Wireguard help

I am trying to set up WireGuard on a Linksys EA7500 using this guide or this one. I am not getting any connection or handshake using either Android or iOS as the peer. Is there something missing? Any help is much appreciated.

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'redacted'
        option listen_port '51820'
        list addresses '10.200.200.1/24'

config wireguard_wg0
        option description 'My Peer'
        option public_key 'redacted'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        list allowed_ips '10.200.200.1/32'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan wg0'

config rule
        option src '*'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '51820'
        option name 'Allow-Wireguard-Inbound'

Refer to my settings

/etc/config/network

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'blahblah'
        option listen_port '31194'
        list addresses '10.9.0.1/24'

config wireguard_wg0
        option description 'client1(office)'
        option public_key 'blahblah'
        option endpoint_port '31194'
        option persistent_keepalive '25'
        list allowed_ips '10.9.0.2/32'

config wireguard_wg0
        option description 'client2(mobile)'
        option public_key 'blahblah'
        option endpoint_port '31194'
        list allowed_ips '10.9.0.3/32'

/etc/config/firewall

config zone
        option name 'vpn'
        list network 'tun0'
        list network 'wg0'
        list network 'ipsec0'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'vpn'

config forwarding
        option src 'vpn'
        option dest 'wan'

config forwarding
        option src 'vpn'
        option dest 'lan'

config rule
        option name 'Allow-WireGuard'
        option src 'wan'
        option proto 'udp'
        option dest_port '31194'
        option target 'ACCEPT'

1 Like

Do you have a true public IP address on your WAN? If you're not sure, please post the first two octets of your WAN address (aaa.bbb.ccc.ddd -- just aaa.bbb is enough to know).

Please post your Android side configuration.

And also, verify that you have generated the keys properly.

EDIT:
Just noticed this:

    list allowed_ips '10.200.200.1/32'

This is wrong -- try 10.200.200.2/32

3 Likes
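As an added example that is not part of this thread or of OpenWrt's own tooling: a small Python checker that parses UCI text like the configs posted above and flags the exact mistake found here (a peer's allowed_ips covering the router's own tunnel address), plus overlapping peer allowed_ips, mis-quoted values such as `'blahblah''`, and a listen_port with no matching ACCEPT rule. It handles only the plain `config`/`option`/`list` syntax shown in the posts, and the sample input below is constructed from the original post's configuration.

```python
# Added example (not from the thread or OpenWrt): lint the WireGuard parts of
# /etc/config/network and /etc/config/firewall. Assumes plain UCI syntax only.
import ipaddress
import re

_LINE = re.compile(r"^(config|option|list)\s+(\S+)(?:\s+(.*?))?$")
_QUOTED = re.compile(r"""^(?:'[^']*'|"[^"]*")$""")


def parse_uci(text):
    """Parse UCI text into sections {'type','name','options','lists'}.
    Returns (sections, problems); each value must be exactly one quoted token."""
    sections, problems, cur = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            problems.append(f"line {lineno}: unrecognised line {line!r}")
            continue
        kind, key, val = m.group(1), m.group(2), m.group(3) or ""
        if kind == "config":
            cur = {"type": key, "name": val.strip("'\"") or None, "options": {}, "lists": {}}
            sections.append(cur)
            continue
        if cur is None:
            problems.append(f"line {lineno}: option before any section")
            continue
        if _QUOTED.match(val):
            val = val[1:-1]
        else:  # e.g. 'blahblah'' or ''blahblah" left over from a copy-paste slip
            problems.append(f"line {lineno}: bad quoting in {line!r}")
            val = val.strip("'\"")
        if kind == "option":
            cur["options"][key] = val
        else:
            cur["lists"].setdefault(key, []).append(val)
    return sections, problems


def _accept_rules(firewall, port):
    """Names of 'rule' sections that ACCEPT UDP to `port` on the router itself (no dest zone)."""
    out = []
    for s in firewall:
        o = s["options"]
        if (s["type"] == "rule" and "udp" in o.get("proto", "") and o.get("dest_port") == port
                and o.get("target") == "ACCEPT" and "dest" not in o):
            out.append(o.get("name", "<unnamed rule>"))
    return out


def check_wireguard(network_text, firewall_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    net, findings = parse_uci(network_text)
    fw, fw_problems = parse_uci(firewall_text)
    findings += fw_problems
    for iface in net:
        if iface["type"] != "interface" or iface["options"].get("proto") != "wireguard":
            continue
        name = iface["name"]
        own = [ipaddress.ip_interface(a).ip for a in iface["lists"].get("addresses", [])]
        seen = []  # (peer label, network) already claimed by an earlier peer
        for peer in (s for s in net if s["type"] == f"wireguard_{name}"):
            label = peer["options"].get("description", "<unnamed peer>")
            for cidr in peer["lists"].get("allowed_ips", []):
                n = ipaddress.ip_network(cidr, strict=False)
                # allowed_ips is what the router routes *to* this peer (and accepts
                # *from* it); the router's own tunnel address can never belong there.
                for ip in own:
                    if ip in n:
                        findings.append(f"{name}: peer {label!r} allowed_ips {cidr} "
                                        f"covers the interface's own address {ip}")
                for other, on in seen:
                    if n.overlaps(on):
                        findings.append(f"{name}: peers {other!r} and {label!r} "
                                        f"have overlapping allowed_ips {cidr}")
                seen.append((label, n))
        port = iface["options"].get("listen_port")
        if port and not _accept_rules(fw, port):
            findings.append(f"{name}: no firewall rule accepts UDP/{port} for listen_port")
    return findings


# Constructed sample input, taken from the original post's config (keys redacted there too).
OP_NETWORK = """\
config interface 'wg0'
        option proto 'wireguard'
        option private_key 'redacted'
        option listen_port '51820'
        list addresses '10.200.200.1/24'

config wireguard_wg0
        option description 'My Peer'
        option public_key 'redacted'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        list allowed_ips '10.200.200.1/32'
"""
OP_FIREWALL = """\
config rule
        option src '*'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '51820'
        option name 'Allow-Wireguard-Inbound'
"""
FIXED_NETWORK = OP_NETWORK.replace("'10.200.200.1/32'", "'10.200.200.2/32'")

if __name__ == "__main__":
    for title, cfg in (("original", OP_NETWORK), ("fixed", FIXED_NETWORK)):
        print(title, check_wireguard(cfg, OP_FIREWALL) or ["ok"])
```

The first check is the one behind the fix in this thread: WireGuard's allowed_ips is a cryptokey routing table, so the router sends packets for those addresses to that peer and only accepts packets from that peer whose source falls inside them. Listing the router's own 10.200.200.1 there leaves the phone with no address the router will ever route to it, which is why 10.200.200.2/32 (or whatever the peer's own tunnel address is) is the right entry.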

Fantastic, it works!

The key thing is the /32 notation which you highlighted and @qquack's settings.

Big thanks to both of you.

1 Like

I'm a noob regarding remote access; is it possible to use WireGuard without a public IP address?

@forests_gump - what are you trying to achieve?

If your goal is to be able to set up a Wireguard 'server' on your OpenWrt router (to allow remote access to your network or to use when on a public/untrusted network as a bit of security by setting up a secure tunnel to your home and then out to the internet), you cannot do this without a public IP address.

If you are intending to connect to a remote peer from your OpenWrt router (such as to a commercial VPN provider or similar), you do not need to have a public IP address.

1 Like

Thanks psherman. I am a home consumer, served by my ISP through a fiber modem wired to my OpenWrt router; the router has USB ports, which are connected to an external hard disk to serve content to the local network. I am trying to see whether it is possible to access this router's content from an outside remote network.

In the general case, to access some service remotely, the service must have a public IP address.
The WireGuard protocol also follows this principle.
So, if you want to set up a VPN server to access your private network remotely, make sure you have a public IPv4 or IPv6 address.

I saw that the Linksys stock firmware allows remote access to my router settings even without a public IP, by using a Linksys account.

I wonder how it is done and whether something similar is possible via OpenWrt.

The methods which allow remote access without a public IP typically involve a third party that passes your traffic through their own public IP addresses.
Providing that kind of service requires financial and technical resources, which is not something that OpenWrt, as a non-commercial community project, can spend on a whim.
See also: Access network behind private nat isp ip
