Wireguard help

Trying to get remote access to a few servers behind my OpenWrt router. It's the only router on my home network. I was under the impression WireGuard would be the best for this, but I've failed to get it working. The Android client seems to connect, but has no routes to any other devices. Though I fail to think it is actually connecting, because I never see any packets hitting the firewall rule.

`wg show` indicates it's listening on the correct port.

`ifstatus` shows the port up.

I assume these would be the applicable `uci show` lines:

firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan wg0'

firewall.@rule[9]=rule
firewall.@rule[9].dest_port='51820'
firewall.@rule[9].name='allow wireguard'
firewall.@rule[9].target='ACCEPT'
firewall.@rule[9].proto='udp'
firewall.@rule[9].family='ipv4'
firewall.@rule[9].dest='*'
firewall.@rule[9].src='*'

network.wg0=interface
network.wg0.proto='wireguard'
network.wg0.private_key='<REDACTED>'
network.wg0.listen_port='51820'
network.wg0.addresses='10.14.0.1/16'
network.@wireguard_wg0[0]=wireguard_wg0
network.@wireguard_wg0[0].public_key='<REDACTED>'
network.@wireguard_wg0[0].route_allowed_ips='1'
network.@wireguard_wg0[0].persistent_keepalive='25'
network.@wireguard_wg0[0].allowed_ips='10.14.0.3/32'

Here I assume I should see packets hitting the firewall.

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
     pkts bytes target           prot opt in     out     source               destination
     5061  704K forwarding_rule  all  --  any    any     anywhere             anywhere             /* !fw3: Custom forwarding rule chain */
     4133  614K ACCEPT           all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED /* !fw3 */
        0     0 ACCEPT           udp  --  any    any     anywhere             anywhere             udp dpt:51820 /* !fw3: allow wireguard */

Route table has both the /24 and /32 entries.

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.14.0.0       *               255.255.0.0     U     0      0        0 wg0
10.14.0.3       *               255.255.255.255 UH    0      0        0 wg0
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan

Remove this.

Thank you, indeed that made the firewall show packets.

       78 13728 ACCEPT           udp  --  any    any     anywhere             anywhere             udp dpt:51820 /* !fw3: allow wireguard */

However, the Android device still can't ping anything on the network. And LuCI for wg0 shows no packets.

**Protocol:**  WireGuard VPN
**Uptime:**  1d 7h 47m 51s
**MAC:**  00:00:00:00:00:00
**RX:**  0 B (0 Pkts.)
**TX:**  0 B (0 Pkts.)
**IPv4:**  10.14.0.1/16

Make sure the client configuration specifies:

AllowedIPs = 10.14.0.1/32, 192.168.1.0/24

And the destination host firewall should allow incoming traffic from outside the local subnet.

Attached was the old client config.

So I guess it has to be more specific. After changing to the above you suggested, while WireGuard is active, I can get to the internet. But I can't ping any LAN devices, including the 192.168.1.1 LAN IP of the OpenWrt router. I have a feeling traffic isn't flowing through the VPN, because a quick traceroute from the phone shows my next hop as one from my cellular carrier, nothing to do with my home internet provider.

I am not aware of anything blocking ICMP/ping on the OpenWrt.

wg0 RX and TX still show 0 packets.

Not really.

AllowedIPs is fine, but Addresses is incorrect.
Change the server address to 10.14.0.1/24 and the client to 10.14.0.3/24.


You mean in OpenWrt? So:

    uci del network.wg0.addresses
    uci add_list network.wg0.addresses='10.14.0.1/24'
    uci del network.cfg0a96fc.allowed_ips
    uci add_list network.cfg0a96fc.allowed_ips='10.14.0.3/24'

And the client with the previous changes looks like this:

Shouldn't all the 10.14.X.X addresses be /24 on the Android client as well?

With the above changes, ping still fails to hit any 192. or 10. address.

  • Use /32 in the allowed IPs section for the peer on OpenWrt
  • Use /24 on the mobile device. (as @vgaetera noted above)

Reason: you incorrectly configured the router to find the /24 on both itself and its peer.

See:


BTW, thank you to those looking at this, even if we haven't solved it yet.

Updated OpenWrt config

network.wg0=interface
network.wg0.proto='wireguard'
network.wg0.private_key='<REDACTED>'
network.wg0.listen_port='51820'
network.wg0.addresses='10.14.0.1/24'
network.@wireguard_wg0[0]=wireguard_wg0
network.@wireguard_wg0[0].public_key='<REDACTED>'
network.@wireguard_wg0[0].route_allowed_ips='1'
network.@wireguard_wg0[0].persistent_keepalive='25'
network.@wireguard_wg0[0].allowed_ips='10.14.0.3/24'

Latest Android WireGuard client

I assume I missed something from the advice.

Testing `iptables -L -v | grep wg`

    5   880 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:51820 /* !fw3: allow wg wireguard */
    0     0 zone_lan_input  all  --  wg0    any     anywhere             anywhere             /* !fw3 */
    0     0 zone_lan_forward  all  --  wg0    any     anywhere             anywhere             /* !fw3 */
    0     0 zone_lan_output  all  --  any    wg0     anywhere             anywhere             /* !fw3 */
    0     0 ACCEPT     all  --  any    wg0     anywhere             anywhere             /* !fw3 */
    0     0 ACCEPT     all  --  wg0    any     anywhere             anywhere             ctstate NEW,UNTRACKED /* !fw3 */

  • You still haven't changed the client to /24.
  • Change allowed_ips='10.14.0.3/32'

This (which was unsuccessful)?

:man_facepalming:

Why did you edit the Allowed IPs on the Android?

To save on confusion, I'll give you the full config instead.

On OpenWrt:

    config interface 'wg0'
            option proto 'wireguard'
            option private_key '<REDACTED>'
            option listen_port '51820'
            list addresses '10.14.0.1/24'

    config wireguard_wg0
            option public_key '<REDACTED>'
            list allowed_ips '10.14.0.3/32'

On Android:

    [Interface]
    Address = 10.14.0.3/24
    DNS = 8.8.8.8
    PrivateKey = <REDACTED>

    [Peer]
    # use 0.0.0.0/0 for testing
    AllowedIPs = 0.0.0.0/0
    Endpoint = xxxxx.xxxxx.org:51820
    PublicKey = <REDACTED>

This is based on my working config, hope this helps.

Note: to use the DNS server 8.8.8.8, you have to allow that IP on the Android, hence, I used 0.0.0.0/0 for this config.


I swear I am trying to follow instructions. :frowning: But still no go.

`uci show | grep wg`

firewall.@zone[0].network='lan wg0'
firewall.@rule[9].name='allow wg wireguard'
network.wg0=interface
network.wg0.proto='wireguard'
network.wg0.private_key='<REDACTED>'
network.wg0.listen_port='51820'
network.wg0.addresses='10.14.0.1/24'
network.@wireguard_wg0[0]=wireguard_wg0
network.@wireguard_wg0[0].public_key='<REDACTED>'
network.@wireguard_wg0[0].route_allowed_ips='1'
network.@wireguard_wg0[0].persistent_keepalive='25'
network.@wireguard_wg0[0].allowed_ips='10.14.0.3/32'

Android client
`iptables -L -v | grep wg`

    4   704 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:51820 /* !fw3: allow wg wireguard */
    0     0 zone_lan_input  all  --  wg0    any     anywhere             anywhere             /* !fw3 */
    0     0 zone_lan_forward  all  --  wg0    any     anywhere             anywhere             /* !fw3 */
    0     0 zone_lan_output  all  --  any    wg0     anywhere             anywhere             /* !fw3 */
    0     0 ACCEPT     all  --  any    wg0     anywhere             anywhere             /* !fw3 */
    0     0 ACCEPT     all  --  wg0    any     anywhere             anywhere             ctstate NEW,UNTRACKED /* !fw3 */

LuCI /admin/network/network
Protocol: WireGuard VPN
Uptime: 0h 9m 46s
MAC: 00:00:00:00:00:00
RX: 0 B (0 Pkts.)
TX: 0 B (0 Pkts.)
IPv4: 10.14.0.1/24

Are you sure that:

You created 2 Private Keys:

  • for the OpenWrt
  • for the Android

That you placed the Public Keys of:

  • the OpenWrt in the Android's peer section
  • the Android in the OpenWrt peer section

Basically, make sure you're using 2 different private keys for each device.

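Pulling the thread's advice together (per-peer `allowed_ips` as a /32 on OpenWrt, a /24 `Address` on the client, client `AllowedIPs` covering the router's tunnel IP and the LAN, and each side holding the *other* side's public key), here is a small lint script that checks a `uci show` dump against a wg-quick style client config. It is an added example, not code from the thread; the sample inputs are constructed to mirror the first post, with `ROUTER_PUBKEY_PLACEHOLDER=` standing in for the real key, and the same-key check is what would have caught the mistake the thread ended on.

```python
import ipaddress
import re

# Constructed inputs modelled on the thread's first post: the relevant `uci show`
# lines and the Android client config. The key value is a placeholder; what
# matters is that the same string appears in both peer sections.
UCI_SAMPLE = """\
network.wg0.addresses='10.14.0.1/16'
network.@wireguard_wg0[0].public_key='ROUTER_PUBKEY_PLACEHOLDER='
network.@wireguard_wg0[0].allowed_ips='10.14.0.3/32'
"""
ANDROID_SAMPLE = """\
[Interface]
Address = 10.14.0.3/24
[Peer]
PublicKey = ROUTER_PUBKEY_PLACEHOLDER=
AllowedIPs = 10.14.0.1/32, 192.168.1.0/24
"""

def parse_uci(text):
    """uci show output, key='value' per line -> dict."""
    return dict(re.findall(r"^(\S+?)='([^']*)'$", text, re.M))

def parse_wg(text):
    """wg-quick style config, Key = value per line -> dict (section headers ignored)."""
    return {k: v.strip() for k, v in re.findall(r"^(\w+)\s*=\s*(.*)$", text, re.M)}

def lint(uci_text, android_text, lan="192.168.1.0/24"):
    """Return a list of misconfigurations; an empty list means all checks pass."""
    uci, cli = parse_uci(uci_text), parse_wg(android_text)
    errors = []
    srv = ipaddress.ip_interface(uci["network.wg0.addresses"])
    peer = ipaddress.ip_network(uci["network.@wireguard_wg0[0].allowed_ips"], strict=False)
    client = ipaddress.ip_interface(cli["Address"])
    # 1. the per-peer allowed_ips on OpenWrt must be one host inside the tunnel subnet
    if peer.prefixlen != 32 or peer.network_address not in srv.network:
        errors.append("peer allowed_ips must be a /32 inside the tunnel subnet")
    # 2. that host must be the client's Address, and both ends must share one subnet
    if peer.network_address != client.ip or client.network != srv.network:
        errors.append("client Address must match peer allowed_ips and the server subnet")
    # 3. the client must route the router's tunnel IP and the LAN into the tunnel
    allowed = [ipaddress.ip_network(a.strip()) for a in cli["AllowedIPs"].split(",")]
    for want in (ipaddress.ip_network(f"{srv.ip}/32"), ipaddress.ip_network(lan)):
        if not any(want.subnet_of(a) for a in allowed):
            errors.append(f"client AllowedIPs does not cover {want}")
    # 4. identical keys in both peer sections: one side pasted its own public key
    #    where its peer's belongs (the mistake that closed the thread)
    if uci["network.@wireguard_wg0[0].public_key"] == cli["PublicKey"]:
        errors.append("same public key in both peer sections; each needs the other's")
    return errors
```

Run `lint(UCI_SAMPLE, ANDROID_SAMPLE)` to see the subnet and key findings; feed it your own `uci show | grep wg` output and client config to recheck after each change.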

That fixed it!!!!
I had put network.@wireguard_wg0[0].public_key as the routers public key instead of android's public key.

