Unable to use WireGuard Server on GL.iNet GL-MT6000 (Flint 2)

I installed all the necessary Wireguard packages: wireguard-tools, kmod-wireguard, and luci-proto-wireguard. I then configured the Wireguard interface with a listen port of 51820 and IPv4 address 10.0.0.1. I added all the different peers (using a configuration that had previously worked on a Debian server), feeding it my home’s public IP address, port, and the Wireguard server’s public key—just your standard Wireguard setup.

Next, I added the firewall rules, and you can find a screenshot of them below. Basically, I enabled forwarding from the Wireguard interface to both the WAN and the internal LAN. After that, I set up port forwarding to 10.0.0.1 on external port 51820 to allow traffic from outside the local network.

Everything seemed to be in place. In fact, the first time I installed Wireguard, it worked perfectly. But after I had to reboot the router, the HANDSHAKE still works (which is quite puzzling!), but neither the local network nor the internet is reachable. Additionally, the connected device isn’t even pingable (though I’m aware Android might block pings as a firewall rule, I’m not entirely sure about that).

I found some references online to the NTP server, but the time is perfectly synchronized, and as they suggest, I don’t enable Wireguard at boot but only after synchronization with the NTP server. Yet, even after restarting the interface, the server still doesn’t work. What am I missing?

Other screenshots: https://www.swisstransfer.com/d/7fdbf559-087c-4d42-a047-bb57b89f8128

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
1 Like
{
        "kernel": "5.15.162",
        "hostname": "myfqdn.example.com",
        "system": "ARMv8 Processor rev 4",
        "model": "GL.iNet GL-MT6000",
        "board_name": "glinet,gl-mt6000",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.4",
                "revision": "r24012-d8dd03c46f",
                "target": "mediatek/filogic",
                "description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
        }
}
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'

config device
        option name 'lan1'
        option macaddr 'mac'

config device
        option name 'lan2'
        option macaddr 'mac'

config device
        option name 'lan3'
        option macaddr 'mac'

config device
        option name 'lan4'
        option macaddr 'mac'

config device
        option name 'lan5'
        option macaddr 'mac'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ip6assign '60'
        option delegate '0'
        list ipaddr '192.168.1.1/24'
        option ipv6 '0'

config device
        option name 'eth1'
        option macaddr 'mac'

config interface 'wan'
        option device 'eth1.835'
        option proto 'dhcp'
        option vendorid 'askey_HW_ES1_SW_0.00.67/dslforum.org'
        option ipv6 '0'

config interface 'wan6'
        option device 'eth1.835'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option disabled '1'
        option auto '0'

config device
        option type '8021q'
        option ifname 'eth1'
        option vid '835'
        option name 'eth1.835'
        option macaddr 'mac_address'

config interface 'WireGuardHome'
        option proto 'wireguard'
        option private_key 'mypubkey_server'
        option listen_port '51820'
        list addresses '10.0.0.1/32'

config wireguard_WireGuardHome
        option description 'Imported peer configuration'
        option public_key 'mypubkey'
        list allowed_ips '10.0.0.2/32'

config wireguard_WireGuardHome
        option description 'Imported peer configuration'
        option public_key 'mypubkey'
        list allowed_ips '10.0.0.3/32'

config wireguard_WireGuardHome
        option description 'Imported peer configuration'
        option public_key 'mypubkey'
        list allowed_ips '10.0.0.4/32'

config wireguard_WireGuardHome
        option description 'Imported peer configuration'
        option public_key 'mypubkey'
        list allowed_ips '10.0.0.5/32'
        option route_allowed_ips '1'

config wireguard_WireGuardHome
        option description 'Imported peer configuration'
        option public_key 'mypubkey'
        list allowed_ips '10.0.0.6/32'

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi'
        option channel '1'
        option band '2g'
        option htmode 'HE20'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'WiFi'
        option encryption 'psk2'
        option key 'pass'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi+1'
        option channel '36'
        option band '5g'
        option htmode 'HE80'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'WiFi'
        option encryption 'psk2'
        option key 'pass'

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/mydomain.com/'
        option domain 'mydomain.com'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option dns_service '0'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config domain
        option name 'openwrt.mydomain.com'
        option ip '192.168.1.8'

config domain
        option name 'myreverseproxy.mydomain.com'
        option ip '192.168.1.8'

config domain
        option name 'myreverseproxy.mydomain.com'
        option ip '192.168.1.8'

config domain
        option name 'myreverseproxy.mydomain.com'
        option ip '192.168.1.8'

config domain
        option name 'myreverseproxy.mydomain.com'
        option ip '192.168.1.8'

config domain
        option name 'myreverseproxy.mydomain.com'
        option ip '192.168.1.8'

config domain
        option name 'myservice.mydomain.com'
        option ip '192.168.1.5'

config domain
        option name 'myreverseproxy.mydomain.com'
        option ip '192.168.1.8'

config domain
        option name 'myservice.mydomain.com'
        option ip '192.168.1.11'

config domain
        option name 'myreverseproxy.mydomain.com'
        option ip '192.168.1.8'

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'WireGuardH'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'WireGuardHome'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config forwarding
        option src 'WireGuardH'
        option dest 'wan'

config redirect
        option dest 'WireGuardH'
        option target 'DNAT'
        option name 'WireGuardF'
        list proto 'udp'
        option src 'wan'
        option src_dport '51820'
        option dest_ip '10.0.0.1'
        option dest_port '51820'
        option family 'ipv4'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'otherserviceIamhosting'
        option family 'ipv4'
        list proto 'tcp'
        option src 'wan'
        option src_dport 'myport'
        option dest_ip 'my_internal_ip'
        option dest_port 'myport'

config forwarding
        option src 'WireGuardH'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'WireGuardH'

With your current "list allowed_ips" you are only allowing traffic from router to router, and not the networks behind. You have to add your networks there.

1 Like

Change the main WG interface address to a /24 (10.0.0.1/24)

Add option route_allowed_ips '1' to all of the peers (there is only one that currently has this line):

Delete this (in favor of the rule below):

It should look like this, instead:

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port '51820'
	option name 'Allow-WireGuard-Inbound'

Reboot and test again.

If it still doesn't work, let's see one of the remote peer configs as well as the output of wg show after you make a connection attempt.

From my understanding list allow_ips means the IP the public key is allowed to connect from, not the network it can access. By the way I already tried to put 0.0.0.0/0, 10.0.0.0/24 and 192.168.1.0/24, but nothing of these rules works.

I already tried this setting but was not working

The one peer that had this rule was the one I was trying to connect from, because I tried even that

Probably it was after this changed that I got it working. Thank you very much. But I still don't get the difference from port forwarding and traffic rules and when I should use one or another. The other service is working perfectly with port forwarding for example.

No, it means the latter.

Traffic rules are used where the packets are already addressed to the correct final host but would otherwise be blocked by the firewall. So used when devices on the LAN side have public addresses (either ipv4 or IPv6) or when the traffic is destined for the router.

Port forwards are used when NAT is involved and the destination (and port, if necessary) needs to be rewritten to get the traffic to the correct device.

So why I can reach my networks from my clients if each clients have only one IP assigned in the allow_ips section?
for example I can connect from 10.0.0.5/32 to all the 10.0.0.0/24 and 192.168.1.0/24 subnets.

Thank you very much for the explanation!

The allowed_ips relates more to the IP address at the remote of the tunnel. It sets the permitted source address of packets that are allowed out of the tunnel at the local end, as well as the destination address of packets allowed into the tunnel at the local end.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.