WireGuard connection issues

Hello everyone,

I am looking for some assistance regarding my WireGuard installation.

I have an ISP router acting as my NAT and DHCP server. Behind it I have an OpenWrt install in AP mode that supplies internet to the rest of my network. The WireGuard port is forwarded from the ISP router to OpenWrt.

I am trying to set up a WireGuard connection to my phone so I can access my network from outside.

I am able to get a handshake between my phone and the network over the internet. However, I am not able to access the internet through the tunnel, nor am I able to ping anything on my local network through it. Any ideas? What am I doing wrong?

# network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd17:fcf6:8c80::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.0.1'
        option ipaddr '192.168.0.2'
        list dns '192.168.0.1'
        option ifname 'eth0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'xxx'
        option listen_port '2451'
        list addresses '192.168.81.1/24'

config wireguard_wg0
        option public_key 'xxx'
        option description 'phone'
        list allowed_ips '0.0.0.0/0'
# firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config include
        option path '/etc/firewall.user'

config zone
        option name 'vpn'
        list network 'wg0'
        option output 'ACCEPT'
        option masq '1'
        option input 'DROP'
        option forward 'DROP'

config forwarding
        option dest 'vpn'
        option src 'lan'

What is the output of the following:

ubus call system board

Your peer config needs to be adjusted so that it looks like this:

config wireguard_wg0
        option public_key 'xxx'
        option description 'phone'
        option route_allowed_ips '1'
        list allowed_ips '192.168.81.2/32'

Your remote peer device must have the same address (192.168.81.2) in its interface definition. WireGuard only accepts decrypted packets from a peer whose source address falls inside that peer's allowed_ips (cryptokey routing), so a mismatch between the two sides still produces a handshake but passes no traffic. The allowed IPs on that peer should be set to either 0.0.0.0/0 for all traffic to use the tunnel, or 192.168.0.0/24 for just your lan.

Enable masquerading on the lan zone:

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        option masq '1'

and disable it on the vpn zone. Also, if you trust the remote peers, you can allow input and forward on this zone (if not, leave those set to DROP as they are):

config zone
        option name 'vpn'
        list network 'wg0'
        option output 'ACCEPT'
        option input 'ACCEPT'
        option forward 'ACCEPT'

Output:

{
        "kernel": "4.14.221",
        "hostname": "OpenWrt",
        "system": "ARMv7 Processor rev 5 (v7l)",
        "model": "Linksys EA8300 (Dallas)",
        "board_name": "linksys,ea8300",
        "release": {
                "distribution": "OpenWrt",
                "version": "19.07.7",
                "revision": "r11306-c4a6851c72",
                "target": "ipq40xx/generic",
                "description": "OpenWrt 19.07.7 r11306-c4a6851c72"
        }
}

I have updated my configuration to what is shown below. After a restart there is no change: I get a handshake but am not able to access anything.

cat /etc/config/network


config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd17:fcf6:8c80::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.0.1'
        option ipaddr '192.168.0.2'
        list dns '192.168.0.1'
        option ifname 'eth0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'xxx'
        option listen_port '2451'
        list addresses '192.168.81.1/32'

config wireguard_wg0
        option public_key 'xxx'
        option description 'phone'
        option route_allowed_ips '1'
        list allowed_ips '192.168.81.2/32'

cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        option masq '1'

config include
        option path '/etc/firewall.user'

config zone
        option name 'vpn'
        list network 'wg0'
        option output 'ACCEPT'
        option input 'DROP'
        option forward 'DROP'

config forwarding
        option dest 'vpn'
        option src 'lan'

19.07 is EOL and unsupported. You should seriously consider upgrading to 22.03:
https://firmware-selector.openwrt.org/?version=22.03.5&target=ipq40xx%2Fgeneric&id=linksys_ea8300

The wg0 `list addresses` entry should be /24, not /32.

Let's see your other peer's complete config.
Also, what is the output of `wg show`?

I will update my installation. Thank you for letting me know.

I have changed the "list addresses" entry back to /24.

Peer config from phone:

[Interface]
Address = 192.168.82.2/32
DNS = 192.168.0.1
PrivateKey = xxx

[Peer]
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = [my ddns].com:2451
PublicKey = xxx

Output of wg show:

interface: wg0
  public key: xxx
  private key: (hidden)
  listening port: 2451

peer: xxx
  endpoint: [Phone External IP]:46430
  allowed ips: 192.168.81.2/32
  latest handshake: 33 seconds ago
  transfer: 148 B received, 156 B sent

Everything looks fine here.

What is the result of a ping test to 192.168.0.1, 8.8.8.8, and google.com (from your phone)?

Ping to 192.168.0.1 hangs and there is no output.
Ping to 8.8.8.8 behaves the same.
Ping to google.com returns:

ping: unknown host google.com

Let's see the latest network and firewall files. Also, did you run the upgrade to 22.03?

I just finished the upgrade to 22.03.5 and migrated my interfaces.

Handshake works as before but no contact with anything once again.

