Hello there!
I'm currently trying to deploy WireGuard for my mobile devices using the first script detailed in this article in the wiki while running OpenWrt SNAPSHOT r18086-cb18b62206 from wulfy23's custom Raspberry Pi 4 build of OpenWRT, version 3.5.139-21 (kernel Linux OpenWRT-RPi 5.10.79 #0 SMP Sun Nov 14 13:29:47 2021 aarch64 GNU/Linux), and so far it seems deployment was a success, but the handshake and actual usage remain a point of conflict.
I am able to probe the assigned port using netcat from a LAN device and my designated DDNS domain, and I'm able to successfully receive activity on the router's end using tcpdump:
Router's side
tcpdump -ni br-lan port 51820
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes
02:09:41.987360 IP 192.168.1.252.58492 > 192.168.1.1.51820: UDP, length 1
02:09:41.987364 IP 192.168.1.252.58492 > 192.168.1.1.51820: UDP, length 1
Client's side
netcat -uvz wire.domain.me 51820
But still, even after exporting my configuration from the created folder /etc/wireguard/networks/lan/peers/1_lan_ToastyPenTen/1_lan_ToastyPenTen.conf
using qrencode like so:
qrencode -t ANSIUTF8 < /etc/wireguard/networks/lan/peers/1_lan_ToastyPenTen/1_lan_ToastyPenTen.conf
I am unable to initiate a handshake from my Android device from outside the LAN.
I'll attach my firewall config, the output of the script and the peer configurations just to be sure:
/etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'wg_lan'
config zone 'wan'
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan_6'
list network 'wan'
config forwarding
option src 'lan'
option dest 'wan'
config zone
option name 'vpnzone'
option input 'REJECT'
option forward 'REJECT'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
list network 'vpn_usa'
list network 'vpn_uk'
list network 'vpn_spa'
config forwarding
option src 'lan'
option dest 'vpnzone'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled '0'
config include
option path '/etc/firewall.user'
option reload '1'
config zone 'docker'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option name 'docker'
list network 'docker'
config rule
option name 'AllowNGINXPMAdmin'
option src_port '81'
option dest 'lan'
option dest_port '81'
option target 'ACCEPT'
option src 'lan'
list dest_ip '172.18.0.2'
config redirect
option target 'DNAT'
option name 'RProxy'
option src 'wan'
option src_dport '80'
option dest 'lan'
option dest_port '80'
option dest_ip '172.18.0.2'
config redirect
option target 'DNAT'
option name 'RProxy-SSL'
option src 'wan'
option src_dport '443'
option dest 'lan'
option dest_port '443'
option dest_ip '172.18.0.2'
config redirect 'adblock_docker53'
option name 'Adblock DNS (docker, 53)'
option src 'docker'
option proto 'tcp udp'
option src_dport '53'
option dest_port '53'
option target 'DNAT'
config redirect 'adblock_docker853'
option name 'Adblock DNS (docker, 853)'
option src 'docker'
option proto 'tcp udp'
option src_dport '853'
option dest_port '853'
option target 'DNAT'
config redirect 'adblock_docker5353'
option name 'Adblock DNS (docker, 5353)'
option src 'docker'
option proto 'tcp udp'
option src_dport '5353'
option dest_port '5353'
option target 'DNAT'
config redirect 'adblock_lan53'
option name 'Adblock DNS (lan, 53)'
option src 'lan'
option proto 'tcp udp'
option src_dport '53'
option dest_port '53'
option target 'DNAT'
config redirect 'adblock_lan853'
option name 'Adblock DNS (lan, 853)'
option src 'lan'
option proto 'tcp udp'
option src_dport '853'
option dest_port '853'
option target 'DNAT'
config redirect 'adblock_lan5353'
option name 'Adblock DNS (lan, 5353)'
option src 'lan'
option proto 'tcp udp'
option src_dport '5353'
option dest_port '5353'
option target 'DNAT'
config redirect 'adblock_wan53'
option name 'Adblock DNS (wan, 53)'
option src 'wan'
option proto 'tcp udp'
option src_dport '53'
option dest_port '53'
option target 'DNAT'
config redirect 'adblock_wan853'
option name 'Adblock DNS (wan, 853)'
option src 'wan'
option proto 'tcp udp'
option src_dport '853'
option dest_port '853'
option target 'DNAT'
config redirect 'adblock_wan5353'
option name 'Adblock DNS (wan, 5353)'
option src 'wan'
option proto 'tcp udp'
option src_dport '5353'
option dest_port '5353'
option target 'DNAT'
config redirect
option target 'DNAT'
option name 'RProxy-Admin'
option src 'lan'
option src_dport '81'
option dest 'lan'
option dest_port '81'
option dest_ip '172.18.0.2'
config rule
option name 'RClone-GUI'
option src 'lan'
option src_port '5572'
option dest 'lan'
option dest_port '5572'
option target 'ACCEPT'
list dest_ip '192.168.1.1'
list dest_ip 'fd04:52a5:a38a::1'
config rule
option name 'HomeAssistant'
option src 'lan'
option src_port '8123'
option dest 'lan'
option dest_port '8123'
option target 'ACCEPT'
list dest_ip '192.168.1.1'
list dest_ip 'fd04:52a5:a38a::1'
config rule
option name 'Allow-NFS-RPC'
option src 'lan'
option proto 'tcp udp'
option dest_port '111'
option target 'ACCEPT'
config rule
option name 'Allow-NFS'
option src 'lan'
option proto 'tcp udp'
option dest_port '2049'
option target 'ACCEPT'
config rule
option name 'Allow-NFS-Lock'
option src 'lan'
option proto 'tcp udp'
option dest_port '32777:32780'
option target 'ACCEPT'
config rule
option name 'Tautulli'
option src 'lan'
option src_port '8181'
option dest 'lan'
list dest_ip '172.18.0.5'
option dest_port '8181'
option target 'ACCEPT'
config rule
option name 'PiHole-Admin'
option src_port '82'
option dest 'lan'
option dest_port '82'
option target 'ACCEPT'
option src 'lan'
list dest_ip '192.168.1.1'
list dest_ip 'fd04:52a5:a38a::1'
config nat
option name 'PiHole-DNAT'
list proto 'tcp'
list proto 'udp'
list proto 'icmp'
option src 'lan'
option dest_ip '192.168.0.2'
option dest_port '80'
option target 'SNAT'
option snat_ip '192.168.1.1'
option snat_port '82'
config rule
option name 'Transmission-GUI'
option src 'lan'
option dest 'lan'
option target 'ACCEPT'
list dest_ip '192.168.1.1'
list dest_ip 'fd04:52a5:a38a::1'
option src_port '9091'
option dest_port '9091'
config redirect 'adblock_vpnzone53'
option name 'Adblock DNS (vpnzone, 53)'
option src 'vpnzone'
option proto 'tcp udp'
option src_dport '53'
option dest_port '53'
option target 'DNAT'
config redirect 'adblock_vpnzone853'
option name 'Adblock DNS (vpnzone, 853)'
option src 'vpnzone'
option proto 'tcp udp'
option src_dport '853'
option dest_port '853'
option target 'DNAT'
config redirect 'adblock_vpnzone5353'
option name 'Adblock DNS (vpnzone, 5353)'
option src 'vpnzone'
option proto 'tcp udp'
option src_dport '5353'
option dest_port '5353'
option target 'DNAT'
config rule
option name 'NGINXPM-DB'
option src 'lan'
list src_ip '172.18.0.2'
option src_port '3306'
option dest 'lan'
list dest_ip '172.18.0.3'
option dest_port '3306'
option target 'ACCEPT'
config rule
option name 'Adguard-Admin'
option src 'wan'
option src_port '82'
option dest 'lan'
option dest_port '82'
option target 'ACCEPT'
list dest_ip '172.18.0.6'
list dest_ip '2001:3984:3989::6'
config redirect
option target 'DNAT'
option src 'wan'
option src_dport '51820'
option dest 'lan'
option dest_port '51820'
option name 'Wireguard'
option dest_ip '192.168.1.1'
config rule 'wg'
option src 'wan'
option dest_port '51820'
option target 'ACCEPT'
option name 'Allow-WireGuard-lan'
list proto 'tcp'
list proto 'udp'
config defaults
option input 'REJECT'
option output 'REJECT'
option forward 'REJECT'
Peer Configuration
[Interface]
Address = 10.0.5.2/32
PrivateKey = REDACTED # Peer's private key
DNS = 10.0.5.1
[Peer]
PublicKey = REDACTED # Server's public key
PresharedKey = REDACTED # Peer's pre-shared key
PersistentKeepalive = 25
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = wire.domain.me:51820
Script's output
======================================
| Automated WireGuard Script |
| Named Peers with IDs |
======================================
Defining variables... Done
Creating directories and pre-defining permissions on those directories... Done
Removing pre-existing WireGuard interface... Done
Generating WireGuard server keys for 'lan' network... Done
Rename firewall.@zone[0] to lan and firewall.@zone[1] to wan... Done
Creating WireGuard interface for 'lan' network... Done
Adding firewall rule for 'lan' network... Done
Removing pre-existing peers... Done
======================================
| Automated WireGuard Script |
| Named Peers with IDs |
======================================
Defining variables... Done
Creating directories and pre-defining permissions on those directories... Done
Removing pre-existing WireGuard interface... Done
Generating WireGuard server keys for 'lan' network... Done
Rename firewall.@zone[0] to lan and firewall.@zone[1] to wan... Done
Creating WireGuard interface for 'lan' network... Done
Adding firewall rule for 'lan' network... Done
Removing pre-existing peers... Done
Creating directory for peer '1_lan_ToastyPenTen'... Done
Generating peer keys for '1_lan_ToastyPenTen'... Done
Generating peer PSK for '1_lan_ToastyPenTen'... Done
Adding '1_lan_ToastyPenTen' to WireGuard server... Done
Creating config for '1_lan_ToastyPenTen'... Done
Creating directory for peer '2_lan_ToastyUFO'... Done
Generating peer keys for '2_lan_ToastyUFO'... Done
Generating peer PSK for '2_lan_ToastyUFO'... Done
Adding '2_lan_ToastyUFO' to WireGuard server... Done
Creating config for '2_lan_ToastyUFO'... Done
Creating directory for peer '3_lan_MotoOneLiz'... Done
Generating peer keys for '3_lan_MotoOneLiz'... Done
Generating peer PSK for '3_lan_MotoOneLiz'... Done
Adding '3_lan_MotoOneLiz' to WireGuard server... Done
Creating config for '3_lan_MotoOneLiz'... Done
Creating directory for peer '4_lan_LizPC'... Done
Generating peer keys for '4_lan_LizPC'... Done
Generating peer PSK for '4_lan_LizPC'... Done
Adding '4_lan_LizPC' to WireGuard server... Done
Creating config for '4_lan_LizPC'... Done
Creating directory for peer '5_lan_MotoOneCelia'... Done
Generating peer keys for '5_lan_MotoOneCelia'... Done
Generating peer PSK for '5_lan_MotoOneCelia'... Done
Adding '5_lan_MotoOneCelia' to WireGuard server... Done
Creating config for '5_lan_MotoOneCelia'... Done
Commiting changes... uci: Parse error (invalid character in name field) at line 38, byte 36
Done
Restarting WireGuard interface... Done
Restarting firewall... Done
So I'd like to ask for help with how to fix this (if I missed anything, just say the word and I'll add it).
Thanks in advance!
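Added here as an example, not part of the post: a POSIX shell lint that reads a saved /etc/config/firewall and checks the fw3 settings a WireGuard listener depends on (a single config defaults section, a wan input rule accepting UDP/51820, and the wg_lan network being attached to a zone). The awk parsing and the function names are my own; the embedded sample is a constructed excerpt of the config in the post.

```shell
# Added example (not from the post): lint a saved /etc/config/firewall for the
# fw3 settings a WireGuard listener on UDP/51820 depends on. Parsing is plain awk.
WG_PORT=51820
WG_NET=wg_lan
Q="'"   # single-quote character, handed to awk so option values lose their quotes
# fw3 reads a single 'config defaults' section; report how many the file has.
count_defaults() { grep -c '^[[:space:]]*config defaults' "$1" || true; }
# True if a 'config rule' has src wan, no dest (so it is an INPUT rule), dest_port
# $WG_PORT, target ACCEPT and udp allowed (no proto line means any protocol).
has_wan_input_rule() {
  awk -v q="$Q" -v port="$WG_PORT" '
    function check() { if (sec == "rule" && v["src"] == "wan" && v["dest"] == "" &&
                           v["dest_port"] == port && v["target"] == "ACCEPT" && udp) ok = 1 }
    { gsub(q, "") }
    $1 == "config" { check(); sec = $2; split("", v); udp = 1; seen = 0 }
    $1 == "option" { v[$2] = $3 }
    $2 == "proto"  { if (!seen) udp = 0; seen = 1; if ($0 ~ /udp/) udp = 1 }
    END { check(); exit ok ? 0 : 1 }' "$1"
}
# Print the zone whose 'list network' entries include $WG_NET (nothing if none).
zone_of_network() {
  awk -v q="$Q" -v net="$WG_NET" '
    function flush() { if (sec == "zone" && hit) print zname }
    { gsub(q, "") }
    $1 == "config" { flush(); sec = $2; zname = $3; hit = 0 }
    $2 == "name" { zname = $3 }
    $2 == "network" && $3 == net { hit = 1 }
    END { flush() }' "$1"
}
# Run all checks on one file; the return value is the number of findings.
lint_wg_firewall() {
  n=$(count_defaults "$1"); z=$(zone_of_network "$1"); bad=0
  [ "$n" -eq 1 ] || { echo "WARN: $n 'config defaults' sections, fw3 uses one"; bad=$((bad + 1)); }
  has_wan_input_rule "$1" || { echo "WARN: no ACCEPT input rule from wan for udp/$WG_PORT"; bad=$((bad + 1)); }
  [ -n "$z" ] || { echo "WARN: $WG_NET is not a member of any zone"; bad=$((bad + 1)); }
  echo "findings: $bad (zone of $WG_NET: ${z:-none})"; return $bad
}
# Constructed sample: the post's two 'config defaults', its lan zone and its 'wg' rule.
SAMPLE=$(mktemp); cat > "$SAMPLE" <<'EOF'
config defaults
config zone 'lan'
	list network 'wg_lan'
config rule 'wg'
	option src 'wan'
	option dest_port '51820'
	option target 'ACCEPT'
	list proto 'udp'
config defaults
EOF
lint_wg_firewall "$SAMPLE" || :   # prints one WARN for the duplicated defaults
```

On a router, point lint_wg_firewall at /etc/config/firewall itself; a clean run returns 0.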