Wireguard config for on the road

Hi all,

I'd like to use OpenWRT on an old laptop (https://downloads.openwrt.org/releases/23.05.3/targets/x86/64/) to allow connectivity from outside the home using wireguard mainly to access the web from my home IP.

What I would like to do is keep my ISP router in place, connect the PC to it via a single ethernet cable and run OpenWrt (OW) on that PC. I've got a static internet IP and will port forward the UDP to the LAN side.

My question is what should the config / topology be for this? Current setup ip is:

Internet --> ISP router --> LAN 10.40.40.2/24 --> OW ( LAN[eth0] 192.168.1.1 / WAN[alias of eth0] 10.50.50.10/24 / WireGuard 10.60.60.1/24 )

The ISP router is NAT-forwarding traffic from port 57257 UDP -> 10.50.50.10, which is on the regular LAN subnet of my ISP router. When I configure a mobile with WireGuard it reports connected (not that meaningful), but I'm not observing any traffic on the WireGuard interface.

In a nutshell I'd like to use OW as a device on my existing LAN to permit wireguard access from outside back onto the internet. Any (constructive) comments welcome.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
wg show

Also please show us the config of the remote peer (i.e. your phone).

Thanks psherman - here is the config. Rather than me trying to change the IP addresses in an attempt to hide them, I will leave them intact. So, my home LAN default gateway (d/g) is 10.42.42.2/24 and the WAN of the OpenWrt box is 10.42.42.251/24, which is the target of the ISP router's UDP redirect.

ubus call system board
{
        "kernel": "5.15.150",
        "hostname": "OpenWrt",
        "system": "Intel(R) Core(TM) i5-2400 CPU @ 3.10GHz",
        "model": "Dell Inc. OptiPlex 390",
        "board_name": "dell-inc-optiplex-390",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "x86/64",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}

cat /etc/config/network
# /etc/config/network as first posted. OpenWrt hangs off the home LAN through a
# single port (eth0); 'wan' is an alias of 'lan', so both addresses live on br-lan.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd9f:02a6:ef2f::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

# 192.168.1.0/24 is OpenWrt's own LAN; nothing in the thread is attached to it
# apart from the router itself (the phone later uses 192.168.1.1 as its DNS).
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

# '@lan' makes this a second address on the same bridge rather than a separate
# port. 10.42.42.251 is the address on the ISP router's LAN that the UDP
# forward must target.
config interface 'wan'
        option proto 'static'
        option device '@lan'
        option ipaddr '10.42.42.251'
        option netmask '255.255.255.0'
        option gateway '10.42.42.2'
        list dns '10.42.42.2'

# WireGuard listener. The private key below was posted in clear text, so this
# key pair has to be regenerated; the public key Jq/KnFW8... is still the same
# in the final post, i.e. it was never rotated. No 'config wireguard_wg0' peer
# section follows, so no client can complete a handshake at this point. The
# opening post mentions a UDP forward for 57257 while the listener is 59257 -
# confirm the ISP router forwards the port actually listened on.
config interface 'wg0'
        option proto 'wireguard'
        option private_key 'OBrPjUXlnuu2nrR1HNtyaDTkLnGjmTRPuCwTFp9TiEY='
        option listen_port '59257'
        # 10.42.0.0/24 does not overlap 10.42.42.0/24, but a visibly distinct
        # range (10.10.10.0/24 is used later) avoids confusion with the home LAN.
        list addresses '10.42.0.10/24'

cat /etc/config/firewall

# /etc/config/firewall as first posted. Section order is significant for UCI
# firewall rules, so everything is left in place and only annotated.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# input REJECT with no rule admitting UDP 59257: the packets the ISP router
# forwards arrive in this zone and are rejected, so no handshake ever completes.
# A dedicated 'Allow-WireGuard' input rule (added later in the thread) is the
# right fix; opening the whole zone is not. log '1' writes the rejected packets
# to the system log, which is useful for exactly this kind of diagnosis.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option log '1'
        list network 'wan'

# Only lan->wan forwarding exists; nothing is forwarded from the VPN zone yet.
config forwarding
        option src 'lan'
        option dest 'wan'

