WireGuard Configuration

Hi all,

I used to have WireGuard connected to my OpenWrt router (WRT32X) with no issues at all, accessing it via my Surface Pro and iPhone while traveling. I do not know what happened, or whether I changed my settings or updated the firmware, but I noticed it was no longer connected.

I will try to list my settings and hope someone can help me. Thanks in advance.

/etc/config/network

# /etc/config/network as first posted. Secrets are redacted as 'xxxx'.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd7a:4e7f:aba8::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

# lan, GUEST and IoT each sit on their own VLAN of br-lan (20/30/40), so the
# three networks are separated at layer 2 and only meet through the firewall.
config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option device 'br-lan.20'

config device
        option name 'wan'

config interface 'wan'
        option proto 'pppoe'
        option device 'wan.10'
        option username 'xxxx'
        option password 'xxxx'
        option ipv6 'auto'
        # peerdns '0' ignores the ISP-supplied resolvers; the fixed list below is used instead.
        option peerdns '0'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

config interface 'GUEST'
        option proto 'static'
        option ipaddr '10.20.30.40'
        option netmask '255.255.255.0'
        option type 'bridge'
        option device 'br-lan.40'

config interface 'IoT'
        option proto 'static'
        option type 'bridge'
        option netmask '255.255.255.0'
        option device 'br-lan.30'
        option ipaddr '172.16.98.1'

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'lan3:t'
        list ports 'lan4:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '30'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '40'
        list ports 'lan3:t'

# Outbound commercial VPN (PureVPN). Only the tun0 device is declared here;
# the tunnel itself is set up elsewhere (OpenVPN per the replies below).
config interface 'purevpntun'
        option proto 'none'
        option device 'tun0'

config interface 'wan_6'
        option proto 'dhcpv6'
        option device '@wan'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        list dns '8.8.8.8'
        list dns '8.8.4.4'
        list dns '2001:4860:4860::8888'
        list dns '2001:4860:4860::8844'

# Inbound WireGuard "server": the router listens on UDP 51820 and owns
# 192.168.10.1/24 and fd00:10::1/64 on the tunnel network.
config interface 'wg0'
        option proto 'wireguard'
        option private_key 'xxxx'
        option listen_port '51820'
        list addresses '192.168.10.1/24'
        list addresses 'fd00:10::1/64'

# Peer sections for the two mobile clients. Each peer is pinned to a single
# tunnel address (/32 and /128), which is the correct, least-privilege shape.
# NOTE(review): endpoint_host/endpoint_port name the router's own DDNS host,
# not the client; mobile ("road warrior") peers dial in and do not need an
# endpoint here at all, as the replies below explain. With an endpoint set plus
# persistent_keepalive the router sends keepalives toward that address, which
# looks consistent with the "0 B received, ~60 KiB sent" in the wg show output.
config wireguard_wg0
        option description 'Surface Pro 8'
        option preshared_key 'xxxx'
        option route_allowed_ips '1'
        option endpoint_host 'nayif.duckdns.org'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        option public_key 'xxxx'
        list allowed_ips '192.168.10.2/32'
        list allowed_ips 'fd00:10::2/128'

config wireguard_wg0
        option description 'iPhone'
        option public_key 'xxxx'
        option preshared_key 'xxxx'
        option route_allowed_ips '1'
        option endpoint_host 'nayif.duckdns.org'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        list allowed_ips '192.168.10.3/32'
        list allowed_ips 'fd00:10::3/128'

/etc/config/firewall

# /etc/config/firewall as first posted.
# Zone-level input/output/forward policies below override these defaults.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# wg0 is a member of the lan zone, so every WireGuard peer gets exactly the
# same reach as a wired LAN client: all the lan -> wan / IoTZone / GuestZone /
# vpnfirewall forwardings further down apply to tunnel traffic as well.
config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg0'

# Inbound traffic from the internet is rejected unless a rule below accepts it.
config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan_6'

config forwarding 'lan_wan'
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Guest and IoT zones: no input to the router except the DHCP/DNS rules below,
# no forwarding except the explicit forwardings to wan / vpnfirewall. Neither
# zone has a forwarding into lan, so they are isolated from the LAN.
config zone
        option name 'GuestZone'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'
        list network 'GUEST'

config zone
        option name 'IoTZone'
        option output 'ACCEPT'
        option input 'REJECT'
        option forward 'REJECT'
        list network 'IoT'

config forwarding
        option src 'GuestZone'
        option dest 'wan'

config rule
        option name 'Guest DHCP and DNS'
        option src 'GuestZone'
        option dest_port '53 67 68'
        option target 'ACCEPT'

config forwarding
        option src 'IoTZone'
        option dest 'wan'

config rule
        option name 'IoT DHCP and DNS'
        option src 'IoTZone'
        option target 'ACCEPT'
        option dest_port '53 67 68'

