WireGuard help needed

My setup: phone on 4G > DDNS > ISP modem > DMZ > OpenWRT with WireGuard server

My phone keeps waiting at "Sending Handshake Initiation" and then reports "Handshake did not complete".

I ran the "do this" diagnostic commands:

uci export network; uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> iptables-save -c; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; wg


package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'tralalalalala::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '10.0.0.135'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 0t'

config interface 'wg_lan'
	option proto 'wireguard'
	option private_key 'tralalalalalatralalalalalatralalalalalatralalalalalatralalalalala'
	option listen_port '51820'
	list addresses '10.0.5.1/24'
	option mtu '1420'

config wireguard_wg_lan
	option public_key 'tralalalalalatralalalalalatralalalalalatralalalalalatralalalalala'
	option preshared_key 'tralalalalalatralalalalalatralalalalalatralalalalalatralalalalala'
	option description '1_lan_Alpha'
	list allowed_ips '10.0.5.2/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'


package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	list server '10.0.0.135#5553'

config dhcp 'lan'
	option interface 'lan'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	option leasetime '12h'
	option start '180'
	option limit '50'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'


package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan wg_lan'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule 'wg'
	option name 'Allow-WireGuard-lan'
	option src 'wan'
	option proto 'udp'
	option target 'ACCEPT'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

iptables -t nat -A PREROUTING -i br-lan -p udp --dport 53 -j DNAT --to 10.0.0.135:5553
iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 53 -j DNAT --to 10.0.0.135:5553
# Generated by iptables-save v1.8.3 on Fri Jun 11 15:47:32 2021
*nat
:PREROUTING ACCEPT [2447:833953]
:INPUT ACCEPT [270:23075]
:OUTPUT ACCEPT [1413:105737]
:POSTROUTING ACCEPT [425:31489]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[219:16476] -A PREROUTING -i br-lan -p udp -m udp --dport 53 -j DNAT --to-destination 10.0.0.135:5553
[0:0] -A PREROUTING -i br-lan -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.0.0.135:5553
[2447:833953] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[2214:785535] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i wg_lan -m comment --comment "!fw3" -j zone_lan_prerouting
[233:48418] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[2083:330094] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[13:1700] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o wg_lan -m comment --comment "!fw3" -j zone_lan_postrouting
[1658:298605] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[13:1700] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[2214:785535] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[1658:298605] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[1658:298605] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[233:48418] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Fri Jun 11 15:47:32 2021
# Generated by iptables-save v1.8.3 on Fri Jun 11 15:47:32 2021
*raw
:PREROUTING ACCEPT [72995:54558697]
:OUTPUT ACCEPT [5219:1346264]
:zone_lan_helper - [0:0]
[23617:4719267] -A PREROUTING -i br-lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
[0:0] -A PREROUTING -i wg_lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
COMMIT
# Completed on Fri Jun 11 15:47:32 2021
# Generated by iptables-save v1.8.3 on Fri Jun 11 15:47:32 2021
*mangle
:PREROUTING ACCEPT [72995:54558697]
:INPUT ACCEPT [5459:819904]
:FORWARD ACCEPT [65810:53137099]
:OUTPUT ACCEPT [5220:1347484]
:POSTROUTING ACCEPT [70958:54482659]
[350:21000] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[355:20788] -A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Fri Jun 11 15:47:32 2021
# Generated by iptables-save v1.8.3 on Fri Jun 11 15:47:32 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[1531:157240] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[3931:662884] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[3192:560732] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[100:4540] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[529:89873] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i wg_lan -m comment --comment "!fw3" -j zone_lan_input
[210:12279] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[65810:53137099] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[65039:52850404] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[771:286695] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i wg_lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[1531:157240] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[3691:1191324] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[2627:1112856] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[13:1700] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o wg_lan -m comment --comment "!fw3" -j zone_lan_output
[1051:76768] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[176:9063] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[100:4540] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[13:1700] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_ACCEPT -o wg_lan -m comment --comment "!fw3" -j ACCEPT
[771:286695] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[771:286695] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[529:89873] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[238:17697] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[291:72176] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[13:1700] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[13:1700] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[291:72176] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_src_ACCEPT -i wg_lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[84:3492] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[1738:359971] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[210:12279] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[18:576] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[16:2640] -A zone_wan_input -p udp -m comment --comment "!fw3: Allow-WireGuard-lan" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[176:9063] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[1051:76768] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[1051:76768] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[176:9063] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Fri Jun 11 15:47:32 2021
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
9: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.0.0.135/24 brd 10.0.0.255 scope global br-lan
       valid_lft forever preferred_lft forever
11: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc cake state UP group default qlen 1000
    inet 10.0.100.10/24 brd 10.0.100.255 scope global eth0.2
       valid_lft forever preferred_lft forever
23: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    inet 10.0.200.1/24 brd 10.0.200.255 scope global tun0
       valid_lft forever preferred_lft forever
32: wg_lan: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.0.5.1/24 brd 10.0.5.255 scope global wg_lan
       valid_lft forever preferred_lft forever
default via 10.0.100.1 dev eth0.2 proto static src 10.0.100.10 
10.0.0.0/24 dev br-lan proto kernel scope link src 10.0.0.135 
10.0.5.0/24 dev wg_lan proto kernel scope link src 10.0.5.1 
10.0.5.2 dev wg_lan proto static scope link 
10.0.5.3 dev wg_lan proto static scope link 
10.0.5.4 dev wg_lan proto static scope link 
10.0.5.5 dev wg_lan proto static scope link 
10.0.100.0/24 dev eth0.2 proto kernel scope link src 10.0.100.10 
10.0.200.0/24 dev tun0 proto kernel scope link src 10.0.200.1 
broadcast 10.0.0.0 dev br-lan table local proto kernel scope link src 10.0.0.135 
local 10.0.0.135 dev br-lan table local proto kernel scope host src 10.0.0.135 
broadcast 10.0.0.255 dev br-lan table local proto kernel scope link src 10.0.0.135 
broadcast 10.0.5.0 dev wg_lan table local proto kernel scope link src 10.0.5.1 
local 10.0.5.1 dev wg_lan table local proto kernel scope host src 10.0.5.1 
broadcast 10.0.5.255 dev wg_lan table local proto kernel scope link src 10.0.5.1 
broadcast 10.0.100.0 dev eth0.2 table local proto kernel scope link src 10.0.100.10 
local 10.0.100.10 dev eth0.2 table local proto kernel scope host src 10.0.100.10 
broadcast 10.0.100.255 dev eth0.2 table local proto kernel scope link src 10.0.100.10 
broadcast 10.0.200.0 dev tun0 table local proto kernel scope link src 10.0.200.1 
local 10.0.200.1 dev tun0 table local proto kernel scope host src 10.0.200.1 
broadcast 10.0.200.255 dev tun0 table local proto kernel scope link src 10.0.200.1 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
interface: wg_lan
  public key: tralalalalalatralalalalalatralalalalalatralalalalalatralalalalala
  private key: (hidden)
  listening port: 51820