# The rules below appear to be the stock OpenWrt wan-input defaults.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# input REJECT here means VPN clients cannot reach services on the router
# itself (the DNS at 192.168.1.1 the phone is configured with, LuCI, ssh), and
# with no 'config forwarding' from 'vpn' they cannot reach lan or the internet
# either. Both are addressed in later posts.
config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'wg0'

wg show
interface: wg0
  public key: Jq/KnFW8xf504AP3l5eErTFF4LXwRCvO+KAePjlS4nM=
  private key: (hidden)
  listening port: 59257


Phone config
# Phone client as first posted.
[Interface]
# This private key was posted in clear text (and the same value is pasted into
# the router's peer section later) - generate a new key pair on the phone.
PrivateKey = OPOMCE8fVy0m9iNAUUEUKJ+12BNSj6rAO8mA2UGDClA=
# Invalid: Address must be the phone's own tunnel address inside the wg0
# subnet (10.10.10.5/32 is used later), not a catch-all prefix.
Address = 0.0.0.0/0
# ListenPort not defined
# DNS through the tunnel only works once the router's 'vpn' zone accepts input.
DNS = 192.168.1.1

[Peer]
PublicKey = Jq/KnFW8xf504AP3l5eErTFF4LXwRCvO+KAePjlS4nM=
# PresharedKey not used
# Full tunnel. ::/0 is listed although wg0 has no IPv6 address, so IPv6 traffic
# is presumably dropped at the router rather than leaking around the tunnel.
AllowedIPs = 0.0.0.0/0, ::/0
# Must be the ISP router's public address plus the UDP port it forwards.
Endpoint = !MyStaticIPaddress!:59257
# PersistentKeepAlive not defined

Wireguard must be on a unique subnet.

You could change the address to something like 10.10.10.1/24 as an example, but 10.42.0.10/24 is not valid.

You're also missing the peer config section entirely. You need that in order to make a connection.

Unless you've obfuscated the key, you should throw it away and create a new one, since it's now exposed.

In the firewall, you'll need forwards from vpn > wan (and maybe also vpn > lan, depending on your needs).

The address must be the same as what should be defined in your peer config on the router. This one is invalid.

DNS won't work since your firewall zone for the VPN doesn't accept input.

Thank you Peter for the quick and thorough response. I will redo the keys/certs once I can get a proof of concept working, but thanks for raising this.
I'm not entirely sure what you mean about WG needing to be on a unique subnet - I thought 10.42.0.10/24 was - but I'm more than happy to change to 10.10.10.1/24.
I've wiped and tried so many setups I neglected to set the vpn > wan which has now been done.

After making these changes it still isn't working, but what I have noticed is that there is no traffic on the wg0 interface.

The wan interface has a valid IP in my regular home LAN (10.42.42.251/24) with the lan and wireguard in their own subnets. From my regular network I was a little surprised to see that I can connect to the OpenWrt management page since this theoretically is WAN facing.

Does the UDP port specified on the WireGuard interface get 'opened' on all interfaces, i.e. lan and wan? The behaviour I see is almost as if 10.42.42.251:59257 is not accepting UDP.

I'm concerned that I am missing something quite basic here: if the wg0 interface is on its own subnet, then how does another WireGuard peer connect to it? I assumed that the WireGuard software on the OpenWrt box would receive traffic on the WAN interface.

Any help would be appreciated - whilst I understand that this configuration may not be typical for OpenWrt, it shouldn't be that rare, i.e. having a device on your home network that you forward WireGuard UDP traffic to for VPN services.

Maybe I overlooked it, but you need to open up the WG port on the router, and if this router is not facing the internet you also need a port forward from the main router:
/etc/config/firewall:

# Accepts WireGuard handshakes arriving in the 'wan' zone. No 'dest' is set, so
# this is an input rule (traffic to the router itself), which is what the wg0
# listener needs; it is narrower and safer than setting the zone's input to ACCEPT.
config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '59257'
	option proto 'udp'
	option target 'ACCEPT'

Edit:
If you want to have full access to your home network and have internet access from your WG clients you need the following firewall rules:

# for access to lan clients
config forwarding
	option dest 'lan'
	option src 'vpn'

# only for bidirectional traffic
# The OpenWrt firewall is stateful, so replies to connections opened from 'vpn'
# already pass; this reverse rule is only needed when hosts on 'lan' must open
# connections to VPN clients. Leave it out if the clients are road warriors only.
config forwarding
	option dest 'vpn'
	option src 'lan'

# if you want to allow internet access from attached clients then allow to forward from WG to WAN
config forwarding
	option src 'vpn'
	option dest 'wan'

After rebooting please share current config

Thanks egr,

Config as requested below, including private keys that I will refresh when I have a working config.

