Wireguard Connection Problem

Hello,

I used this tutorial to install WireGuard: https://blog.birkhoff.me/setting-up-a-wireguard-server-on-openwrt/

I have an OpenWrt router (Xiaomi 3G) behind a German Telekom router and it works well.
So I installed WireGuard and my iOS client connects, but the router didn't show a connection and I can't access any website on my network at home.

I forwarded port 51820 from the Telekom router to my OpenWrt.
I attach my configs as pictures; I hope someone can help me.

I would remove listen port 51820 from the telephone. Most of the time mobile ISPs do CGNAT, so most likely they will not honor the source port you chose. Also remove it from the peer in OpenWrt.
Also in OpenWrt peers, allowed IPs is a single host, so you can leave it as .2 or .2/32. Route allowed IPs is not necessary in this case.
Also there is an OpenWrt guide: https://openwrt.org/docs/guide-user/services/vpn/wireguard/basic

Does the same happen when you try this alternative tutorial?

Yes, but same problem.
I added pictures of the changed configs.

It looks like you are double NAT'd.

Make sure your firewall zone configurations for the WG interface are configured properly, and that there is a traffic rule to allow port 51820 inbound to the OpenWrt (WG) router.

For testing purposes only: change your phone's endpoint configuration -- the address you use depends on your phone's IP address (which depends on how it connects to wifi -- through the OpenWrt router or from the upstream router).

  • 192.168.1.1:51820 if your phone is connecting to the OpenWrt router's wifi
  • 192.168.2.106:51820 if your phone connects via the upstream router's wifi (caveat below).

Now, from within your wifi network, make sure you can connect and that you can ping your router (192.168.1.1), an IP on the internet (say 8.8.8.8) and then a domain name (i.e. google.com). Run a traceroute to make sure that the first hop is 192.168.200.1 (which is the WG interface address).

If all of that works, your WG config, in general, is working and your issue is simply about getting connectivity from the internet. This means port forwarding from your upstream router must be working and that you must have a public IP address on the WAN of that upstream router (CG-NAT will likely not work).

In cases of DS-Lite (CGNAT IPv4 address plus native IPv6 prefix) WireGuard works pretty well over IPv6 as well (at least incoming; outgoing IPv6 traffic is more difficult with dynamic prefixes).

Okay, I tested changing my endpoint IP to 192.168.1.1 and used the wifi from my OpenWrt router.

I can ping my router 192.168.1.1 and all my Raspberry Pis via IP in my network.
But I can't ping 8.8.8.8 or anything else outside my network.
I don't see any traffic on the wg0 interface.

There is a picture from my firewall zone and Traffic Rule in my first post.

Btw, the provider is the German Telekom and I have a "normal IP" and no DS-Lite. I also have a DDNS with no-ip.com and this works well (over IPv4).

What do you see incoming at the WireGuard port?
Run this command on the OpenWrt:
tcpdump -i any -vvn udp port 51820
Then fire up WG on the phone.
Also wg show can show the config.


Here is the output


tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
22:55:22.857051 ethertype IPv4, IP (tos 0x0, ttl 54, id 49023, offset 0, flags [none], proto UDP (17), length 176)
    80.187.118.129.10062 > 192.168.2.106.51820: [udp sum ok] UDP, length 148
22:55:22.857051 IP (tos 0x0, ttl 54, id 49023, offset 0, flags [none], proto UDP (17), length 176)
    80.187.118.129.10062 > 192.168.2.106.51820: [udp sum ok] UDP, length 148
22:55:28.146161 ethertype IPv4, IP (tos 0x0, ttl 54, id 29483, offset 0, flags [none], proto UDP (17), length 176)
    80.187.118.129.10062 > 192.168.2.106.51820: [udp sum ok] UDP, length 148
22:55:28.146161 IP (tos 0x0, ttl 54, id 29483, offset 0, flags [none], proto UDP (17), length 176)
    80.187.118.129.10062 > 192.168.2.106.51820: [udp sum ok] UDP, length 148
22:55:33.311519 ethertype IPv4, IP (tos 0x0, ttl 54, id 42064, offset 0, flags [none], proto UDP (17), length 176)
    80.187.118.129.10062 > 192.168.2.106.51820: [udp sum ok] UDP, length 148
22:55:33.311519 IP (tos 0x0, ttl 54, id 42064, offset 0, flags [none], proto UDP (17), length 176)
    80.187.118.129.10062 > 192.168.2.106.51820: [udp sum ok] UDP, length 148
22:55:38.610300 ethertype IPv4, IP (tos 0x0, ttl 54, id 38133, offset 0, flags [none], proto UDP (17), length 176)
    80.187.118.129.10062 > 192.168.2.106.51820: [udp sum ok] UDP, length 148
22:55:38.610300 IP (tos 0x0, ttl 54, id 38133, offset 0, flags [none], proto UDP (17), length 176)
    80.187.118.129.10062 > 192.168.2.106.51820: [udp sum ok] UDP, length 148
22:55:43.790562 ethertype IPv4, IP (tos 0x0, ttl 54, id 47247, offset 0, flags [none], proto UDP (17), length 176)
    80.187.118.129.10062 > 192.168.2.106.51820: [udp sum ok] UDP, length 148
22:55:43.790562 IP (tos 0x0, ttl 54, id 47247, offset 0, flags [none], proto UDP (17), length 176)
    80.187.118.129.10062 > 192.168.2.106.51820: [udp sum ok] UDP, length 148

And


root@OpenWrt:~# wg show
interface: wg0
  public key: XXX
  private key: (hidden)
  listening port: 51820

peer: XXX
  allowed ips: 192.168.200.2/32
  persistent keepalive: every 25 seconds
root@OpenWrt:~#

You are getting packets from mobile, but OpenWrt is not replying anything back. My guess is mistyped public/private keys.
Remember that private key goes to interface section.
In peer section we use the public key of the peer, not of the device itself.


So on my OpenWrt router:
In peer I added the public key which is generated from my iPhone.
In common configuration I added the private server key I created in the installation process.

On my phone:
On interface is the generated key from my phone.
In peer I added the public server key.

So is this right?

The keys you have used/exchanged should be correct, as long as you didn't mix them up.

You might try adding a new firewall zone for the WG interface on your OpenWrt router. Accept/Accept/Accept is fine if you want (I have input and output accept, forward reject). Then allow forwarding from your wg zone > lan zone, and wg zone > wan zone. The net effect should theoretically be the same as having lan and wg on the same zone, but this will allow you to explicitly specify the forwarding allowances.

Also, try restarting the router -- I seem to recall seeing something about a minor bug in the WG implementation on 18.06.x that basically requires an interface restart to pick up new peers. Just do a full router restart just to make sure all services start as expected.
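The zone and forwarding layout suggested above can be checked mechanically. The following is an added example, not code from this thread or from OpenWrt: a small Python lint that parses UCI text and reports whether the WireGuard interface sits in a zone, whether that zone is allowed to forward to lan and wan, whether the wan zone masquerades, and whether an input rule accepts UDP 51820; parse_uci, lint_wg_firewall and the cut-down SAMPLE_FW are names and data constructed here.

```python
# Constructed sample, cut down from the /etc/config/firewall posted above (wg0 shares the lan zone).
SAMPLE_FW = """\
config zone
        option name 'lan'
        option network 'lan wg0'
config zone
        option name 'wan'
        option masq '1'
        option network 'wan wan6'
config forwarding
        option src 'lan'
        option dest 'wan'
config rule
        option src '*'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '51820'
"""

def parse_uci(text: str) -> list[dict]:
    """Parse UCI text into sections; each option/list value is kept as a list of strings."""
    sections = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if parts and parts[0] == "config":
            sections.append({"type": parts[1]})
        elif parts and parts[0] in ("option", "list") and sections:
            sections[-1].setdefault(parts[1], []).append(parts[2].strip().strip("'"))
    return sections

def lint_wg_firewall(fw: str, wg_iface: str = "wg0", port: str = "51820") -> list[str]:
    """Findings for the zone, forwarding, masq and input rule a WireGuard server needs."""
    sec = parse_uci(fw)
    opt = lambda s, k, d="": s.get(k, [d])[0]
    zone = lambda net: next((opt(z, "name") for z in sec
                             if z["type"] == "zone" and net in opt(z, "network").split()), None)
    wgz = zone(wg_iface)
    findings = [] if wgz else [f"{wg_iface} belongs to no firewall zone"]
    fwd = {(opt(f, "src"), opt(f, "dest")) for f in sec if f["type"] == "forwarding"}
    for dest in ("lan", "wan"):  # a dedicated wg zone needs explicit forwardings
        if wgz and wgz != dest and (wgz, dest) not in fwd:
            findings.append(f"no forwarding from zone {wgz} to {dest}")
    if not any(s["type"] == "zone" and "wan" in opt(s, "network").split()
               and opt(s, "masq") == "1" for s in sec):
        findings.append("wan zone lacks masq: VPN clients get no NAT towards the internet")
    if not any(s["type"] == "rule" and opt(s, "src") in ("wan", "*") and "dest" not in s
               and "udp" in opt(s, "proto", "tcp udp") and opt(s, "dest_port") == port
               and opt(s, "target") == "ACCEPT" for s in sec):
        findings.append(f"no input rule accepting UDP {port} from wan")
    return findings
```

Run it against the real file with lint_wg_firewall(open("/etc/config/firewall").read()); a dedicated wg zone without a wg to wan forwarding shows up as a finding, which is the explicit allowance the post above describes.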


Yes, correct.
Also make sure that the time is correct with the command date.

The time is correct.
And I created a new firewall zone but nothing changed; I also rebooted the router without any effect...

This indicates that the connection is not actually working. You should see information about the latest handshake and transfer bandwidth.

Can you post the latest config files? (I am most used to reading them in the format of the config files themselves vs the uci format.)
/etc/config/network
/etc/config/firewall

and the WG config from the phone.

Sure

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd8a:4a9d:ab09::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device 'lan_dev'
        option name 'eth0.1'
        option macaddr '50:64:2b:19:2c:dc'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'
        list dns '80.241.218.68'
        list dns '46.182.19.48'
        option peerdns '0'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'
        list dns '2a02:2970:1002::18'
        list dns '2a02:c205:3001:4558::1'
        option reqprefix 'auto'
        option reqaddress 'try'
        option peerdns '0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 6t'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'xxx'
        list addresses '192.168.200.1/24'
        option listen_port '51820'

config wireguard_wg0
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        list allowed_ips '192.168.200.2/32'
        option public_key 'xxx'


root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan wg0'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config redirect
        option dest_port '8080'
        option src 'wan'
        option src_dport '8080'
        option target 'DNAT'
        option dest 'lan'
        option proto 'tcp udp'
        option name 'E3_cam'
        option dest_ip '192.168.1.246'

config redirect
        option dest_port '80'
        option src 'wan'
        option src_dport '80'
        option target 'DNAT'
        option dest 'lan'
        option proto 'tcp udp'
        option name 'e3_info'
        option dest_ip '192.168.1.160'

config rule
        option src '*'
        option target 'ACCEPT'
        option proto 'udp'
        option name 'Allow-Wireguard-Inbound'
        option dest_port '51820'

A few things to check/do...

First, make sure that the keys are not messed up -- there are no human-readable differences that help distinguish public vs private keys. So it is worth just making sure that you have the keys defined and exchanged properly (I know you said you've done this, but I can speak from experience that I have messed this up even when I thought it was right). Each key should be 44 characters long including the final equals sign (=). On the OpenWrt side, other than the single quotes (') enclosing the key, there should be no other added characters.

On your phone's configuration:

  • change the address to 192.168.200.2/32
  • change the endpoint to 192.168.1.1:51820 (for testing)
  • connect your phone to the wifi on the OpenWrt router and verify that you have an IP in the 192.168.1.0/24 network.

Turn on WG on your phone and then look at the OpenWrt wg status. You should see the handshake and data transfer data. If you don't, try recreating the keys.

If WG shows successful handshakes, test pings to your LAN and then pings to outside addresses.
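The two key rules given in this thread (the private key belongs in the interface section and the peer section holds the other side's public key; every key is 44 base64 characters ending in "=") can be checked offline. This is an added example, not code from the thread or from WireGuard: a pure-Python X25519 (RFC 7748) derivation that computes what wg pubkey computes, used to confirm the router's private key is well-formed and that the peer section does not accidentally hold the router's own public key. Function names are chosen here, and the sample keys are RFC 7748 section 6.1 test vectors standing in for the real router and phone keys.

```python
import base64
P = 2**255 - 19  # Curve25519 field prime

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519: clamp scalar k, then run the Montgomery ladder on u."""
    k = bytearray(k); k[0] &= 248; k[31] &= 127; k[31] |= 64
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1; swap ^= kt
        if swap: x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap: x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def decode_key(key_b64: str) -> bytes:
    """A WireGuard key is 44 base64 chars ending in '=' that decode to 32 bytes."""
    raw = base64.b64decode(key_b64, validate=True) if len(key_b64) == 44 else b""
    if len(raw) != 32:
        raise ValueError(f"expected 44 base64 chars ending in '=': {key_b64!r}")
    return raw

def wg_pubkey(private_b64: str) -> str:
    """Same derivation as `wg pubkey`: X25519 of the private key with base point 9."""
    pub = x25519(decode_key(private_b64), (9).to_bytes(32, "little"))
    return base64.b64encode(pub).decode()

def check_keys(router_private: str, peer_public: str) -> list[str]:
    """Findings for the interface private key and the peer's public key; [] is good."""
    try:
        own_public = wg_pubkey(router_private)
        decode_key(peer_public)
    except ValueError as exc:
        return [f"malformed key: {exc}"]
    if peer_public == own_public:
        return ["peer section holds the router's own public key; it needs the phone's"]
    return []

# Constructed sample keys (RFC 7748 section 6.1 test vectors), not the thread's real keys.
_b64 = lambda hex_key: base64.b64encode(bytes.fromhex(hex_key)).decode()
ROUTER_PRIVATE = _b64("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ROUTER_PUBLIC = _b64("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
PHONE_PUBLIC = _b64("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
```

On the router itself, comparing wg_pubkey(private_key from /etc/config/network) with the "public key" line of wg show is the same consistency check; a mismatch means the key was mistyped when it was pasted.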

Now it works. I recreated all keys again and finally it works fine!!!

Thanks to all of you for the help 🙂


If your problem is solved, feel free to mark the relevant post as the solution; and edit the title to add "[SOLVED]" to the beginning (click the pencil behind the topic).
