What do you recommend for creating a secure VPN server to be used with OpenWRT, and are you aware of any configuration guidelines?
Wireguard is great. Easy to configure, secure, and performant.
https://openwrt.org/docs/guide-user/services/vpn/wireguard/basics
Thank you for the suggestion! Any others? I will say I have some experience with OpenVPN.
+1 for wireguard. OpenVPN is pretty antiquated.
OpenVPN configs:
- OpenVPN Server & Client: https://openwrt.org/docs/guide-user/services/vpn/openvpn/start
- OpenVPN Site-to-Site: https://www.i-programmer.info/projects/27-networking/14745-setting-up-site-to-site-openvpn-.html
ocserv
openconnect
So I took the advice to set up WireGuard, but man oh man am I struggling. I just don't know what I'm doing wrong. I basically am failing the handshake initiation.
Any suggestions for where I would get some support for Wireguard?
Let's take a look to see what's going on:
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
wg show
ifstatus wan | grep address
For the last command (ifstatus wan), please only post the first two octets (in bold: aaa.bbb.ccc.ddd)
root@OpenWrt:/# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd20:49f0:d732::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.123.254'
option netmask '255.255.255.0'
option ip6assign '60'
list dns '9.9.9.9'
list dns '149.112.112.112'
config interface 'wan'
option device 'lan0'
option proto 'dhcp'
config interface 'wan6'
option device 'lan0'
option proto 'dhcpv6'
config interface 'wg0'
option proto 'wireguard'
option private_key '4BMf***************************'
option listen_port '8081'
list dns '9.9.9.9'
list addresses '10.0.0.1/24'
config wireguard_wg0
option description 'Client1'
option public_key 'sCDrB7Q***************************'
list allowed_ips '10.0.0.2/32'
option route_allowed_ips '1'
option persistent_keepalive '25'
config wireguard_wg0
option description 'PC_Client2'
option public_key '+vZ4aEBmdRQCmNz***************************'
option private_key 'aE/9***************************'
list allowed_ips '10.0.0.3/32'
option route_allowed_ips '1'
option persistent_keepalive '25'
root@OpenWrt:/# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'wg0'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option name 'Internal'
list network 'lan'
config forwarding
option dest 'lan'
config forwarding
option src 'lan'
config forwarding
option src 'Internal'
option dest 'lan'
config forwarding
option src 'lan'
option dest 'Internal'
config rule
option src 'wan'
option target 'ACCEPT'
option proto 'udp'
option name 'Allow-Wireguard-Inbound'
option src_port '8081'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'VPN'
list proto 'udp'
option src 'wan'
option src_dport '8081'
option dest_ip '192.168.123.254'
option dest_port '8081'
option family 'ipv4'
root@OpenWrt:/# wg show
interface: wg0
public key: AnOKOVJE***************************
private key: (hidden)
listening port: 8081
peer: sCDrB7Q***************************
allowed ips: 10.0.0.2/32
persistent keepalive: every 25 seconds
peer: +vZ4aEBmdRQCmNz***************************
allowed ips: 10.0.0.3/32
persistent keepalive: every 25 seconds
root@OpenWrt:/# ifstatus wan | grep address
"addresses",
"ipv4-address": [
"address": "100.102.*.*",
"ipv6-address": [
"ipv4-address": [
"ipv6-address": [
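Before looking at reachability, the posted network and firewall configs can be cross-checked mechanically. The script below is an added example, not code from this thread or from the OpenWrt project: it parses UCI syntax and verifies that the WireGuard interface is assigned to a firewall zone, that a wan-side UDP rule accepts packets whose destination port equals the interface's listen_port (the posted Allow-Wireguard-Inbound rule matches src_port instead, which only catches packets sent from port 8081, not to it), and that no wireguard_wg0 peer section carries a private_key, since a client's private key has no business on the server. The two config strings embedded in it are constructed excerpts of the configs posted above, with the keys replaced by placeholders.

```python
import re
from collections import defaultdict

# Minimal parser for OpenWrt UCI files: "config <type> ['name']", then
# "option <key> '<value>'" and "list <key> '<value>'" lines.
SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'?([^']*)'?)?\s*$")
ENTRY_RE = re.compile(r"^(option|list)\s+(\S+)\s+'([^']*)'\s*$")


def parse_uci(text):
    """Return a list of sections: {'type', 'name', 'options', 'lists'}."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            sections.append({"type": m.group(1), "name": m.group(2) or "",
                             "options": {}, "lists": defaultdict(list)})
            continue
        m = ENTRY_RE.match(line)
        if m and sections:
            kind, key, value = m.groups()
            if kind == "option":
                sections[-1]["options"][key] = value
            else:
                sections[-1]["lists"][key].append(value)
    return sections


def check_wireguard(network_text, firewall_text):
    """Static cross-check of WireGuard interface settings against the firewall.

    Returns a list of findings; an empty list means the checks passed. It says
    nothing about whether the WAN address is reachable from the Internet.
    """
    net, fw = parse_uci(network_text), parse_uci(firewall_text)
    findings = []
    wg_ifaces = [s for s in net if s["type"] == "interface"
                 and s["options"].get("proto") == "wireguard"]
    if not wg_ifaces:
        return ["no interface with proto 'wireguard' in /etc/config/network"]
    for iface in wg_ifaces:
        name, port = iface["name"], iface["options"].get("listen_port")
        # 1. The interface must sit in a zone, otherwise the default REJECT applies.
        if not any(z["type"] == "zone" and name in z["lists"].get("network", []) for z in fw):
            findings.append(f"{name}: not assigned to any firewall zone")
        # 2. Handshakes arrive on WAN with *destination* port == listen_port.
        udp_wan_rules = [r for r in fw if r["type"] == "rule"
                         and r["options"].get("src") == "wan"
                         and r["options"].get("proto") == "udp"
                         and r["options"].get("target") == "ACCEPT"]
        if not any(r["options"].get("dest_port") == port for r in udp_wan_rules):
            findings.append(f"{name}: no 'src wan' udp rule with dest_port {port}")
            for r in udp_wan_rules:
                if r["options"].get("src_port") == port:
                    findings.append(f"{name}: rule '{r['options'].get('name')}' matches "
                                    f"src_port {port}; use dest_port instead")
        # 3. Peer sections hold the peer's public key only; a private_key there
        #    means a client secret was copied onto the server.
        for peer in net:
            if peer["type"] == f"wireguard_{name}" and "private_key" in peer["options"]:
                findings.append(f"{name}: peer '{peer['options'].get('description')}' "
                                f"carries a private_key; remove it from the server")
    return findings


# Constructed excerpts modelled on the configs posted in this thread (placeholder keys).
NETWORK_SAMPLE = """
config interface 'wg0'
    option proto 'wireguard'
    option private_key 'SERVER_PRIVATE_KEY_PLACEHOLDER'
    option listen_port '8081'
    list addresses '10.0.0.1/24'

config wireguard_wg0
    option description 'Client1'
    option public_key 'CLIENT1_PUBLIC_KEY_PLACEHOLDER'
    list allowed_ips '10.0.0.2/32'

config wireguard_wg0
    option description 'PC_Client2'
    option public_key 'CLIENT2_PUBLIC_KEY_PLACEHOLDER'
    option private_key 'CLIENT2_PRIVATE_KEY_PLACEHOLDER'
    list allowed_ips '10.0.0.3/32'
"""

FIREWALL_SAMPLE = """
config zone
    option name 'lan'
    list network 'lan'
    list network 'wg0'

config zone
    option name 'wan'
    list network 'wan'

config rule
    option src 'wan'
    option target 'ACCEPT'
    option proto 'udp'
    option name 'Allow-Wireguard-Inbound'
    option src_port '8081'
"""

if __name__ == "__main__":
    for finding in check_wireguard(NETWORK_SAMPLE, FIREWALL_SAMPLE) or ["no findings"]:
        print(finding)
```

On a router the same checks can be run against the real files by reading /etc/config/network and /etc/config/firewall instead of the embedded samples; the parser only understands the plain option/list syntax shown in the thread, not UCI's multi-line quoting.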
You are behind CG-NAT. This means that your OpenWrt wan does not have an actual public IP address. You can see this by Googling "what's my IP" and comparing that against the IP address you see above.
As a result, you will not be able to connect from the outside using Wireguard without additional complications.
You may instead want to look at:
- Asking your ISP for a public IP (they may or may not be able to help with that and they may charge).
- IPv6 assuming you have a proper dual stack
- Tailscale or ZeroTier, which can handle this NAT/CG-NAT obstacle. (Sorry for leading you down a potential dead end with WG.)
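The CG-NAT diagnosis above can be reduced to a check anyone can run before spending time on WireGuard settings. The script below is an added example, not something from this thread or from OpenWrt: it reads the JSON that `ifstatus wan` prints, classifies each IPv4 address as RFC 6598 shared address space (CG-NAT), RFC 1918 private or public, compares it with the address a "what's my IP" service reports, and checks whether the WAN holds an IPv6 global unicast address that could carry the tunnel instead. The sample input is constructed: 100.102.0.1 stands in for the redacted 100.102.*.* from the post, and 203.0.113.7 is an RFC 5737 documentation address.

```python
import ipaddress
import json

# Ranges that are never routed on the public Internet. A WAN address inside one
# of them means a device upstream is translating traffic, so inbound WireGuard
# handshakes from outside never reach this router's listen_port.
CGNAT_V4 = ipaddress.ip_network("100.64.0.0/10")    # RFC 6598 shared address space
PRIVATE_V4 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GLOBAL_UNICAST_V6 = ipaddress.ip_network("2000::/3")  # the only globally routed IPv6 range


def classify_v4(addr):
    """Return 'cgnat', 'private' or 'public' for one IPv4 address string."""
    ip = ipaddress.IPv4Address(addr)
    if ip in CGNAT_V4:
        return "cgnat"
    if any(ip in net for net in PRIVATE_V4):
        return "private"
    return "public"


def parse_ifstatus(ifstatus_json):
    """Extract the IPv4 and IPv6 address strings from `ifstatus wan` JSON output.

    Assumed shape (matches what ifstatus prints): "ipv4-address" and
    "ipv6-address" are lists of objects with an "address" field.
    """
    status = json.loads(ifstatus_json)
    v4 = [e["address"] for e in status.get("ipv4-address", [])]
    v6 = [e["address"] for e in status.get("ipv6-address", [])]
    return v4, v6


def diagnose(ifstatus_json, externally_seen_ip):
    """Decide whether an inbound VPN can work on this WAN.

    externally_seen_ip is what a 'what is my IP' service reports. If it matches
    none of the WAN addresses, something upstream is doing NAT, regardless of
    which range the WAN address falls in.
    """
    v4, v6 = parse_ifstatus(ifstatus_json)
    v4_classes = {a: classify_v4(a) for a in v4}
    upstream_nat = externally_seen_ip not in v4
    has_global_v6 = any(ipaddress.IPv6Address(a) in GLOBAL_UNICAST_V6 for a in v6)
    return {
        "ipv4": v4_classes,
        "upstream_nat": upstream_nat,
        "inbound_ipv4_possible": any(c == "public" for c in v4_classes.values()) and not upstream_nat,
        "inbound_ipv6_possible": has_global_v6,
    }


# Constructed sample: the post only showed 100.102.*.*, and the wan6 interface
# had no address listed, as in the output above.
SAMPLE_IFSTATUS = json.dumps({
    "ipv4-address": [{"address": "100.102.0.1", "mask": 22}],
    "ipv6-address": [],
})
SAMPLE_EXTERNAL_IP = "203.0.113.7"  # constructed, RFC 5737 documentation range

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_IFSTATUS, SAMPLE_EXTERNAL_IP).items():
        print(f"{key}: {value}")
```

On a live router, pipe `ifstatus wan` into the script and pass the externally observed address as the second argument to diagnose(); an `inbound_ipv4_possible` of False with `upstream_nat` True is exactly the situation described in the reply above, and `inbound_ipv6_possible` True is the dual-stack case where the tunnel endpoint can be the router's IPv6 address.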
You know, when I obtained this data I noticed that it was different from what I see as my public IP. It is not your fault I have this complication. I would have this issue with any VPN choice.