I am already forwarding from my isp router, although now to 10.42.42.50:59257 since I wanted to test something out.
I'm still not seeing any packets on the wg0 interface when I bring WireGuard up on the mobile. To test, I have also tried changing the target address on the mobile to 10.42.42.50:59257 while the phone is on the home wifi (same subnet), and I'm still not seeing any wg0 packets. I thought you had cracked it with the missing/ill-configured rule to permit WAN UDP traffic.

cat /etc/config/network

# /etc/config/network, second revision (tunnel subnet changed, peer added).
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd9f:02a6:ef2f::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

# Address on the home LAN moved to 10.42.42.50; the ISP router's UDP forward
# must point at this address.
config interface 'wan'
	option proto 'static'
	option device '@lan'
	option ipaddr '10.42.42.50'
	option netmask '255.255.255.0'
	option gateway '10.42.42.2'
	list dns '10.42.42.2'

# Same private key as in the first post, still in clear text - regenerate.
# 10.10.10.0/24 is now a tunnel subnet distinct from both LANs.
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'OBrPjUXlnuu2nrR1HNtyaDTkLnGjmTRPuCwTFp9TiEY='
	option listen_port '59257'
	list addresses '10.10.10.1/24'

# Peer entry for the phone.
# - 'private_key' is not a peer option (peer sections take public_key,
#   preshared_key, allowed_ips, ...). The value is the phone's own private key
#   from the client config, which should never leave the phone: drop the line
#   and rotate the phone's key.
# - allowed_ips '0.0.0.0/0' plus route_allowed_ips '1' makes OpenWrt install a
#   default route into the tunnel, so the router's own egress (including, most
#   likely, its encrypted replies to the phone) is pushed towards the phone.
#   The server side should list only the client's tunnel address, e.g.
#   10.10.10.5/32; 0.0.0.0/0 belongs in the client's AllowedIPs only.
config wireguard_wg0
	option description 'Phone'
	option public_key '53LnpXRqFWHYc1U9sBZOLWtXKn6KiJekJW+gwoh2NDA='
	option private_key 'OPOMCE8fVy0m9iNAUUEUKJ+12BNSj6rAO8mA2UGDClA='
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'

cat /etc/config/firewall 

# /etc/config/firewall, second revision. Section order is significant, so the
# file is annotated in place.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# input changed from REJECT to ACCEPT: every service on the router (LuCI, ssh,
# DNS) is now reachable from the wan zone. Here 'wan' is the home LAN behind the
# ISP router, which forwards only UDP 59257, so exposure is limited to LAN hosts
# - but it is not needed: the 'wg' rule at the end of the file admits the
# WireGuard port on its own. Keep REJECT here. masq '1' NATs VPN-client traffic
# to 10.42.42.50, so the ISP router needs no route back to 10.10.10.0/24.
config zone
	option name 'wan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option log '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

# The rules below appear to be the stock OpenWrt wan-input defaults.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# input ACCEPT on the VPN zone lets clients use the router's DNS at 192.168.1.1.
# forward REJECT only governs traffic between networks inside this zone, and
# wg0 is the only one, so it has no effect here.
config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wg0'

# Internet access for VPN clients; there is no vpn->lan forwarding yet.
config forwarding
	option src 'vpn'
	option dest 'wan'

# Admits WireGuard handshakes from the wan zone to the router itself. This rule
# alone is sufficient; the zone-wide input ACCEPT above is redundant with it.
config rule
	option name 'wg'
	list proto 'udp'
	option src 'wan'
	option target 'ACCEPT'
	option dest_port '59257'


wg show
interface: wg0
  public key: Jq/KnFW8xf504AP3l5eErTFF4LXwRCvO+KAePjlS4nM=
  private key: (hidden)
  listening port: 59257

peer: 53LnpXRqFWHYc1U9sBZOLWtXKn6KiJekJW+gwoh2NDA=
  allowed ips: 0.0.0.0/0
  

Not sure if this is the problem, but the allowed IPs must be the phone's WG address, e.g. 10.10.10.x/32.

You have only one peer so technically you can allow everything but the possible problem in this case is that you have the Route allowed IPs enabled which will make a default route via the tunnel which is unwanted.