# Zone for the outbound PureVPN tunnel (tun0), masqueraded like wan.
# NOTE(review): if tun0 is also the default route, replies to inbound
# WireGuard peers leave through this tunnel instead of wan, which is the
# policy-based-routing problem described later in the thread.
config zone
        option name 'vpnfirewall'
        option input 'REJECT'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option forward 'REJECT'
        list network 'purevpntun'

config forwarding
        option src 'lan'
        option dest 'vpnfirewall'

config forwarding
        option src 'IoTZone'
        option dest 'vpnfirewall'

config forwarding
        option src 'GuestZone'
        option dest 'vpnfirewall'

config forwarding
        option src 'lan'
        option dest 'IoTZone'

# NOTE(review): this rule matches on src_port, i.e. the remote client's source
# port, not the router's listening port. Road-warrior clients normally send
# from an ephemeral port, so with the wan zone at input REJECT their handshakes
# to UDP 51820 would not be accepted. Opening the local listen port is written
# as `option dest_port '51820'`; worth checking before looking elsewhere.
config rule
        option name 'Allow-WireGuard'
        list proto 'udp'
        option src 'wan'
        option src_port '51820'
        option target 'ACCEPT'

# Port forward from the internet to an IoT host. No proto is given, so by
# OpenWrt's default this appears to cover both TCP and UDP; that host is
# directly reachable from the internet on 6881.
config redirect
        option dest 'IoTZone'
        option target 'DNAT'
        option name 'Allow-qBittorrent'
        option src 'wan'
        option src_dport '6881'
        option dest_ip '172.16.98.4'
        option dest_port '6881'

config forwarding
        option src 'lan'
        option dest 'GuestZone'

wg show

interface: wg0
  public key: xxxx
  private key: (hidden)
  listening port: 51820

peer: xxxx
  preshared key: (hidden)
  endpoint: 2.90.48.79:51820
  allowed ips: 192.168.10.2/32, fd00:10::2/128
  transfer: 0 B received, 60.85 KiB sent
  persistent keepalive: every 25 seconds

peer: xxxx
  preshared key: (hidden)
  endpoint: 2.90.48.79:51820
  allowed ips: 192.168.10.3/32, fd00:10::3/128
  transfer: 0 B received, 60.70 KiB sent
  persistent keepalive: every 25 seconds

Interfaces:

Sorry, as a new user I can only upload one media file at a time.

Can you explain why you have 2 peer configurations for the same endpoint?

Road warriors will initiate the connections to your router on your public IP and listen_port. They should not be configured with endpoint_host / endpoint_port at all.

It appears you've posted the private key, so you need to stop using this compromised key and install a new one.


@lleachii The first one is for my Surface Pro, while the second one is for my iPhone.

The config is wrong. Let me try to explain again:

Your Surface Pro and iPhone endpoints are not located at nayif.duckdns.org (they're mobile). This config is incorrect. If you're not connecting to some DuckDNS VPN, it's unclear why this config exists twice.

The peer configs you posted couldn't have worked for your Surface Pro and iPhone.

Lastly, you don't need to set a port for the remote peer.

The road-warrior scenario is new to me, since I was not familiar with those terms :slightly_frowning_face:. However, I followed a YouTube guide.

Thanks for letting me know. I will change it, but for troubleshooting purposes I wanted to give you the full information.


I already use DuckDNS as DDNS for my router's public IP, to be used by WireGuard.

How could my peer devices connect to my router without the DDNS address and port number?!

  • You already configured the OpenWrt's port

:white_check_mark:

  • We're telling you not to configure the mobile device ports

:x:

It's not clear how your DDNS statement relates to the WireGuard configuration of the Surface Pro and iPhone peers incorrectly configured as nayif.duckdns.org:51820.

If you're having separate issues with DDNS setup, feel free to elaborate in a separate post.

I removed the peers and configured a new one for the iPhone, to test without configuring the mobile port; only data sent is shown, and RX/TX on the router are 0.

Please paste the output of:

cat /etc/config/network

and

cat /etc/config/ddns

Please don't hijack someone else's thread. Please respect the user and create a new post for your unique issue. That's what the Original Poster did.

Thank you.

Thanks @lleachii for your help. I really appreciate your efforts.

Network:

# /etc/config/network as re-posted after the peers were removed. Up to the
# wg0 section this is identical to the first post.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd7a:4e7f:aba8::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option device 'br-lan.20'

config device
        option name 'wan'

config interface 'wan'
        option proto 'pppoe'
        option device 'wan.10'
        option username 'xxxx'
        option password 'xxxx'
        option ipv6 'auto'
        option peerdns '0'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

config interface 'GUEST'
        option proto 'static'
        option ipaddr '10.20.30.40'
        option netmask '255.255.255.0'
        option type 'bridge'
        option device 'br-lan.40'

config interface 'IoT'
        option proto 'static'
        option type 'bridge'
        option netmask '255.255.255.0'
        option device 'br-lan.30'
        option ipaddr '172.16.98.1'

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'lan3:t'
        list ports 'lan4:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '30'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '40'
        list ports 'lan3:t'

config interface 'purevpntun'
        option proto 'none'
        option device 'tun0'

config interface 'wan_6'
        option proto 'dhcpv6'
        option device '@wan'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        list dns '8.8.8.8'
        list dns '8.8.4.4'
        list dns '2001:4860:4860::8888'
        list dns '2001:4860:4860::8844'