peer: tralalalalalatralalalalalatralalalalalatralalalalalatralalalalala
  preshared key: (hidden)
  allowed ips: 10.0.5.2/32
  persistent keepalive: every 25 seconds

Hi, my /etc/config/network (viewed with nano)

shows a difference, and mine works perfectly, both inside my LAN and when I dial in from outside:

config interface 'WGLAN'
option proto 'wireguard'
option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxx='
option mtu '1420'
option fwmark '0xCA58'
option delegate '0'
option listen_port '51800'
list addresses '10.0.0.1/24

Check each line; I think you should change `list addresses` from /32 to /24.

Note that I use port 51800, so my fwmark is
option fwmark '0xCA58'

Since you use port 51820, your fwmark should be 0xCA6C.

Also, I have a port forward to the WGLAN interface on port 51800, so that WireGuard traffic can come in and reach the interface where your WG server sits (the endpoint).

Good Luck!

Did you forward port 51820 from the DMZ to the OpenWRT router?


Also, you may want to narrow down the open ports from WAN to just 51820: the "Allow-WireGuard-lan" rule has no dest_port, so it currently accepts any UDP from the WAN. There are 16 hits on that rule, but we can't tell where they were heading.


My description was perhaps unclear. My ISP modem has a DMZ setting, which I turned on, and I set the OpenWRT router (by its MAC address) as the target. You can only enter one.

Isn't that how a "poor man's bridge" works? The modem becomes transparent and all traffic reaches the router behind it.

Do I still need to forward that port?

So I forwarded port 51820 on the modem to the router. I also changed the firewall rule to accept only that port instead of all UDP from the WAN; note that the new rule sets both src_port and dest_port to 51820, so it only matches packets whose source port is also 51820.

It made a difference in the line below (its counter is still [0:0]), but I still can't connect.

