Hello,
I have no luck setting up a WireGuard client on a newly installed OpenWRT using the GUI.
Here is what I have:
Model Linksys EA8300 (Dallas)
Architecture ARMv7 Processor rev 5 (v7l)
Target Platform ipq40xx/generic
Firmware Version OpenWrt 23.05.5 r24106-10cc5fcd00 / LuCI openwrt-23.05 branch git-24.264.56413-c7a3562
Kernel Version 5.15.167
I basically followed the steps from https://www.vpnunlimited.com/help/manuals/open-wrt-wireguard-setup except that to set up the interface (wg) I used a WireGuard conf file that has been verified on an Android WireGuard client.
But no attempt to connect to the Wireguard server is ever made:
Here are the logs:
Fri Jan 3 23:42:22 2025 daemon.notice netifd: Interface 'wg' is now up
Fri Jan 3 23:42:22 2025 daemon.info dnsmasq[1]: reading /tmp/resolv.conf.d/resolv.conf.auto
Fri Jan 3 23:42:22 2025 daemon.info dnsmasq[1]: using nameserver 10.9.9.1#53
Fri Jan 3 23:42:22 2025 daemon.notice netifd: Network device 'wg' link is up
Fri Jan 3 23:42:22 2025 daemon.info dnsmasq[1]: using nameserver 1.1.1.1#53
Fri Jan 3 23:42:22 2025 daemon.info dnsmasq[1]: using nameserver 8.8.8.8#53
Fri Jan 3 23:42:22 2025 daemon.info dnsmasq[1]: using only locally-known addresses for test
Fri Jan 3 23:42:22 2025 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Fri Jan 3 23:42:22 2025 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Fri Jan 3 23:42:22 2025 daemon.info dnsmasq[1]: using only locally-known addresses for local
Fri Jan 3 23:42:22 2025 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Fri Jan 3 23:42:22 2025 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Fri Jan 3 23:42:22 2025 daemon.info dnsmasq[1]: using only locally-known addresses for lan
Fri Jan 3 23:42:23 2025 user.notice firewall: Reloading firewall due to ifup of wg (wg)
Fri Jan 3 23:42:23 2025 daemon.warn odhcpd[1296]: No default route present, overriding ra_lifetime!
What am I missing?
Any help appreciated!
egc
January 4, 2025, 11:09am
2
So you are setting up a WireGuard client to a commercial VPN provider?
To get some more insight, please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
ip route show
wg show
Post your /etc/config/network
for wireguard but redact the keys.
Example from mine:
config interface 'wg0'
option proto 'wireguard'
option listen_port '58120'
list addresses '10.200.200.200/24'
option private_key 'routers private key'
option delegate '0'
config wireguard_wg0
option description 'my phone'
list allowed_ips '10.200.200.201/32'
option route_allowed_ips '1'
option public_key 'phones public key'
option preshared_key 'this is the preshared key'
Here it is, redacted:
root@OpenWrt:~# ubus call system board
{
"kernel": "5.15.167",
"hostname": "OpenWrt",
"system": "ARMv7 Processor rev 5 (v7l)",
"model": "Linksys EA8300 (Dallas)",
"board_name": "linksys,ea8300",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.5",
"revision": "r24106-10cc5fcd00",
"target": "ipq40xx/generic",
"description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
}
}
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd94:f968:1cdb::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config device
option name 'lan1'
option macaddr '58:ef:68:62:b4:e5'
config device
option name 'lan2'
option macaddr '58:ef:68:62:b4:e5'
config device
option name 'lan3'
option macaddr '58:ef:68:62:b4:e5'
config device
option name 'lan4'
option macaddr '58:ef:68:62:b4:e5'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config device
option name 'wan'
option macaddr '58:ef:68:62:b4:e4'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
option peerdns '0'
list dns '1.1.1.1'
list dns '8.8.8.8'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
config interface 'wg'
option proto 'wireguard'
option private_key 'cL+4KEW7-------------------nUemgjN/W7mU='
list addresses '192.168.200.3/32'
list dns '1.1.1.1'
list dns '8.8.8.8'
config wireguard_wg
option description 'keysrouter.conf'
option public_key 'CBYuPU--------------------Kd6usoEbnw='
list allowed_ips '0.0.0.0/0'
option endpoint_host 'xxxx.xxxxxx.com'
option endpoint_port '6xxxxx'
root@OpenWrt:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option filter_aaaa '0'
option filter_a '0'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
option ra_slaac '1'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'w_g'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wg'
config forwarding
option src 'lan'
option dest 'w_g'
config forwarding
option src 'lan'
option dest 'wan'
root@OpenWrt:~# ip route show
default via 10.9.9.1 dev wan src 10.9.9.225
10.9.9.0/24 dev wan scope link src 10.9.9.225
xx.xx.xx.xx via 10.9.9.1 dev wan
192.168.1.0/24 dev br-lan scope link src 192.168.1.1
root@OpenWrt:~# wg show
interface: wg
public key: jFuIDM------------------------5+Mts8i1g=
private key: (hidden)
listening port: 35561
peer: CBYuPUq2g-------------------------6usoEbnw=
endpoint: xx.xx.xx.xx:xxxxx
allowed ips: 0.0.0.0/0
root@OpenWrt:~#
For config wireguard_wg, I think you need to use the IP the provider assigned to you rather than 0.0.0.0/0
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd94:f968:1cdb::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config device
option name 'lan1'
option macaddr '58:ef:68:62:b4:e5'
config device
option name 'lan2'
option macaddr '58:ef:68:62:b4:e5'
config device
option name 'lan3'
option macaddr '58:ef:68:62:b4:e5'
config device
option name 'lan4'
option macaddr '58:ef:68:62:b4:e5'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config device
option name 'wan'
option macaddr '58:ef:68:62:b4:e4'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
option peerdns '0'
list dns '1.1.1.1'
list dns '8.8.8.8'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
config interface 'wg'
option proto 'wireguard'
option private_key 'cL+4--------------------mgjN/W7mU='
list addresses '192.168.200.3/32'
list dns '1.1.1.1'
list dns '8.8.8.8'
config wireguard_wg
option description 'keysrouter.conf'
option public_key 'CBYuP------------------------soEbnw='
list allowed_ips '0.0.0.0/0'
option endpoint_host 'xxx.xxxxxxx.com'
option endpoint_port '6xxxx'
I believe 0.0.0.0/0 is allowed IPs, i.e. everything should go through the VPN. This is normal; I have exactly the same conf on my Android phone WireGuard client and it works. Provider address is endpoint_host.
egc
January 4, 2025, 11:52am
9
Correct.
You have to enable Route Allowed IPs on the peer section of the WG interface
Make sure you also do not have your phone or other WG client active, as only one can be active.
Reboot and let's see wg show
It's been enabled from the start
darksky
January 4, 2025, 11:55am
11
My bad... here is my config section connecting wg2 to my commercial vpn:
config interface 'wg2'
option proto 'wireguard'
option private_key 'provider assigned private key'
list addresses 'provider assigned IP'
list dns 'provider assigned DNS'
option defaultroute '0'
option delegate '0'
option auto '0'
config wireguard_wg2
option description 'my client'
option preshared_key 'provider assigned psk'
option endpoint_host 'www.provider.com'
option endpoint_port '51280'
list allowed_ips '0.0.0.0/0'
option persistent_keepalive '0'
option route_allowed_ips '1'
egc
January 4, 2025, 11:56am
12
Just click EDIT on the PEER section of the Wireguard interface and Enable/tick Route Allowed IPs
You might also set Persistent Keep Alive to 25
I've just done that. Nothing changed, unfortunately
egc
January 4, 2025, 12:06pm
14
Have you done a reboot ?
Please let's see:
cat /etc/config/network
cat /etc/config/firewall
wg show
Hey, it just started working! Keep Alive and Route Allowed IPs did the trick!
Why were they not set by default?!
Thank you very much!
egc
January 4, 2025, 12:11pm
16
Great you got it solved. Do not know why it is not default; I think it is a good idea though.
If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!
mk24
January 4, 2025, 12:13pm
17
First, there can't be multiple connections using the same client private key. If you're copying the configuration from another device you have to prevent that device from trying to connect at the same time.
Neither of these configurations is complete.
The interface section needs:
proto wireguard
your private_key
IP address (/24)
The peer section needs:
their public_key
preshared_key (if used)
endpoint_host and endpoint_port
allowed_ips (usually 0.0.0.0/0 to access the whole Internet via VPN)
route_allowed_ips 1
persistent_keepalive not zero (25 is typical)
Usually a client is allowed to choose a random listen_port. Their instructions tell you to use a particular port; perhaps they firewall others.
DNS is another whole can of worms. For now leave the list dns out until you get the basic connection up. The system's DNS should be one that can be reached through the tunnel, that means don't use the ISP's DNS.
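The checklist above and the fix earlier in the thread (Route Allowed IPs plus a keepalive) can be turned into a quick sanity check of the peer section in /etc/config/network. This is an added example, not code from the thread or from OpenWrt; the sample config is constructed from the one posted above with placeholder keys and a placeholder endpoint, and the check reports exactly the options that were missing at the start of the thread.

```sh
#!/bin/sh
# check_wg_peer FILE IFACE: inspect the "config wireguard_IFACE" peer section of a UCI
# network config. Prints one line per problem; exit status 0 only when the peer is complete.
check_wg_peer() {
    awk -v iface="$2" '
        function val(s) { gsub(q, "", s); return s }          # strip UCI single quotes
        BEGIN { q = sprintf("%c", 39); want = "wireguard_" iface }
        $1 == "config" { in_peer = ($2 == want); if (in_peer) seen = 1 }
        in_peer && $2 == "public_key"           { pub  = val($3) }
        in_peer && $2 == "endpoint_host"        { host = val($3) }
        in_peer && $2 == "endpoint_port"        { port = val($3) }
        in_peer && $2 == "allowed_ips"          { aip  = aip " " val($3) }
        in_peer && $2 == "route_allowed_ips"    { route = val($3) }
        in_peer && $2 == "persistent_keepalive" { keep = val($3) }
        END {
            if (!seen) { print "no " want " section found"; exit 1 }
            rc = 0
            if (pub == "")  { print "peer: public_key missing"; rc = 1 }
            if (host == "" || port == "") { print "peer: endpoint_host/endpoint_port missing"; rc = 1 }
            if (aip == "")  { print "peer: allowed_ips missing"; rc = 1 }
            if (route != "1") { print "peer: route_allowed_ips is not 1, so nothing is routed into the tunnel"; rc = 1 }
            if (keep == "" || keep == "0") { print "peer: persistent_keepalive unset or 0, use 25 behind NAT"; rc = 1 }
            exit rc
        }' "$1"
}

# Constructed sample: the peer section as first posted in this thread (placeholders for secrets).
BROKEN_CFG=$(mktemp)
cat > "$BROKEN_CFG" <<'EOF'
config interface 'wg'
        option proto 'wireguard'
        option private_key 'PLACEHOLDER_PRIVATE_KEY'
        list addresses '192.168.200.3/32'

config wireguard_wg
        option description 'keysrouter.conf'
        option public_key 'PLACEHOLDER_PEER_PUBLIC_KEY'
        list allowed_ips '0.0.0.0/0'
        option endpoint_host 'vpn.example.invalid'
        option endpoint_port '51820'
EOF

# Same config with the two options the thread ended up needing. On a router the uci equivalent is:
#   uci set network.@wireguard_wg[0].route_allowed_ips='1'
#   uci set network.@wireguard_wg[0].persistent_keepalive='25' && uci commit network
FIXED_CFG=$(mktemp)
{ cat "$BROKEN_CFG"
  printf "        option route_allowed_ips '1'\n        option persistent_keepalive '25'\n"; } > "$FIXED_CFG"

if check_wg_peer "$BROKEN_CFG" wg; then echo "original config: ok"; else echo "original config: fix the lines above"; fi
if check_wg_peer "$FIXED_CFG" wg; then echo "fixed config: ok"; fi
```

Against a live router, run check_wg_peer /etc/config/network wg and, after fixing, confirm with wg show that the peer now reports a latest handshake.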