[solved] Wireguard Firewall config

Hi guys,

I'm trying to set up WireGuard. I've tried so many configurations that I'm sure it's messy now :frowning:

The handshake works.

config interface 'vpn'
        option proto 'wireguard'
        option private_key 'xxxxxxx'
        option listen_port '51820'
        option delegate '0'
        list addresses '10.5.0.1/24'

config wireguard_vpn 'wireguard_laptop'
        option public_key 'xxxx'
        option preshared_key 'xxxxx'
        list allowed_ips '10.5.0.2/32'

config wireguard_vpn 'wireguard_phone'
        option public_key 'xxxxx'
        option preshared_key 'xxxxx'
        list allowed_ips '10.5.0.3/32'

The handshake is done and transfer seems to work, but I have no internet or local network access.

My network is 192.168.0.1/24.

First I tried the lan firewall and made a traffic rule to allow from wan to this device, like the OpenWrt guide said.

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'
        option dest 'wireguard'

config zone
        option name 'wireguard'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'vpn'

config forwarding
        option src 'wireguard'
        option dest 'lan'

Thanks for any help.

You need a forwarding wireguard -> wan in the firewall.
And in the clients (not in OpenWrt!!!) configure allowed IPs 0.0.0.0/0, plus route them.

I added

config forwarding
        option src 'wireguard'
        option dest 'wan'

It's not working :frowning:

All my clients have all IPs allowed. What do you mean with "route them"?

When you configure allowed IPs as 0.0.0.0/0 on your client, it will automatically create a route that routes all traffic through the WireGuard interface.

OK, I read the WireGuard docs again.

This is my config for laptop and mobile phone. It works now.

/etc/config/network

config interface 'vpn'
        option proto 'wireguard'
        option private_key 'xxx'
        option listen_port '51820'
        option delegate '0'
        list addresses '10.0.5.1/24'

config wireguard_vpn 'wireguard_laptop'
        option public_key 'xxx'
        option preshared_key 'xxx'
        list allowed_ips '10.0.5.2/32'
        option description 'laptop'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

config wireguard_vpn 'wireguard_phone'
        option public_key 'xxx'
        option preshared_key 'xxx'
        list allowed_ips '10.0.5.3/32'
        option description 'phone'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

/etc/config/firewall


config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'wireguard'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'vpn'

config forwarding
        option src 'wireguard'
        option dest 'lan'

config forwarding
        option src 'wireguard'
        option dest 'wan'

Thank you.

Addition:

Another possible solution that works: just put the vpn interface into the lan firewall zone.

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan vpn'

This makes the following obsolete:


config zone
        option name 'wireguard'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'vpn'

config forwarding
        option src 'wireguard'
        option dest 'lan'

config forwarding
        option src 'wireguard'
        option dest 'wan'

Maybe this config helps someone too :slight_smile:
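Both working configs in this thread come down to three things: the vpn interface sits in a zone, that zone is forwarded to lan and wan, and the udp/51820 rule from wan has no dest (a rule with dest set is a forwarding rule and leaves the router's own port closed, which is what the first attempt had). The following checker is an added example and not part of the thread; it parses a /etc/config/firewall fragment and reports which of these is missing. The sample config embedded below is constructed to mirror the first, non-working attempt, and the checker assumes the stock OpenWrt lan -> wan forwarding is present when the lan zone is used.

```python
import re
def parse_uci(text):
    """Parse UCI config text into (type, name, options); 'list' entries collect into Python lists."""
    sections = []
    for raw in text.splitlines():
        parts = [p.strip("'") for p in re.findall(r"'[^']*'|\S+", raw)]
        if parts and parts[0] == "config":
            sections.append((parts[1], parts[2] if len(parts) > 2 else None, {}))
        elif parts and parts[0] == "option":
            sections[-1][2][parts[1]] = parts[2]
        elif parts and parts[0] == "list":
            sections[-1][2].setdefault(parts[1], []).append(parts[2])
    return sections

def check_wireguard_firewall(fw_text, vpn_iface="vpn", port="51820"):
    """List the problems that leave WireGuard peers without LAN/WAN access or block the handshake."""
    secs = parse_uci(fw_text)
    problems = []
    # The interface must belong to a zone; that zone's policy decides what its peers may do.
    zones = [o["name"] for t, _, o in secs if t == "zone" and vpn_iface in o.get("network", "").split()]
    if not zones:
        return [f"interface '{vpn_iface}' is in no firewall zone"]
    zone = zones[0]
    # Peers reach the LAN and the internet only via forwarding from that zone (assumption: stock OpenWrt already has lan -> wan).
    fwd = {(o.get("src"), o.get("dest")) for t, _, o in secs if t == "forwarding"}
    problems += [f"no forwarding {zone} -> {d}" for d in ("lan", "wan") if zone != "lan" and (zone, d) not in fwd]
    # The handshake needs an ACCEPT rule from wan for udp/<port> WITHOUT 'dest': with 'dest' set the rule
    # becomes a forwarding rule and the router's own listening port stays closed.
    rules = [o for t, _, o in secs if t == "rule" and o.get("src") == "wan"
             and o.get("proto") == "udp" and o.get("dest_port") == port and o.get("target") == "ACCEPT"]
    if not rules:
        problems.append(f"no ACCEPT rule for udp/{port} from wan")
    elif all("dest" in r for r in rules):
        problems.append(f"udp/{port} rule sets 'dest'; remove it so it applies to the router's input chain")
    return problems

# Constructed sample mirroring the thread's first, non-working fragment (rule has 'dest', no forwardings).
FIRST_ATTEMPT = """
config rule 'wg'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'
        option dest 'wireguard'
config zone
        option name 'wireguard'
        option network 'vpn'
"""

print(check_wireguard_firewall(FIRST_ATTEMPT))
```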