[SOLVED] The mobile device does not connect to the WireGuard server

Hi,

I installed WireGuard on the router, and everything works fine with the computers on the local network.

But the mobile device, although it connects to the router, has no access to the local network or the Internet.

I have tested connecting to the Azire servers from the mobile device, and it connects without problems.

The device runs Oreo 8.1.0 with the WireGuard APK installed.

Here are my configuration files, in case I have something wrong:

root@OpenWrt:~# cat /etc/config/network

# /etc/config/network as posted (private/public keys redacted by the poster).
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd56:aa9e:81e7::/48'

# LAN bridge on switch VLAN 1 (ports 2 and 3, CPU port 6 tagged; see switch_vlan below).
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device 'lan_dev'
        option name 'eth0.1'
        option macaddr '50:64:2b:1a:7c:30'

# WAN is the ISP VLAN 832 (tagged on port 1), IPv4 and IPv6 both via DHCP.
config interface 'wan'
        option proto 'dhcp'
        option ifname 'eth0.832'

config interface 'wan6'
        option proto 'dhcpv6'
        option ifname 'eth0.832'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 6t'
        option vid '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1t 6t'
        option vid '832'

# WireGuard server interface: listens on UDP 51820, tunnel address 192.168.200.1/24.
config interface 'wg0'
        option proto 'wireguard'
        option private_key '.............'
        option listen_port '51820'
        list addresses '192.168.200.1/24'

# Peer 1 (the PC, per the `wg` output later in the thread): tunnel address
# 192.168.200.2, inside the wg0 /24 above. route_allowed_ips '1' installs a
# route for the allowed_ips prefix via wg0.
config wireguard_wg0
        option public_key '......'
        list allowed_ips '192.168.200.2/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

# Peer 2 (the mobile device, per the `wg` output): allowed_ips is
# 192.198.200.3/32 -- second octet 198, not 168 -- so it lies outside the
# 192.168.200.0/24 tunnel subnet configured on wg0 and used by peer 1.
# NOTE(review): this looks like a typo for 192.168.200.3/32. WireGuard only
# accepts decrypted packets from a peer whose inner source address is within
# that peer's allowed_ips, so a phone configured with 192.168.200.3 would have
# its traffic dropped, and the installed route would point at the wrong prefix.
# The running `wg` output in the thread shows the same value -- confirm.
config wireguard_wg0
        option public_key 'flT......'
        list allowed_ips '192.198.200.3/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'


root@OpenWrt:~# cat /etc/config/firewall


# /etc/config/firewall as posted. The 'defaults' section below sets the global
# policy (input ACCEPT, output ACCEPT, forward REJECT); zones override it.
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Lets the WireGuard listener (UDP 51820, see /etc/config/network) be reached
# from every zone (src '*'), including wan. This is the only port the wan zone
# opens to the router beyond the default ICMP/DHCP rules above.
config rule
        option target 'ACCEPT'
        option proto 'udp'
        option name 'Allow Wireguard'
        option src '*'
        option dest_port '51820'

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

# wan zone masquerades (masq '1'); the thread confirms LAN clients lose Internet
# access when this is turned off.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config include
        option path '/etc/firewall.user'

# Zone for VPN peers on wg0. input ACCEPT means peers can reach every service
# listening on the router itself; forward REJECT means peers only reach what the
# 'forwarding' sections below explicitly allow. masq '1' on this zone
# presumably source-NATs traffic leaving via wg0 to the tunnel address, which
# hides LAN client addresses from VPN peers -- confirm this is intended rather
# than copied from the wan zone.
config zone
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option name 'wireguard'
        option masq '1'
        option network 'wg0'

# VPN peers -> Internet (relies on the wan zone's masq above).
config forwarding
        option dest 'wan'
        option src 'wireguard'