After upgrade config files:

cat /etc/config/network

config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config globals 'globals'
        option ula_prefix 'fd17:fcf6:8c80::/48'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.0.1'
        option ipaddr '192.168.0.2'
        list dns '192.168.0.1'
        option device 'br-lan'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'xxx'
        option listen_port '2451'
        list addresses '192.168.81.1/24'

config wireguard_wg0
        option public_key 'xxx'
        option description 'phone'
        option route_allowed_ips '1'
        list allowed_ips '192.168.81.2/32'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        option masq '1'

config include
        option path '/etc/firewall.user'

config zone
        option name 'vpn'
        list network 'wg0'
        option output 'ACCEPT'
        option input 'ACCEPT'
        option forward 'ACCEPT'

config forwarding
        option dest 'vpn'
        option src 'lan'

This forwarding rule (src lan, dest vpn) is backwards...

It should be like this:

config forwarding
        option dest 'lan'
        option src 'vpn'

Updated and restarted. I was hoping that would fix the issue but there was no change.

After restart:

cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        option masq '1'

config include
        option path '/etc/firewall.user'

config zone
        option name 'vpn'
        list network 'wg0'
        option output 'ACCEPT'
        option input 'ACCEPT'
        option forward 'ACCEPT'

config forwarding
        option src 'vpn'
        option dest 'lan'

I'm not really sure why it isn't working. I think you should start from scratch...

Make a backup and then reset to defaults. From there, change only what genuinely needs to be adjusted; you should be changing the following things:

  • lan interface settings (set IP, gateway, and dns)
  • disable the DHCP server on the lan interface
  • install wireguard packages
  • add your wg interface and peer config (just copy/paste these sections from your backup -- they should be valid)
  • Add the wg related firewall zone and forwarding rule (copy/paste this from the backup, as well).
  • enable masquerading on the lan firewall zone.

Then restart and try again.

If I understand your setup correctly:

  • Your ISP box is the default router and NAT box.
  • The OpenWrt is connected via LAN and not via WAN?
    (wired and wireless clients on the OpenWrt can each reach the WAN and the LAN?)

My recommendation:

  • Remove the MASQ from the VPN zone, because your ISP router does not know how to reach 192.168.81.0/24 (so the MASQ on the LAN zone should be used instead).
  • OR set a static route on the ISP box for 192.168.81.0/24 via 192.168.0.2

You could also still set the static route, and disable the firewall on openwrt.

BTW:

Port 0 (usually the CPU port) should be 0t, shouldn't it?

This has been done already.

I would recommend against this for the time being. Masquerading on the lan zone is the simplest approach and should work.

Often true, but it may not be required here, since there is only one network and the network stack is otherwise working.


Network topology:

Internet -> ISP modem/router 192.168.0.1 -> OpenWrt 192.168.0.2

OpenWrt supplies wireless as well as wired network to all devices. There are no devices between .0.1 and .0.2, they are all connected to OpenWrt. They wanted to charge me $15 extra a month for their wireless service. I opted to supply my own.

I will try starting from fresh tonight and see if that works. I will report back as soon as it is done. I appreciate your suggestions.

I have finally found the time to wipe my OpenWrt instance and restart fresh.

No change still. I get a handshake but am unable to reach any devices on the local network or the internet. Any other ideas?

Output of cat /etc/config/network:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd7c:4717:1884::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.0.2'
        option gateway '192.168.0.1'
        list dns '192.168.0.1'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'
        option auto '0'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'
        option auto '0'
        option reqaddress 'try'
        option reqprefix 'auto'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'xxx'
        option listen_port '2451'
        list addresses '192.168.81.1/24'

config wireguard_wg0
        option public_key 'xxx'
        option description 'phone'
        option route_allowed_ips '1'
        list allowed_ips '192.168.81.2/32'

Output of cat /etc/config/firewall:

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        list network 'wg0'
        option forward 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'vpn'

No effect.

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg0'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'vpn'

Since this device is not the main router, you need to have the WireGuard network assigned to its own firewall zone, and you need masquerading enabled on the lan zone. That is what you had in your earlier post; return to that configuration.

Then, you are missing the forwarding from vpn to lan. Add this:

config forwarding
        option src 'vpn'
        option dest 'lan'

If that doesn't work, let's take a look at your other peer (your phone or computer) -- screenshots or a copy/paste of the config on that device. Also, please show the output of `wg show`.

Here is my current config. No change: the handshake is working, but there is no access to the internal or external network.

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd7c:4717:1884::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.0.2'
        option gateway '192.168.0.1'
        list dns '192.168.0.1'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'
        option auto '0'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'
        option auto '0'
        option reqaddress 'try'
        option reqprefix 'auto'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'xxx'
        option listen_port '2451'
        list addresses '192.168.81.1/24'

config wireguard_wg0
        option public_key 'xxx'
        option description 'phone'
        option route_allowed_ips '1'
        list allowed_ips '192.168.81.2/32'

cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list network 'lan'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wg0'

config forwarding
        option src 'vpn'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'vpn'

wg show

interface: wg0
  public key: XXX
  private key: (hidden)
  listening port: 2451

peer: XXX
  endpoint: 166.194.146.51:37119
  allowed ips: 192.168.81.2/32
  latest handshake: 45 seconds ago
  transfer: 508 B received, 948 B sent

phone config

[Interface]
Address = 192.168.82.2/32
DNS = 192.168.0.1
PrivateKey = xxx

[Peer]
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = [DDNS]:2451
PublicKey = xxx

Remove the IPv6 entry from AllowedIPs on the phone, so that it reads:

AllowedIPs = 0.0.0.0/0