Wireguard as a client does not want to work

Hello,
I have a remote WireGuard server and a working .conf file (I tested it on a PC in my LAN). I uploaded it to OpenWrt via the web interface, but there are no TX/RX packets on the WireGuard interface.

Here is the configuration:

root@OpenWrt:~# ubus call system board
{
        "kernel": "6.6.63",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "ASUS TUF-AX4200",
        "board_name": "asus,tuf-ax4200",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.0-rc2",
                "revision": "r28161-ea17e958b9",
                "target": "mediatek/filogic",
                "description": "OpenWrt 24.10.0-rc2 r28161-ea17e958b9",
                "builddate": "1733226068"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd37:2d44:fd0d::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.0.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '1.1.1.1'
        list dns '8.8.8.8'

config interface 'wan'
        option device 'eth1.20'
        option ifname 'eth1.20'
        option _orig_bridge 'false'
        option _orig_ifname 'eth1'
        option proto 'pppoe'
        option username '***'
        option password '****'
        option ipv6 'auto'
        option keepalive '0 1'

config interface 'wan6'
        option device 'eth1'
        option ifname 'eth1.20'
        option _orig_ifname 'eth1'
        option proto 'dhcpv6'
        option _orig_bridge 'false'
        option reqaddress 'try'
        option reqprefix 'auto'

config interface 'conexionapucela'
        option proto 'wireguard'
        option private_key ''
        list addresses '10.154.196.2/24'
        list dns '9.9.9.9'
        list dns '149.112.112.112'

config wireguard_conexionapucela
        option description 'Imported peer configuration'
        option public_key 'Gd+vLeZIJDZB7/YKwUIpyAhXeNi6Z0to+T9kEcW/0xo='
        option preshared_key 'BddgwwsldndzjMayCEbHZLHsDDcq9PQyFeCTPSMKykA='
        list allowed_ips '192.168.1.0/24'
        option endpoint_host '*******'
        option endpoint_port '51820'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'conexionapucela'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

root@OpenWrt:~# wg show
interface: conexionapucela
  public key: (hidden)
  private key: (hidden)
  listening port: 44614

peer: Gd+vLeZIJDZB7/YKwUIpyAhXeNi6Z0to+T9kEcW/0xo=
  preshared key: (hidden)
  endpoint: *********:51820
  allowed ips: 192.168.1.0/24
root@OpenWrt:~#
root@OpenWrt:~#

The best method is for us to look at your configs.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have (WireGuard private and preshared keys count as passwords here):

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
wg show

I added the config as preformatted text.

While not the immediate issue, this looks very odd:

These 4 lines should be removed:

Likewise, in wan6, remove:

And edit:

to be:

        option device 'eth1.20'

Next, you can remove these from the Wireguard interface definition:

Then, on this:

you need to add:

        option route_allowed_ips '1'

But you're not getting a handshake (your `wg show` output has no "latest handshake" or "transfer" lines for the peer), so check that the keys and the endpoint address are correct.

I don't know why, but I changed what you suggested, rebooted, and it worked. Thanks!

PS: I had to enable masquerading on the firewall zone so that LAN PCs could reach the remote LAN.

This is expected if the other side doesn't have static routes pointing back towards your network.

Glad it works now!
