My purpose to creating a wireguard tunnel is so that:
I can access my Home internal network
Appear to Amazon / Banks that I am in US when overseas.
Use Netflix (US Content) when overseas.
I have a TP-Link 1900 on which I installed DDNS with the goal of receiving incoming connection and it is now working fine. The upstream ISP router's firewall is disabled and the IP Passthrough is configured.
I have installed wireguard using Luci and here is the network, firewall details:
I have used the QR code scan to configure my Android client. My wireguard connection does not make and the wireguard interface shows zero rx, tx. The android client only shows TX.
Please repost your configs in text format and provide the following so that we can better understand what is happening:
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
wg show
And also please show only the first two octets (in bold: aaa.bbb.ccc.ddd) of the following:
root@ONHUB-5A0B:/etc/config# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd84:a75f:3d3d::/48'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1t 6t'
option vid '1'
option description 'SOS'
config switch_vlan
option device 'switch0'
option vlan '3'
option vid '10'
option description 'WAN'
option ports '0t 2'
config switch_vlan
option device 'switch0'
option vlan '5'
option vid '5'
option description 'LAN'
option ports '1t 6t'
config switch_vlan
option device 'switch0'
option vlan '6'
option vid '6'
option description 'IOT'
option ports '1t 6t'
config device
option type '8021q'
option ifname 'eth0'
option vid '10'
option name 'eth0.10'
option ipv6 '0'
config device
option name 'eth0'
config device
option type 'bridge'
option name 'br-wan'
list ports 'eth0'
list ports 'eth0.10'
option multicast_querier '1'
option ipv6 '0'
config interface 'wan'
option proto 'dhcp'
option device 'br-wan'
option delegate '0'
option peerdns '0'
list dns '8.8.8.8'
list dns '9.9.9.9'
config device
option type '8021q'
option ifname 'eth1'
option vid '6'
option name 'eth1.6'
option ipv6 '0'
config device
option type 'bridge'
option name 'br-iot'
list ports 'eth1'
list ports 'eth1.6'
option ipv6 '0'
config interface 'iot'
option proto 'static'
option device 'br-iot'
option ipaddr '192.168.116.1'
option netmask '255.255.255.0'
option delegate '0'
config device
option type 'bridge'
option name 'br-lan'
list ports 'eth1'
list ports 'eth1.5'
option ipv6 '0'
config interface 'lan'
option proto 'static'
option device 'br-lan'
option ipaddr '192.168.111.1'
option netmask '255.255.255.0'
option delegate '0'
list dns '8.8.8.8'
list dns '9.9.9.9'
config device
option name 'br-sos'
option type 'bridge'
list ports 'eth1'
list ports 'eth1.1'
option ipv6 '0'
config interface 'sos'
option proto 'static'
option device 'br-sos'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option delegate '0'
config device
option name 'eth1.1'
option type '8021q'
option ifname 'eth1'
option vid '1'
option ipv6 '0'
config device
option name 'eth1.5'
option type '8021q'
option ifname 'eth1'
option vid '5'
option ipv6 '0'
config interface 'wg_sfo'
option proto 'wireguard'
option private_key '<REDACTED>'
option listen_port '51820'
list addresses '10.100.1.1/24'
option delegate '0'
option defaultroute '0'
config wireguard_wg_sfo
option description 'ag_phone'
option public_key 'oiBWyPXhhEvcGaOE2vUR9QiwC5LIvu8w9YPO0Zr4s04='
option private_key '<REDACTED>'
list allowed_ips '10.100.1.3/32'
option endpoint_port '51820'
option persistent_keepalive '25'
option route_allowed_ips '1'
root@ONHUB-5A0B:/etc/config#
cat /etc/config/firewall: (luci-app-pbr was added in firmware selector but not configured, stopped, and disabled )
root@ONHUB-5A0B:/etc/config# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'wg_sfo'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'allow-wg-inbound'
list proto 'udp'
option src 'wan'
option src_port '51820'
option dest 'lan'
list dest_ip '10.100.1.1/24'
option dest_port '51820'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Block NEP Internet'
list src_ip '192.168.116.66'
option dest 'wan'
option target 'DROP'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include 'pbr'
option fw4_compatible '1'
option type 'script'
option path '/usr/share/pbr/firewall.include'
config zone
option name 'iot'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'iot'
config zone
option name 'sos'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'sos'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
config forwarding
option src 'lan'
option dest 'iot'
config forwarding
option src 'lan'
option dest 'sos'
config forwarding
option src 'iot'
option dest 'wan'
root@ONHUB-5A0B:/etc/config#
wg show:
root@ONHUB-5A0B:/etc/config# wg show
interface: wg_sfo
public key: oiBWyPXhhEvcGaOE2vUR9QiwC5LIvu8w9YPO0Zr4s04=
private key: (hidden)
listening port: 51820
root@ONHUB-5A0B:/etc/config#
I don't have time to go through it in detail now (I can try to get to this tomorrow if your problem isn't solved by then)...