So resolve this, reboot the router and test again

Thanks, I've tried this after saving/rebooting and still not seeing any packets on the wg0 interface. Tried running the vpn client on the mobile on wifi and changing the target address to my external and accessing over 5G.
On the mobile I'm trying the web browser to look at 10.10.10.1, 10.42.42.2, 10.42.42.50 and not seeing any traffic.

# Phone client, second revision.
[Interface]
# Same private key as before, still posted in clear text - rotate it.
PrivateKey = OPOMCE8fVy0m9iNAUUEUKJ+12BNSj6rAO8mA2UGDClA=
# 10.10.10.5/32 is correct; the trailing 0.0.0.0/0 is still an invalid interface
# address and should be removed (it is gone in the final config).
Address = 10.10.10.5/32, 0.0.0.0/0
# ListenPort not defined
DNS = 192.168.1.1

[Peer]
PublicKey = Jq/KnFW8xf504AP3l5eErTFF4LXwRCvO+KAePjlS4nM=
# PresharedKey not used
AllowedIPs = 0.0.0.0/0, ::/0
# A LAN endpoint only works while the phone is on the home network; from
# cellular the ISP router's public address must be used instead.
Endpoint = 10.42.42.50:59257
# PersistentKeepAlive not defined

Notwithstanding the fact that it doesn't work, am I trying to do this correctly? i.e. have the OpenWrt WAN configured on my home LAN and then connect a WireGuard client/peer either directly to that WAN IP address on the home network, or point it at the internet side, where the ISP router redirects to 10.42.42.50:59257 UDP?

Just a little update, I've restarted the iPhone and over 5G I'm now seeing traffic on the wg0 interface. Will update in a bit. (bless Apple).

If you are using this as endpoint then it could work if your phone is connected to your main network.
On cellular you have to use the Public IP address of your internet connected router.
Of course I assume your internet connected router has a public IPv4 address and not a CGNat address ( IP addresses from 100.64.0.0 to 100.127.255.255)

So I can get a connection that exchanges packets over 5G with my home static IP address but I'm not able to access any internal devices on anything. Tried 10.42.42.2 for my isp management page. Also tried 10.10.10.1 to see if OpenWrt page would work.
In reality what I want when this works is for the mobile to route all traffic via wireguard and have the choice whether to allow access to my home (real) lan on 10.42.42.0/24 (which is on the openWrt wan interface) or just to use it as a route to the internet which will show as originating from my home network.

Appreciate any help. The lack of a peer IP address seems to have been a definite issue.

cat /etc/config/network 

# /etc/config/network, third revision (phone peer now has its /32).
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd9f:02a6:ef2f::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option proto 'static'
	option device '@lan'
	option ipaddr '10.42.42.50'
	option netmask '255.255.255.0'
	option gateway '10.42.42.2'
	list dns '10.42.42.2'

# Private key still the one posted in clear text earlier - regenerate.
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'OBrPjUXlnuu2nrR1HNtyaDTkLnGjmTRPuCwTFp9TiEY='
	option listen_port '59257'
	list addresses '10.10.10.1/24'

# Phone peer. 'private_key' is not a peer option and holds the phone's own
# private key - remove it and rotate the phone's key. 10.10.10.5/32 is the right
# entry; the additional 0.0.0.0/0 with route_allowed_ips '1' still installs a
# default route into the tunnel on the router (a later reply asks to remove it).
config wireguard_wg0
	option description 'Phone'
	option public_key '53LnpXRqFWHYc1U9sBZOLWtXKn6KiJekJW+gwoh2NDA='
	option private_key 'OPOMCE8fVy0m9iNAUUEUKJ+12BNSj6rAO8mA2UGDClA='
	option route_allowed_ips '1'
	list allowed_ips '10.10.10.5/32'
	list allowed_ips '0.0.0.0/0'
cat /etc/config/firewall 

# /etc/config/firewall, third revision (after "fiddling" with forwardings).
# Section order is significant, so the file is annotated in place.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# masq '1' was removed from this zone compared with the previous revision.
# Without NAT, packets from VPN clients leave towards the ISP router with a
# 10.10.10.x source and the ISP router has no route back - consistent with the
# later post where a static route 10.10.10.0/24 -> 10.42.42.50 on the ISP router
# restored connectivity. Either re-enable masq or keep that static route.
# input ACCEPT is still wider than needed (the 'wg' rule below suffices).
config zone
	option name 'wan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'
	option log '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

