Unable to set up Wireguard Server

Hi,

I am trying to set up a WG server, but I'm unable to get server–client communication working.

I set it up at first with the GUI. Then I read the documentation and checked line by line that my configuration is the same as: https://openwrt.org/docs/guide-user/services/vpn/wireguard/server

I think I have a mistake in the key configuration, because no packets are exchanged.

CLIENT CONFIG:

client

SERVER CONFIG:

server

FIREWALL CONFIG:

firewall

AFTER CONNECT:

connected

I really have no idea what to check or how to debug.

Thank you for help.

Eliott.

Not sure if it is related, but I know my Ubiquiti Dream Machine Pro can't create a WireGuard server if port forwarding is on for those ports.

Check how you have your port forwarding configured and that there is no conflict.

WireGuard uses ports similar to some torrent downloaders. /wink wink/

Hi,

thank you. I deleted the port forward, it was still not working.

But after rebooting the device and restarting the wg0 interface, everything is okay now.

I don't understand why, after a reboot, I need to restart the WireGuard interface to have a working server.

It seems my Windows client crashes the server sometimes.

Eliott.

It probably only needed some time, not an actual reboot.
But glad it works for you. :slight_smile:

Windows client is still buggy.

Linux one works fine as well as android one.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
wg show

Hi,

after a few tests I'm still dealing with the loss of the WireGuard interface.

The stop button is active, but I don't see the interface in "ifconfig".

Do you think the "Force link" option could help?

please find my config below:


root@OpenWrt:~# ubus call system board
{
        "kernel": "5.10.176",
        "hostname": "OpenWrt",
        "system": "Atheros AR9132 rev 2",
        "model": "TP-Link TL-WR1043ND v1",
        "board_name": "tplink,tl-wr1043nd-v1",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.5",
                "revision": "r20134-5f15225c1e",
                "target": "ath79/generic",
                "description": "OpenWrt 22.03.5 r20134-5f15225c1e"
        }
}

Only available after a restart of the "wg1" interface:


root@OpenWrt:~# wg show
interface: wg1
  public key: xxx=
  private key: (hidden)
  listening port: 64646

peer: xxx=
  preshared key: (hidden)
  allowed ips: 192.168.3.0/24, 192.168.2.0/24

NETWORK:

# /etc/config/network as first posted (OpenWrt 22.03.5, TL-WR1043ND v1).
config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config globals 'globals'
        option ula_prefix 'fda2:74cf:9d87::/48'

# LAN: 192.168.2.0/24 on br-lan (router is 192.168.2.254).
config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.2.254'
        option device 'br-lan'

# WAN on VLAN 2 with a static RFC1918 address; the xx.xx parts are redacted
# here, although a later reply notes RFC1918 addresses need no redaction.
config interface 'wan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.xx.xx'
        option gateway '192.168.xx.xx'
        option device 'eth0.2'
        list dns '192.168.88.88'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 5t'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

# WireGuard server interface. The private key is redacted ('xxx=') — correct,
# it must never be posted. Tunnel subnet 192.168.3.0/24, router is .1.
config interface 'wg1'
        option proto 'wireguard'
        option listen_port '64646'
        option private_key 'xxx='
        list addresses '192.168.3.1/24'

# Peer entry. Both allowed_ips are /24 prefixes: 192.168.2.30/24 is the whole
# LAN subnet, and with route_allowed_ips '1' a route for 192.168.2.0/24 via
# wg1 is installed, competing with the br-lan connected route. A later reply
# recommends a single /32 for the peer's tunnel address and keeping the
# tunnel subnet distinct from the LAN.
config wireguard_wg1
        option description 'OpenWRT-Acer-Eliott'
        option public_key 'xxx='
        option preshared_key 'xxx='
        list allowed_ips '192.168.3.2/24'
        list allowed_ips '192.168.2.30/24'
        option route_allowed_ips '1'

FIREWALL:


# /etc/config/firewall as first posted. Zone policies: router accepts input
# by default; forwarding between zones is rejected unless a forwarding
# section or rule allows it.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'REJECT'

