Wireguard client is connected but I can't browse the internet

Hi,

I'm using OpenWrt 18.06.2 and I want to use this router as a WireGuard client; I have a WireGuard server on my VPS that is set up correctly. I followed this tutorial to set up my router as a WireGuard client. It can connect to my server, but I can't browse the web; the Chrome browser says DNS_PROBE_FINISHED_NO_INTERNET.

Please also note that I have an interface named "HiLink" for my Huawei E3372 4G modem and I'm using nextdns.io for my DNS server (/etc/config/dhcp). Here are my config files:

(UPDATED)
Wireguard Client Config File:

[Interface]
PrivateKey = 2EQhES6x06J1H3LA7atYKwZ/s5vi7uyGX7jlOeVLImQ=
Address = 10.88.0.13/16
DNS = 8.8.8.8

[Peer]
PublicKey = zdQBd+tRYBUvPMmOCGFFbfNMlPD9ttBqEU9ahHlrSgM=
PresharedKey = 4vzCXXKpynxI1jMx2lemmUbn5PfcFT3a5CBdJj1RToc=
AllowedIPs = 0.0.0.0/0
Endpoint = wg-sg3.myip.id:443
PersistentKeepalive = 25

Network config:

root@OpenWrt:~# cat /etc/config/network 

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd09:a84e:7aba::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0'
        option proto 'dhcpv6'

config interface 'HiLink'
        option proto 'dhcp'
        option ifname 'eth2'

config wireguard_WireGuard
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option public_key 'zdQBd+tRYBUvPMmOCGFFbfNMlPD9ttBqEU9ahHlrSgM='
        list allowed_ips '0.0.0.0/0'
        option endpoint_host 'wg-sg3.myip.id'
        option endpoint_port '443'

config interface 'WireGuard'
        option proto 'wireguard'
        option private_key '2EQhES6x06J1H3LA7atYKwZ/s5vi7uyGX7jlOeVLImQ='
        list addresses '10.88.0.13/32'

Firewall Config:


config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6 HiLink WireGuard'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'


DHCP config:

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option noresolv '1'
        list server '45.90.28.33'
        list server '45.90.30.33'
        list server '8.8.8.8'
        list server '8.8.4.4'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

How do I solve this ?

Make this /32; and BTW, you didn't assign an IP from the IPv6 network - use /128 for that.

It can't be the same IP on both ends. That will never work in normal circumstances, let alone while using WireGuard's cryptokey routing.

Try .2 and .1 respectively for both ends of the tunnel.

Thank you for the reply. Since there's a problem on my VPS server, I've now switched to another WireGuard config file on another server; it now looks like this:
Wireguard_client.conf:

[Interface]
PrivateKey = [MY PRIVATE KEY]
Address = 10.88.0.13/16
DNS = 8.8.8.8

[Peer]
PublicKey = zdQBd+tRYBUvPMmOCGFFbfNMlPD9ttBqEU9ahHlrSgM=
PresharedKey = 4vzCXXKpynxI1jMx2lemmUbn5PfcFT3a5CBdJj1RToc=
AllowedIPs = 0.0.0.0/0
Endpoint = wg-sg3.myip.id:443
PersistentKeepalive = 25

When WireGuard is connected I always get DNS_PROBE_FINISHED_NO_INTERNET in my Chrome browser; how do I fix it?

To be clear, which end is your VPN server?

My server now is wg-sg3.myip.id:443

I don't use the configuration on my first post anymore

:man_facepalming: ...Then, need to see your whole new config.

Then the Address should be 10.88.0.13/32.

I have updated my first post with the new config file, please take a look

You said the original post is now updated with the current configuration... As has been stated earlier by at least one or two other people, this is wrong. It must be /32.

Pro-tip: don't update the original post to reflect progressive changes... it confuses both current and future readers of this thread. The best option is to provide the update in-line in the thread so that everyone can see the changes and understand the most current status and/or fixes.


You must be referring to the WireGuard config file; on my OpenWrt router I have used '10.88.0.13/32':

config interface 'WireGuard'
        option proto 'wireguard'
        option private_key '2EQhES6x06J1H3LA7atYKwZ/s5vi7uyGX7jlOeVLImQ='
        list addresses '10.88.0.13/32'

He's referring to what he quoted. Simply hit the dropdown to see what's quoted.

Is this your server????

If so, that is wrong.

See...this is why you shouldn't edit Post No 1's configs.

I'm so confused...

Can you please (if you seek my assistance) - make a simple post:

  • Explain where the OpenWrt is involved
  • Post configs for all devices involved
  • Explain which device you desire to be the server

On the server side you are using the address 10.88.0.1/16 and, for the peer, 10.88.0.13/32.
On the OpenWrt side you should use 10.88.0.13/16.

Fix that and post the following from OpenWrt:

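# Collect the OpenWrt network/wireless/dhcp/firewall state for the thread.
# `uci export` prints every option verbatim, including the WireGuard
# private_key, any preshared_key and the Wi-Fi `option key`; mask those
# before the output leaves the box so they never end up in a public post.
{ uci export network; uci export wireless; uci export dhcp; uci export firewall; } \
  | sed -e "s/\(option private_key\) '.*'/\1 '<REDACTED>'/" \
        -e "s/\(option preshared_key\) '.*'/\1 '<REDACTED>'/" \
        -e "s/\(option key\) '.*'/\1 '<REDACTED>'/"
# Custom rules file and the live ruleset (with packet/byte counters).
head -n -0 /etc/firewall.user
iptables-save -c
# IPv4 addresses, every routing table and the policy-routing rules.
ip -4 addr
ip -4 ro li tab all
ip -4 ru
# Where resolv.conf points and what it contains (DNS is the reported symptom).
ls -l /etc/resolv.* /tmp/resolv.*
head -n -0 /etc/resolv.* /tmp/resolv.*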

Remember to redact passwords, MAC addresses and any public IP addresses you may have

Here's the output:

package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd09:a84e:7aba::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth0'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth0'
	option proto 'dhcpv6'

config interface 'HiLink'
	option proto 'dhcp'
	option ifname 'eth2'

config wireguard_WireGuard
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option public_key 'zdQBd+tRYBUvPMmOCGFFbfNMlPD9ttBqEU9ahHlrSgM='
	list allowed_ips '0.0.0.0/0'
	option endpoint_host 'wg-sg3.myip.id'
	option endpoint_port '443'

config interface 'WireGuard'
	option proto 'wireguard'
	option private_key '2EQhES6x06J1H3LA7atYKwZ/s5vi7uyGX7jlOeVLImQ='
	list addresses '10.88.0.13/16'

package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'platform/ar933x_wmac'
	option htmode 'HT20'
	option disabled '0'
	option country 'US'
	option legacy_rates '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'root'
	option encryption 'psk2'
	option key 'password'

package dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option noresolv '1'
	list server '45.90.28.33'
	list server '45.90.30.33'
	list server '8.8.8.8'
	list server '8.8.4.4'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6 HiLink WireGuard'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# Generated by iptables-save v1.6.2 on Wed May 13 09:48:58 2020
*nat
:PREROUTING ACCEPT [91:17920]
:INPUT ACCEPT [36:2397]
:OUTPUT ACCEPT [180:11876]
:POSTROUTING ACCEPT [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[91:17920] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[52:4264] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i eth0 -m comment --comment "!fw3" -j zone_wan_prerouting
[39:13656] -A PREROUTING -i eth2 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i WireGuard -m comment --comment "!fw3" -j zone_wan_prerouting
[224:14863] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o eth0 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o eth2 -m comment --comment "!fw3" -j zone_wan_postrouting
[224:14863] -A POSTROUTING -o WireGuard -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[52:4264] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[224:14863] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[224:14863] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[39:13656] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Wed May 13 09:48:58 2020
# Generated by iptables-save v1.6.2 on Wed May 13 09:48:58 2020
*mangle
:PREROUTING ACCEPT [366:66965]
:INPUT ACCEPT [214:23982]
:FORWARD ACCEPT [140:36306]
:OUTPUT ACCEPT [403:57615]
:POSTROUTING ACCEPT [508:92437]
[0:0] -A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -o eth2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[6:360] -A FORWARD -o WireGuard -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Wed May 13 09:48:58 2020
# Generated by iptables-save v1.6.2 on Wed May 13 09:48:58 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[0:0] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[214:23982] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[115:10642] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[2:120] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[49:3251] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i eth0 -m comment --comment "!fw3" -j zone_wan_input
[50:10089] -A INPUT -i eth2 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i WireGuard -m comment --comment "!fw3" -j zone_wan_input
[140:36306] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[40:4657] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[100:31649] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i eth2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i WireGuard -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[403:57615] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[153:41698] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o eth2 -m comment --comment "!fw3" -j zone_wan_output
[250:15917] -A OUTPUT -o WireGuard -m comment --comment "!fw3" -j zone_wan_output
[50:10089] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[2:120] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[100:31649] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[100:31649] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[49:3251] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[49:3251] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[0:0] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[0:0] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[49:3251] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o eth2 -m comment --comment "!fw3" -j ACCEPT
[35:1484] -A zone_wan_dest_ACCEPT -o WireGuard -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[315:46082] -A zone_wan_dest_ACCEPT -o WireGuard -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o eth2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_dest_REJECT -o WireGuard -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[50:10089] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[50:10089] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[250:15917] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[250:15917] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i eth0 -m comment --comment "!fw3" -j reject
[50:10089] -A zone_wan_src_REJECT -i eth2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_src_REJECT -i WireGuard -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Wed May 13 09:48:58 2020
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
8: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.168.8.100/24 brd 192.168.8.255 scope global eth2
       valid_lft forever preferred_lft forever
9: WireGuard: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1
    inet 10.88.0.13/16 brd 10.88.255.255 scope global WireGuard
       valid_lft forever preferred_lft forever
default dev WireGuard proto static scope link 
10.88.0.0/16 dev WireGuard proto kernel scope link src 10.88.0.13 
81.90.188.36 via 192.168.8.1 dev eth2 proto static 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
192.168.8.0/24 dev eth2 proto kernel scope link src 192.168.8.100 
broadcast 10.88.0.0 dev WireGuard table local proto kernel scope link src 10.88.0.13 
local 10.88.0.13 dev WireGuard table local proto kernel scope host src 10.88.0.13 
broadcast 10.88.255.255 dev WireGuard table local proto kernel scope link src 10.88.0.13 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1 
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1 
broadcast 192.168.8.0 dev eth2 table local proto kernel scope link src 192.168.8.100 
local 192.168.8.100 dev eth2 table local proto kernel scope host src 192.168.8.100 
broadcast 192.168.8.255 dev eth2 table local proto kernel scope link src 192.168.8.100 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
lrwxrwxrwx    1 root     root            16 Apr 11  2019 /etc/resolv.conf -> /tmp/resolv.conf
lrwxrwxrwx    1 root     root            21 May 12 04:56 /tmp/resolv.conf -> /tmp/resolv.conf.auto
-rw-r--r--    1 root     root            65 May 13 05:27 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
# Interface HiLink
nameserver 192.168.8.1
nameserver 192.168.8.1

==> /tmp/resolv.conf <==
# Interface HiLink
nameserver 192.168.8.1
nameserver 192.168.8.1

==> /tmp/resolv.conf.auto <==
# Interface HiLink
nameserver 192.168.8.1
nameserver 192.168.8.1

And here's the screenshot after WireGuard is connected:

Have you tested it with clients such as WireGuard or TunSafe?! Is it working flawlessly?! If the answer is yes and everything is OK, then you made a mistake while configuring your server via OpenWrt.


leave DNS Forwarding empty

uncheck Ignore resolve file


Then, in wan, uncheck "Use DNS servers advertised by peer" and set your desired DNS servers; save and reboot your router, then test again.
Everything should work correctly.

You do realize you failed to explain again, correct?

So now we have an OpenWrt config... and we don't know the server config.

:man_facepalming:

Nonetheless... if your Post #1 is up to date, then the [PEER] config is wrong. You need to use the Public Key of the OpenWrt.

  • Private key configured in your OpenWrt: 2EQhES6x06J1H3LA7atYKwZ/s5vi7uyGX7jlOeVLImQ=
  • Peer Public Key at server: grvqfXzTyxP1OFAxVxHfDTUeV3EB39QtuY5VufIZel4= :point_left:

Next:

You have a preshared key configured for the OpenWrt on the server; but you did not add it to the OpenWrt's interface config.

  • Add to Openwrt
config wireguard_WireGuard
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option public_key '<NEW_PUBLIC_KEY_FOR_SERVER>'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host 'wg-sg3.myip.id'
	option endpoint_port '443'
	option preshared_key '4vzCXXKpynxI1jMx2lemmUbn5PfcFT3a5CBdJj1RToc='

:warning:

  • You also need to make a new keypair for the server-side...apply its public key in the spot noted above - you used the same Private Key for both ends of the connection.

Also fix all addressing issues already noted above.

Server:

  • List address: xxx.xxx.xxx.xxa/16 (BTW, a /16 is way too large for 2 IPs)
  • Allowed IPs on [PEER]: xxx.xxx.xxx.xxb/32

OpenWrt:

  • List address: xxx.xxx.xxx.xxb/32
  • Allowed IPs on peer (from server): 0.0.0.0/0 (or use 0.0.0.0/1 and 128.0.0.0/1 together instead)

It's fixed: after upgrading to 19.07.2, WireGuard is working fine. Thanks for all the help.