# The rules below appear to be the stock OpenWrt wan-input defaults.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'wg0'

config forwarding
	option src 'vpn'
	option dest 'wan'

config rule
	option name 'wg'
	list proto 'udp'
	option src 'wan'
	option target 'ACCEPT'
	option dest_port '59257'

config forwarding
	option src 'vpn'
	option dest 'lan'

# Only needed if hosts on 192.168.1.0/24 must open connections to VPN clients.
config forwarding
	option src 'lan'
	option dest 'vpn'

# Lets any host on the home LAN (the 'wan' zone) open connections to VPN
# clients. Not needed for road-warrior use and widens what can reach the
# clients; the author notes it was added in a rush and it is gone in the
# final config.
config forwarding
	option src 'wan'
	option dest 'vpn'

wg show
interface: wg0
  public key: Jq/KnFW8xf504AP3l5eErTFF4LXwRCvO+KAePjlS4nM=
  private key: (hidden)
  listening port: 59257

peer: 53LnpXRqFWHYc1U9sBZOLWtXKn6KiJekJW+gwoh2NDA=
  endpoint: 82.xxx.xxx.xxx:12779
  allowed ips: 10.10.10.5/32, 0.0.0.0/0
  transfer: 9.97 KiB received, 18.34 KiB sent


I did fiddle about with the firewall setting trying to enable forwarding etc in a rush of excitement.

It is possible that you cannot connect to any internal devices because you are on the same subnet.
To elaborate if your phone is on 10.42.42.0/24 you cannot connect to any 10.42.42.0/24 via WG

Edit: as a short test this is good as you now know that WG is working but the golden rule is always test from outside e.g. with phone /laptop on cellular :slight_smile:

I've taken a bit of a break on this, but it still isn't working. Thanks everyone for help so far.

I have on a ubuntu laptop (tosh) configured the client so I could do a little more diagnostics when the interface is up.

The laptop is only attempting to connect from an external hotspot address. When I start the connection I can see on openwrt the client connects and traffic on wg0.

On the tosh client I can only ping its own wg0 address 10.10.10.6; no response from 10.10.10.1, 10.42.42.50 (OpenWrt 'wan' address) or 10.42.42.2 (my ISP router). As before, my ISP router has a UDP forward to 10.42.42.50, which is working since I can see the tosh client connect and packets flow, but there is no connectivity. Obviously DNS isn't working either.

I've also tried pinging a known host on the internet 151.101.0.81 (bbc.co.uk) and this fails too.

Anyone any ideas? I did try toggling the option in firewall (openwrt) vpn to masquerade, restarting openwrt each time since I wasn't sure if NAT would be needed - but it didn't yield any improvements.

cat /etc/config/network

# /etc/config/network, fourth revision (second peer 'tosh' added, keys redacted).
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd9f:02a6:ef2f::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option proto 'static'
	option device '@lan'
	option ipaddr '10.42.42.50'
	option netmask '255.255.255.0'
	option gateway '10.42.42.2'
	list dns '10.42.42.2'

# Key redacted here, but the public key is unchanged from the post where the
# private key appeared in clear text, so the pair still needs regenerating.
config interface 'wg0'
	option proto 'wireguard'
	option private_key '*** priv key removed ***'
	option listen_port '59257'
	list addresses '10.10.10.1/24'

# 'te_key' looks like a mangled 'private_key' line from the redaction; neither
# is a peer option, so it is ignored - delete it rather than keep a client
# secret in the server config.
config wireguard_wg0
	option description 'Phone'
	option public_key '53LnpXRqFWHYc1U9sBZOLWtXKn6KiJekJW+gwoh2NDA='
	option te_key '*** priv key removed ***'
	option route_allowed_ips '1'
	list allowed_ips '10.10.10.5/32'
	list allowed_ips '0.0.0.0/0'

# Allowed-IP ranges are unique across peers: giving 0.0.0.0/0 to 'tosh' takes
# it away from 'Phone' (the 'wg show' below lists only 10.10.10.5/32 for the
# phone). With route_allowed_ips '1' the router also gets a default route into
# the tunnel. Keep only each client's /32 on the server side.
config wireguard_wg0
	option description 'tosh'
	option public_key 'dXsEKuEQOCwgDYtiB4MOp62x1Cs643EsVH6R51YBhBU='
	option private_key '***priv key removed***'
	list allowed_ips '10.10.10.6/32'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'


cat /etc/config/firewall

# /etc/config/firewall, fourth revision (masq moved onto the vpn zone).
# Section order is significant, so the file is annotated in place.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'