# lan and wg1 share one zone with intra-zone forward ACCEPT, so every
# WireGuard peer has the same reach as a wired LAN host. Fine for a single
# trusted peer; a later reply suggests tightening once routing works.
config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option name 'ZONE0'
        list network 'lan'
        list network 'wg1'

# Standard wan zone: inbound rejected, outbound NAT with MSS clamping.
config zone
        option name 'wan'
        option masq '1'
        option mtu_fix '1'
        option input 'REJECT'
        option forward 'REJECT'
        option output 'ACCEPT'
        list network 'wan'

# The rules from here to Allow-ISAKMP are the stock OpenWrt defaults.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Default IPsec pass-through rules, here retargeted at ZONE0 (lan + wg1).
# They forward ESP and UDP/500 from wan into the zone; nothing in this thread
# uses IPsec, so they can be disabled if no host behind the router needs them.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option proto 'esp'
        option target 'ACCEPT'
        option dest 'ZONE0'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option dest 'ZONE0'

# Legacy iptables include. This device runs 22.03 (fw4, see the ubus output
# above); NOTE(review): verify whether this script is still executed there,
# or whether anything it contains needs to be migrated.
config include
        option path '/etc/firewall.user'

config forwarding
        option dest 'wan'
        option src 'ZONE0'

# Opens the WireGuard listen port on wan. The port is redacted as 'xxxx' but
# listen_port '64646' is visible in the network config and in `wg show`; the
# port is not a secret, and the two values must match.
config rule
        option name 'Allow-Wireguard-Inbound'
        list proto 'udp'
        option dest_port 'xxxx'
        option target 'ACCEPT'
        option src 'wan'

Note: "config redirect" deleted.

Note 2: I'll delete everything concerning the "3" network; I want access to the LAN area and I don't see any use in keeping 192.168.3.xx:

# Second attempt: the tunnel is moved onto the LAN subnet itself.
config interface 'wg1'
        option proto 'wireguard'
        option listen_port '64646'
        option private_key 'xxx='
        # 192.168.2.253 (no prefix length) lies inside the LAN's
        # 192.168.2.0/24. A later reply identifies this overlap as the
        # problem: the tunnel and the LAN must be different subnets.
        list addresses '192.168.2.253'

# Peer allowed_ips still /24, i.e. the whole LAN subnet; with
# route_allowed_ips '1' that prefix is routed via wg1 instead of br-lan.
config wireguard_wg1
        option description 'OpenWRT-Acer-Eliott'
        option public_key 'xxx='
        option preshared_key 'xxx='
        list allowed_ips '192.168.2.30/24'
        option route_allowed_ips '1'

Thank you for help.

Can you repost with the config not redacted like this -- RFC1918 addresses are not secret/sensitive information. Not having this info makes troubleshooting much harder.

Have a look at:

Furthermore, your upstream router probably needs to port forward.


Sorry for the missing information. For me those IPs weren't relevant anyway.

We agree that I have to remove private_key and preshared_key at least?


# /etc/config/network reposted with RFC1918 addresses unredacted; keys stay
# redacted ('xxx='), which is the right split.
config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config globals 'globals'
        option ula_prefix 'fda2:74cf:9d87::/48'

# LAN 192.168.2.0/24, router at .254.
config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.2.254'
        option device 'br-lan'

# WAN sits on the ISP router's LAN (192.168.88.0/24); the ISP router at
# .88.88 is the gateway and must forward UDP 64646 to .88.250.
config interface 'wan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.88.250'
        option gateway '192.168.88.88'
        option device 'eth0.2'
        list dns '192.168.88.88'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 5t'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

# Tunnel address 192.168.2.253 is inside the LAN subnet — the overlap a
# later reply names as the cause of the failures.
config interface 'wg1'
        option proto 'wireguard'
        option listen_port '64646'
        option private_key 'xxx='
        list addresses '192.168.2.253'

# Peer allowed IP 192.168.2.50 (a single host, no prefix length) is also a
# LAN address; with route_allowed_ips '1' a host route for it via wg1 would
# take precedence over the br-lan connected route.
config wireguard_wg1
        option description 'OpenWRT-Acer-Eliott'
        option public_key 'xxx='
        option preshared_key 'xxx='
        option route_allowed_ips '1'
        list allowed_ips '192.168.2.50'

You can find my final configuration above. It doesn't need port forwarding.

