Unable to set up wg site-to-site tunnel

I have tried to set up a site-to-site WireGuard tunnel without success. I did not find help in other articles, so I am turning to the forum.

I have a home network 10.0.0.0/24 and a remote network 10.10.10.0/24, both having Archer C7 routers with OpenWrt 19.07.7 running on them.

What may be relevant to my issue is that the remote site has a 4G modem and the ISP uses carrier-grade NAT for the 4G internet connection; therefore the remote site has no public IP. For home I use the dyndns service from dy.fi. I expect the remote site to initiate the connection, which should then be kept alive with the appropriate setting.

The result, however, is that the first handshake never happens. I have checked the keys and even tried resetting some, with no result. The tunnel should be in the lan zone, and incoming traffic to the WireGuard port allowed. The firewall settings for the remote site still contain some residue from my earlier attempt to set up an IPsec VPN before WireGuard; I do not believe it affects this, though.

The tunnel has IP 10.0.3.0/24 and the endpoints for home and remote 10.0.3.1 and 10.0.3.2 respectively.

Below are my network and firewall configuration files for both sites. I may have missed something, but I cannot see what is wrong here.

Below is my network configuration for home:


# /etc/config/network for the home site (Archer C7, OpenWrt 19.07.7) as posted.
# The key values are redacted in the post; the real file holds the base64 keys
# and the private key must be treated as a secret (only the public key is
# ever shared with the peer).
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd4a:f243:f09a::/48'

# Home LAN 10.0.0.0/24; this router is 10.0.0.2.
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '10.0.0.2'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr '70:4f:57:10:32:00'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

# WireGuard interface for the site-to-site tunnel. Home is the listening side:
# it is reachable via a dyndns name, while the remote site sits behind
# carrier-grade NAT and therefore has to initiate the handshake.
config interface 'Tunneli'
	option proto 'wireguard'
	# UDP port the remote peer connects to. The firewall must accept it on the
	# router itself, i.e. in the wan zone's INPUT path (a rule with 'src wan'
	# and no 'option dest'); a rule with 'dest lan' only covers forwarded traffic.
	option listen_port '51820'
	option private_key 'key ..WU='
	list addresses '10.0.3.1/32'

# Peer entry for the remote router. No endpoint_host is set on purpose: the
# remote side has no public address, so its endpoint is learned when it
# connects.
config wireguard_Tunneli
	option description 'Remote'
	# Keepalive is only required on the peer behind NAT (the remote side). Here
	# it is harmless, but it cannot send anything until the remote has connected.
	option persistent_keepalive '25'
	# Install kernel routes for allowed_ips, so 10.10.10.0/24 is reached via the tunnel.
	option route_allowed_ips '1'
	option public_key 'key ...SA='
	# allowed_ips is also WireGuard's cryptokey routing table: only packets whose
	# inner source lies in these prefixes are accepted from this peer.
	list allowed_ips '10.10.10.0/24'
	list allowed_ips '10.0.3.2/32'

This is the firewall for home


# /etc/config/firewall for the home site as posted.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# The tunnel interface is a member of the lan zone, so the remote site gets the
# same trust as local LAN clients (input and forward ACCEPT). A dedicated zone
# for 'Tunneli' would allow a narrower policy if that is ever wanted.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan Tunneli'

# wan zone: INPUT is REJECT, so every service on the router that must be
# reachable from the internet (here: the WireGuard port) needs an explicit
# input rule.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Leftovers from the earlier IPsec attempt; kept disabled here (enabled '0'),
# which is the right state while IPsec is not in use.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option enabled '0'

# Custom iptables rules, if any, live in this file; worth checking it holds
# nothing left over from the IPsec setup.
config include
	option path '/etc/firewall.user'

# Meant to open the WireGuard listen port, but as written it does not: with
# 'option dest' set, the rule becomes a wan->lan FORWARD rule, whereas the
# handshake packet is addressed to the router itself and is governed by the
# wan zone's INPUT policy (REJECT). Removing the 'option dest 'lan'' line
# makes this an input rule for UDP 51820 - the fix confirmed later in the
# thread. Opening the port to any source is the normal WireGuard pattern:
# packets without a valid handshake are silently dropped by WireGuard.
config rule
	option dest_port '51820'
	option src 'wan'
	option name 'Allow-WireGuard'
	option dest 'lan'
	option target 'ACCEPT'
	list proto 'udp'

