Wireguard Client with LuCI

Installing and Using OpenWrt
1

I set up Wireguard on a TP-Link WR902AC V3, OpenWRT 23.05.5, using the 2nd half of these instructions. (I was looking for LuCI-oriented instructions vs command-line instructions.) I also have a conf file from my server (not Surfshark).

It looks like everything is in place correctly, but... The router's connecting to the wifi, but it's not connecting to the VPN server.

  1. Did 'Update Lists', and installed wireguard-tools, kmod-wireguard, and luci-proto-wireguard:

01_SoftwareInstall
01_SoftwareInstall980×531 68.4 KB

  1. Rebooted router.

  2. Using the 'Import configuration' option at the bottom to load the VPN server's .conf file, I added a new 'wireguard0' interface, specifying it in the Firewall Settings tab:

02_Interface-1
02_Interface-1642×725 61.8 KB

02_Interface-2
02_Interface-2903×947 126 KB

02_Interface-3
02_Interface-3900×225 37 KB

02_Interface-4
02_Interface-4899×336 40.9 KB

  1. In Network -> Firewall, I updated the 'vpn' zone to match the 'wan' zone, edited the 'lan -> wan' zone, checking MSS Clamping and adding the 'vpn' zone to the Allow forward to destination zone field:

03_Zones-1
03_Zones-1902×754 106 KB

03_Zones-2
03_Zones-2974×304 41.6 KB

  1. I Save & Apply at the end of each, and rebooted the router. Now, in Interfaces, LuCI shows the wireguard, but it's not moving any packets, and it's not connected to the wireguard server:

04_Interfaces
04_Interfaces961×504 63.1 KB

What did I miss?

2

See: WireGuard Client setup guide

Check that on the Peer you have Route Allowed IPs enabled

If that does not help check your keys e.g. by importing your config on a WireGuard app on your phone on cellular and see if that works.

It can also help if you show your configs, please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
ip route show
wg show
3

Awesome! Used your latest committed notes. Most everything looked fine; however, I matched the following to the instructions:

  • Edited Peer: changed Persistent Keep Alive from 0 to 25, and checked the box for Route Allowed IPs (it hadn't been checked)
  • Firewall Zones: added the Wireguard0 interface to the 'wan' zone's Covered Networks list; removed the Wireguard0 interface from the 'lan' zone; and, deleted the 'vpn' zone.
  • Saved, Save & Apply, System -> Reboot for good measure: came right up on the VPN.

I appreciate the thorough LuCI-based instructions!

4

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.