After connecting with the WG client I run "ping 192.168.2.200 -t" through the WG tunnel, and I see the interface crash after around 1 minute and 30 seconds.

I ran this test twice, after that:

"wg show" is empty
"ifconfig" no more wg1 interface.

If I restart the interface everything is fine again (sometimes I need to do it twice).

EDIT:

I just saw, after around 2 minutes stable:

Réponse de 192.168.2.200 : octets=32 temps=25 ms TTL=63
Réponse de 192.168.2.200 : octets=32 temps=29 ms TTL=63
Réponse de 192.168.2.200 : octets=32 temps=24 ms TTL=63
Réponse de 192.168.2.200 : octets=32 temps=718 ms TTL=63
Réponse de 192.168.2.200 : octets=32 temps=80 ms TTL=63
Réponse de 192.168.2.200 : octets=32 temps=546 ms TTL=63
Réponse de 192.168.2.200 : octets=32 temps=175 ms TTL=63
Réponse de 192.168.2.200 : octets=32 temps=27 ms TTL=63
Réponse de 192.168.2.200 : octets=32 temps=24 ms TTL=63

suddenly a high ping, and the WG client resets the connection time.

EDIT2:

at the last reset (around 3 minutes) the WG connection was lost for good.

Eliott

Yes, these do need to be redacted. As do public IPs or other credentials. Just not RFC1918 addresses.

The problem, as stated by @egc, is that you've got your lan and the WG networks on the same subnet. They must be different.

Your WG config appears to be a 'client' type connection, whereas the OP is trying to setup a server. I don't think your configuration will help the OP.


Ah, my mistake :woman_facepalming:

I changed my configuration.

My client is on 192.168.10.1

I cannot reach the 192.168.2.0 network, even with the route configured.

Interface still crashing with different networks.


# Third attempt: tunnel moved to its own subnet 192.168.9.0/24.
# The key fields below look mis-redacted ('' and '='); a later reply asks
# whether they were obscured and the poster then confirms they were the real
# keys and rotates them.
config interface 'wg1'
        option proto 'wireguard'
        option listen_port '64646'
        option private_key ''
        list addresses '192.168.9.1/24'

# allowed_ips is the server's OWN LAN subnet. On a server this means packets
# for 192.168.2.0/24 are sent into the tunnel (route_allowed_ips '1') and only
# tunnel packets sourced from LAN addresses are accepted — the reverse of what
# is wanted. A later reply: the peer's allowed_ips should be its tunnel
# address as a /32 (e.g. 192.168.9.2/32).
config wireguard_wg1
        option description 'OpenWRT-Acer-Eliott'
        option public_key '='
        option preshared_key ''
        option route_allowed_ips '1'
        list allowed_ips '192.168.2.0/24'

# Static route for the LAN via wg1 with the router's own LAN address
# (192.168.2.254) as gateway; 192.168.2.0/24 is already directly connected
# on br-lan. A later reply says to remove it.
config route
        option interface 'wg1'
        option target '192.168.2.0/24'
        option gateway '192.168.2.254'

remove the route, it's unnecessary:

If this is a 'server' configuration, the peer should be in the same subnet but as a /32 (such as 192.168.9.2/32)

I hope these keys are partially redacted or otherwise obscured.

Please post your complete network config file (with keys redacted)

Hi,

I forgot to obscure the keys. Can we set a file path instead of a key? It would be easier to avoid that mistake.

I just renewed all keys.

If I understand correctly, all interfaces are able to communicate by default because of the routing rules. Only the firewall can allow or block that.

E.g.: a computer on 192.168.1.50 on interface 1 can ping a computer on interface 2 at 192.168.2.30 if both interfaces are in the same firewall zone.

So for WG server/client we only have to connect the client to the server, and by default all equipment can communicate because my LAN is in the same firewall zone as wg1?