# LAN -> Internet.
config forwarding
        option dest 'wan'
        option src 'lan'

# LAN -> VPN peers.
config forwarding
        option dest 'wireguard'
        option src 'lan'

# VPN peers -> LAN: together with the zone's input ACCEPT this gives a
# connected peer the same reach as a wired LAN client.
config forwarding
        option dest 'lan'
        option src 'wireguard'

router wg

interface: wg0
  public key: TZ........
  private key: (hidden)
  listening port: 51820

peer: fl.....
  endpoint: 192.168.1.2:41018
  allowed ips: 192.198.200.3/32
  latest handshake: 6 seconds ago
  transfer: 10.61 KiB received, 23.32 KiB sent
  persistent keepalive: every 25 seconds

peer: BY......
  endpoint: 192.168.1.5:38995
  allowed ips: 192.168.200.2/32
  latest handshake: 48 seconds ago
  transfer: 3.63 MiB received, 15.60 MiB sent
  persistent keepalive: every 25 seconds


Mobile device with IP 192.168.1.2:

Screenshot_20180519-142334

thank you very much


Ensure you've updated the WireGuard client on the Android device. Only the most recent versions work in userspace (without needing the manufacturer to compile kmod-wireguard into Android).

Also, it seems your WAN is on a private IP network; did you disable masquerade?

If so, you may need a static route on the upstream router.

Thanks for answering

I have installed the latest WireGuard client version, 0.4.5, downloaded from F-Droid.

My Internet provider delivers the data service over a VLAN with ID 832.

If I disable masquerade on the WAN, the computers on the internal network lose Internet access.

Sorry, but I'm new and I do not know how to add a static route on the upstream router.

Thank you


NO! DO NOT DISABLE IT. I ONLY asked IF you had disabled it.

I am using 0.4.7 from the Play Store.

Please confirm that you are not attempting to use the 192.168.1.1:51820 address while connected to your mobile carrier.


The address 192.168.1.1:51820 is the IP of the router; the devices have fixed IP addresses in the range 192.168.1.xxx:
router -> 192.168.1.1
pc -> 192.168.1.5
mobile device -> 192.168.1.2

I finally installed Termux on the mobile device, and I have seen that pinging the address 8.8.8.8 works, but pinging google.com does not.

I have deleted the DNS entry in the WireGuard client and now everything works. I ran a test on dnsleaks, and now there is a DNS leak.

I am closing this thread since I have found the solution; I will open another one to see how to solve this DNS leak.

@lleachii thank you very much for your help.


Use a DNS IP that is only accessible via the tunnel.


I have installed dnscrypt. I have tried the addresses 192.168.1.1 and 192.168.200.1 as DNS in the client configuration file, but then DNS does not work.

thanks


Hello letstat, lleachii,

Thank you so much!!! Reading your setup, letstat, I got my WireGuard to work now... wonderful!!!! :yum: I was stuck, and nearly upset, after trying for so many days to get it to work... and now, after reading this setup, I can connect from my mobile phone to home via WireGuard wonderfully, and my internal clients are working too... Thank you both very much; now, finally, I understand how it works :joy:

THANK YOU!!!!!


Can I ask one more question? I'm using DNSCrypt, which works perfectly: when WireGuard is OFF, it shows me only the 2 DNSCrypt DNS servers I defined for use in dnscrypt-proxy.toml, but as soon as I enable WireGuard, it shows, besides those 2 DNSCrypt servers, about 14 more... Could you please tell me what I have to do so that, when I connect via WireGuard, it also uses only the 2 DNSCrypt servers I defined in /etc/config/dnscrypt-proxy.toml, and not others as well? :wink:

I changed the DNS server in the WireGuard client on my mobile device from 192.168.200.1 to 192.168.1.1, and now https://www.grc.com/dns/dns.htm shows me only the 2 DNS servers I defined in dnscrypt-proxy.toml, but I don't know if that is right!? The GRC DNS test shows 6 servers on the right... but they don't show up; only my 2 DNSCrypt servers show up... I don't know if it's OK this way... I have DNS forwarding set on my router's IP 192.168.1.1 to 127.0.0.1#5353 ----