Unable to get Wireguard Working on OpenWrt

Here, I am using OpenWrt as a repeater with WireGuard.
The repeater seems to be working well, but I don't see any traffic through the VPN interface.

Following is the Interface Screenshot:

Please post here the output of the following command, copy and paste the whole block:

uci show network; uci show wireless; \
uci show firewall; uci show dhcp; \
ip -4 addr ; ip -4 ro ; ip -4 ru; \
iptables-save; head -n -0 /etc/firewall.user;

Please use "Preformatted text </>" for logs, scripts, configs and general console output.

Thank you for your reply, trendy.

I know it's a lot to take, but here you go:

uci show network:

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fda8:eff7:af91::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan_dev=device
network.lan_dev.name='eth0'
network.lan_dev.macaddr=''
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='0'
network.wwan=interface
network.wwan.proto='dhcp'
network.wg0=interface
network.wg0.proto='wireguard'
network.wg0.private_key=''
network.wg0.listen_port='51820'
network.wg0.addresses='192.168.9.1/24' 'fdf1:7610:d152:3a9c::1/64'
network.wgclient=wireguard_wg0
network.wgclient.preshared_key=''
network.wgclient.allowed_ips='192.168.9.0/24' 'fdf1:7610:d152:3a9c::1/64'
network.wgclient.public_key=''



uci show wireless:


wireless.radio0=wifi-device
wireless.radio0.type='mac80211'
wireless.radio0.channel='11'
wireless.radio0.hwmode='11g'
wireless.radio0.path='platform/10300000.wmac'
wireless.radio0.htmode='HT20'
wireless.radio0.disabled='0'
wireless.radio0.country='00'
wireless.radio0.legacy_rates='1'
wireless.default_radio0=wifi-iface
wireless.default_radio0.device='radio0'
wireless.default_radio0.network='lan'
wireless.default_radio0.mode='ap'
wireless.default_radio0.ssid='OpenWrt'
wireless.default_radio0.encryption='psk2'
wireless.default_radio0.key=''
wireless.@wifi-iface[1]=wifi-iface
wireless.@wifi-iface[1].network='wwan'
wireless.@wifi-iface[1].ssid='#2'
wireless.@wifi-iface[1].encryption='psk2'
wireless.@wifi-iface[1].device='radio0'
wireless.@wifi-iface[1].mode='sta'
wireless.@wifi-iface[1].bssid=''
wireless.@wifi-iface[1].key=''


uci show firewall:

firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.lan=zone
firewall.lan.name='lan'
firewall.lan.input='ACCEPT'
firewall.lan.output='ACCEPT'
firewall.lan.forward='ACCEPT'
firewall.lan.network='lan' 'wg0'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.input='REJECT'
firewall.wan.output='ACCEPT'
firewall.wan.forward='REJECT'
firewall.wan.masq='1'
firewall.wan.mtu_fix='1'
firewall.wan.network='wan wan6 wwan'
firewall.lan_wan=forwarding
firewall.lan_wan.src='lan'
firewall.lan_wan.dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.wg=rule
firewall.wg.name='Allow-WireGuard'
firewall.wg.src='wan'
firewall.wg.dest_port='51820'
firewall.wg.proto='udp'
firewall.wg.target='ACCEPT'


uci show dhcp

dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].boguspriv='1'
dhcp.@dnsmasq[0].filterwin2k='0'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].nonegcache='0'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
dhcp.@dnsmasq[0].nonwildcard='1'
dhcp.@dnsmasq[0].localservice='1'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.start='100'
dhcp.lan.limit='150'
dhcp.lan.leasetime='12h'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'



ip -4 addr


1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.0.255 scope global br-lan
       valid_lft forever preferred_lft forever
5: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 192.168.9.1/24 brd 192.168.1.255 scope global wg0
       valid_lft forever preferred_lft forever
6: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.0.64/24 brd 192.168.9.255 scope global wlan0
       valid_lft forever preferred_lft forever



ip -4 ro


default via 192.168.0.1 dev wlan0 proto static src 192.168.0.64
192.168.0.0/24 dev wlan0 proto kernel scope link src 192.168.0.64
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.9.0/24 dev wg0 proto kernel scope link src 192.168.9.1



ip -4 ru

0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default



iptables-save

# Generated by iptables-save v1.6.2 on Sat Nov  2 21:07:50 2019
*nat
:PREROUTING ACCEPT [1646:370580]
:INPUT ACCEPT [66:4739]
:OUTPUT ACCEPT [204:14775]
:POSTROUTING ACCEPT [8:1202]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i wg0 -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i wlan0 -m comment --comment "!fw3" -j zone_wan_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o wg0 -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o wlan0 -m comment --comment "!fw3" -j zone_wan_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Sat Nov  2 21:07:50 2019
# Generated by iptables-save v1.6.2 on Sat Nov  2 21:07:50 2019
*mangle
:PREROUTING ACCEPT [6990:3027419]
:INPUT ACCEPT [2417:301796]
:FORWARD ACCEPT [3523:2452361]
:OUTPUT ACCEPT [1817:457130]
:POSTROUTING ACCEPT [5340:2909491]
-A FORWARD -o wlan0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sat Nov  2 21:07:50 2019
# Generated by iptables-save v1.6.2 on Sat Nov  2 21:07:50 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i wg0 -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i wlan0 -m comment --comment "!fw3" -j zone_wan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i wg0 -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i wlan0 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o wg0 -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o wlan0 -m comment --comment "!fw3" -j zone_wan_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_ACCEPT -o wg0 -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_src_ACCEPT -i wg0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o wlan0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o wlan0 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o wlan0 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 51820 -m comment --comment "!fw3: Allow-WireGuard" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i wlan0 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sat Nov  2 21:07:50 2019



head -n -0 /etc/firewall.user

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

You may want to change that to fdf1:7610:d152:3a9c::/64

Other than that I don't see anything wrong there.
Does your client connect fine?
What is the output of command wg in OpenWrt?
Does ping work from client to OpenWrt?

Is your configuration intended to 1) allow a remote peer to connect to your LAN and/or the internet via your OpenWrt router (this is how mine is configured), or 2) is this supposed to connect to a remote peer such as a VPN service for your general internet access/access to remote resources?

The WG section of your network file doesn't look quite right to me, both in terms of formatting and the allowed IPs. I assume that you have redacted the keys. I've posted mine below as a reference.

Regarding the WG allowed IPs -- Assuming use case 1 from above, I did a bit of experimentation and it appears that the allowed IPs must be set as /32 (IPv4) -- so you should assign an actual IP in the 192.168.9.0/24 network --> say 192.168.9.2/32 to the Allowed IPs. The IP address of the peer on the other side must match. And in this use case, the remote peer Allowed IPs is effectively the IP addresses that should be routed through the tunnel. So, for example, if you just want to access your LAN, you would have 192.168.1.0/24 in that field (on the remote peer); for all traffic, it would be 0.0.0.0/0.

Also, unless IPv6 is critical, you might remove those addresses for the moment to ensure that you can get IPv4 working properly. Then add IPv6 after everything is proven (just fewer variables).

network.wg0=interface
network.wg0.proto='wireguard'
network.wg0.listen_port='8444'
network.wg0.addresses='10.0.5.1/24'
network.wg0.private_key='[REDACTED]'
network.@wireguard_wg0[0]=wireguard_wg0
network.@wireguard_wg0[0].description='peer1'
network.@wireguard_wg0[0].public_key='[REDACTED]'
network.@wireguard_wg0[0].route_allowed_ips='1'
network.@wireguard_wg0[0].persistent_keepalive='25'
network.@wireguard_wg0[0].preshared_key='[REDACTED]'
network.@wireguard_wg0[0].allowed_ips='10.0.5.2/32'

My client is connecting fine and it's working as a repeater perfectly, but it seems like traffic is not routed through the VPN.

root@OpenWrt:~# wg
interface: wg0
  public key: 4yMHMxY=RQPLFV0izoOX4oF1PLFV0iB0UKq4PLFV0
  private key: (hidden)
  listening port: 51820

So, my configuration is intended to 1) allow a remote peer to connect to my LAN and/or the internet via my OpenWrt router, the same as yours.

I made a few changes in network, as you can see below:

network.wg0=interface
network.wg0.proto='wireguard'
network.wg0.private_key='redacted'
network.wg0.listen_port='51820'
network.wg0.addresses='192.168.9.1/24' 'fdf1:7610:d152:3a9c::1/64'
network.wgclient=wireguard_wg0
network.wgclient.preshared_key='redacted'
network.wgclient.public_key='redacted'
network.wgclient.allowed_ips='192.168.9.3/24'
network.wgclient.route_allowed_ips='1'

But, it doesn't seem to work

This is the configuration at my client side.

Where's the peer config on client side?

Here:
https://forum.openwrt.org/uploads/default/optimized/2X/d/d23f2fd4f8e8aac6e79485e5b23ec7980e4e2cfc_2_281x500.jpeg

That's the interface. You need to hit 'add peer' in that screenshot and populate that section (e.g. with the Pre-Shared Key from one of your previous posts)

1 Like

Thanks for pointing it out @tectonic, I tried adding peer

But, it still doesn't seem to work

Is this issue arising because I'm using it as a repeater?

  • You don't specify the OpenWrt's FQDN (or IP) and listening port (cannot contact router currently)
  • Also, if you want to use the OpenWrt as a VPN to reach the Internet, the Allowed IPs need to be 0.0.0.0/0 (cannot use to reach Internet currently)
  • You don't specify the preshared key (cannot send encrypted traffic to the OpenWrt currently)
2 Likes
  • I have changed Allowed IPs to 0.0.0.0/0
  • I am not using a pre-shared key
  • Can you be more clear about " You don't specify the OpenWrt's FQDN (or IP) and listening port (cannot contact router currently)". I assume it means I don't have to put IP and port in Client Interface Configuration - which is throwing me some Android Java error

@FriedChipsTellNoTale - you'll want to do these things one step at a time to avoid confusion. One potentially confusing aspect of WG is that it considers all connections "peers" -- there isn't really a 'server' or 'client' from the perspective of the WG configuration. However, because it is often easier to talk about a server/client configuration to understand the desired connectivity, we'll do that here.

Let's start with your router - the server. Take a look at this page -- create your private and public keys for WG on your router. You will use the private key in your WG interface configuration on the router. You will also need to copy the public key from this process for the android phone configuration.

On your phone, use the Generate button to create your private and public keys for that device. You will need to copy the public key from the Android device over to your OpenWrt router's WG peer configuration -- this can happen later, though. Populate the address with the following: 192.168.9.2/32 and leave the listen port empty. Click Add Peer and then take the public key you generated on the router and copy that value into the Android phone's configuration for peer public key. There will be a field for "Endpoint" -- this will be the domain name or public IP (likely the WAN) address of your router (if you don't have a true publicly routable IP address, it will not work). For testing purposes only, and assuming you are doing this from within your network (i.e. phone is on the same wifi network as your router), you can actually use the LAN address of the router itself -- 192.168.1.1 -- but remember that this will only work while you are on your wifi. If you wish to push all traffic through the WireGuard tunnel, enter the allowed IPs as 0.0.0.0/0 (this is still on the phone). Persistent keepalive 25 is recommended for most configurations like these (according to the main WireGuard documentation).

Putting it all together now, you'll go back to your router and add a peer under the wireguard interface. The public key from the phone will be copied over to this section. Allowed IPs (for the peer config on the router) will be 192.168.9.2/32. You will want to enable "route allowed IPs" and set the keep alive value to 25 (same as on the client/phone).

Your router's configuration should look something like this:

Wireguard section of your /etc/config/network file
config interface 'wg0'
	option proto 'wireguard'
	option listen_port '51820'
	list addresses '192.168.9.1/24'
	option private_key '<INSERT_THE_GENERATED_PRIVATE_KEY>'

config wireguard_wg0
	option description 'Phone'
	option public_key '<INSERT_THE_PUBLIC_KEY_FROM_YOUR_PHONE>'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	list allowed_ips '192.168.9.2/32'

Give it a shot. Let us know what happens.

1 Like
  • Then be sure to remove the preshared key config
2 Likes

Adding to this:

To be clear, the configuration for each peer requires a private key for itself (part of the key pair generation process) and the public key for each remote peer. The preshared key is optional, but adds an additional layer of cryptographic security/privacy.

If using a preshared key, the same exact key must be used on both peers. If you are not using it, remove the line entirely.

All keys are algorithmically generated and are 44 characters long and may contain numerals, letters, and symbols. They all end with an equals sign (=). Here is an example key (one that I generated just for this example and won't be using):

f01xMlO52XwB/fEUmoLTfoWus2cSn8ynBjnB2F/QQv0=

In the config file, it would look like this:

	option public_key 'f01xMlO52XwB/fEUmoLTfoWus2cSn8ynBjnB2F/QQv0='

(Note that there are 44 characters inside the single quotes, no brackets or any other added symbols beyond the ones that are part of the key itself).

2 Likes
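As an added example (not code from this thread or from OpenWrt), here is a small Python checker that reads `uci show network` and `uci show firewall` output of the kind posted above and flags the problems raised in the step-by-step post and in the key-format note: keys that are not 44-character base64 of 32 bytes, an empty `preshared_key` option instead of a removed one, peer `allowed_ips` that are not a single host inside the tunnel subnet, missing `route_allowed_ips` or `persistent_keepalive`, and a listen port that no wan firewall rule accepts. The sample dumps are constructed; the private key in them is a format-only placeholder and the public key is the throwaway example key from the post above.

```python
import base64
import ipaddress
import re

# Constructed sample in the `uci show` format posted in this thread: the private key is a
# format-only placeholder (base64 of 32 fixed bytes), the public key is the thread's example.
FAKE_PRIVATE_KEY = base64.b64encode(b"\x01" * 32).decode()
SAMPLE_NETWORK = f"""\
network.wg0=interface
network.wg0.proto='wireguard'
network.wg0.private_key='{FAKE_PRIVATE_KEY}'
network.wg0.listen_port='51820'
network.wg0.addresses='192.168.9.1/24' 'fdf1:7610:d152:3a9c::1/64'
network.wgclient=wireguard_wg0
network.wgclient.preshared_key=''
network.wgclient.public_key='f01xMlO52XwB/fEUmoLTfoWus2cSn8ynBjnB2F/QQv0='
network.wgclient.allowed_ips='192.168.9.3/24'
network.wgclient.route_allowed_ips='1'
"""
SAMPLE_FIREWALL = """\
firewall.wg=rule
firewall.wg.src='wan'
firewall.wg.dest_port='51820'
firewall.wg.proto='udp'
firewall.wg.target='ACCEPT'
"""
UCI_LINE = re.compile(r"^\w+\.(?P<section>[^.=]+)(?:\.(?P<option>\w+))?=(?P<value>.*)$")

def parse_uci(dump):
    """Turn `uci show <pkg>` output into {section: {'.type': t, option: [values]}}."""
    sections = {}
    for line in dump.splitlines():
        m = UCI_LINE.match(line.strip())
        if not m:
            continue
        sec = sections.setdefault(m["section"], {})
        if m["option"] is None:
            sec[".type"] = m["value"]          # e.g. network.wg0=interface
        else:                                  # list options print as 'a' 'b'
            sec[m["option"]] = re.findall(r"'([^']*)'", m["value"])
    return sections

def is_wg_key(value):
    """A WireGuard key is base64 of 32 bytes: exactly 44 chars ending in '='."""
    if len(value) != 44 or not value.endswith("="):
        return False
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:                         # binascii.Error is a ValueError
        return False

def wg_port_open(fw, port):
    """True if some firewall rule accepts UDP to `port` from the wan zone."""
    return any(s.get(".type") == "rule" and s.get("src") == ["wan"]
               and s.get("proto") == ["udp"] and s.get("dest_port") == [port]
               and s.get("target") == ["ACCEPT"] for s in fw.values())

def first(sec, opt):                           # first value of an option, '' if absent/empty
    return (sec.get(opt) or [""])[0]

def lint_wireguard(net, fw=None):
    """Findings for the WireGuard interface(s) and their peers in a parsed network dump."""
    findings = []
    ifaces = {n: s for n, s in net.items() if s.get("proto") == ["wireguard"]}
    if not ifaces:
        return ["no interface with proto 'wireguard'"]
    for name, iface in ifaces.items():
        if not is_wg_key(first(iface, "private_key")):
            findings.append(f"{name}: private_key missing or not a valid 44-char key")
        port = first(iface, "listen_port")
        if not port:
            findings.append(f"{name}: listen_port not set; peers cannot reach this router")
        elif fw is not None and not wg_port_open(fw, port):
            findings.append(f"{name}: no firewall rule accepts UDP {port} from wan")
        subnets = [ipaddress.ip_interface(a).network for a in iface.get("addresses", [])]
        peers = [(n, s) for n, s in net.items() if s.get(".type") == f"wireguard_{name}"]
        if not peers:
            findings.append(f"{name}: no wireguard_{name} peer section; nothing can connect")
        for pname, peer in peers:
            if not is_wg_key(first(peer, "public_key")):
                findings.append(f"{pname}: public_key missing or invalid")
            if "preshared_key" in peer and not is_wg_key(first(peer, "preshared_key")):
                findings.append(f"{pname}: preshared_key empty or invalid; drop the option or use a real key")
            if peer.get("route_allowed_ips") != ["1"]:
                findings.append(f"{pname}: route_allowed_ips should be '1'")
            if not first(peer, "persistent_keepalive"):
                findings.append(f"{pname}: persistent_keepalive not set (25 is the usual choice)")
            for entry in peer.get("allowed_ips", []):
                addr = ipaddress.ip_interface(entry)
                if addr.network.prefixlen != addr.max_prefixlen:
                    findings.append(f"{pname}: allowed_ips {entry} should be one host (/32 or /128)")
                if not any(addr.ip in s for s in subnets):
                    findings.append(f"{pname}: allowed_ips {entry} is outside the tunnel subnet")
    return findings
```

Run it against your own `uci show network` and `uci show firewall` output (with the keys left in place, since the check needs their length and encoding); an empty list means the router-side section matches what the post above describes.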

Thank you @psherman for detailed steps.
I tried the peer configuration as described in your answer for both the router and the smartphone, but it still doesn't seem to work, although it stops internet connectivity after activating the VPN on the smartphone.

@lleachii I even tried removing the pre-shared key.

Please share the latest contents of the /etc/config/network and /etc/config/firewall files as well as the phone WG config. Redact private information, but be sure that it is clear what is redacted vs what was empty.

And please verify:

  1. that your OpenWrt router is directly connected to the internet (no upstream routers on your network and that your modem (if applicable) is in true bridge mode)
  2. that you are getting a true publicly routable IP address on the WAN -- if it is an RFC1918 or CG-NAT address, it will not work. If you wouldn't mind sharing the first octet, that will hopefully give us enough information to guess if you might have an issue there.
1 Like

Here is the recent configuration:


# uci show network

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fda8:eff7:af91::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan_dev=device
network.lan_dev.name='eth0'
network.lan_dev.macaddr='REDACTED'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='0'
network.wwan=interface
network.wwan.proto='dhcp'
network.wg0=interface
network.wg0.proto='wireguard'
network.wg0.private_key='REDACTED'
network.wg0.listen_port='51820'
network.wg0.addresses='192.168.9.1/24'
network.wgclient=wireguard_wg0
network.wgclient.route_allowed_ips='1'
network.wgclient.public_key='REDACTED-same as generated by mobile client'
network.wgclient.allowed_ips='192.168.9.2/32'
network.wgclient.persistent_keepalive='25'

# uci show firewall

firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.lan=zone
firewall.lan.name='lan'
firewall.lan.input='ACCEPT'
firewall.lan.output='ACCEPT'
firewall.lan.forward='ACCEPT'
firewall.lan.network='lan' 'wg0'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.input='REJECT'
firewall.wan.output='ACCEPT'
firewall.wan.forward='REJECT'
firewall.wan.masq='1'
firewall.wan.mtu_fix='1'
firewall.wan.network='wan wan6 wwan'
firewall.lan_wan=forwarding
firewall.lan_wan.src='lan'
firewall.lan_wan.dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.wg=rule
firewall.wg.name='Allow-WireGuard'
firewall.wg.src='wan'
firewall.wg.dest_port='51820'
firewall.wg.proto='udp'
firewall.wg.target='ACCEPT'

# uci show wireless

wireless.radio0=wifi-device
wireless.radio0.type='mac80211'
wireless.radio0.channel='11'
wireless.radio0.hwmode='11g'
wireless.radio0.path='platform/10300000.wmac'
wireless.radio0.htmode='HT20'
wireless.radio0.disabled='0'
wireless.radio0.country='00'
wireless.radio0.legacy_rates='1'
wireless.default_radio0=wifi-iface
wireless.default_radio0.device='radio0'
wireless.default_radio0.network='lan'
wireless.default_radio0.mode='ap'
wireless.default_radio0.ssid='OpenWrt'
wireless.default_radio0.encryption='psk2'
wireless.default_radio0.key='REDACTED'
wireless.@wifi-iface[1]=wifi-iface
wireless.@wifi-iface[1].network='wwan'
wireless.@wifi-iface[1].ssid='REDACTED'
wireless.@wifi-iface[1].encryption='psk2'
wireless.@wifi-iface[1].device='radio0'
wireless.@wifi-iface[1].mode='sta'
wireless.@wifi-iface[1].bssid='AC:84:C6:88:87:18'
wireless.@wifi-iface[1].key='REDACTED'

Following is my Client configuration:

  1. But, my OpenWrt router is not connected to the internet directly; it's working as a repeater over wifi through one TP-Link router.
  2. I don't know how to check for it.

This could certainly be part of the issue. Have you done the necessary port forwarding on your tp-link router to send UDP 51820 from the internet to the OpenWrt router?

Since your OpenWrt router is not directly connected to the internet, the WAN IP address on that device is relevant, but certainly not a public IP. You need to look at the IP address on the TP-Link router's WAN interface. And you can then google "IP check" (this will show your current IP address as seen from the internet)... hopefully those numbers match.

1 Like