Wireguard connection troubleshooting

Glad you found the issue with the O vs 0.

If you're unable to resolve the final issues, post your updated configs and we'll take a look.

I give up. I am unable to see, from the phone, the login page of my router after WireGuard connects.
http://192.168.111.1
I was also unable to ssh to 192.168.111.1:22

Here are my details:

root@ONHUB-5A0B:/etc/config/wireguard/wg_sfo# ls -lh
-rw-r--r--    1 root     root          45 Dec 26 14:49 ag_phone-privatekey
-rw-r--r--    1 root     root          45 Dec 26 14:49 ag_phone-publickey
-rw-r--r--    1 root     root          45 Dec 26 14:38 home_privatekey
-rw-r--r--    1 root     root          45 Dec 26 14:37 home_publickey
-rw-r--r--    1 root     root          45 Dec 26 14:33 router1-privatekey
-rw-r--r--    1 root     root          45 Dec 26 14:33 router1-publickey
root@ONHUB-5A0B:/etc/config/wireguard/wg_sfo# 

root@ONHUB-5A0B:/etc/config/wireguard/wg_sfo# ubus call system board
{
	"kernel": "5.15.167",
	"hostname": "ONHUB-5A0B",
	"system": "ARMv7 Processor rev 0 (v7l)",
	"model": "TP-Link OnHub",
	"board_name": "tplink,onhub",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.5",
		"revision": "r24106-10cc5fcd00",
		"target": "ipq806x/chromium",
		"description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
	}
}
root@ONHUB-5A0B:/etc/config/wireguard/wg_sfo# 
root@ONHUB-5A0B:/etc/config/wireguard/wg_sfo# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd84:a75f:3d3d::/48'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1t 6t'
	option vid '1'
	option description 'SOS'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '10'
	option description 'WAN'
	option ports '0t 2'

config switch_vlan
	option device 'switch0'
	option vlan '5'
	option vid '5'
	option description 'LAN'
	option ports '1t 6t'

config switch_vlan
	option device 'switch0'
	option vlan '6'
	option vid '6'
	option description 'IOT'
	option ports '1t 6t'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '10'
	option name 'eth0.10'
	option ipv6 '0'

config device
	option name 'eth0'

config device
	option type 'bridge'
	option name 'br-wan'
	option multicast_querier '1'
	option ipv6 '0'
	list ports 'eth0.10'

config interface 'wan'
	option proto 'dhcp'
	option device 'br-wan'
	option delegate '0'
	option peerdns '0'
	list dns '8.8.8.8'
	list dns '9.9.9.9'

config device
	option type '8021q'
	option ifname 'eth1'
	option vid '6'
	option name 'eth1.6'
	option ipv6 '0'

config device
	option type 'bridge'
	option name 'br-iot'
	option ipv6 '0'
	list ports 'eth1.6'

config interface 'iot'
	option proto 'static'
	option device 'br-iot'
	option ipaddr '192.168.116.1'
	option netmask '255.255.255.0'
	option delegate '0'

config device
	option type 'bridge'
	option name 'br-lan'
	option ipv6 '0'
	list ports 'eth1.5'

config interface 'lan'
	option proto 'static'
	option device 'br-lan'
	option ipaddr '192.168.111.1'
	option netmask '255.255.255.0'
	option delegate '0'
	list dns '8.8.8.8'
	list dns '9.9.9.9'

config device
	option name 'br-sos'
	option type 'bridge'
	option ipv6 '0'
	list ports 'eth1.1'

config interface 'sos'
	option proto 'static'
	option device 'br-sos'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option delegate '0'

config device
	option name 'eth1.1'
	option type '8021q'
	option ifname 'eth1'
	option vid '1'
	option ipv6 '0'

config device
	option name 'eth1.5'
	option type '8021q'
	option ifname 'eth1'
	option vid '5'
	option ipv6 '0'

config interface 'wg_sfo'
	option proto 'wireguard'
	option private_key <redacted>
	option listen_port '51820'
	list addresses '10.100.1.1/24'

config wireguard_wg_sfo
	option description 'ag_phone'
	option public_key <redacted>
	option private_key <redacted>
	list allowed_ips '10.100.1.3/32'
	option persistent_keepalive '25'
	option route_allowed_ips '1'


root@ONHUB-5A0B:/etc/config/wireguard/wg_sfo# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg_sfo'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Block NEP Internet'
	list src_ip '192.168.116.66'
	option dest 'wan'
	option target 'DROP'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/firewall.include'

config zone
	option name 'iot'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'iot'

config zone
	option name 'sos'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'sos'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'iot'

config forwarding
	option src 'lan'
	option dest 'sos'

config forwarding
	option src 'iot'
	option dest 'wan'

root@ONHUB-5A0B:/etc/config/wireguard/wg_sfo# 

root@ONHUB-5A0B:/etc/config/wireguard/wg_sfo# wg  show
interface: wg_sfo
  public key: oiBWyPXhhEvcGaOE2vUR9QiwC5LIvu8w9YPO0Zr4s04=
  private key: (hidden)
  listening port: 51820

peer: tYRWj6s/Mdac/NACLUKQvdeyH64fqr6PNpY5WOyuISw=
  endpoint: 172.59.129.108:62184
  allowed ips: 10.100.1.3/32
  latest handshake: 21 seconds ago
  transfer: 5.36 KiB received, 9.05 KiB sent
  persistent keepalive: every 25 seconds
root@ONHUB-5A0B:/etc/config/wireguard/wg_sfo# 


root@ONHUB-5A0B:/etc/config/wireguard/wg_sfo# ifstatus wan | grep address
		"addresses",
	"ipv4-address": [
			"address": "76.218.XXX.XX",
	"ipv6-address": [
		"ipv4-address": [
		"ipv6-address": [
root@ONHUB-5A0B:/etc/config/wireguard/wg_sfo# 

There are some things that can be cleaned up, but nothing that seems to impact your WireGuard issue....

It looks like your WireGuard connection is working in general. Let's see the phone's configuration -- that's the missing part right now.

What are the allowed_ips on the phone?

Typically it is set to 0.0.0.0/0 to redirect all Internet usage through the tunnel. If you only want to use it for access to the home LAN, that LAN needs to be an allowed_ip on the phone.

2 Likes
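The point made in the reply above is that the phone decides what to send into the tunnel purely from its own AllowedIPs list (WireGuard's cryptokey routing), so a blank list sends nothing and 0.0.0.0/0 sends all IPv4. The following is an added example, not code from this thread, from OpenWrt or from the WireGuard project: a small Python model of that decision for the phone side, using the addresses visible in the posted configs (tunnel 10.100.1.0/24, router 10.100.1.1, phone 10.100.1.3, home LAN 192.168.111.0/24). The key and endpoint placeholders in the rendered phone config, and the profile names, are assumptions.

```python
"""Model of WireGuard cryptokey routing on the phone side of the tunnel in this thread.

Added example; not code from the thread, OpenWrt or WireGuard. The addresses come
from the posted configs; the key/endpoint placeholders and profile names are assumptions.
"""
import ipaddress

ROUTER_TUNNEL_IP = "10.100.1.1"      # 'list addresses 10.100.1.1/24' on the router
PHONE_TUNNEL_IP = "10.100.1.3/32"    # 'list allowed_ips 10.100.1.3/32' in the router's peer entry
HOME_LAN = "192.168.111.0/24"        # br-lan on the router
TUNNEL_NET = "10.100.1.0/24"

# Three ways the phone's AllowedIPs field could be filled in: what the thread started
# with (blank), what fixed it (0.0.0.0/0), and the split-tunnel alternative the reply
# mentions (only tunnel + home LAN prefixes are sent to the router).
PROFILES = {
    "blank": "",
    "full_tunnel": "0.0.0.0/0",
    "lan_only": f"{TUNNEL_NET}, {HOME_LAN}",
}


def parse_allowed_ips(text):
    """Parse a WireGuard AllowedIPs value: comma-separated prefixes, blank means none."""
    return [ipaddress.ip_network(tok.strip(), strict=False)
            for tok in text.split(",") if tok.strip()]


def matching_allowed_ip(dest, allowed_ips):
    """Return the most specific AllowedIPs prefix containing dest, or None.

    Cryptokey routing: an outgoing packet is encrypted to the peer only if its
    destination lies inside one of that peer's AllowedIPs. Address family matters,
    so 0.0.0.0/0 never matches an IPv6 destination.
    """
    addr = ipaddress.ip_address(dest)
    matches = [net for net in allowed_ips if addr in net]
    return max(matches, key=lambda net: net.prefixlen) if matches else None


def path_for(dest, allowed_ips_text):
    """'tunnel' if the phone would send dest through WireGuard, else 'direct' (carrier)."""
    net = matching_allowed_ip(dest, parse_allowed_ips(allowed_ips_text))
    return "tunnel" if net is not None else "direct"


def render_phone_config(profile):
    """Render the phone-side config for one PROFILES entry (keys/endpoint are placeholders)."""
    return "\n".join([
        "[Interface]",
        "PrivateKey = <phone-private-key>",      # placeholder; the router never needs this key
        f"Address = {PHONE_TUNNEL_IP}",
        "",
        "[Peer]",
        "PublicKey = <router-public-key>",       # 'wg show' on the router prints it
        "Endpoint = <home-public-ip>:51820",     # listen_port from the router config
        f"AllowedIPs = {PROFILES[profile]}",
        "PersistentKeepalive = 25",
    ])


if __name__ == "__main__":
    for name in PROFILES:
        for dest in (ROUTER_TUNNEL_IP, "192.168.111.1", "1.1.1.1", "2001:db8::1"):
            print(f"{name:12} {dest:14} -> {path_for(dest, PROFILES[name])}")
    print(render_phone_config("lan_only"))
```

With the blank profile every destination comes back "direct", which is exactly the symptom in the thread: the handshake completes (the router's `wg show` already showed a recent handshake), but the phone never sends a LAN packet into the tunnel. With 0.0.0.0/0 all IPv4 traffic goes to the router, and because the posted firewall places `wg_sfo` in the `lan` zone with `lan -> wan` forwarding and `masq` on `wan`, it then leaves through the home connection. Two caveats worth checking against the posted output: 0.0.0.0/0 alone does not cover IPv6, so if the carrier gives the phone a v6 address that traffic still bypasses the tunnel (add `::/0` only if the router side is prepared to handle it; the posted interfaces all have `ipv6 '0'`). And on the router, `private_key` is only meaningful in the `config interface 'wg_sfo'` section, not in the `wireguard_wg_sfo` peer section, while the key files listed under `/etc/config/wireguard/wg_sfo` are mode 0644 and should be 0600.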

That's it....
Genius!!

It was blank. I changed it to 0.0.0.0/0 and now the router page appeared!
My ssh also connected.
As did my zbox Linux server (acting as NAS).

Does this mean all my browsing will now appear to go over the AT&T DSL and not my Google FI phone?

Amazing rockstar you are!!

Anil

1 Like

Peter, Mike, lleachii, egc112.. The whole community owes you a lot.
Thanks.

1 Like

That's why I asked for the phone's wg config... I figured there was likely an issue like that.

Yes.

You're welcome.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!

2 Likes

There were many suggestions but I can only mark one as the solution. I will do a write-up and post my experience, with a date to indicate how current it is.

Thanks again.
Anil

1 Like