[0:0] -A zone_wan_input -p udp -m udp --sport 51820 --dport 51820 -m comment --comment "!fw3: Allow-WireGuard-lan" -j ACCEPT

All my settings:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'tralalalalala/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '10.0.0.135'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 0t'

config interface 'wg_lan'
	option proto 'wireguard'
	option private_key 'tralalalalalatralalalalalatralalalalalatralalalalalatralalalalala'
	option listen_port '51820'
	list addresses '10.0.5.1/24'
	option mtu '1420'

config wireguard_wg_lan
	option public_key 'tralalalalalatralalalalalatralalalalalatralalalalalatralalalalala'
	option preshared_key 'tralalalalalatralalalalalatralalalalalatralalalalalatralalalalala'
	option description '1_lan_Alpha'
	list allowed_ips '10.0.5.2/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'


package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	list server '10.0.0.135#5553'

config dhcp 'lan'
	option interface 'lan'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	option leasetime '12h'
	option start '180'
	option limit '50'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'



package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan wg_lan'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule 'wg'
	option name 'Allow-WireGuard-lan'
	option src 'wan'
	option proto 'udp'
	option target 'ACCEPT'
	option src_port '51820'
	option dest_port '51820'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

iptables -t nat -A PREROUTING -i br-lan -p udp --dport 53 -j DNAT --to 10.0.0.135:5553
iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 53 -j DNAT --to 10.0.0.135:5553
# Generated by iptables-save v1.8.3 on Fri Jun 11 19:40:03 2021
*nat
:PREROUTING ACCEPT [650:140998]
:INPUT ACCEPT [56:4723]
:OUTPUT ACCEPT [190:14306]
:POSTROUTING ACCEPT [53:3905]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[1001:81343] -A PREROUTING -i br-lan -p udp -m udp --dport 53 -j DNAT --to-destination 10.0.0.135:5553
[1:40] -A PREROUTING -i br-lan -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.0.0.135:5553
[650:140998] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[579:125799] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i wg_lan -m comment --comment "!fw3" -j zone_lan_prerouting
[71:15199] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[479:46834] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[2:156] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o wg_lan -m comment --comment "!fw3" -j zone_lan_postrouting
[426:42929] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[2:156] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[579:125799] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[426:42929] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[426:42929] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[71:15199] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Fri Jun 11 19:40:03 2021
# Generated by iptables-save v1.8.3 on Fri Jun 11 19:40:03 2021
*raw
:PREROUTING ACCEPT [12441:5296549]
:OUTPUT ACCEPT [1548:258586]
:zone_lan_helper - [0:0]
[5801:1963360] -A PREROUTING -i br-lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
[0:0] -A PREROUTING -i wg_lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
COMMIT
# Completed on Fri Jun 11 19:40:03 2021
# Generated by iptables-save v1.8.3 on Fri Jun 11 19:40:03 2021
*mangle
:PREROUTING ACCEPT [12443:5296653]
:INPUT ACCEPT [1246:150591]
:FORWARD ACCEPT [10849:5039220]
:OUTPUT ACCEPT [1551:259590]
:POSTROUTING ACCEPT [12401:5298914]
[242:14520] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[242:14520] -A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Fri Jun 11 19:40:03 2021
# Generated by iptables-save v1.8.3 on Fri Jun 11 19:40:03 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[154:19068] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[1094:131627] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[926:105843] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[36:1640] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[128:23881] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i wg_lan -m comment --comment "!fw3" -j zone_lan_input
[40:1903] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[10849:5039220] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[10577:4998541] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[272:40679] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i wg_lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[154:19068] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[1401:241946] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[1262:231389] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[2:156] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o wg_lan -m comment --comment "!fw3" -j zone_lan_output
[137:10401] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[33:1460] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[2:283] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[36:1640] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[2:156] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_ACCEPT -o wg_lan -m comment --comment "!fw3" -j ACCEPT
[272:40679] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[272:40679] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[128:23881] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[49:3772] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[79:20109] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[2:156] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[2:156] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[79:20109] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_src_ACCEPT -i wg_lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[1:52] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[408:51028] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[40:1903] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[5:160] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --sport 51820 --dport 51820 -m comment --comment "!fw3: Allow-WireGuard-lan" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[35:1743] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[137:10401] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[137:10401] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[35:1743] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Fri Jun 11 19:40:03 2021
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
9: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.0.0.135/24 brd 10.0.0.255 scope global br-lan
       valid_lft forever preferred_lft forever
11: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc cake state UP group default qlen 1000
    inet 10.0.100.10/24 brd 10.0.100.255 scope global eth0.2
       valid_lft forever preferred_lft forever
23: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    inet 10.0.200.1/24 brd 10.0.200.255 scope global tun0
       valid_lft forever preferred_lft forever
32: wg_lan: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.0.5.1/24 brd 10.0.5.255 scope global wg_lan
       valid_lft forever preferred_lft forever
default via 10.0.100.1 dev eth0.2 proto static src 10.0.100.10 
10.0.0.0/24 dev br-lan proto kernel scope link src 10.0.0.135 
10.0.5.0/24 dev wg_lan proto kernel scope link src 10.0.5.1 
10.0.5.2 dev wg_lan proto static scope link 
10.0.5.3 dev wg_lan proto static scope link 
10.0.5.4 dev wg_lan proto static scope link 
10.0.5.5 dev wg_lan proto static scope link 
10.0.100.0/24 dev eth0.2 proto kernel scope link src 10.0.100.10 
10.0.200.0/24 dev tun0 proto kernel scope link src 10.0.200.1 
broadcast 10.0.0.0 dev br-lan table local proto kernel scope link src 10.0.0.135 
local 10.0.0.135 dev br-lan table local proto kernel scope host src 10.0.0.135 
broadcast 10.0.0.255 dev br-lan table local proto kernel scope link src 10.0.0.135 
broadcast 10.0.5.0 dev wg_lan table local proto kernel scope link src 10.0.5.1 
local 10.0.5.1 dev wg_lan table local proto kernel scope host src 10.0.5.1 
broadcast 10.0.5.255 dev wg_lan table local proto kernel scope link src 10.0.5.1 
broadcast 10.0.100.0 dev eth0.2 table local proto kernel scope link src 10.0.100.10 
local 10.0.100.10 dev eth0.2 table local proto kernel scope host src 10.0.100.10 
broadcast 10.0.100.255 dev eth0.2 table local proto kernel scope link src 10.0.100.10 
broadcast 10.0.200.0 dev tun0 table local proto kernel scope link src 10.0.200.1 
local 10.0.200.1 dev tun0 table local proto kernel scope host src 10.0.200.1 
broadcast 10.0.200.255 dev tun0 table local proto kernel scope link src 10.0.200.1 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
interface: wg_lan
  public key: tralalalalalatralalalalalatralalalalalatralalalalalatralalalalala
  private key: (hidden)
  listening port: 51820