# /etc/config/network after key rotation; keys reduced to '=' placeholders.
config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config globals 'globals'
        option ula_prefix 'fda2:74cf:9d87::/48'

# LAN 192.168.2.0/24, router at .254.
config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.2.254'
        option device 'br-lan'

# WAN on the ISP router's LAN; .88.88 must forward UDP 64646 to .88.250.
config interface 'wan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.88.250'
        option gateway '192.168.88.88'
        option device 'eth0.2'
        list dns '192.168.88.88'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 5t'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

# Tunnel now on its own subnet, 192.168.9.0/24, router at .1 — no longer
# overlapping the LAN.
config interface 'wg1'
        option proto 'wireguard'
        option listen_port '64646'
        option private_key '='
        list addresses '192.168.9.1/24'

# Peer limited to its single tunnel address, as recommended. Note allowed_ips
# is written as `option` here whereas the other listings use `list`; a later
# reply judged this config fine, so presumably both forms are accepted —
# verify with `wg show` that the allowed IP appears.
config wireguard_wg1
        option description 'OpenWRT-Acer-Eliott'
        option public_key '='
        option preshared_key '='
        option allowed_ips '192.168.9.2/32'
        option route_allowed_ips '1'

I think I made a mistake while saving my network config and now my router is down. I have to wait until Thursday to have physical access and hard-reset the configuration. I'll let you know next week.

This config looks fine. The next steps:

  • review the /etc/config/firewall file
  • verify that the upstream device (192.168.88.88) has udp port 64646 forwarded to 192.168.88.250
  • confirm that the upstream router (.88.88) has a public IPv4 address on its wan.
  • review the client side wireguard configuration

Hi,

yes, 192.168.88.xx is my ISP router, which forwards from public IP:64646 to router IP 192.168.88.250:64646 on UDP.

Finally I configured WireGuard on my second TP-Link router.

The main issue for me was that the firewall and interfaces are not correctly set after applying in LuCI.

After system reboot everything is set and work as expected.

Now I have:

LAN1 (ports 1&2 via VLAN) can reach LAN2, the WG interface and OpenWrt.
LAN2 (ports 2&3 via VLAN) has access to nothing.
WG can reach LAN2 and OpenWrt, but has no internet.

But to have working routing between interfaces I need the MSS clamping and masquerading options activated. I saw this on another OpenWrt post.

Is that normal?

I don't care about the private keys because this config is on my test router; the WireGuard is not routed to the Internet:

ISP ROUTER<>LAN ---1---> WAN<>OPENWRT<>LAN ---2---> WG, LAN1, LAN2

My computer is connected to 1 (via Wi-Fi) to test WireGuard.

Final config NETWORK:

# /etc/config/network of the second (test) router. It uses the pre-21.02
# `ifname` / `type bridge` syntax, consistent with the older r15569 build
# shown later in the thread.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd37:7f2e:5de3::/48'

# WAN is a DHCP client on the ISP router's LAN.
config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 4 3'
        option vid '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '2'
        option ports '0t 2 1'

# No ifname bound here; presumably attached from the wireless config — verify.
config interface 'wwan'
        option proto 'dhcp'

# LAN1 192.168.2.0/24 (VLAN 1), LAN2 192.168.3.0/24 (VLAN 2).
config interface 'LAN1'
        option proto 'static'
        option type 'bridge'
        option ifname 'eth1.1'
        option ipaddr '192.168.2.254'
        option netmask '255.255.255.0'

config interface 'LAN2'
        option proto 'static'
        option type 'bridge'
        option ifname 'eth1.2'
        option ipaddr '192.168.3.254'
        option netmask '255.255.255.0'

# NOTE(review): private_key and preshared_key below are posted unredacted.
# A published private key or PSK is compromised regardless of whether the
# tunnel is reachable from the Internet (the poster says it is not);
# regenerate both (`wg genkey`, `wg genpsk`) and update the peer before this
# config is reused anywhere. The public_key is fine to show.
config interface 'vpn'
        option proto 'wireguard'
        option private_key 'qPzK/eDn+XsU5i/sRcA+f9UStTQSU2InChqgI9Li0Xs='
        option listen_port '51820'
        list addresses '192.168.9.1/24'