# masq on the VPN zone rewrites traffic going *into* the tunnel so it appears to
# come from 10.10.10.1; it hides LAN source addresses from clients and is not
# needed for this setup. The next reply asks for it to be removed.
config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'wg0'
	option masq '1'

# Still no masq on wan: VPN-client traffic reaches the ISP router un-NATed, so
# the ISP router needs a route for 10.10.10.0/24 (added in a later post).
# input ACCEPT remains wider than needed; the 'wg' rule below suffices.
config zone
	option name 'wan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'
	option log '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

# The rules below appear to be the stock OpenWrt wan-input defaults.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config forwarding
	option src 'vpn'
	option dest 'wan'

config rule
	option name 'wg'
	list proto 'udp'
	option src 'wan'
	option target 'ACCEPT'
	option dest_port '59257'

config forwarding
	option src 'vpn'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'vpn'

# Lets any host on the home LAN open connections to VPN clients; not needed for
# road-warrior use and removed in the final config.
config forwarding
	option src 'wan'
	option dest 'vpn'


wg show
interface: wg0
  public key: Jq/KnFW8xf504AP3l5eErTFF4LXwRCvO+KAePjlS4nM=
  private key: (hidden)
  listening port: 59257

peer: 53LnpXRqFWHYc1U9sBZOLWtXKn6KiJekJW+gwoh2NDA=
  allowed ips: 10.10.10.5/32

peer: dXsEKuEQOCwgDYtiB4MOp62x1Cs643EsVH6R51YBhBU=
  endpoint: 82.132.225.82:55272
  allowed ips: 10.10.10.6/32, 0.0.0.0/0
  transfer: 12.00 KiB received, 16.85 KiB sent
  
  
On ubuntu client / peer:

cat /etc/wireguard/wg0.conf 
# Laptop ('tosh') client, /etc/wireguard/wg0.conf.
[Interface]
Address = 10.10.10.6/32
# SaveConfig makes wg-quick rewrite this file on 'down', which is presumably
# how the ListenPort and FwMark lines below ended up here.
SaveConfig = true
# These turn the laptop into a NAT router for other hosts: anything arriving
# over the tunnel is forwarded out of wlp2s0. A road-warrior client does not
# need them, and the unconditional FORWARD accept is wider than necessary -
# remove unless the laptop is meant to share the tunnel.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o wlp2s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o wlp2s0 -j MASQUERADE
ListenPort = 40167
# 0xca6c (51820) is the mark wg-quick applies to its own encrypted packets when
# AllowedIPs contains 0.0.0.0/0, so they bypass the tunnel's default route.
FwMark = 0xca6c
PrivateKey = ***priv-key-removed***

[Peer]
PublicKey = Jq/KnFW8xf504AP3l5eErTFF4LXwRCvO+KAePjlS4nM=
# Full tunnel. ::/0 with no IPv6 tunnel address means IPv6 is presumably
# dropped rather than leaked around the tunnel.
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = ***staticIP address removed***:59257


remove the list allowed_ips '0.0.0.0/0'

Remove this:

Remove option masq '1' :

Reboot and test again


Done. It is getting better, the tosh client can now ping 10.10.10.1 (openwrt vpn) and ssh. DNS appears to work also. Cannot ping 10.42.42.2 (openwrt WAN network, and ISP home router gateway) and can't ping anything on the internet.

Can also ping 192.168.1.1 (openwrt LAN) - but ideally would like to have connectivity to 10.42.42.0/24 which is the home lan and the subnet the openwrt WAN is connected to.

Making more progress on this. I've added on my ISP router (10.42.42.2) a static route for 10.10.10.0/24 > 10.42.42.50, and from the iPhone client I now have connectivity to 10.42.42.0/24 (or, more to the point, that network now has a route to respond to 10.10.10.0/24).

I'm doing some more tests, but I think that it could be sorted. I will update in a bit.

This is unusual...

Can you explain what is happening here? Why is your wan on an alias of your lan port?

Let's see the updated configs:

cat /etc/config/network
cat /etc/config/firewall

And let's also see the phone's config.

