[solved] Wireguard config for noobies

First of all, this thread is about WireGuard; if this is the wrong forum please move it.
I was following this guide since it seems the most up to date and to the point for my use case:
https://casept.github.io/post/wireguard-server-on-openwrt-router/
but I can't connect and I don't know why. From what I can see everything seems fine on the router side, so my guess is that I'm doing something wrong on the Android device... or maybe because I'm not really trying to connect from the outside? I'm not sure, but apparently those instructions include a firewall zone to allow connections from anywhere... I never see any RX/TX on the wg0 interface on the router, so I'm guessing that the problem is in WireGuard and not in the routing afterwards. Maybe I'm screwing up when exchanging keys? If I understand the key exchange correctly, the private keys are never exchanged and only the public keys need to cross... Since the guide is pretty much complete on the LEDE side, I'm going to go through option by option on the Android side to see if I set any field wrongly:
interface:
-name: any I like
-private key and public key: press generate and leave the generated value (I copy the public key to the peer section on the router, is that correct?)
-address: 192.168.1.81/32 (it's a free address on my router subnet, totally sure there are no conflicts here; it's also different from the address set on the interface on the router, which I have set to 192.168.1.80, is that correct?)
-port and MTU: left blank
-DNS server: 192.168.1.1 (router DNS, of course)

peer:

  • public key: I copy here the public key generated on the router during the guide, NOT the private one shown on the interface
  • pre-shared key: left blank
  • allowed IPs: 0.0.0.0/0, ::/0 (if I understand the process correctly this makes any IP allowed, so it allows the one set on the interface on the router)
  • exclude private IPs: not checked
  • endpoint: this is the IP on the WAN side of the router; I tested both the IPv4 and the domain I have from a DDNS, and I also tried 192.168.1.1, all attempts adding :1234
  • keepalive: I set this at 25 since it's suggested in several guides, but IMO it's not important since I'm not losing the connection after a time, I'm not connecting at all

I tested this inside my network on all attempts; the interface is enabled on the Android client and I have the key icon in the status bar. I always save after changing anything too. I try any site on Firefox and also the router IP; as said before, I've never managed to get any RX/TX on the wg interface on the router...

Hope anyone can help me, and thanks in advance...

Also, where can I make a feature request for the WireGuard package? (I would suggest the option to generate and show both keys from the WireGuard interface creation UI, and the option to generate either the wg.conf, to easily set up the keys and IPs on other devices, and/or the QR code, to make it even easier for noobies like me to set this all up :smiley:) (but at least the .conf file will help anyone, even expert people, to streamline)

Some Wireguard concepts:

Address - the virtual address used by the VPN. All endpoints must have Address configured in the same subnet, otherwise they cannot talk to each other.

Port - At least one of the two endpoints must have a listen port defined, otherwise how will the other endpoint know what to connect to? You can specify a listen port on each endpoint, if you wish, but you must specify a listen port on at least one.

Endpoint - the real, public IP address of the other device. If the other device is behind NAT, you may have to configure some port-forwarding.

Allowed IPs: which IP addresses will be sent across the VPN from this endpoint? If you set Allowed IPs to 0.0.0.0/0 on an endpoint then that endpoint will try to send all traffic across the VPN. If you set Allowed IPs to the same subnet as Address, then only the VPN-specific IP addresses will be routed across the VPN. You can mix and match to your heart's content, depending on which traffic you want to traverse the VPN.

wg0 traffic sniffing: you'll only see traffic on wg0 (or whatever you called it) after the VPN is up. Instead, sniff your WAN interface for incoming traffic on the WireGuard listen port. If your WAN interface isn't receiving traffic, then the VPN will never be established.

Here is a minimal configuration for a "client-server" scenario. Note: all WireGuard VPNs are peer-to-peer, but some configuration items are optional which allows for the concept of "client-server".

config interface 'foo'
	option proto 'wireguard'
	option private_key 'xxxx'
	option listen_port '51820'
	list addresses '10.0.0.1'

config wireguard_foo
	option public_key 'yyyy'
	list allowed_ips '10.0.0.2/24'

This is for the "server". The server's private key is explicitly configured. The corresponding public key is implied and calculated on the fly. The server's listen port is configured. The virtual IP address for the VPN is configured. Then, the next section defines the "client" - the other peer. At a minimum, it defines the client's public key (derived from the client's private key, as you've already worked out) and the client's VPN virtual IP address/subnet. The "client's" public IP address is unknown, which is what gives the "client-server" scenario.

Here is a more complete configuration, for a site-to-site/peer-to-peer VPN:

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'this endpoint's private key'
	option listen_port '51280'
	list addresses '192.168.71.5'

config wireguard_wg0
	option public_key 'other endpoint's public key'
	list allowed_ips '192.168.71.0/24'
	list allowed_ips '192.168.68.0/24'
	option route_allowed_ips '1'
	option endpoint_host 'other endpoint's IP address'
	option endpoint_port '51280'
	option persistent_keepalive '25'
	option description 'other endpoint's description'
	option preshared_key 'pre-shared key'

In this configuration both endpoint IP addresses are defined, so if the other endpoint attempts to connect from a different IP address it won't work.

I'm going to post my network and firewall settings on LEDE to see if you can see any mistake, to at least rule that out. I'm only posting the part related to wg and removing the keys; the IPs/ports and all other info are an exact copy:

/etc/config/network
config interface 'wg0'
option proto 'wireguard'
option private_key 'xxxxx'
option listen_port '1234'
list addresses '192.168.1.80'

config wireguard_wg0
option public_key 'yyyyy'
option route_allowed_ips '1'
list allowed_ips '0.0.0.0/0'
list allowed_ips '::/0'
option persistent_keepalive '25'
option description 'wgcelugabi'

xxxxx is of course unique and yyyyy is copied from the interface public key on the Android device

/etc/config/firewall
config rule
option src '*'
option target 'ACCEPT'
option proto 'udp'
option dest_port '1234'
option name 'Allow-Wireguard-Inbound'

config zone
option name 'wg'
option input 'ACCEPT'
option forward 'ACCEPT'
option output 'ACCEPT'
option masq '1'
option network 'wg0'

config forwarding
option src 'wg'
option dest 'wan'

config forwarding
option src 'wg'
option dest 'lan'

config forwarding
option src 'lan'
option dest 'wg'

config forwarding
option src 'wan'
option dest 'wg'

My use case is client-server, with the server being the router with LEDE and 2 Android phones as clients, maybe a 3rd at some point in the future. I have no idea how to sniff on the WAN side, or if there are other suggestions, but if you point me in the right direction I'll google/try anything. Thank you very much in advance for any help :smiley:

If I make a mistake on any of the keys, should I see RX/TX on the interface anyway even if the packets are dropped? Because I checked the keys several times, but sometimes an l (lowercase L) can look like an I (uppercase i) or 0 (zero) like O (uppercase o), and there are other similar possible mistakes.

Well, I keep trying things and I get this on the router:
ping 192.168.1.81
PING 192.168.1.81 (192.168.1.81): 56 data bytes
64 bytes from 192.168.1.81: seq=0 ttl=64 time=152.518 ms
64 bytes from 192.168.1.81: seq=1 ttl=64 time=177.939 ms
64 bytes from 192.168.1.81: seq=2 ttl=64 time=1836.645 ms
The numbers seem a bit high, but let's ignore that for a second. I'm sure it's "working", at least from the LEDE point of view, because as soon as I turn off the wg interface on the Android device the pings stop going through. Any idea of what can be wrong? And why, even if the pings go through, am I still not seeing any TX/RX on the WireGuard interface on LEDE?
I'm sure it's not pinging itself, because I actually tried to ping the LEDE wg interface and it gives me far faster pings, and also no matter whether I turn the interface on Android on or off it keeps going...

See my previous comment regarding 0.0.0.0/0.

That directive, if on your OpenWRT router, tells your router to send all traffic from the router through the Android device. In short, your Android device becomes your router's next hop. In a client-server scenario, are you absolutely sure you want to do that?

In a client-server configuration, you would normally configure the client, not the server, to send all traffic through the VPN. And you could do that by configuring Allowed IPs on the Android app to 0.0.0.0/0.

Your ping test suggests that you've configured the VPN correctly, in as much as you can get two discrete, unrelated interfaces to talk to each other. So that's some good news. As for the response times, cellular data is slow. Ignore the guff from the mobile providers; mobile data is slow compared to Ethernet.

As for sniffing traffic, you'll need to install the package "tcpdump". An example of a command to see traffic might be tcpdump -ni wg0 to see all traffic going across the VPN, or tcpdump -ni wg0 host 192.168.1.80 to see all traffic to or from 192.168.1.80. If you wanted to see traffic on your WAN interface, you could use tcpdump -ni eth0 (assuming your WAN interface is eth0 - change it to suit your specific configuration). There are many other permutations of options for tcpdump; you can experiment freely.
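As an added example (not from this thread, OpenWrt or the WireGuard project), a small Python linter for the router-side UCI config that checks the two things raised above: key strings that are not 44 base64 characters (the l/I and 0/O confusion mentioned earlier) and a peer section that routes 0.0.0.0/0 or ::/0 from the router side. The sample config and FAKE_KEY are constructed, and the key check is a format check only, not a check that the key is a cryptographically valid WireGuard key.

```python
import base64
import ipaddress
import re

# Constructed sample in the thread's UCI layout, placeholder keys: the peer
# section routes 0.0.0.0/0 and ::/0 via the phone, the mistake discussed above.
ROUTER_NETWORK = """config interface 'wg0'
option proto 'wireguard'
option private_key 'xxxxx'
option listen_port '1234'
list addresses '192.168.1.80/32'
config wireguard_wg0
option public_key 'yyyyy'
option route_allowed_ips '1'
list allowed_ips '0.0.0.0/0'
list allowed_ips '::/0'
"""
# Constructed key with the right shape (32 bytes, base64); not a real key.
FAKE_KEY = base64.b64encode(bytes(range(32))).decode()

def parse_uci(text):
    """Parse UCI text into (section_type, {name: [values]}) pairs, in order."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?", line)
        if m and m.group(1) == "config":
            sections.append((m.group(2), {}))
        elif m and sections:
            sections[-1][1].setdefault(m.group(2), []).append(m.group(3))
    return sections

def key_is_valid(key):
    """Format check only: a WireGuard key is 32 bytes, i.e. 44 base64 characters."""
    try:
        return len(key) == 44 and len(base64.b64decode(key, validate=True)) == 32
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False

def lint_server_config(text):
    """Findings for a router acting as the WireGuard 'server' for phone clients."""
    findings = []
    for sect, opts in parse_uci(text):
        if sect == "interface" and opts.get("proto") == ["wireguard"]:
            if not key_is_valid(opts.get("private_key", [""])[0]):
                findings.append("interface: private_key is not 44 base64 chars (check l/I, 0/O)")
        elif sect.startswith("wireguard_"):
            if not key_is_valid(opts.get("public_key", [""])[0]):
                findings.append(f"{sect}: public_key is not 44 base64 chars (check l/I, 0/O)")
            nets = [ipaddress.ip_network(a, strict=False) for a in opts.get("allowed_ips", [])]
            if any(n.prefixlen == 0 for n in nets) and opts.get("route_allowed_ips") == ["1"]:
                findings.append(f"{sect}: routes 0.0.0.0/0 or ::/0, making this peer the router's next hop")
            for n in nets:
                if 0 < n.prefixlen < n.max_prefixlen:
                    findings.append(f"{sect}: {n} covers a subnet; a single client should get a host route")
    return findings
```

Run it against the real file with `lint_server_config(open("/etc/config/network").read())` on a machine that has Python; the sample above yields three findings, and swapping in well-formed keys and a /32 and /128 host route for the phone yields none.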

Well, I removed those 2 lines from the network file and restarted the network, and it didn't solve the issue. What did solve the issue was to also remove the 0.0.0.0/0 on the peer on the phone and set the wg IP of LEDE (192.168.1.80/32); now I have a connection and, thanks to your suggestion, a saner network, BUT I still see no RX/TX on the wg interface in LuCI. Then I decided to dig into the issue and I found this in ifconfig:

wg0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:192.168.1.80 P-t-P:192.168.1.80 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MTU:1420 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:10587 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

0 RX but 10k TX errors? I'm browsing correctly on the phone; something smells really fishy here, the number goes up as I open pages on the phone... now I'm not sure if I'm really using the secure tunnel or the packets are slipping through somehow.

Easy enough to test. Use tcpdump to sniff traffic on all of your router's interfaces in turn, including the WireGuard interface, and observe the flow of the traffic.

DNS lookups happen on port 53. You can also see traffic on other ports, e.g. 80 (HTTP) and 443 (HTTPS). You can see the origin and destination addresses and work out whether or not your traffic is using the VPN.

root@OpenWrt:~# tcpdump -ni wg0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wg0, link-type RAW (Raw IP), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
root@OpenWrt:~# tcpdump -ni wg0 host 192.168.1.80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wg0, link-type RAW (Raw IP), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

but still the phone can browse all the time, so I screwed it up somehow somewhere. The phone is actually connected to my home WiFi, not the cellphone provider network; does that make any difference? Also it was unable to browse anything when I turned off the WireGuard phone app interface... In the meantime I'm going to remove everything wg related and test again tomorrow, since I need to leave in a few minutes...

If the phone and router are on the same network, then WireGuard (or any VPN, really) is pointless. Unless you're in a super-secure corporate or government location, a LAN-based VPN is rather, um, extreme.

However, you can still test it, and verify if you've configured it correctly, by telling your phone to connect to your router's LAN interface instead of the WAN interface. By default WireGuard listens on all interfaces. Make sure your router's firewall is configured with appropriate rules to allow traffic flow between the LAN and WireGuard zones.

Yeah, I know that. My idea is to set up WireGuard to access my TV shows/music on the Samba share on my NAS when I'm travelling; AFAIK it's a VERY bad idea to expose anything Samba on the internet... but of course when setting something up you want to test it before actually using it... I'll do more tests tomorrow

Unless you have a crippling data plan from your provider, just turn off WiFi on your phone and test it as if you're travelling. Then you can test it - and troubleshoot it - with live configuration details instead of having to do a "proof of concept" whose details will only change anyway.

So I'm getting to this again since I can reboot the router as many times as I want atm, and I decided to start from scratch and keep it simple and add extras later, testing every step. Doing this addition to the network file

and restarting, I'm able to connect. I still don't see any RX/TX either in LuCI or in ifconfig, but I'll keep that on hold for now since I'm getting traffic correctly. I can't actually test the connection from outside (and yeah, the cellphone provider is mega restricting in this shitty country, BUT I get WiFi on the metro/train so I was planning to use that with WireGuard, you get the idea), but I was wondering: other guides also suggest creating a firewall zone, and a different guide I see here says to simply add the wg interface to the lan zone. For my use case that seems the easier solution, but is it needed at all? Also, since WireGuard is on the router itself, do I also need to open a port for the service to work, or can it handle the port opening itself, being on the same device? Thanks in advance for any help :smiley:

Your choices for firewall zones will depend on your use case. In my use case I specifically put the VPN in a separate zone and use the firewall to govern which traffic I'm willing to permit. Decide what you want to allow, then base your configuration on that choice.

As for allowing the connection from the outside, the default OpenWRT configuration will block unsolicited connections from the WAN. If you haven't changed that, then you'll need to allow an inbound connection on the WireGuard port. If you're configuring with LuCI, if you omit the destination zone then it will default to the destination being the router. If you're configuring on the command line, omit the "option dest" directive.

Setting it as part of the lan zone, I can set any rule on that lan zone and it will also apply to WireGuard, I'm guessing, right? This is a home network, so usually I try to keep things simple, so placing WireGuard in the lan zone is enough for me; after all, if the device already has the keys it's because I trusted the device when copying the key myself...
So, for my use I'm gonna place WireGuard in the lan zone and also open the port, and report later today or tomorrow about the TX/RX weird thing (which is probably related to the fact that I'm testing it from inside the network and maybe there is some forwarding rule acting before WireGuard)

So I was still unable to get RX/TX and also I was unable to actually connect from outside (so it wasn't actually using the wg interface apparently; luckily from outside I wasn't getting any packet through, so apparently security wasn't compromised) and I wasn't sure why. I was using @iplaywithtoys' first super simple setup and it didn't work until I set the /32 on both IP addresses (I also set "0.0.0.0/0, ::/0" on the Android client in the peer section for allowed IPs). Now I have what seems a working setup (with RX/TX and all) BUT I may have a small problem in the future: my WAN IPv4 is probably not fixed, and I have a DDNS client set on my router and it's working fine; if I access the address it goes to my IP and all, but if I use that address in the Android client endpoint field I get no traffic at all. I know that this is totally NOT RELATED to OpenWrt, but maybe someone can give me some tips on what to do in this situation. As an example I was thinking, do ISPs usually give static IPv6 nowadays? If I understand correctly the information provided by the router, I get an IPv6 PD of /64; assuming my IPv6 is static (not sure yet if it's an industry standard; if I understand IPv6 correctly my ISP needs to be super cheap and shitty not to give me a static PD, to the point of making its own job more complex just because), can I set the router with the external ipv6:port and my problem is solved?

If you're worried about your IPv4 address changing, then a dynamic DNS provider might be useful.

As for IPv6, I haven't yet played with WireGuard and IPv6 so can't offer specific advice there.

Yeah, I actually have a DynDNS with Dynu; I have it set to update on the same router and all, but when I use the DDNS address instead of the IP in the endpoint field on the phone, the problem is that it doesn't work and I don't know why; the IP address works fine... (and again, I totally know it's some issue with the Android client and totally NOT RELATED to OpenWrt, maybe someone had the same problem and could help)

Are you testing this hostname from inside your network, or outside?

You have to test the hostname from outside of your network, likely.