peer: tralalalalalatralalalalalatralalalalalatralalalalalatralalalalala
  preshared key: (hidden)
  allowed ips: 10.0.5.2/32
  persistent keepalive: every 25 seconds

This is from my /etc/config/network

config interface 'wg_lan'
        option proto 'wireguard'
        option private_key 'llklksjflkjflajflksajflkjsalkfj'
        option listen_port '51820'
        list addresses '10.0.5.1/24'
        option mtu '1420'

Here the mask is /24 for the interface of the endpoint. But below that

config wireguard_wg_lan
        option public_key 'llklksjflkjflajflksajflkjsalkfj'
        option preshared_key 'llklksjflkjflajflksajflkjsalkfj'
        option description '1_lan_Alpha'
        list allowed_ips '10.0.5.2/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

the mask is /32, which I guess is correct because these are named peers that can only get that one address.

And I don't have that option fwmark. Is it needed ?

Don't match on the source port, only on the destination port. The client's source port is ephemeral, so a rule that also requires `--sport 51820` will not match its handshake packets.


Not sure what role the MAC address plays in that setting.
Is your ISP-modem just a Modem or a router? Means do you have a public IP on your OpenWRT or only on your "ISP-Modem"?

It's an ISP modem with connections for TV and two LAN ports. You can do port forwarding, and then the modem has the public IP. So the DMZ works as you would expect, but it's tied to the MAC address of the router it forwards everything to...

I wanted to say thanks for all the help I got. I got WireGuard working.

First I got rid of my modem as a man in the middle by using OpenWRT to log in via PPPoE with my ISP.

I used a script from OneMarcFifty's GitHub, following his video.

Instead of creating the peers on the OpenWRT router, he explains how to use the WireGuard app on your phone to scan the endpoint QR code. Then the public key for the phone gets created in the app, which you enter in the router when you add that peer.

Things were straightforward after that.

Something very stupid that may have interfered with my previous attempts was my DDNS not working. Very stupid, I know #facepalm.

Thanks again.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

For the firewall mark, have a read here -> https://www.linux.org/docs/man8/tc-fw.html

fwmarks are useful if you use QoS. But it's OPTIONAL, not required.

Screenshot shows the INTERFACE of my WGLAN (WireGuard interface, which in my case uses port 51800); it's in the ADVANCED SETTINGS tab.