And the network configuration for the remote:


# /etc/config/network for the remote site (behind 4G carrier-grade NAT) as
# posted. Key values are redacted; the private key is a secret that must not
# leave the router.
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdc4:ddb0:c12b::/48'

# Remote LAN 10.10.10.0/24; this router is 10.10.10.1.
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '10.10.10.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr '50:d4:f7:14:d6:49'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

# WireGuard interface on the initiating side of the tunnel.
config interface 'Koti'
	option proto 'wireguard'
	# Behind carrier-grade NAT nothing unsolicited can reach this port from the
	# internet; it acts as the local source port of the outgoing handshake.
	option listen_port '51820'
	option private_key 'Key ...3Y='
	list addresses '10.0.3.2/32'

# Peer entry for the home router.
config wireguard_Koti
	option description 'Koti'
	# Required on this side: periodic keepalives hold the CGNAT mapping open so
	# the home side can send traffic back through it.
	option persistent_keepalive '25'
	option endpoint_port '51820'
	option route_allowed_ips '1'
	# dyndns name of the home site. The name is resolved when the interface is
	# brought up; if the home WAN address changes, the interface needs to
	# re-resolve it (check that the name currently resolves to the home WAN IP).
	option endpoint_host 'anttila.dy.fi'
	option public_key 'Key..Bw='
	# Home LAN plus the home tunnel address; only these prefixes are accepted
	# from / routed to this peer.
	list allowed_ips '10.0.0.0/24'
	list allowed_ips '10.0.3.1/32'

And the firewall for the remote:

# /etc/config/firewall for the remote site as posted.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# Newer spelling of the SYN-flood option; the home file uses 'syn_flood'.
	option synflood_protect '1'

# Tunnel interface 'Koti' shares the lan zone, so hosts on the home side are
# trusted like local LAN clients.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan Koti'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Residue of the abandoned IPsec setup. Unlike the home file these two rules
# are still active (no 'option enabled '0''), allowing ESP and UDP/500 to be
# forwarded from wan into lan. They serve no purpose now and should be
# disabled or removed to keep the wan-facing policy minimal.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

# Also left over from IPsec: this zone binds no network or device, so it is
# empty and the lan->vpn forwarding and the three vpn->lan rules below never
# match anything. They can be removed together.
config zone
	option name 'vpn'
	option input 'REJECT'
	option forward 'REJECT'
	option output 'ACCEPT'

config forwarding
	option dest 'vpn'
	option src 'lan'

config rule
	option src 'vpn'
	option dest 'lan'
	option target 'ACCEPT'
	list proto 'esp'
	option name 'Allow-vpn-ESP'

config rule
	option src 'vpn'
	option name 'Allow-vpn-ISAKMP'
	option dest 'lan'
	option target 'ACCEPT'
	list proto 'udp'
	option dest_port '500'

config rule
	option src 'vpn'
	option name 'Allow-vpn-NAT-T'
	option dest 'lan'
	option target 'ACCEPT'
	list proto 'udp'
	option dest_port '4500'

# Same defect as on the home side: 'option dest 'lan'' makes this a forward
# rule, so it does not open UDP 51820 on the router itself. The thread reports
# that choosing 'any zone' in LuCI (dest '*') made it work; removing the
# 'option dest' line entirely is the unambiguous input-rule form. Behind CGNAT
# this rule is not strictly needed for the tunnel to come up, since the
# remote side initiates, but it does no harm.
config rule
	option src 'wan'
	option name 'Allow-wireGuard'
	option dest 'lan'
	option target 'ACCEPT'
	list proto 'udp'
	option dest_port '51820'

What might be wrong?

Remove the `option dest 'lan'` line from the WireGuard port rule in both firewall configurations.


Thank you for the advice.
I will be able to make the changes on both sites over the weekend. Hope it fixes the issue. Thanks for a prompt reply.

Tested. It works !
For home I just edited the configuration file directly and removed the "option dest 'lan' " as suggested by krazeh.
For remote I checked how to modify the settings in LuCI. In the firewall rules I could not find how to leave the destination unspecified, so I chose 'to any zone'. That created a rule with "option dest '*'" in the configuration file.

It is interesting that the zone lan did not work as a destination, as the tunnel interface is a part of the lan zone.

Thanks
