WireGuard behind ISP router

Hello, I have been reading as much as possible, but I can't find a good explanation on how to solve my issue.

Here is a diagram of my actual home network:

and here is what I am looking to do:

I installed WireGuard and followed the instructions in this document:

https://openwrt.org/docs/guide-user/services/vpn/wireguard/client

After configuring my phone I don't see any traffic coming to the VPN interface.

Here is my Firewall configuration:

root@Main_RT:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone 'lan'
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone 'wan'
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        list network 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

Here is my Network configuration:

root@Main_RT:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'Edited'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config device
        option name 'lan1'
        option macaddr 'Edited'

config device
        option name 'lan2'
        option macaddr 'Edited'

config device
        option name 'lan3'
        option macaddr 'Edited'

config device
        option name 'lan4'
        option macaddr 'Edited'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'wan'
        option macaddr 'Edited'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'vpn'
        option proto 'wireguard'
        option private_key 'Edited'
        list addresses '192.168.9.2/24'
        list addresses 'fd00:9::2/64'

config wireguard_vpn 'wgserver'
        option public_key 'Edited'
        option preshared_key 'Edited'
        option endpoint_host 'SERVER_ADDRESS'
        option endpoint_port 'Edited'
        option persistent_keepalive '25'
        option route_allowed_ips '1'
        list allowed_ips '192.168.9.3/24'

config wireguard_vpn
        option public_key 'Edited'
        option private_key 'Edited'
        option route_allowed_ips '1'
        option description 'phone'
        list allowed_ips '192.168.9.4/32'

I think the VPN interface is not up....

Please any help will be really appreciated.

Put your CPE in passthrough/dmz/fullcone mode.

Sorry for my ignorance, how do I do that, or do you mean to put my ISP router in gateway mode?

I can't put my ISP router in gateway mode for now.

Thanks

How do I guess ways to open a public port on your blinded router?
Call their paid support since you are protecting it.

  1. Do you actually need the isp router?
  2. Is the WAN IP address in the ISP router a public address or private address?

If you don’t have access to a public wan ip address to begin with this will be very hard to accomplish.


If the WAN IP address starts with either:
192.
172.
10.
the problem will really start to grow.
The first two still have some very very small hope on the second byte, but you generally don’t want to see these three numbers if you dream about your own public wan IP address.

My WAN IP is 10.0.0.x

???

This indicates that you are behind NAT. Chances are that this is the ISP router itself, but we need to verify more info:

  1. What kind of internet service (physical) do you have -- cable, DSL, cellular, fiber, or just an ethernet jack in your home coming from some other system upstream?
  2. Is the ISP router required? This will certainly be the case if it is a media converter/modem.
  3. Can the ISP router be put into bridge mode? This would make the ISP router just a modem device and would pass the IP address from the ISP directly to the wan of your OpenWrt router.
  4. If the answer to 3 is no, does the ISP router have the ability to see the IP address from the ISP (i.e. the wan of the ISP router) and does the ISP router have port forwarding capabilities exposed to the user? (bonus -- while you're looking, does the ISP router support static routes)

There are some issues with the config you shared, but the above information is critical before trying to fix the other issues.

Port forwarding Yes

This will be necessary, but we still need to verify that you have a public IP on your ISP router (assuming you're leaving it in routing mode). Can you find the WAN IP address in the status of the ISP router? What are the first two octets (in bold: aaa.bbb.ccc.ddd)?

Could it be 69.136?

Yes, that could be... that is a public IP. How did you find it? Was it in a status page of your ISP router, or was it from some other method?

I don't think it is, because it is on the remote management. I do have it disabled.

I'm not sure I understand what you mean by "on the remote management" and that you have it disabled. Can you elaborate?

There is an option in the ISP router to enable remote management, and in there it is showing the address I will need to use to connect to the router remotely.

Oh... ok. I am going to guess that the address is valid and correct even if the remote management is disabled (and I'd recommend you keep that turned off).

There are several things that need to be done...

First, in the network config, I see WG being used for what appears to be an outbound connection as well as one listening for inbound. Can you clarify if this is connecting to another endpoint, listening, or both?

Not that I know of. As I mentioned, I followed the instructions in the document at the top.

I have two peers.

You may have been following the wrong guide.

Let me ask it another way...
Based on your diagram, it appears that the purpose of your WG setup is to allow remote access to your network when out of your home?

Can you confirm that this is the use case you have in mind?

You are exactly right.

Ok.... good. So there are a number of changes to make.

First, we'll edit the main WG interface stanza to add a listen port. We'll remove the IPv6 and change the main address to 192.168.9.1.

config interface 'vpn'
        option proto 'wireguard'
        option private_key 'Edited'
        list addresses '192.168.9.1/24'
        option listen_port '51820'

Next, we'll delete the unnecessary peer config:

Next, we need to adjust the firewall:

Remove the vpn network from the wan firewall zone:

Then add it to the lan zone:

config zone 'lan'
        option name 'lan'
        list network 'lan'
        list network 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

Next, we need to add an inbound rule to allow the traffic on the wan.

config rule
        option name 'Allow-wg'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

Once that is complete, reboot your router. Then, show us the updated results of:

cat /etc/config/network
cat /etc/config/firewall
wg show

And finally, we need to look at your remote peer config (i.e. your phone). Post a screen shot of the config page from the phone's WG app.
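As an added example (not code from this thread or from OpenWrt), the script below parses text in the UCI format of /etc/config/network and /etc/config/firewall and checks the points this answer walks through: a listen_port on the WireGuard interface, peers that are plain inbound peers (no private_key, no endpoint_host, a single-host allowed_ips), the vpn network in the lan zone rather than the wan zone, and a wan input rule accepting UDP on the listen port. The embedded sample configs are constructed to mirror the thread's starting config and the suggested end state; 'Edited' stands in for the real keys, and the parser, function names and finding texts are this example's own.

```python
"""Added example (not thread or OpenWrt code): parse UCI text from /etc/config/network
and /etc/config/firewall and apply the checks the thread walks through."""
import ipaddress
import re

def parse_uci(text):
    """Minimal UCI parser -> [{type, name, options: {k: v}, lists: {k: [v, ...]}}, ...]."""
    sections, cur = [], None
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) != 2:
            continue  # blank line, or a bare keyword with no value
        kw, rest = parts
        if kw == "config":
            m = re.match(r"(\S+)(?:\s+'([^']*)')?", rest)
            cur = {"type": m.group(1), "name": m.group(2), "options": {}, "lists": {}}
            sections.append(cur)
        elif kw in ("option", "list") and cur is not None:
            m = re.match(r"(\S+)\s+'([^']*)'", rest)
            if kw == "option":
                cur["options"][m.group(1)] = m.group(2)
            else:
                cur["lists"].setdefault(m.group(1), []).append(m.group(2))
    return sections

def check_wg_remote_access(network_txt, firewall_txt, iface="vpn"):
    """Return findings; an empty list means the config matches the thread's target state."""
    net, fw = parse_uci(network_txt), parse_uci(firewall_txt)
    wg = next((s for s in net if s["type"] == "interface" and s["name"] == iface), {"options": {}})
    findings, port = [], wg["options"].get("listen_port")
    if not port:
        findings.append("no listen_port: the interface cannot accept inbound peers")
    for p in (s for s in net if s["type"] == f"wireguard_{iface}"):
        label = p["options"].get("description") or p["name"] or "unnamed"
        if "private_key" in p["options"]:
            findings.append(f"peer {label}: private_key does not belong in a peer section")
        if "endpoint_host" in p["options"]:
            findings.append(f"peer {label}: endpoint_host makes this an outbound client peer")
        for cidr in p["lists"].get("allowed_ips", []):
            if ipaddress.ip_network(cidr, strict=False).num_addresses != 1:
                findings.append(f"peer {label}: allowed_ips {cidr} is not a single host")
    zones = {s["options"].get("name"): s for s in fw if s["type"] == "zone"}
    wan, lan = zones.get("wan"), zones.get("lan")
    if wan and iface in wan["lists"].get("network", []):
        findings.append(f"'{iface}' is in the wan zone: peers are treated as Internet traffic")
    if not lan or iface not in lan["lists"].get("network", []):
        findings.append(f"'{iface}' is not in the lan zone: peers cannot reach the LAN")
    if port and not any(s["type"] == "rule" and s["options"].get("src") == "wan"
                        and s["options"].get("proto") == "udp" and s["options"].get("dest_port") == port
                        and s["options"].get("target") == "ACCEPT" and "dest" not in s["options"] for s in fw):
        findings.append(f"no wan input rule accepting udp/{port}")
    return findings

# Constructed samples mirroring the thread's starting config ('Edited' = placeholder).
BEFORE_NETWORK = """config interface 'vpn'
        option proto 'wireguard'
        option private_key 'Edited'
        list addresses '192.168.9.2/24'
config wireguard_vpn 'wgserver'
        option public_key 'Edited'
        option endpoint_host 'SERVER_ADDRESS'
        list allowed_ips '192.168.9.3/24'
config wireguard_vpn
        option public_key 'Edited'
        option private_key 'Edited'
        option description 'phone'
        list allowed_ips '192.168.9.4/32'
"""
BEFORE_FIREWALL = """config zone 'lan'
        option name 'lan'
        list network 'lan'
config zone 'wan'
        option name 'wan'
        list network 'wan'
        list network 'vpn'
"""
# The thread's suggested end state: listen port, one peer, vpn in the lan zone, udp/51820 rule.
AFTER_NETWORK = """config interface 'vpn'
        option proto 'wireguard'
        option private_key 'Edited'
        list addresses '192.168.9.1/24'
        option listen_port '51820'
config wireguard_vpn
        option public_key 'Edited'
        option description 'phone'
        list allowed_ips '192.168.9.4/32'
"""
AFTER_FIREWALL = BEFORE_FIREWALL.replace("        list network 'vpn'\n", "").replace(
    "list network 'lan'\n", "list network 'lan'\n        list network 'vpn'\n") + """config rule
        option name 'Allow-wg'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'
"""

if __name__ == "__main__":
    print("before:", check_wg_remote_access(BEFORE_NETWORK, BEFORE_FIREWALL))
    print("after:", check_wg_remote_access(AFTER_NETWORK, AFTER_FIREWALL))
```

Run against the starting config it reports six findings (missing listen_port, the outbound 'wgserver' peer with a /24 in allowed_ips, a private_key inside the phone peer, and the vpn network sitting in the wan zone instead of the lan zone); against the suggested end state it reports none. To check a live router, feed it the output of the two cat commands listed above instead of the embedded samples.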