ivamar
January 17, 2021, 10:37am
Hi guys,
I'm trying to set up WireGuard. I tried so many configurations that I'm sure it's messy now.
The handshake works.
config interface 'vpn'
	option proto 'wireguard'
	option private_key 'xxxxxxx'
	option listen_port '51820'
	option delegate '0'
	list addresses '10.5.0.1/24'

config wireguard_vpn 'wireguard_laptop'
	option public_key 'xxxx'
	option preshared_key 'xxxxx'
	list allowed_ips '10.5.0.2/32'

config wireguard_vpn 'wireguard_phone'
	option public_key 'xxxxx'
	option preshared_key 'xxxxx'
	list allowed_ips '10.5.0.3/32'
The handshake is done and transfer seems to work, but I have no internet or local network access.
My network is 192.168.0.1/24.
First I tried the lan firewall and made a traffic rule to allow from wan to this device, like the OpenWrt guide said.
config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'
	option dest 'wireguard'

config zone
	option name 'wireguard'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'vpn'

config forwarding
	option src 'wireguard'
	option dest 'lan'
Thanks for any help.
trendy
January 17, 2021, 11:39am
You need a forwarding wireguard -> wan in the firewall.
And in the clients (not in OpenWrt!!!) configure allowed IPs 0.0.0.0/0, and also route them.
ivamar
January 17, 2021, 11:51am
I added

config forwarding
	option src 'wireguard'
	option dest 'wan'
It's not working.
All my clients have all IPs allowed. What do you mean by "route them"?
faser
January 17, 2021, 12:04pm
When you configure allowed IPs as 0.0.0.0/0 on your client, it will automatically create a route that routes all traffic through the WireGuard interface.
ivamar
January 17, 2021, 12:21pm
OK, I read the WireGuard docs again.
This is my config for the laptop and mobile phone. It works now.
/etc/config/network
config interface 'vpn'
	option proto 'wireguard'
	option private_key 'xxx'
	option listen_port '51820'
	option delegate '0'
	list addresses '10.0.5.1/24'

config wireguard_vpn 'wireguard_laptop'
	option public_key 'xxx'
	option preshared_key 'xxx'
	list allowed_ips '10.0.5.2/32'
	option description 'laptop'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

config wireguard_vpn 'wireguard_phone'
	option public_key 'xxx'
	option preshared_key 'xxx'
	list allowed_ips '10.0.5.3/32'
	option description 'phone'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
/etc/config/firewall
config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'wireguard'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'vpn'

config forwarding
	option src 'wireguard'
	option dest 'lan'

config forwarding
	option src 'wireguard'
	option dest 'wan'
Thank you.
ivamar
January 17, 2021, 1:48pm
Addition:
Another possible solution that works: just put the vpn interface in the lan firewall zone.
config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan vpn'
This makes the following obsolete:
config zone
	option name 'wireguard'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'vpn'

config forwarding
	option src 'wireguard'
	option dest 'lan'

config forwarding
	option src 'wireguard'
	option dest 'wan'
Maybe this config helps someone too.
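The replies above settle three things: the server side needs route_allowed_ips and a /32 per peer, the client side needs AllowedIPs (0.0.0.0/0 for a full tunnel, or just the tunnel and LAN prefixes for split tunnelling), and wg-quick derives the routes from AllowedIPs automatically. The script below is an added example, not code from the thread or from OpenWrt: it builds the OpenWrt peer sections and the matching wg-quick client configs from one peer table, so the two sides cannot drift apart, and it refuses a table in which two peers share a tunnel address (WireGuard gives overlapping allowed_ips to the peer added last, so the other peer silently stops receiving traffic). All keys, the endpoint name and the peer names are placeholders and assumptions; the addresses and options follow the working config in post 5. The firewall rule, zone and forwardings are not generated here and stay exactly as posted in post 5.

```shell
#!/bin/sh
# Added example, not from the thread: build the OpenWrt peer sections and the
# matching wg-quick client configs from one peer table, and refuse two peers
# that share a tunnel address. Keys, endpoint and peer names are placeholders
# (assumptions); addresses follow post 5. Firewall config stays as in post 5.

TUNNEL_NET="10.0.5.0/24"                          # from post 5
SERVER_ADDR="10.0.5.1"
SERVER_PORT="51820"
LAN_NET="192.168.0.0/24"                          # the poster's LAN (post 1)
SERVER_PRIVKEY="SERVER_PRIVATE_KEY_PLACEHOLDER"   # assumption: 'wg genkey' output
SERVER_PUBKEY="SERVER_PUBLIC_KEY_PLACEHOLDER"     # assumption: 'wg pubkey' output
ENDPOINT="vpn.example.invalid"                    # assumption: router's WAN name/IP

# Constructed peer table: name  public_key  preshared_key  tunnel_ip
PEERS='
laptop LAPTOP_PUBKEY_PLACEHOLDER LAPTOP_PSK_PLACEHOLDER 10.0.5.2
phone  PHONE_PUBKEY_PLACEHOLDER  PHONE_PSK_PLACEHOLDER  10.0.5.3
'

# Fail if a peer address is outside the tunnel /24, equals the router's
# address, or is listed twice. Optional argument: a peer table to check.
check_peers() {
    peers=${1:-$PEERS}
    prefix=${TUNNEL_NET%.*}                       # "10.0.5" (assumes a /24)
    seen=" "
    while read -r name pubkey psk ip; do
        [ -n "$name" ] || continue
        case "$ip" in
            "$prefix".*) ;;
            *) echo "peer $name: $ip is outside $TUNNEL_NET" >&2; return 1 ;;
        esac
        [ "$ip" != "$SERVER_ADDR" ] || { echo "peer $name: $ip is the router" >&2; return 1; }
        case "$seen" in *" $ip "*) echo "peer $name: $ip used twice" >&2; return 1 ;; esac
        seen="$seen$ip "
    done <<EOF
$peers
EOF
}

# Emit 'uci batch' input for a fresh vpn interface plus one wireguard_vpn
# section per peer, with the options that made post 5 work (add_list appends).
server_uci_batch() {
    cat <<EOF
set network.vpn=interface
set network.vpn.proto='wireguard'
set network.vpn.private_key='$SERVER_PRIVKEY'
set network.vpn.listen_port='$SERVER_PORT'
set network.vpn.delegate='0'
add_list network.vpn.addresses='$SERVER_ADDR/${TUNNEL_NET#*/}'
EOF
    while read -r name pubkey psk ip; do
        [ -n "$name" ] || continue
        s="network.wireguard_$name"
        cat <<PEER
set $s=wireguard_vpn
set $s.description='$name'
set $s.public_key='$pubkey'
set $s.preshared_key='$psk'
add_list $s.allowed_ips='$ip/32'
set $s.route_allowed_ips='1'
set $s.persistent_keepalive='25'
PEER
    done <<EOF
$PEERS
EOF
}

# Emit the wg-quick config for peer $1. Mode "full" routes everything through
# the tunnel (wg-quick turns 0.0.0.0/0 into a default route in its own table
# plus policy rules); "split" only routes the tunnel and the poster's LAN.
client_conf() {
    row=$(printf '%s\n' "$PEERS" | grep "^$1 ") || { echo "unknown peer: $1" >&2; return 1; }
    set -- "$1" "$2" $row                         # $4 pubkey, $5 psk, $6 tunnel ip
    case "$2" in
        full)  allowed="0.0.0.0/0" ;;             # add ::/0 only if the tunnel carries IPv6
        split) allowed="$TUNNEL_NET, $LAN_NET" ;;
        *) echo "mode must be full or split" >&2; return 1 ;;
    esac
    cat <<EOF
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = $6/32

[Peer]
PublicKey = $SERVER_PUBKEY
PresharedKey = $5
Endpoint = $ENDPOINT:$SERVER_PORT
AllowedIPs = $allowed
PersistentKeepalive = 25
EOF
}

# Command-line dispatch: 'server' prints the uci batch, 'client NAME [MODE]' a config.
case "${1:-}" in
    server) check_peers && server_uci_batch ;;
    client) check_peers && client_conf "$2" "${3:-full}" ;;
esac
```

Usage on the router (the script name is an assumption): `sh wg-gen.sh server | uci batch`, then `uci commit network` and `/etc/init.d/network restart`; `sh wg-gen.sh client phone split > phone.conf` produces the file to import on the phone, after replacing the PrivateKey placeholder with a key generated on the phone itself so the private key never leaves the device. Once a peer is up, `wg show vpn latest-handshakes` confirms the handshake and `ip route show dev vpn` shows the per-peer /32 routes that route_allowed_ips installs on the router.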
tmomas
January 27, 2021, 1:48pm
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.