WireGuard Android client/peer doesn't get internet from router connected to ISP through Wifi

Hello all

The OpenWrt router is connecting to the internet through the ISP router with Wifi with this setup.

It seems the phone's WireGuard connects to the OpenWrt router, as in there are a few packets logged, but it doesn't have internet whatsoever, which is the problem.

root@OpenWrt:~# wg show
interface: wg011
  public key: yewRI0hkIqlIMdv+A6Xr1hEYPrNPzL53P4kTEGFEglo=
  private key: (hidden)
  listening port: 1234

peer: nEifTJcEEiKbJWMlMgtWLAMJq1yQaoxL8o8DmTWAt0c=
  endpoint: 192.168.1.91:36899
  allowed ips: 10.0.1.8/32
  latest handshake: 3 minutes, 5 seconds ago
  transfer: 1.63 KiB received, 2.43 KiB sent

root@OpenWrt:~# cat /etc/config/network 

config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

config globals 'globals'
	option ula_prefix 'fd8d:4a38:64fc::/48'

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.14.1'
	option device 'br-lan'

config interface 'wan'
	option proto 'dhcp'
	option device 'eth1'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '9.9.9.9'

config interface 'wan6'
	option proto 'dhcpv6'
	option device 'eth1'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '9.9.9.9'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0'

config interface 'wwan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '8.8.8.8'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'wg011'
	option proto 'wireguard'
	option private_key '...='
	option listen_port '1234'
	list addresses '10.1.0.4/24'

config wireguard_wg011
	option description 'last2'
	option public_key 'nEifTJcEEiKbJWMlMgtWLAMJq1yQaoxL8o8DmTWAt0c='
	option private_key '...='
	list allowed_ips '10.0.1.8/32'

What can be done?

You need route_allowed_ips='1' on the peer. Otherwise there won't be a route to the peer since the peer's IP address (10.0.1.8/32) isn't within the subnet assigned to the WireGuard interface (10.1.0.4/24).


As @mikma stated, you need to enable the route allowed IPs. But this is true even if your peer is on the same subnet... which... it is recommended that your peer be on the same subnet as the main interface. So change your peer accordingly (10.0.1.8/32).

Let's also see your firewall file and the output of:

wg show

Finally please post your remote peer config (i.e. your phone's config).

There are more packets flowing now but still no internet at Android client.

The difference in subnet was a mistake.
Here is the info again:

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

config globals 'globals'
	option ula_prefix 'fd8d:4a38:64fc::/48'

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.14.1'
	option device 'br-lan'

config interface 'wan'
	option proto 'dhcp'
	option device 'eth1'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '9.9.9.9'

config interface 'wan6'
	option proto 'dhcpv6'
	option device 'eth1'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '9.9.9.9'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0'

config interface 'wwan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '8.8.8.8'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'wg011'
	option proto 'wireguard'
	option private_key '...='
	option listen_port '1234'
	list addresses '10.0.1.4/24'

config wireguard_wg011
	option description 'tlm02'
	option public_key 'Umi8LksSvWkfj/eDNjXJ3d3Wr2c3gJgYQzG+rQo39jQ='
	option private_key '...='
	list allowed_ips '10.1.0.5/32'

config wireguard_wg011
	option description 'last2'
	option public_key 'nEifTJcEEiKbJWMlMgtWLAMJq1yQaoxL8o8DmTWAt0c='
	option private_key '...='
	list allowed_ips '10.0.1.8/32'
	option route_allowed_ips '1'

The firewall is a little messed up from the trying I've done.

root@OpenWrt:~# cat /etc/config/firewall 

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'
	list network 'wg011'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config redirect
	option target 'DNAT'
	option name 'Wireguard2'
	option src 'wan'
	option dest_ip '192.168.14.1'
	option src_dport '1234'
	option dest 'lan'
	option dest_port '1234'
	list proto 'tcp'
	list proto 'udp'

config zone
	option name 'vpnwg0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'vpnwg0'
	option dest 'wan'

config forwarding
	option src 'wan'
	option dest 'vpnwg0'

config zone
	option name 'teste1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'teste1'
	option dest 'wan'

config forwarding
	option src 'wan'
	option dest 'teste1'

root@OpenWrt:~# wg show
interface: wg011
  public key: yewRI0hkIqlIMdv+A6Xr1hEYPrNPzL53P4kTEGFEglo=
  private key: (hidden)
  listening port: 1234

peer: nEifTJcEEiKbJWMlMgtWLAMJq1yQaoxL8o8DmTWAt0c=
  endpoint: 192.168.1.91:48605
  allowed ips: 10.0.1.8/32
  latest handshake: 1 minute, 19 seconds ago
  transfer: 23.12 KiB received, 20.47 KiB sent

[Screenshot: Android WireGuard client config]

Remove the wg011 network from the wan zone.

And then add wg011 to the lan zone.

Remove all of this:

Add a rule for accepting wireguard like this:

config rule
        option name 'Allow-Wireguard-Inbound'
        list proto 'udp'
        option target 'ACCEPT'
        option src 'wan'
        option dest_port '1234'

You still have a typo in one of the other peers... you probably want this to be 10.0.1.5/32

Restart your router and test again.


Thanks a lot! It is working flawlessly.

That peer was not being used for testing right now, that's why I left it unchanged.

May I ask why a Traffic Rule instead of Port Forwarding? The tutorials for OpenWrt/WireGuard on the internet seem to go for Port Forwarding.

If the listening host is a device behind the router, you use port forwarding (which, as it sounds, forwards a port from the wan to a host on the lan). When the listening host is actually the router itself, it is a traffic rule which simply allows the router to respond to a connection from the wan.

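As an added example (not code from this thread, from OpenWrt, or from the WireGuard project), the Python script below turns the three pieces of advice given in this thread into checks over a UCI network/firewall pair: mikma's point that a peer allowed IP outside the interface subnet needs route_allowed_ips='1', the zone fix (wg011 out of the wan zone and into lan, plus the Allow-Wireguard-Inbound traffic rule), and the closing point that a port forward aimed at the router's own address is the wrong tool for a service the router itself hosts. The hand-written UCI parser, the function names and the condensed sample configs are assumptions of this example; the sample values are copied from the configs posted above.

```python
# Added example, not OpenWrt's own tooling: a small UCI parser plus four checks that encode
# the advice in this thread, applied to constructed, condensed copies of the configs above.
import ipaddress
import shlex

def parse_uci(text):
    """Parse UCI text into [{'type', 'name', 'options': {k: v}, 'lists': {k: [v, ...]}}]."""
    sections, cur = [], None
    for raw in text.splitlines():
        w = shlex.split(raw, comments=True)  # copes with the single-quoted values
        if w and w[0] == 'config':
            cur = {'type': w[1], 'name': w[2] if len(w) > 2 else None, 'options': {}, 'lists': {}}
            sections.append(cur)
        elif w and w[0] == 'option' and cur is not None:
            cur['options'][w[1]] = w[2] if len(w) > 2 else ''
        elif w and w[0] == 'list' and cur is not None:
            cur['lists'].setdefault(w[1], []).append(w[2] if len(w) > 2 else '')
    return sections

def lint_wireguard(network_text, firewall_text, wg_iface, wan_zone='wan'):
    """Return a list of findings for WireGuard interface wg_iface; [] means clean."""
    net, fw = parse_uci(network_text), parse_uci(firewall_text)
    iface = next((s for s in net if s['type'] == 'interface' and s['name'] == wg_iface), None)
    if iface is None or iface['options'].get('proto') != 'wireguard':
        return [f"no WireGuard interface named {wg_iface}"]
    subnets = [ipaddress.ip_interface(a).network for a in iface['lists'].get('addresses', [])]
    port = iface['options'].get('listen_port')
    router_ips = {s['options']['ipaddr'] for s in net if s['options'].get('ipaddr')}
    findings = []
    # 1. mikma's point: an allowed IP outside the interface subnet has no route unless route_allowed_ips='1'
    for peer in (s for s in net if s['type'] == 'wireguard_' + wg_iface):
        label = peer['options'].get('description') or peer['options'].get('public_key', '?')
        routed = peer['options'].get('route_allowed_ips') == '1'
        for cidr in peer['lists'].get('allowed_ips', []):
            n = ipaddress.ip_network(cidr, strict=False)
            if not any(n.version == s.version and n.subnet_of(s) for s in subnets):
                findings.append(f"peer {label}: {cidr} is outside {subnets}"
                                + ('' if routed else " and route_allowed_ips is unset: no route"))
    # 2. in the wan zone that zone's own forward policy (REJECT) governs peers; elsewhere a forwarding to wan is needed
    zone = next((z for z in fw if z['type'] == 'zone' and wg_iface in z['lists'].get('network', [])), None)
    zname = zone['options'].get('name') if zone else None
    if zone is None:
        findings.append(f"{wg_iface} belongs to no firewall zone")
    elif zname == wan_zone and zone['options'].get('forward') != 'ACCEPT':
        findings.append(f"{wg_iface} is in zone '{zname}' (forward={zone['options'].get('forward')}):"
                        " peers get no internet; move it to the lan zone")
    elif zname != wan_zone and not any(f['type'] == 'forwarding' and f['options'].get('src') == zname
                                       and f['options'].get('dest') == wan_zone for f in fw):
        findings.append(f"no forwarding from zone '{zname}' to '{wan_zone}': peers get no internet")
    # 3./4. the router itself listens: open the port with a traffic rule, not a redirect to the router's own IP
    def opens_port(r):
        o, protos = r['options'], r['lists'].get('proto', []) + [r['options'].get('proto')]
        return (r['type'] == 'rule' and o.get('src') == wan_zone and 'dest' not in o
                and o.get('dest_port') == port and o.get('target') == 'ACCEPT' and 'udp' in protos)
    if not any(opens_port(r) for r in fw):
        findings.append(f"no traffic rule accepting udp/{port} from '{wan_zone}' on the router")
    for r in (s for s in fw if s['type'] == 'redirect'):
        if r['options'].get('src_dport') == port and r['options'].get('dest_ip') in router_ips:
            findings.append(f"redirect '{r['options'].get('name')}' forwards udp/{port} to "
                            f"{r['options']['dest_ip']}, the router itself: use a traffic rule")
    return findings

# Constructed, condensed copies of the configs posted above (same values, fewer keys).
NETWORK_BEFORE = """
config interface 'lan'
option ipaddr '192.168.14.1'
config interface 'wg011'
option proto 'wireguard'
option listen_port '1234'
list addresses '10.0.1.4/24'
config wireguard_wg011
option description 'tlm02'
list allowed_ips '10.1.0.5/32'
config wireguard_wg011
option description 'last2'
list allowed_ips '10.0.1.8/32'
option route_allowed_ips '1'
"""
FIREWALL_BEFORE = """
config zone
option name 'lan'
config zone
option name 'wan'
option forward 'REJECT'
list network 'wg011'
config forwarding
option src 'lan'
option dest 'wan'
config redirect
option name 'Wireguard2'
option src 'wan'
option src_dport '1234'
option dest_ip '192.168.14.1'
"""
# The same pair after the thread's fix: typo corrected, wg011 moved from wan to lan, redirect replaced by a rule.
RULE = "config rule\noption name 'Allow-Wireguard-Inbound'\nlist proto 'udp'\n" \
       "option target 'ACCEPT'\noption src 'wan'\noption dest_port '1234'\n"
NETWORK_AFTER = NETWORK_BEFORE.replace("10.1.0.5/32", "10.0.1.5/32")
FIREWALL_AFTER = (FIREWALL_BEFORE.split("config redirect")[0].replace("list network 'wg011'\n", "")
                  .replace("option name 'lan'\n", "option name 'lan'\nlist network 'wg011'\n") + RULE)
```

Run against the posted "before" pair, lint_wireguard reports four findings in order: the 10.1.0.5/32 peer with no route, wg011 sitting in the wan zone, no accept rule for udp/1234, and the Wireguard2 redirect pointing at 192.168.14.1 (the router's own lan address). Against the corrected pair it returns an empty list. The upstream zone is identified by name (wan_zone='wan', matching the firewall above); pass a different name if your upstream zone is called something else.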