# Single peer at its /32 tunnel address, inside the interface's own /24, so
# no extra route is needed for it. route_allowed_ips is not set here; a
# later reply explains adding the remote LANs to allowed_ips with
# route_allowed_ips enabled to get symmetric routing without masquerade.
config wireguard_vpn 'wgclient'
        option public_key 'pzo4894P4XPZLH7ON+VKuZD94hSB1C+KDaSVwjxgCGg='
        option preshared_key 'L6re2wV5YP/CWKHdn4QnFC62E6X/0aKE+jbyB0QJ0+Q='
        list allowed_ips '192.168.9.2/32'

FIREWALL:

# /etc/config/firewall of the second (test) router.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# LAN1 zone. masq '1' on an internal zone rewrites the source address of
# everything forwarded into LAN1 (tunnel clients appear as 192.168.2.254).
# A later reply explains masquerade is only a workaround for missing
# symmetric routing and can be dropped once allowed_ips/routes are right.
config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option name 'LAN1'
        option network 'LAN1'
        option masq '1'

# Standard wan zone covering both the wired and wireless uplinks.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wwan'

config forwarding
        option dest 'wan'
        option src 'LAN1'

# Stock OpenWrt default rules from here to Support-UDP-Traceroute.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# IPsec pass-through into LAN1; unused in this setup and can be disabled.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option proto 'esp'
        option target 'ACCEPT'
        option dest 'LAN1'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option dest 'LAN1'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

# LAN2 zone: input and output both DROP. output DROP also blocks traffic the
# router itself originates toward LAN2 (e.g. DHCP offers or DNS answers if it
# serves that network) — NOTE(review): confirm that is intended.
config zone
        option forward 'REJECT'
        option name 'LAN2'
        option network 'LAN2'
        option masq '1'
        option input 'DROP'
        option output 'DROP'

config forwarding
        option dest 'LAN2'
        option src 'LAN1'

# WireGuard zone for the 'vpn' interface, also masquerading. Only
# WIREGUARD<->LAN1 forwarding exists below — no WIREGUARD->wan — which
# matches the poster's observation that tunnel clients have no internet.
config zone
        option name 'WIREGUARD'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option network 'vpn'
        option mtu_fix '1'

config forwarding
        option src 'WIREGUARD'
        option dest 'LAN1'

# Accepts the WireGuard handshake on wan; 51820 matches listen_port on 'vpn'.
config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

config forwarding
        option src 'LAN1'
        option dest 'WIREGUARD'

For it to work without masquerade, you need to set up symmetric routing. A prerequisite for that is that all of the LANs (at both sites) must have IP subnets that don't conflict with the LANs at the other site, as well as the upstream and the tunnel itself.

Then configure the other site's LANs as allowed_ips on each wireguard peer, and enable route_allowed_ips. This will set up routing table entries that go to the other site via the wireguard interface. Place the wireguard interface into the lan zone on both sites, at least initially where you trust everything in all lans and want to allow forwarding in any direction. Later, after you've confirmed the routing works, you can write more restrictive firewall rules if you want.

What firmware is running on this device? And what specific model is it?

ubus call system board

Hi,

happy new year all.

@psherman

root@OpenWrt:~# ubus call system board
{
"kernel": "5.4.91",
"hostname": "OpenWrt",
"system": "Qualcomm Atheros QCA9558 ver 1 rev 0",
"model": "TP-Link TL-WR1043ND v2",
"board_name": "tplink,tl-wr1043nd-v2",
"release": {
"distribution": "OpenWrt",
"version": "SFE",
"revision": "r15569-2d8422842c",
"target": "ath79/generic",
"description": "OpenWrt SFE r15569-2d8422842c"
}
}

@mk24

Adding routes was my first test; I switched to masquerading because it wasn't working with the route.

I tested again today:

With maskerading: computer on 192.168.9.1 (VPN) can ping 192.168.2.50 (LAN1)

For me that means the firewall is correctly set.
My WireGuard client and server allowed IPs are correctly configured.

If I disable maskerading, I can't ping 192.168.2.50.

If I set my route and reboot the router, I can't ping. I also can't see my route in the status page:

Is my route correctly configured? I tried with the "on link" option set to "yes".