You've got a bunch of issues with your bridges... I'm not sure why you've got eth1 and eth1.6 bridged here, and you have a similar thing for your other bridges. This is almost certainly wrong, but may not be the cause of your issue. It should be fixed, though.
Remove the last 2 lines here:
Remove the endpoint port from the peer config:
D
Remove the dest, dest_ip, and dest_port lines below:
Then restart and try again.
If it doesn't work, try connecting while on your lan with the endpoint address (defined on the actually remote peer) as 192.168.1.1. Then show us the result of wg show.
Iād be surprised if the default configuration had the VLANs bridged like that. Make a backup and then you can easily reset to see what was there in the default state.
Yes, I will do that. However, I found it odd too. First time I saw a br-wan device too. I was timid to take these bridges to eth0 and eth1 out.
Thanks. I will test your suggested mods.
I took a backup, removed the eth0 from br-wan and eth1 from br-lan, br-iot, and br-sos and rebooted.
No trouble. It works as expected. I will try the default configs as well.
Is there a place where I should post this as a defect?
Also on these devices, if there is a USB storage attached at reboot, the router just hangs. Remove the USB and reboot, and it works fine.
I tried this lan connection test, and before during and after wg show is attached. It did not work,
In my case the end point defined on my phone was 192.168.111.1:51820 ( in place of original home.ezpzcooking.com).
root@ONHUB-5A0B:~# wg show
interface: wg_sfo
public key: oiBWyPXhhEvcGaOE2vUR9QiwC5LIvu8w9YPO0Zr4s04=
private key: (hidden)
listening port: 51820
root@ONHUB-5A0B:~# wg show
interface: wg_sfo
public key: oiBWyPXhhEvcGaOE2vUR9QiwC5LIvu8w9YPO0Zr4s04=
private key: (hidden)
listening port: 51820
root@ONHUB-5A0B:~# wg show
interface: wg_sfo
public key: oiBWyPXhhEvcGaOE2vUR9QiwC5LIvu8w9YPO0Zr4s04=
private key: (hidden)
listening port: 51820
root@ONHUB-5A0B:~# wg show
config rule 'wg'
option name 'Allow-WireGuard'
option src 'wan'
option dest_port '51820'
option proto 'udp'
option target 'ACCEPT'
Reboot and test again, if that does not help please show the first two octets of your WAN IP: aaa.bbb do not show the rest
So that we can see if you have a public IP address on your router
I am sorry for missing to answer. The private key on the phone is not visible.
So I deleted, and then created another tunnel "from scratch" and in there I was able to enter the private key for the wg phone interface and it created a public key as soon as I was done. I then completed the peer data. Tried connecting. Still no luck.
Just now, I am taking another older router Netgear R6100 and flashing with 23.5 and then I will change the Mac address on AT&T for pass through.
Then I will test for wireguard using the same exact steps. And, then report. This is perhaps something stupid I am doing and will soon find out.
Yes I removed the redundant bridge last night. The device worked fine despite removing those bridges. However the wireguard did not. Will post revised date again shortly.
My most sincere apologies to all of you. My settings key were wrongly entered. I made a mistake on Capital O and Zero 0.
The wireguard from phone connected fine over the 5G (after I fixed the error in key)
It is not serving the content but that may be some firewall glitch. I am looking into it and would post the results soon.
