Hi there, I've been trying to get WireGuard to work for some time. Years ago I used OpenVPN without problems. Now I want to use WireGuard, but I think I have a problem understanding some basics of WireGuard.
At home I'm using an OpenWRT router. This should be the server. Next I want my Android phone to be a client, and a second client which is a Win10 notebook with the WireGuard Windows client. In the next step I'm trying to get a site-to-site VPN to work (where every site should have a unique private network ID).
I followed this tutorial to get a first small victory: https://casept.github.io/post/wireguard-server-on-openwrt-router/
Following this, I can get a handshake between my Android client and the server. Unfortunately I can only test with a Windows client that is sitting in the LAN behind the OpenWRT router. It should connect, but the same client config from the Android phone isn't working on the Windows machine.
Here is my server config:
```
config interface 'lan'
	option type 'bridge'
	option igmp_snooping '1'
	option ifname 'eth1.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
[...]
config interface 'wg0'
	option proto 'wireguard'
	option private_key '<private key>'
	option listen_port '1234'
	list addresses '10.14.0.0/16'
	list addresses 'eeee:1234:8790::/60'

config wireguard_wg0
	option public_key '<public key of client 1>'
	option persistent_keepalive '25'
	option description 'Android'
	option route_allowed_ips '1'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'

#config wireguard_wg0
#	option public_key '<public key of client 2>'
#	option persistent_keepalive '25'
#	option description 'BZ'
#	option route_allowed_ips '1'
#	list allowed_ips '0.0.0.0/0'
#	list allowed_ips '::/0'
```
I commented out the section for the 2nd client; both clients at the same time won't work. I think it's because under `list allowed_ips` there should not be 0.0.0.0/0, and instead there should be the VPN IP of the client (the same as configured in the client config below `[Interface]`). But when I try it I can't even get a handshake. When I try to use both peer configs in the server at the same time, one of the peers has 'none' as allowed IP. So I'm really thinking the tutorial in the link above isn't correct.
In /etc/config/firewall I added the following:
```
config rule
	option src '*'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '1234'
	option name 'Allow-Wireguard-Inbound'
```
The wg0 interface is in the same firewall zone as my LAN. The DynDNS lookup is also working.
Android config:
```
[Interface]
PrivateKey = <private key of the 1st client>
Address = 10.14.0.3/32, eeee:1234:8790::/64
DNS = 192.168.1.1

[Peer]
PublicKey = <public key of the server>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <dyndns-name>:1234
```
Windows client config:
```
[Interface]
PrivateKey = <private key of the 2nd client>
Address = 10.14.0.4/32, eeee:1234:8791::/64
DNS = 192.168.1.1

[Peer]
PublicKey = <public key of the server>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <dyndns-name>:1234
```
With the wrong configs above I can get my Android phone to work, but not the Windows client. And I know that the configs are wrong because I've been searching and reading the forums for quite some time now:
[SOLVED] Problems setting up wireguard <-- tried without success, removed the routing option in the server config and changed the allowed IPs to 10.14.0.3/32 and 10.14.0.4/32 in the server.
Wireguard OpenWrt <-> OpenWrt tunnel for travel router - #5 by psherman <-- this describes exactly my problem
I'm running out of ideas about what I can try; maybe some of you have the perfect idea.
PS: If the Windows client sits in a private LAN with the same network ID as my LAN (192.168.1.0/24), is there a way it could work without changing the whole subnet?
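As an added example (not part of the original post), a small Python checker for the server-side problem the post describes: WireGuard's cryptokey routing binds each `allowed_ips` prefix to exactly one peer, so two peers both listing 0.0.0.0/0 and ::/0 collide and the later one ends up with no allowed IPs. The UCI text and the peer keys are constructed placeholders; the /32 and /128 tunnel addresses in the fixed variant are assumed values matching the client `Address` lines above.

```python
import ipaddress
# Constructed sample (placeholder keys): the post's two peer sections with the 2nd uncommented.
BROKEN_UCI = """
config wireguard_wg0
	option public_key 'PEER1_PUBKEY_PLACEHOLDER'
	option description 'Android'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
config wireguard_wg0
	option public_key 'PEER2_PUBKEY_PLACEHOLDER'
	option description 'BZ'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
"""
# The same peers with allowed_ips narrowed to each client's own (assumed) tunnel address.
FIXED_UCI = (BROKEN_UCI.replace("'0.0.0.0/0'", "'10.14.0.3/32'", 1)
             .replace("'0.0.0.0/0'", "'10.14.0.4/32'")
             .replace("'::/0'", "'eeee:1234:8790::3/128'", 1)
             .replace("'::/0'", "'eeee:1234:8791::4/128'"))

def parse_peers(text):
    """Return [(description, [ip_network, ...])] for every wireguard_wg0 section."""
    peers, cur = [], None
    for raw in text.splitlines():
        parts = raw.strip().replace("'", "").split()
        if not parts or parts[0].startswith("#"):  # blank or commented-out line
            continue
        if parts[0] == "config":  # a new section; only peer sections are tracked
            cur = {"desc": "?", "nets": []} if parts[1] == "wireguard_wg0" else None
            if cur is not None:
                peers.append(cur)
        elif cur is not None and parts[:2] == ["option", "description"]:
            cur["desc"] = " ".join(parts[2:])
        elif cur is not None and parts[:2] == ["list", "allowed_ips"]:
            cur["nets"].append(ipaddress.ip_network(parts[2], strict=False))
    return [(p["desc"], p["nets"]) for p in peers]

def check_allowed_ips(peers):
    """Cryptokey routing binds each prefix to one peer: overlaps mean a peer silently loses it."""
    problems = []
    for i, (da, na) in enumerate(peers):
        for net in na:
            if net.prefixlen == 0:  # catch-all belongs in a client config, not on a server peer
                problems.append(f"{da}: {net} is a catch-all; use the peer's tunnel /32 or /128")
        for db, nb in peers[i + 1:]:
            for x in na:
                for y in nb:
                    if x.version == y.version and x.overlaps(y):
                        problems.append(f"{da} and {db} overlap: {x} vs {y}")
    return problems
```

Running `check_allowed_ips(parse_peers(BROKEN_UCI))` reports the catch-all and overlap conflicts for both peers, while the narrowed `FIXED_UCI` reports none.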