# WireGuard server interface, unchanged from the first post.
config interface 'wg0'
        option proto 'wireguard'
        option private_key 'xxxx'
        option listen_port '51820'
        list addresses '192.168.10.1/24'
        list addresses 'fd00:10::1/64'

# Re-created iPhone peer: endpoint_host/endpoint_port and persistent_keepalive
# are gone, as advised. The IPv6 allowed_ips entry was dropped as well.
# NOTE(review): private_key does not belong in a peer section; a peer needs only
# its public_key (and optionally the preshared_key). The client's private key
# should stay on the client. An earlier reply states the private key was posted;
# that reply's advice to generate a fresh key pair applies to any key that has
# been shared, even if it is redacted here.
config wireguard_wg0
        option description 'iPhone'
        option public_key 'xxxx'
        option private_key 'xxxx'
        option preshared_key 'xxxx'
        list allowed_ips '192.168.10.2/32'

DDNS:


# /etc/config/ddns: keeps nayif.duckdns.org pointed at the wan interface's
# address, checked every 10 minutes and force-updated every 72 hours.
# NOTE(review): update_url is plain http, so the DuckDNS token ([PASSWORD])
# is sent in cleartext on every update; the https form of the same URL avoids
# that.
config service 'duckdns'
        option enabled '1'
        option domain 'nayif.duckdns.org'
        option username 'xxxxx'
        option password 'xxxxx'
        # The address is read from the 'wan' interface rather than an external lookup.
        option ip_source 'network'
        option ip_network 'wan'
        option force_interval '72'
        option force_unit 'hours'
        option check_interval '10'
        option check_unit 'minutes'
        option update_url 'http://www.duckdns.org/update?domains=[USERNAME]&token=[PASSWORD]&ip=[IP]'
        option lookup_host 'nayif.duckdns.org'

If you have a VPN tunnel running and your traffic is being routed through that tunnel, the inbound "road warrior" VPN won't work, because the return traffic will be routed through the PureVPN tunnel.

You need to use policy based routing to ensure that the traffic is routed properly back through the normal wan for your wg interface.

I thought it was on topic. You always get a nag message when you post a new thread saying that someone else has already talked about it in a prior message. This thread looked like it had WireGuard experts with multiple peers, so it seemed a good place to ask the question.


You don't use 'tun0' interface with Wireguard. You have to make a different, specific interface after the wireguard packages are installed and you've rebooted. You likewise have to enter your full configuration information in the interface setup and you have to create a separate firewall zone for wireguard and you have to add it to the lan firewall zone. Lots of tricky stuff different from OpenVPN.

The OP isn't trying to use tun0 with WG. They already have an OpenVPN connection to a commercial VPN provider, but they're trying to setup an inbound WG interface.

The OPs problem requires PBR to resolve.


@psherman
I was trying to follow different guides over the internet and got lost. Also, I changed the default gateway to WireGuard and could not return it to wan unless I stopped the wg0 interface.

Please let me know your comments and how to solve my issue :sob:

I basically have PureVPN for streaming only, while WireGuard is for accessing my network from outside. I believe I cannot use WireGuard unless I split-tunnel using policy-based routing. I have no idea how to make it work.

Wireguard is not your default gateway since it is an inbound connection.
You should keep either your standard wan or the OpenVPN/pureVPN connection as the default gateway.

Right -- this will require PBR. The documentation should explain how to achieve this goal.


Thanks all for your replies @psherman, @lleachii, @mk24, and @KSofen.

Finally, I managed it (with some minor issues, which I list below in case someone can help) by deleting all WireGuard interfaces, both server (home VPN for my Surface Pro & iPhone) and client (PureVPN), and the firewall zones related to them.

I created new WireGuard interfaces, one for the client (PureVPN) and another for the server (home VPN). Also, I was able to create only one firewall zone for the server interface, while I failed to create another one for the home VPN, and instead assigned my server interface to lan.

To achieve that, I ignored the server interface via PBR advanced configuration. That enables me to use both WireGuard interfaces, server & client, at the same time.

My issues till now:

  • I noticed, when using my PC (which is part of lan), that PureVPN is connected (I can now browse a website blocked by my ISP) and the internet is fine, but my IP is still the same ISP IP and does not change to the PureVPN host IP.
  • My devices connected via the home VPN can access the router IP and the internet, but they are not using PureVPN; for example, I cannot access websites blocked by my ISP, which I already checked as mentioned above.

I hope someone can help with the above-mentioned issues.
Thanks in advance.

Just my two cents :slight_smile:
One of the simpler solutions when you want to run a WG client and a server simultaneously is this:

Firewall:
place client interface in the WAN zone
place server interface in the LAN zone

You need some form of PBR.
On the WG client, in the Peer section, disable/untick Route Allowed IPs; this ensures that everything is still routed via the WAN and the WG server can receive and send traffic.
Now on to the PBR: make a rule to route the IP address of your PC via the WG client (a prerouting rule).
