I installed all the necessary Wireguard packages: wireguard-tools, kmod-wireguard, and luci-proto-wireguard. I then configured the Wireguard interface with a listen port of 51820 and IPv4 address 10.0.0.1. I added all the different peers (using a configuration that had previously worked on a Debian server), feeding it my home’s public IP address, port, and the Wireguard server’s public key—just your standard Wireguard setup.
Next, I added the firewall rules, and you can find a screenshot of them below. Basically, I enabled forwarding from the Wireguard interface to both the WAN and the internal LAN. After that, I set up port forwarding to 10.0.0.1 on external port 51820 to allow traffic from outside the local network.
Everything seemed to be in place. In fact, the first time I installed Wireguard, it worked perfectly. But after I had to reboot the router, the HANDSHAKE still works (which is quite puzzling!), but neither the local network nor the internet is reachable. Additionally, the connected device isn’t even pingable (though I’m aware Android might block pings as a firewall rule, I’m not entirely sure about that).
I found some references online to the NTP server, but the time is perfectly synchronized, and as they suggest, I don’t enable Wireguard at boot but only after synchronization with the NTP server. Yet, even after restarting the interface, the server still doesn’t work. What am I missing?
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
With your current "list allowed_ips" you are only allowing traffic from router to router, and not the networks behind. You have to add your networks there.
From my understanding, list allowed_ips means the IP the public key is allowed to connect from, not the network it can access. By the way, I already tried to put 0.0.0.0/0, 10.0.0.0/24 and 192.168.1.0/24, but none of these rules works.
The one peer that had this rule was the one I was trying to connect from, because I tried even that.
Probably it was after this change that I got it working. Thank you very much. But I still don't get the difference between port forwarding and traffic rules and when I should use one or the other. The other service is working perfectly with port forwarding, for example.
Traffic rules are used where the packets are already addressed to the correct final host but would otherwise be blocked by the firewall. So they are used when devices on the LAN side have public addresses (either IPv4 or IPv6) or when the traffic is destined for the router.
Port forwards are used when NAT is involved and the destination (and port, if necessary) needs to be rewritten to get the traffic to the correct device.
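To put the two cases from the previous two paragraphs side by side, here is an added example (mine, not from this thread or the OpenWrt project) that emits the UCI commands for each: WireGuard terminating on the router itself, where the packet is already addressed to the router and a traffic rule accepting UDP on the listen port is all the firewall needs, versus a WireGuard server on a host behind the router, where a redirect (port forward) has to rewrite the destination. The interface name wg0, port 51820 and the LAN host address passed as an argument are assumptions; the commands are printed rather than executed so they can be reviewed offline before being pasted into an OpenWrt shell.

```shell
#!/bin/sh
# Added example: prints UCI firewall commands for two WireGuard placements.
# Assumed values; adjust to the router's own interface name and listen port.
WG_IFACE=wg0
WG_PORT=51820

# Case 1: WireGuard runs on the router itself (this thread's setup).
# Inbound handshake packets are destined for the router's own WAN address,
# so an INPUT traffic rule is the right tool; no port forward is involved.
# The wg zone then gets explicit forwardings to lan and wan (wan's masq
# handles NAT for internet traffic from the tunnel clients).
wg_on_router_cmds() {
    cat <<EOF
uci add firewall rule
uci set firewall.@rule[-1].name='Allow-WireGuard-Inbound'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].dest_port='$WG_PORT'
uci set firewall.@rule[-1].target='ACCEPT'
uci add firewall zone
uci set firewall.@zone[-1].name='wg'
uci set firewall.@zone[-1].network='$WG_IFACE'
uci set firewall.@zone[-1].input='ACCEPT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='wg'
uci set firewall.@forwarding[-1].dest='lan'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='wg'
uci set firewall.@forwarding[-1].dest='wan'
uci commit firewall
EOF
}

# Case 2: the WireGuard server is a LAN host (e.g. the Debian box mentioned
# earlier in the thread). The packet arrives addressed to the router's WAN
# address, so it must be DNATed to the host: this is a port forward.
# $1 is the assumed LAN address of that host.
wg_behind_router_cmds() {
    cat <<EOF
uci add firewall redirect
uci set firewall.@redirect[-1].name='Forward-WireGuard-To-LAN-Host'
uci set firewall.@redirect[-1].src='wan'
uci set firewall.@redirect[-1].src_dport='$WG_PORT'
uci set firewall.@redirect[-1].proto='udp'
uci set firewall.@redirect[-1].dest='lan'
uci set firewall.@redirect[-1].dest_ip='$1'
uci set firewall.@redirect[-1].dest_port='$WG_PORT'
uci set firewall.@redirect[-1].target='DNAT'
uci commit firewall
EOF
}

echo "# WireGuard on the router:"; wg_on_router_cmds
echo "# WireGuard on a LAN host (assumed 192.168.1.50):"; wg_behind_router_cmds 192.168.1.50
```

Run it on any machine to see both command sets; on the router, pipe the relevant function's output into `sh` only after checking that the zone and interface names match what `uci show network` and `uci show firewall` report.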
So why can I reach my networks from my clients if each client has only one IP assigned in the allowed_ips section?
For example, I can connect from 10.0.0.5/32 to all of the 10.0.0.0/24 and 192.168.1.0/24 subnets.
The allowed_ips relates more to the IP address at the remote of the tunnel. It sets the permitted source address of packets that are allowed out of the tunnel at the local end, as well as the destination address of packets allowed into the tunnel at the local end.
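To make that description of allowed_ips concrete, here is an added example (mine, not from this thread or from WireGuard) that models cryptokey routing over a small peer table: a decrypted packet is let out of the tunnel only if its source address lies inside the sending peer's allowed_ips, and an outbound packet is handed to the peer with the longest allowed_ips prefix that contains its destination, or to no peer at all. The tables are constructed for illustration: a router with a phone peer (10.0.0.5/32, as in the question) and a laptop peer, plus two versions of the phone's own configuration for its router peer; 192.168.50.0/24 behind the laptop and 10.0.0.6 are assumed addresses.

```shell
#!/bin/sh
# Added example: a model of WireGuard cryptokey routing, not WireGuard's own code.
# A peer table is one peer per line: "<name> <allowed_ips, comma separated>".

# ip4_to_int 10.0.0.5 -> 167772165
ip4_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR -> status 0 when IP lies inside CIDR (e.g. 10.0.0.5 in 10.0.0.0/24)
in_cidr() {
    bits=${2#*/}
    [ "$bits" -eq 0 ] && return 0          # 0.0.0.0/0 matches everything
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "${2%/*}") & mask )) ]
}

# peer_cidrs TABLE PEER -> that peer's allowed_ips, space separated
peer_cidrs() {
    printf '%s\n' "$1" | while read -r name cidrs; do
        if [ "$name" = "$2" ]; then printf '%s\n' "$cidrs" | tr ',' ' '; fi
    done
}

# accept_from TABLE PEER SRC -> status 0 when a decrypted packet from PEER with
# source SRC is allowed out of the tunnel at this end; otherwise it is dropped.
accept_from() {
    for cidr in $(peer_cidrs "$1" "$2"); do
        if in_cidr "$3" "$cidr"; then return 0; fi
    done
    return 1
}

# select_peer TABLE DST -> name of the peer whose allowed_ips has the longest
# prefix containing DST, or "none" when no peer claims it (not sent into the tunnel)
select_peer() {
    dst=$2
    printf '%s\n' "$1" | {
        best=none; best_len=-1
        while read -r name cidrs; do
            for cidr in $(printf '%s' "$cidrs" | tr ',' ' '); do
                if in_cidr "$dst" "$cidr" && [ "${cidr#*/}" -gt "$best_len" ]; then
                    best=$name; best_len=${cidr#*/}
                fi
            done
        done
        echo "$best"
    }
}

# Constructed tables. Router side: the phone only needs its own /32 here, because
# the router forwards accepted packets to the LAN by its normal routing table.
ROUTER_PEERS="phone 10.0.0.5/32
laptop 10.0.0.6/32,192.168.50.0/24"
# Phone side: what the phone lists for its router peer decides which
# destinations the phone sends into the tunnel at all.
PHONE_NARROW="router 10.0.0.1/32"
PHONE_WIDE="router 10.0.0.0/24,192.168.1.0/24"

demo() {
    if accept_from "$ROUTER_PEERS" phone 10.0.0.5; then r=accepted; else r=dropped; fi
    echo "router: packet from phone with src 10.0.0.5 -> $r, then routed to the LAN normally"
    if accept_from "$ROUTER_PEERS" phone 10.0.0.6; then r=accepted; else r=dropped; fi
    echo "router: packet from phone with src 10.0.0.6 -> $r (that address belongs to laptop)"
    echo "router: reply to 10.0.0.5 -> peer $(select_peer "$ROUTER_PEERS" 10.0.0.5)"
    echo "router: packet to 192.168.50.7 -> peer $(select_peer "$ROUTER_PEERS" 192.168.50.7)"
    echo "phone with only 10.0.0.1/32: packet to 192.168.1.10 -> peer $(select_peer "$PHONE_NARROW" 192.168.1.10)"
    echo "phone with LAN subnets added: packet to 192.168.1.10 -> peer $(select_peer "$PHONE_WIDE" 192.168.1.10)"
}
demo
```

The demo shows both halves of the answer: the router accepts the phone's packets because their source 10.0.0.5 is inside the phone peer's allowed_ips, and the replies go back into the tunnel because 10.0.0.5/32 is the longest match for that destination; the networks behind the router have to appear in the phone's own allowed_ips for its router peer, otherwise a packet for 192.168.1.10 never enters the tunnel.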