Config:

root@OpenWrt:~# cat /etc/config/network

# /etc/config/network, final test-router version: LAN2 removed and all four
# switch ports placed on VLAN 1.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd37:7f2e:5de3::/48'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 4 3 2 1'

# No ifname bound here; presumably attached from the wireless config — verify.
config interface 'wwan'
        option proto 'dhcp'

# LAN1 192.168.2.0/24, router at .254.
config interface 'LAN1'
        option proto 'static'
        option type 'bridge'
        option ifname 'eth1.1'
        option ipaddr '192.168.2.254'
        option netmask '255.255.255.0'

# NOTE(review): the same private_key and preshared_key already posted
# earlier in the thread appear here unredacted. Treat both as compromised and
# regenerate them (`wg genkey`, `wg genpsk`) before this router is exposed
# anywhere; only the public_key is safe to share.
config interface 'vpn'
        option proto 'wireguard'
        option private_key 'qPzK/eDn+XsU5i/sRcA+f9UStTQSU2InChqgI9Li0Xs='
        option listen_port '51820'
        list addresses '192.168.9.1/24'

# Single peer at 192.168.9.2/32; no route_allowed_ips, so nothing beyond the
# tunnel subnet is routed through the peer.
config wireguard_vpn 'wgclient'
        option public_key 'pzo4894P4XPZLH7ON+VKuZD94hSB1C+KDaSVwjxgCGg='
        option preshared_key 'L6re2wV5YP/CWKHdn4QnFC62E6X/0aKE+jbyB0QJ0+Q='
        list allowed_ips '192.168.9.2/32'
root@OpenWrt:~# cat /etc/config/firewall

# /etc/config/firewall, final test-router version (masquerade removed from
# the internal zones).
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# LAN1 zone now rejects input AND output. output REJECT also applies to
# traffic the router itself originates toward LAN1 (new connections, not
# replies to established flows) — NOTE(review): confirm LAN1 hosts still get
# DHCP/DNS from this router after this change.
config zone
        option forward 'REJECT'
        option name 'LAN1'
        option network 'LAN1'
        option input 'REJECT'
        option output 'REJECT'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wwan'
        option input 'REJECT'

# Stock OpenWrt default rules from here to Support-UDP-Traceroute.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# IPsec pass-through into LAN1; unused in this setup and can be disabled.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option proto 'esp'
        option target 'ACCEPT'
        option dest 'LAN1'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option dest 'LAN1'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

# WIREGUARD zone without masquerade. The poster reports LAN1 hosts are only
# reachable with masq on; with this zone and the WIREGUARD->LAN1 forwarding
# below, replies from a LAN1 host reach the tunnel only if that host routes
# 192.168.9.0/24 via 192.168.2.254 — NOTE(review): if LAN1 hosts use another
# default gateway, that explains the symptom; verify the hosts' gateway.
config zone
        option name 'WIREGUARD'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option network 'vpn'
        option mtu_fix '1'

# Accepts the WireGuard handshake on wan; 51820 matches listen_port on 'vpn'.
config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

config forwarding
        option src 'WIREGUARD'
        option dest 'LAN1'

# There is no LAN1->wan forwarding section in this listing, so this rule is
# what gives the single host 192.168.2.50 internet access; other LAN1 hosts
# get none.
config rule
        option name 'Allo internet on IP 50'
        list proto 'all'
        option src 'LAN1'
        list src_ip '192.168.2.50'
        option dest 'wan'
        option target 'ACCEPT'

# NOTE(review): dest_ip 192.168.9.1 is the router's OWN 'vpn' address (see
# the network config above), so this DNAT publishes the router's tcp/80 —
# typically the LuCI web UI — on the wan side at port 23456. If that is not
# intended, remove it; if it is, restrict it with src_ip and prefer reaching
# the UI over the tunnel instead of exposing it on wan.
config redirect
        option target 'DNAT'
        option name 'HTTP WEB'
        list proto 'tcp'
        option src 'wan'
        option src_dport '23456'
        option dest 'WIREGUARD'
        option dest_ip '192.168.9.1'
        option dest_port '80'

Thank you.