 · January 25, 2019, 11:55am

Okay, can I just edit configfile directly?

How do I comment something out, instead of removing it?
Is it like in bash with '#' ?

trendy · January 25, 2019, 12:28pm

Yes to all!
Don't forget to restart the services after you finish editing, e.g /etc/init.d/network restart
However there is a catch when editing directly. There is no rollback from a change that renders the router unusable, like there is in Luci.

lleachii · January 25, 2019, 1:03pm

You may have to do a reboot to restart a WG interface with new configs.

openwtruser435 · January 25, 2019, 8:10pm

I changed everythign like you said now, but I am still not able to connect.

Wireguard in Luci says for my Phone:

Latest Handshake: Never
Data Received: 0 B
Data Transmitted: 0 B

What else can I do?

trendy · January 25, 2019, 8:15pm

For a start post once again the updated configs to verify that everything is correct.

openwtruser435 · January 25, 2019, 8:23pm

network:

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda0:53cd:c74f::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option dns '9.9.9.9'
        #option gateway '192.168.1.2'
        #option broadcast '192.168.2.255'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'static'
        option ipaddr '192.168.1.2'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'
        option broadcast '192.168.1.255'
        option dns '9.9.9.9'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'
        option auto '0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 5t'

config interface 'wg0'
        option proto 'wireguard'
        option listen_port '1234'
        list addresses '192.168.10.1/24'
        option private_key 'XXX='

config wireguard_wg0
        option public_key 'XXX='
        option route_allowed_ips '1'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option persistent_keepalive '25'
        option description 'Android Handy'

firewall:

root@OpenWrt:~# cat /etc/config/firewall

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '5001'
        option dest_ip '192.168.2.101'
        option dest_port '5001'
        option name 'DSM_218p'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '5022'
        option dest_ip '192.168.2.101'
        option dest_port '22'
        option name 'SSH_218p'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '5006'
        option dest_ip '192.168.2.101'
        option dest_port '5006'
        option name 'WebDAV_218p'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'udp'
        option src_dport '1195'
        option dest_ip '192.168.2.101'
        option dest_port '1194'
        option name 'OVPN_218p'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '6001'
        option dest_ip '192.168.2.103'
        option dest_port '5001'
        option name 'DSM_213j'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '6022'
        option dest_ip '192.168.2.103'
        option dest_port '22'
        option name 'SSH_213j'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '443'
        option dest_ip '192.168.2.1'
        option dest_port '443'
        option name 'Luci_OpenWRT'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option dest_ip '192.168.2.1'
        option dest_port '22'
        option name 'SSH_OpenWRT'
        option src_dport '1122'

config redirect
        option target 'DNAT'
        option src 'wan'
        option proto 'udp'
        option src_dport '1234'
        option dest_ip '192.168.2.1'
        option dest_port '1234'
        option name 'WireGuard_OpenWRT'
        option dest 'lan'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '5003'
        option dest_port '5001'
        option name 'DockerDSM_218p'
        option dest_ip '192.168.2.109'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '5002'
        option dest_ip '192.168.2.102'
        option dest_port '5001'
        option name 'DSM_218p_VM'

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp'
        option dest_port '2200'
        option name 'ssh-test'

config rule
        option name 'Allow-OpenVPN-Inbound'
        option target 'ACCEPT'
        option src '*'
        option proto 'udp'
        option dest_port '1194'

config rule
        option name 'Allow-OpenVPN'
        option src 'wan'
        option dest_port '1194'
        option proto 'tcp udp'
        option target 'ACCEPT'

config zone
        option name 'newzone'
        option input 'ACCEPT'
        option forward 'REJECT'
        option network ' '
        option output 'ACCEPT'

config rule
        option src '*'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '1234'
        option name 'Allow-Wireguard-Inbound'

config zone
        option name 'wg'
        option input 'REJECT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option network 'wg0'

config forwarding
        option src 'wg'
        option dest 'wan'

config forwarding
        option src 'wg'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'wg'

#config forwarding
#       option src 'wan'
#       option dest 'wg'

ip:

root@OpenWrt:~# ip -4 addr ; ip -4 ro ; ip -4 ru ; cat /tmp/resolv.*
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan
       valid_lft forever preferred_lft forever
7: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1
    inet 192.168.10.1/24 brd 192.168.10.255 scope global wg0
       valid_lft forever preferred_lft forever
9: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.2/24 brd 192.168.1.255 scope global eth0.2
       valid_lft forever preferred_lft forever
default via 192.168.1.1 dev eth0.2 proto static
192.168.1.0/24 dev eth0.2 proto kernel scope link src 192.168.1.2
192.168.2.0/24 dev br-lan proto kernel scope link src 192.168.2.1
192.168.10.0/24 dev wg0 proto kernel scope link src 192.168.10.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
search lan
nameserver 127.0.0.1
# Interface lan
nameserver 9.9.9.9
# Interface wan
nameserver 9.9.9.9

Maybe it helps, if I also post the config on my Smartphone?

Is the destination in firewallcfg correct?

config redirect
        option target 'DNAT'
        option src 'wan'
        option proto 'udp'
        option src_dport '1234'
        option dest_ip '192.168.2.1'
        option dest_port '1234'
        option name 'WireGuard_OpenWRT'
        option dest 'lan'

    option dest 'lan' is correct, or should there be my wireguard interface?

Also can I remove this?

config zone
        option name 'newzone'
        option input 'ACCEPT'
        option forward 'REJECT'
        option network ' '
        option output 'ACCEPT'

trendy · January 25, 2019, 8:54pm

The redirect for the wg, as well as the https and ssh, are not needed. You already have rules to accept the traffic. So you can remove it.

That newzone is empty so you can delete it.

The config from the Android would help. Also make sure that the upstream router is forwarding udp 1234 to the 192.168.1.2

lleachii · January 25, 2019, 9:58pm

Add to /etc/config/network -

config route
	option interface 'wg0'
	option target '192.168.10.0'
	option netmask '255.255.255.0'

Do not select route allowed IPs for your Android peer, the Internet is not located on your phone.

openwtruser435 · January 25, 2019, 11:08pm

That did the trick, it works now, thanks

trendy · January 25, 2019, 11:46pm

If your problem is solved, feel free to mark the relevant post as the solution; and edit the title to add "[SOLVED]" to the beginning (click the pencil behind the topic).

grafik

system · February 4, 2019, 11:46pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.