Good day,
For the past few days I have been trying to set up a WireGuard connection between my router and an iOS client.
Router - Western Digital MYNETN750, OpenWRT 17.01.6
Client - iPhone 6, iOS 12.1.2, Wireguard 0.0.20181104 (7), 0.0.20181018
I have followed through the information described here in the wiki:
https://openwrt.org/docs/guide-user/network/tunneling_interface_protocols#protocol_wireguard_wireguard_vpn
https://openwrt.org/docs/guide-user/network/tunneling_interface_protocols#static_addressing_of_wireguard_tunnel
I am able to bring the WireGuard interface up on the router, but that's it. I am not sure whether my routes or my client settings are correct. My router LAN segment is 192.168.51.1/24; for WireGuard I have assigned 10.51.0.1/24. The router WAN port is connected to my ISP router. To get around that, a static DHCP lease with a DMZ address has been added on the ISP router so that all incoming requests are forwarded to my OpenWRT router.
Router:
opkg list-installed
kmod-wireguard - 4.4.153+0.0.20180519-1
wireguard - 0.0.20180519-1
wireguard-tools - 0.0.20180519-1
/etc/config/network
config interface 'wg0'
	option proto 'wireguard'
	option private_key '<router private key>'
	option listen_port '50000'
	list addresses '10.51.0.1/24'
	# list addresses 'fe80:0:0:0:0:0:a33:1/128'

config wireguard_wg0
	# MG4A2B/A (iPhone 6)
	option description '<MG4A2B/A (iPhone 6)>'
	option public_key '<client public key>'
	option preshared_key '<router presharedkey>'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	list allowed_ips '10.51.0.2/24'
	# list allowed_ips '::/0'
/etc/config/firewall
config zone
	option name 'wireguard'
	list network 'wg0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'

config fowrarding
	option src 'wireguard'
	option dest 'wan'
wg show
interface: wg0
public key: riT63uPfhD8cEpSVLTGoqQxmKUQcR9Hm41g+HZLWtiA=
private key: (hidden)
listening port: 50000
peer: EGiBjDoEiv84NLxoBhAgBt3wR8KyjBaSWLU4D6KkoAU=
preshared key: (hidden)
allowed ips: 10.51.0.0/24
persistent keepalive: every 25 seconds
ip route
default via 192.168.1.254 dev eth0.2 proto static src 192.168.1.2
10.51.0.0/24 dev wg0 proto kernel scope link src 10.51.0.1
192.168.1.0/24 dev eth0.2 proto kernel scope link src 192.168.1.2
192.168.1.254 dev eth0.2 proto static scope link src 192.168.1.2
192.168.51.0/24 dev br-lan proto kernel scope link src 192.168.51.1
ifconfig wg0
wg0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.51.0.1 P-t-P:10.51.0.1 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MTU:1420 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Client
wg0.conf
[Interface]
PrivateKey = <client private key>
Address = 10.51.0.2/24
DNS = 8.8.8.8
[Peer]
PublicKey = riT63uPfhD8cEpSVLTGoqQxmKUQcR9Hm41g+HZLWtiA=
PresharedKey = <router preshared key>
AllowedIPs = 0.0.0.0/0
Endpoint = <wanip>:50000
PersistentKeepalive = 25
Wireguard iOS Client Log
https://pastebin.com/raw/cbg98B5z
UPDATE - 15.01.2019
After a hardware change to a TP-Link C2600 with OpenWRT 18.06.1, and with the superb support of the #wireguard IRC channel and especially user mbello, I was able to finish the setup and now have a working VPN.
As I wanted my iOS client to have full access on the resources behind my router, here are the configuration files from the router and client:
ROUTER
opkg list-installed | grep wireguard
kmod-wireguard - 4.14.63+0.0.20180718-2
wireguard - 0.0.20181119-1
wireguard-tools - 0.0.20181119-1
# /etc/config/network
config interface 'wg0'
	option proto 'wireguard'
	# Server private key
	option private_key 'QH6...uG0='
	option listen_port '50000'
	list addresses '10.0.51.1/24'

config wireguard_wg0
	# Peer public key
	option public_key 'vpG...NV0='
	option preshared_key 'lYD...4F8='
	list allowed_ips '10.0.51.2/32'
	option persistent_keepalive '25'
	option route_allowed_ips '1'
# /etc/config/firewall
config zone
	option name 'wg0'
	list network 'wg0'
	option input ACCEPT
	option output ACCEPT
	option forward REJECT
...
config forwarding
	option src wg0
	option dest lan

config forwarding
	option src wg0
	option dest wan

config rule
	option name 'Allow Wireguard'
	option src 'wan'
	option dest_port '50000'
	option proto 'udp'
	option target 'ACCEPT'
# wg show wg0
interface: wg0
public key: PAM...Qjk=
private key: (hidden)
listening port: 50000
peer: vpG...NV0=
preshared key: (hidden)
endpoint: 80.....130:50000
allowed ips: 10.0.51.2/32
latest handshake: 1 minute, 5 seconds ago
transfer: 855.73 KiB received, 1.73 MiB sent
persistent keepalive: every 25 seconds
# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.1.254 0.0.0.0 UG 0 0 0 eth0.2
10.0.51.0 * 255.255.255.0 U 0 0 0 wg0
10.0.51.2 * 255.255.255.255 UH 0 0 0 wg0
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0.2
192.168.51.0 * 255.255.255.0 U 0 0 0 br-lan
iOS Device:
Wireguard for iOS - 0.0.20190107 (1)
WireGuard Go Backend - 0.0.20181222
# Interface
Name - Profile Name
Private key - kMC...uG4=
Public Key - vpG...NV0=
Addresses - 10.0.51.2/24
Listen Port - 50000
MTU - Automatic
DNS Servers - 192.168.51.1 (Router DNS)
# Peer
Public Key - PAM...Qjk=
Preshared Key - lYD...4F8=
Endpoint - <Router WAN IP address>
Allowed IPs - 0.0.0.0/0
Exclude private IPs - Disabled
Persistent keepalive - 25
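As an added example (not from the post, and not an OpenWrt tool), the following Python lint parses UCI network and firewall text with a minimal constructed parser (not libuci) and flags the four differences between the first attempt and the working config above: an allowed_ips entry with host bits set (10.51.0.2/24, which wg installs as 10.51.0.0/24, exactly as `wg show` printed), the misspelled `config fowrarding` section, no forwarding from the WireGuard zone to lan, and no wan rule accepting UDP on the listen port. The sample config strings are constructed to mirror the first post.

```python
import ipaddress
# Constructed sample mirroring the first (non-working) config in the post.
NETWORK = """
config interface 'wg0'
    option proto 'wireguard'
    option listen_port '50000'
config wireguard_wg0
    list allowed_ips '10.51.0.2/24'
"""
FIREWALL = """
config zone
    option name 'wireguard'
    list network 'wg0'
config fowrarding
    option src 'wireguard'
    option dest 'wan'
"""
FW_SECTIONS = {"defaults", "zone", "forwarding", "rule", "redirect", "include", "ipset"}

def parse_uci(text):
    """Parse UCI text into [(section_type, section_name, {option: [values]})]."""
    sections = []
    for line in text.splitlines():
        parts = line.replace("'", "").split()
        if parts and parts[0] == "config":
            sections.append((parts[1], parts[2] if len(parts) > 2 else "", {}))
        elif parts and parts[0] in ("option", "list") and sections:
            sections[-1][2].setdefault(parts[1], []).append(" ".join(parts[2:]))
    return sections

def lint(network_text, firewall_text):
    """Return findings for the mistakes visible in the post's first attempt."""
    findings, wg_names, ports = [], set(), set()
    for stype, name, opts in parse_uci(network_text):
        if stype == "interface" and opts.get("proto") == ["wireguard"]:
            wg_names.add(name)
            ports.update(opts.get("listen_port", []))
        elif stype.startswith("wireguard_"):
            for cidr in opts.get("allowed_ips", []):
                i = ipaddress.ip_interface(cidr)  # 10.51.0.2/24 -> network 10.51.0.0/24
                if i.ip != i.network.network_address:  # host bits set: the kernel keeps only the network
                    findings.append(f"allowed_ips {cidr} routes {i.network}; use {i.ip}/{i.network.max_prefixlen} for one peer")
    fw = parse_uci(firewall_text)
    zones = {o.get("name", [""])[0] for t, _, o in fw if t == "zone" and set(o.get("network", [])) & wg_names}
    fwd = {(o.get("src", [""])[0], o.get("dest", [""])[0]) for t, _, o in fw if t == "forwarding"}
    findings += [f"unknown firewall section '{t}' (typo?): fw3 silently ignores it" for t, _, _ in fw if t not in FW_SECTIONS]
    findings += [f"no forwarding from zone '{z}' to 'lan': peers cannot reach LAN hosts" for z in zones if (z, "lan") not in fwd]
    for port in ports:
        if not any(t == "rule" and o.get("src") == ["wan"] and o.get("proto") == ["udp"]
                   and o.get("dest_port") == [port] and o.get("target") == ["ACCEPT"] for t, _, o in fw):
            findings.append(f"no wan rule accepting udp/{port}: handshakes from the Internet are dropped")
    return findings
```

Running `lint(NETWORK, FIREWALL)` on the constructed sample reports all four findings; run against the working config from the update it reports none.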