[Solved] WireGuard config

Good night,

So, I have been trying to set up WireGuard. As far as I know I’m following the official tutorial correctly, but I can’t seem to get WG working :frowning:

ubus call system board
{
        "kernel": "6.6.119",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "Zyxel EX5601-T0 ubootmod",
        "board_name": "zyxel,ex5601-t0-ubootmod",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.5",
                "revision": "r29087-d9c5716d1d",
                "target": "mediatek/filogic",
                "description": "OpenWrt 24.10.5 r29087-d9c5716d1d",
                "builddate": "1766005702"
        }
}

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'REDACTED'
        option packet_steering '2'
        option steering_flows '128'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option norelease '1'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'REDACTED'
        option listen_port '51820'
        list addresses '10.0.0.1/24'

config wireguard_wg0
        option public_key 'REDACTED'
        option private_key 'REDACTED'
        option description 'MyPhone'
        list allowed_ips '10.0.0.10/32'
        option persistent_keepalive '25'

cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config forwarding
        option dest 'wan'

config forwarding
        option src 'lan'

config forwarding
        option dest 'wan'

config forwarding
        option src 'lan'

config zone
        option name 'Wireguard'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'wg0'

config forwarding
        option src 'wan'
        option dest 'Wireguard'

config rule
        option src 'wan'
        option name 'Wireguard-incoming'
        list proto 'udp'
        option dest_port '51820'
        option target 'ACCEPT'

On my phone I just imported the generated config via the QR code:

[Interface]
PrivateKey = REDACTED
Address = 10.0.0.10/32
# ListenPort not defined
DNS = 192.168.1.1

[Peer]
PublicKey = REDACTED
# PresharedKey not used
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = REDACTED:51820
PersistentKeepAlive = 25

I have tried this a couple of times now and followed some video tutorials that got way too complicated at the firewall step (because they were from like 2021 and I suspect things have changed since then). Maybe I have some remnant from previous tries that is breaking WireGuard?

Thanks for your time, best regards!

A few things come to mind as potential issues. You do have some config errors:

Delete all of this:

And delete this:

Remove masquerading from here:

And you'll want to add forwarding...

  • If the remote WG peers are fully trusted and should have access to your lan as well as the internet via the tunnel, you can simply delete the above wireguard zone and then add network wg0 to the lan firewall zone.
  • If the WG peers are not fully trusted and should only get to the internet, add a forwarding stanza like this:
config forwarding
        option src 'Wireguard'
        option dest 'wan'

Next, you need to make sure you have a public IP on your OpenWrt wan. What are the first two octets (in bold: aaa.bbb.ccc.ddd) of the following: ifstatus wan | grep address

And finally, let's make sure your WG interface is running properly:

wg show

Thanks for the quick reply.

I will try all your suggestions tomorrow, it's a bit late today.

Just to keep you/everyone in the loop, I rebooted my router and without changing any of my initial settings WG0 connected and I can access my router page (192.168.1.1) while on 4G, but only that address loads, no internet working, and no other devices are accessible.

To partially reply, the first octets are 188.82.x.y.

And you'll want to add forwarding...

  • If the remote WG peers are fully trusted and should have access to your lan as well as the internet via the tunnel, you can simply delete the above wireguard zone and then add network wg0 to the lan firewall zone.

  • If the WG peers are not fully trusted and should only get to the internet, add a forwarding stanza like this:

Regarding the above quote, can you explain how I can add the wg0 network to the lan firewall zone? Sorry for being a bit dense..

And since you explain it so well, I would love to have some WG peers that can only access a specific IP (my server, with IP 192.168.1.10, and if it could be narrowed down to just port 8096 even better, to share Jellyfin with them), and some WG peers with full network access. Is it possible to achieve such a tiered solution?

And again, thanks for your time and knowledge. Best regards!

This is good. It means your WG interface is working, obviously. The restart was probably what fixed the initial issue -- you need to restart the Wireguard interface after you add each peer... restarting the router does that, too.

That is because you don't have the right forwards set up currently.

Good, that's a public IP.

Based on this, I'd recommend keeping WG in its own zone.

The forwards are:

config forwarding
        option src 'Wireguard'
        option dest 'wan'

config forwarding
        option src 'Wireguard'
        option dest 'lan'

Later, you can set up the more granular allowances for the WG peers as needed.
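A check that can be run on the posted firewall file before and after the edits in the two replies above, as an added example that is not from the thread or from OpenWrt: a POSIX sh/awk script that parses the UCI stanzas and flags the problems named in the first reply (forwarding stanzas with no src or dest, masq on the WireGuard zone, the forwarding from wan into the Wireguard zone) and then verifies the two forwards from the second reply, from the zone holding wg0 to wan and to lan. The two embedded configs are constructed abbreviations of the posted one (the original plus the recommended fixes); the script name fwlint.sh is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread or OpenWrt: lint a /etc/config/firewall
# dump for the mistakes discussed above. Usage:
#   sh fwlint.sh /etc/config/firewall     (no argument: lint the samples below)

# Parse UCI stanzas and report:
#   ERROR  forwarding stanza lacking src or dest (applies to nothing useful)
#   WARN   masq '1' on a zone other than wan (NAT belongs on the wan zone only)
#   WARN   forwarding whose src is wan (lets unsolicited WAN traffic into a zone)
#   ERROR  the zone containing network wg0 has no forwarding to wan / to lan
lint_firewall() {
    awk '
    function flush(   k) {
        if (type == "forwarding") {
            if (!("src" in o) || !("dest" in o))
                print "ERROR stanza " n ": forwarding is missing src or dest"
            else {
                fwd[o["src"] "->" o["dest"]] = 1
                if (o["src"] == "wan")
                    print "WARN  stanza " n ": forwarding from wan into " o["dest"]
            }
        } else if (type == "zone") {
            if (o["masq"] == "1" && o["name"] != "wan")
                print "WARN  stanza " n ": zone " o["name"] " has masq 1"
            if (o["network"] ~ /(^| )wg0( |$)/) wgzone = o["name"]
        }
        for (k in o) delete o[k]
        type = ""
    }
    $1 == "config" { flush(); type = $2; n++ }
    $1 == "option" || $1 == "list" {
        v = $0
        sub(/^[ \t]*(option|list)[ \t]+[^ \t]+[ \t]+/, "", v)
        gsub("\047", "", v)                 # strip the single quotes
        if ($1 == "list" && ($2 in o)) o[$2] = o[$2] " " v   # list -> "a b c"
        else o[$2] = v
    }
    END {
        flush()
        if (wgzone == "") { print "ERROR no zone contains network wg0"; exit }
        key = wgzone "->wan"; if (!(key in fwd)) print "ERROR no forwarding " key
        key = wgzone "->lan"; if (!(key in fwd)) print "ERROR no forwarding " key
    }' "$1"
}

# Constructed sample 1: the stanzas from the original post that the first
# reply says to delete or change (unrelated stanzas omitted).
write_broken_config() {
    cat > "$1" <<'EOF'
config zone
        option name 'lan'
        list network 'lan'
config zone
        option name 'wan'
        option masq '1'
        list network 'wan'
        list network 'wan6'
config forwarding
        option src 'lan'
        option dest 'wan'
config forwarding
        option dest 'wan'
config forwarding
        option src 'lan'
config zone
        option name 'Wireguard'
        option masq '1'
        list network 'wg0'
config forwarding
        option src 'wan'
        option dest 'Wireguard'
EOF
}

# Constructed sample 2: the same zones after the fixes (masq only on wan, no
# orphan forwardings, WireGuard zone forwards to wan and to lan).
write_fixed_config() {
    cat > "$1" <<'EOF'
config zone
        option name 'lan'
        list network 'lan'
config zone
        option name 'wan'
        option masq '1'
        list network 'wan'
        list network 'wan6'
config forwarding
        option src 'lan'
        option dest 'wan'
config zone
        option name 'Wireguard'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wg0'
config forwarding
        option src 'Wireguard'
        option dest 'wan'
config forwarding
        option src 'Wireguard'
        option dest 'lan'
EOF
}

# Number of findings at one level (ERROR or WARN) for a config file.
count_findings() {
    lint_firewall "$1" | grep -c "^$2" || true
}

if [ $# -ge 1 ]; then
    lint_firewall "$1"
else
    tmp=$(mktemp)
    for w in write_broken_config write_fixed_config; do
        "$w" "$tmp"
        echo "== $w: $(count_findings "$tmp" ERROR) error(s), $(count_findings "$tmp" WARN) warning(s)"
        lint_firewall "$tmp"
    done
    rm -f "$tmp"
fi
```

The script only reads the file (a copy of /etc/config/firewall, or the output of uci export firewall). Applying the fixes is still done with uci, followed by a firewall restart, and as noted above the WireGuard interface has to be restarted after peers are added.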

This is how I do it, maybe it is helpful:
WireGuard Server Setup Guide

Finally got some time to tackle this again.

So, I just needed to fix my firewall config like psherman said and it all works fine now!

I will read the suggested PDF, but it seems a bit more complex than I was expecting. Thanks for the info nonetheless.

Best regards to all that helped me!


Glad it's working now.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:
