First-time user of OpenWrt here: I just got myself a Linksys E8450 WiFi 6 router and I am loving OpenWrt.
Thank you for creating this, I will never go back to using a regular router again!
I am trying to set up a WireGuard server on my OpenWrt router and connect my mobile devices to it when away from home. My head is spinning trying to get this working.
My configs so far on OpenWrt (server) and iPhone (client):
OpenWrt interface:
It is best if you post your config files (directions below), but I'll try to address a few of the issues I can see right away:
OpenWrt > WireGuard interface definition: you should specify the listen port (51820 is the default).
OpenWrt > WireGuard > Peer config: your allowed IPs should be 10.16.8.2/32 and the endpoint port should be left blank.
iPhone > WireGuard > Interface port should be blank.
iPhone > WireGuard > Interface addresses should be 10.16.8.2/32.
iPhone > WireGuard > Peer allowed IPs should be 0.0.0.0/0 (if you want to send all traffic from your phone through your tunnel).
iPhone > WireGuard > Interface > DNS servers should be set to your router's primary address or a public DNS such as 8.8.8.8 or another service of your preference.
After making the changes, restart your router and then try again. If it doesn't fix the problem, please post the following files:
Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
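The checklist above, written out as an added example (this is not code from the thread or from OpenWrt itself): a POSIX sh script that prints the server side as a `uci batch` script and the matching phone-side WireGuard .conf. It goes beyond the post by also creating the firewall zone, forwardings and inbound UDP rule that a WireGuard server on OpenWrt needs, since without the inbound rule no handshake arrives. The tunnel subnet 10.16.8.0/24, router tunnel address 10.16.8.1, zone name "wg", DDNS name home.example and the placeholder key strings are all assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the poster's or OpenWrt's own code.
# Assumptions: tunnel 10.16.8.0/24, router 10.16.8.1 on wg0, phone 10.16.8.2,
# firewall zone "wg", DDNS name home.example. Key strings are placeholders;
# real ones come from: wg genkey | tee server.key | wg pubkey > server.pub

# wg_server_uci_batch SERVER_PRIVKEY LISTEN_PORT TUNNEL_CIDR PEER_PUBKEY PEER_IP
# Prints a script for `uci batch`. Deliberately absent on the server's peer
# entry: endpoint_host/endpoint_port (the phone's address changes), and the
# peer's allowed_ips is that one /32, never 0.0.0.0/0.
wg_server_uci_batch() {
    privkey=$1; port=$2; tunnel=$3; peer_pub=$4; peer_ip=$5
    cat <<EOF
set network.wg0=interface
set network.wg0.proto='wireguard'
set network.wg0.private_key='$privkey'
set network.wg0.listen_port='$port'
add_list network.wg0.addresses='$tunnel'
add network wireguard_wg0
set network.@wireguard_wg0[-1].description='phone'
set network.@wireguard_wg0[-1].public_key='$peer_pub'
set network.@wireguard_wg0[-1].route_allowed_ips='1'
set network.@wireguard_wg0[-1].persistent_keepalive='25'
add_list network.@wireguard_wg0[-1].allowed_ips='$peer_ip/32'
add firewall zone
set firewall.@zone[-1].name='wg'
set firewall.@zone[-1].input='ACCEPT'
set firewall.@zone[-1].output='ACCEPT'
set firewall.@zone[-1].forward='ACCEPT'
set firewall.@zone[-1].masq='1'
add_list firewall.@zone[-1].network='wg0'
add firewall forwarding
set firewall.@forwarding[-1].src='wg'
set firewall.@forwarding[-1].dest='lan'
add firewall forwarding
set firewall.@forwarding[-1].src='lan'
set firewall.@forwarding[-1].dest='wg'
add firewall forwarding
set firewall.@forwarding[-1].src='wg'
set firewall.@forwarding[-1].dest='wan'
add firewall rule
set firewall.@rule[-1].name='Allow-WireGuard-Inbound'
set firewall.@rule[-1].src='wan'
set firewall.@rule[-1].proto='udp'
set firewall.@rule[-1].dest_port='$port'
set firewall.@rule[-1].target='ACCEPT'
commit network
commit firewall
EOF
}

# wg_client_conf CLIENT_PRIVKEY CLIENT_IP DNS SERVER_PUBKEY ENDPOINT_HOST:PORT
# The phone side: no ListenPort, its own /32 as Address, AllowedIPs 0.0.0.0/0
# so everything goes through the tunnel, DNS pointed at the router's tunnel IP.
wg_client_conf() {
    client_priv=$1; client_ip=$2; dns=$3; server_pub=$4; endpoint=$5
    cat <<EOF
[Interface]
PrivateKey = $client_priv
Address = $client_ip/32
DNS = $dns

[Peer]
PublicKey = $server_pub
AllowedIPs = 0.0.0.0/0
Endpoint = $endpoint
PersistentKeepalive = 25
EOF
}

# On the router: wg_server_uci_batch ... | uci batch && /etc/init.d/network restart && /etc/init.d/firewall restart
# Here we only print both sides with placeholder keys.
wg_server_uci_batch 'SERVER_PRIVATE_KEY' 51820 10.16.8.1/24 'PHONE_PUBLIC_KEY' 10.16.8.2
wg_client_conf 'PHONE_PRIVATE_KEY' 10.16.8.2 10.16.8.1 'SERVER_PUBLIC_KEY' home.example:51820
```

Review the printed batch before piping it into `uci batch`; the peer's public key goes on the server and the server's public key goes in the phone config, and neither private key should ever leave the device it was generated on.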
It doesn't look like you implemented any of my recommended changes.
In addition to those changes, you have a 'client' VPN configuration... this will likely prevent your 'server' from working. Disable the windscribe_VPN interface in order to test if this is working. If you plan to use both VPNs simultaneously, you will need to use Policy Based Routing to accommodate.
Also, you have apparently not redacted your keys for your wg0 interface and even the iPhone peer. Therefore, you should delete those keys and create fresh key pairs so that you can remain secure.
I don't see any questions... just the configs (thank you for posting, that makes it much easier to see than screen grabs).
Thank you for your quick response. I just applied the changes you suggested and it seems to still fail.
I will test out disabling the VPN to see if your suggestions fixed it.
However, I do want to have the client VPN enabled. Can you give me any pointers/reference materials on how I can have both running at the same time (i.e. send all wg0 and LAN traffic through my windscribe_vpn interface)? Would Policy Based Routing be used to treat wg0 traffic differently?
Also noted on the keys, I will be refreshing those.
So I was able to get the handshake to work (disabled the other Windscribe interface), however I cannot access the internet or other LAN devices. I know that DNS is sending the requests to my AdGuard (as I see the queries show up on there). I added the wg0 interface to the LAN firewall zone.
Put the WireGuard network into its own firewall zone (edit: don't forget to remove it from the lan zone). It can be accept for all (input, output, forward). Turn on masquerading. Enable forwarding from the lan zone to the wg zone and from the wg zone to the lan zone.
See the firewall below. I set up a "wg0_fw" zone and did accept for all (in, out and forward), FROM source is LAN and TO source is WAN and LAN (I tried it with just LAN and it didn't work either).
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option flow_offloading '1'
option flow_offloading_hw '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wg0_fw'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'wg0'
option masq '1'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'https'
list proto 'tcp'
option src 'wan'
option src_dport '443'
option dest_ip '192.168.1.4'
option dest_port '443'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'http'
list proto 'tcp'
option src 'wan'
option src_dport '80'
option dest_ip '192.168.1.4'
option dest_port '80'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'sftp'
option src 'wan'
option src_dport '222'
option dest_ip '192.168.1.4'
option dest_port '222'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'postgres'
option src 'wan'
option src_dport '5432'
option dest_ip '192.168.1.4'
option dest_port '5432'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'Plex'
option src 'wan'
option src_dport '32400'
option dest_ip '192.168.1.4'
option dest_port '32400'
config rule
option name 'Allow-Wireguard-Inbound'
list proto 'udp'
option target 'ACCEPT'
option src 'wan'
option dest_port '53510'
config redirect
option dest 'lan'
option target 'DNAT'
option src 'wan'
option name 'wireguard'
option dest_ip '192.168.1.1'
option src_dport '53510'
option dest_port '53510'
config forwarding
option src 'lan'
option dest 'wan'
config forwarding
option src 'wg0_fw'
option dest 'lan'
config forwarding
option src 'lan'
option dest 'wg0_fw'
config forwarding
option src 'wg0_fw'
option dest 'wan'
Remove this... it's not necessary since you have the Allow-Wireguard-Inbound rule.
Meanwhile, I apologize, I may have had my wires crossed... please confirm if this is the 'server' side or the 'client' peer side... that may be clear if you can share the complete network file as it stands now.
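To make the two firewall points in this thread mechanically checkable (the zone advice above, and the redundant redirect just called out), here is an added example, not code from either poster: a POSIX sh function using awk that reads an OpenWrt /etc/config/firewall and warns when a network is listed in more than one zone, when the WireGuard zone has masquerading off, when any of the wg->lan, lan->wg, wg->wan forwardings is missing, and when a DNAT redirect on wan uses a port that an ACCEPT rule already opens on the router. The sample file it checks is constructed for this example: it is modelled on the posted config but trimmed to the options the checker reads, with wg0 deliberately left in the lan zone and the wg0_fw->wan forwarding deliberately omitted so that the warnings show. The zone name wg0_fw is taken from the posted config.

```shell
#!/bin/sh
# Added example, not the poster's or OpenWrt's own code. Runs with BusyBox
# awk/sh on the router or any POSIX system.

# check_wg_firewall FILE WG_ZONE_NAME  -> prints WARN/OK lines
check_wg_firewall() {
    awk -v q="'" -v wg="$2" '
    /^config[ \t]/ { i++; T[i] = $2 }
    /^[ \t]*(option|list)[ \t]/ {
        k = $2; v = $0
        sub(/^[ \t]*(option|list)[ \t]+[^ \t]+[ \t]+/, "", v); gsub(q, "", v)
        if (T[i] == "zone") {
            if (k == "name")    ZNAME[i] = v
            if (k == "network") ZNET[i] = ZNET[i] " " v
            if (k == "masq")    ZMASQ[i] = v
        } else if (T[i] == "forwarding") {
            if (k == "src")  FSRC[i] = v
            if (k == "dest") FDST[i] = v
        } else if (T[i] == "rule") {
            if (k == "name")      RNAME[i] = v
            if (k == "src")       RSRC[i] = v
            if (k == "dest_port") RPORT[i] = v
            if (k == "target")    RTGT[i] = v
        } else if (T[i] == "redirect") {
            if (k == "name")      XNAME[i] = v
            if (k == "src")       XSRC[i] = v
            if (k == "src_dport") XPORT[i] = v
        }
    }
    END {
        # 1. which zones claim each network (a network must be in exactly one)
        for (j = 1; j <= i; j++) if (T[j] == "zone") {
            n = split(ZNET[j], nets, " ")
            for (m = 1; m <= n; m++) { INZONE[nets[m]] = INZONE[nets[m]] " " ZNAME[j]; CNT[nets[m]]++ }
            if (ZNAME[j] == wg) { wgfound = 1; wgmasq = ZMASQ[j] }
        }
        for (net in CNT) if (CNT[net] > 1) print "WARN network " net " is in more than one zone:" INZONE[net]
        if (!wgfound) { print "WARN zone " wg " is not defined"; exit }
        # 2. masquerading on the WireGuard zone
        if (wgmasq != "1") print "WARN zone " wg " has masq off"
        # 3. the three forwardings a road-warrior setup needs
        for (j = 1; j <= i; j++) if (T[j] == "forwarding") HAVE[FSRC[j] "->" FDST[j]] = 1
        split(wg "->lan lan->" wg " " wg "->wan", need, " ")
        for (m = 1; m <= 3; m++) if (!(need[m] in HAVE)) print "WARN missing forwarding " need[m]
        # 4. redirects that duplicate an ACCEPT rule on the same wan port
        for (j = 1; j <= i; j++) if (T[j] == "redirect" && XSRC[j] == "wan")
            for (r = 1; r <= i; r++)
                if (T[r] == "rule" && RSRC[r] == "wan" && RTGT[r] == "ACCEPT" && RPORT[r] == XPORT[j])
                    print "WARN redirect " XNAME[j] " DNATs port " XPORT[j] " which rule " RNAME[r] " already accepts; remove the redirect"
        print "OK checked " i " sections"
    }' "$1"
}

# write_sample_firewall PATH -- constructed sample, trimmed to what the checker reads
write_sample_firewall() {
    cat > "$1" <<'EOF'
config zone
	option name 'lan'
	list network 'lan'
	list network 'wg0'

config zone
	option name 'wg0_fw'
	option masq '1'
	list network 'wg0'

config zone
	option name 'wan'
	option masq '1'
	list network 'wan'

config rule
	option name 'Allow-Wireguard-Inbound'
	option src 'wan'
	list proto 'udp'
	option dest_port '53510'
	option target 'ACCEPT'

config redirect
	option name 'wireguard'
	option src 'wan'
	option src_dport '53510'
	option dest 'lan'
	option target 'DNAT'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'wg0_fw'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'wg0_fw'
EOF
}

# On the router: check_wg_firewall /etc/config/firewall wg0_fw
sample="${TMPDIR:-/tmp}/wg_fw_sample.$$"
write_sample_firewall "$sample"
check_wg_firewall "$sample" wg0_fw
rm -f "$sample"
```

The redirect warning is the reason the "wireguard" DNAT is unnecessary: WireGuard terminates on the router itself, so an input ACCEPT rule on the UDP port is all that is needed, and a DNAT to the router's own LAN address only adds a second path for the same packets.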
The first thing to consider for this project is whether you have a true public IP address on wan or if the ISP is using carrier grade NAT. Incoming connections are not possible with CGNAT.
The test is to run a whatsmyip check and see if the result is the same as the address shown for your WAN interface on the main status page or in ip addr show.
Yes, it is the same, and I have duckdns set up as my endpoint to be able to connect. With the help of @psherman I was able to get the client to connect and even send my DNS queries to my AdGuard; however, I am unable to open any website or access other devices on my LAN.