The pc running openWrt is on the home LAN (10.42.42.50/24) with the home isp router forwarding the wg UDP traffic to it. The isp router now has a static route for 10.10.10.0/24

After several frustrating attempts before reaching out, I arrived at the conclusion that perhaps I needed the WAN of OpenWrt to be on the home LAN.

Perhaps, on reflection, now that this seems to be working the configuration could be further simplified by removing the OpenWrt WAN altogether and putting 10.42.42.50 on the OpenWrt LAN. It was already getting complicated, and this just seemed one step further into the twilight zone: OpenWrt receiving external clients directly on its LAN interface, which then want to talk to devices on the same subnet and route back onto the internet.

cat /etc/config/network 

# /etc/config/network, final revision (per-client /32 only, keys redacted).
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd9f:02a6:ef2f::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

# Second address on the same bridge; the ISP router forwards UDP 59257 here and
# (per the previous post) now has a static route 10.10.10.0/24 -> 10.42.42.50.
config interface 'wan'
	option proto 'static'
	option device '@lan'
	option ipaddr '10.42.42.50'
	option netmask '255.255.255.0'
	option gateway '10.42.42.2'
	list dns '10.42.42.2'

# The public key shown by 'wg show' and in the iPhone config (Jq/KnFW8...) is
# the same as when the private key was posted in clear text, so the router's
# key pair has not been rotated yet; the phone's has (new public key below).
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'Oxxxxxxxxxxxxxxxxxxxxxxxxx'
	option listen_port '59257'
	list addresses '10.10.10.1/24'

# 'private_key' is not a peer option and should not be in the server config at
# all - delete it from both peer sections. With only a /32 in allowed_ips,
# route_allowed_ips '1' just adds a host route for the client, which is harmless.
config wireguard_wg0
	option description 'tosh'
	option public_key 'dXsEKuEQOCwgDYtiB4MOp62x1Cs643EsVH6R51YBhBU='
	option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxx='
	option route_allowed_ips '1'
	list allowed_ips '10.10.10.6/32'

# Rotated phone key (public key differs from the earlier 53Lnp... entry).
# 10.10.10.5 is on-link via wg0's /24, so no route option is needed.
config wireguard_wg0
	option description 'IphoneMay'
	option public_key 'KogNFwMLbr9VE7njDFIL5ejBPTAwoEeMVqv29VjfPCk='
	option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
	list allowed_ips '10.10.10.5/32'


cat /etc/config/firewall 

# /etc/config/firewall, final (working) revision. Section order is
# significant, so the file is annotated in place.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'

# VPN clients may reach the router itself (DNS at 192.168.1.1, ssh) and, via
# the forwardings below, the lan and wan zones.
config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'wg0'

# input ACCEPT still exposes every router service to the home LAN; the 'wg'
# rule below is the only input this zone needs, so REJECT is the safer default.
# No masq: return traffic for 10.10.10.0/24 relies on the static route added
# on the ISP router.
config zone
	option name 'wan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'
	option log '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

# The rules below appear to be the stock OpenWrt wan-input defaults.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Internet (and home LAN, which sits in the wan zone) access for VPN clients.
config forwarding
	option src 'vpn'
	option dest 'wan'

# Admits WireGuard handshakes from the wan zone to the router itself.
config rule
	option name 'wg'
	list proto 'udp'
	option src 'wan'
	option target 'ACCEPT'
	option dest_port '59257'

config forwarding
	option src 'vpn'
	option dest 'lan'

# Only needed if hosts on 192.168.1.0/24 must open connections to VPN clients;
# the stateful firewall already passes replies without it. The earlier
# wan->vpn forwarding is gone, which is the right call.
config forwarding
	option src 'lan'
	option dest 'vpn'


iPhone config:

# iPhone client, final revision (key rotated, single /32 address).
[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# Matches the router's allowed_ips for this peer.
Address = 10.10.10.5/32
# ListenPort not defined
# Reached through the tunnel; works because the router's 'vpn' zone accepts input.
DNS = 192.168.1.1

[Peer]
PublicKey = Jq/KnFW8xf504AP3l5eErTFF4LXwRCvO+KAePjlS4nM=
# PresharedKey not used
# Full tunnel: all traffic, including to the home LAN, goes via the router.
AllowedIPs = 0.0.0.0/0, ::/0
# ISP router's public address; it forwards UDP 59257 to 10.42.42.50.
Endpoint = <staticExternalIP>:59257
# PersistentKeepAlive not defined