Wireguard Help

I am installing WireGuard on a device I had WG working on before, but to no avail. The only thing I can see is that the version is newer: the last version I had luci-proto-wireguard working with was git-20.167.61968-87da00a-1, and the one I now find is git-21.0.16.33009-386a29-1.

In a nutshell, I installed luci-app-wireguard, luci-proto-wireguard, wireguard, wireguard-tools and kmod-wireguard. Then I added my private key for the server, added the interface to the lan firewall zone, and added a peer. Same as I did the last 3 times on two other devices.

When I try to connect from my Android or Windows TunSafe client, I just go in circles.

I have read that there is an issue with a version of luci-proto-wireguard; am I running into that problem?

Any help appreciated.

# 'ubus call system board' prints the board/release info; 'wg show' prints the
# WireGuard interface state (public key, listen port, peers and any handshake).
ubus call system board; wg show

What is the output?

        "kernel": "4.14.180",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "Newifi-D2",
        "board_name": "d-team,newifi-d2",
        "release": {
                "distribution": "OpenWrt",
                "version": "19.07.3",
                "revision": "r11063-85e04e9f46",
                "target": "ramips/mt7621",
                "description": "OpenWrt 19.07.3 r11063-85e04e9f46"
        }
}
interface: WG00
  public key: sAv3TRe7F3o5IXkoOP3syPrkyNQ+VLBsz39P1IMK/Aw=
  private key: (hidden)
  listening port: 51820

peer: 3FI24J7RYFR1slCnjKhSLW5vVMTzR3xI/QSDma/V72k=
  allowed ips: 10.200.200.4/32


The WG interface is up and running, but there's no handshake.
Thus your problem is most likely related to the configuration.
Post the output redacting the private parts:

# Dump the UCI network/firewall config plus the live address, route and policy
# state. Redact network.*.private_key values before posting the output.
uci show network; uci show firewall; \
ip address show; ip route show table all; ip rule show
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd2d:b069:cd35::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan_eth0_1_dev=device
network.lan_eth0_1_dev.name='eth0.1'
network.lan_eth0_1_dev.macaddr='20:76:93:50:c7:3b'
network.wan=interface
network.wan.ifname='eth0.2'
network.wan.proto='dhcp'
network.wan_eth0_2_dev=device
network.wan_eth0_2_dev.name='eth0.2'
network.wan_eth0_2_dev.macaddr='20:76:93:50:c7:3c'
network.wan6=interface
network.wan6.ifname='eth0.2'
network.wan6.proto='dhcpv6'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='0 1 2 3 6t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='4 6t'
network.WG00=interface
network.WG00.proto='wireguard'
network.WG00.private_key='xxxxxxxxxxxxxxxxxxxxxxxxxx='
network.WG00.listen_port='51820'
network.WG00.addresses='10.200.200.1'
network.@wireguard_WG00[0]=wireguard_WG00
network.@wireguard_WG00[0].public_key='3FI24J7RYFR1slCnjKhSLW5vVMTzR3xI/QSDma/V72k='
network.@wireguard_WG00[0].description='Note 10'
network.@wireguard_WG00[0].allowed_ips='10.200.200.4/32'
root@OpenWrt:~#
root@OpenWrt:~# uci show network
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd2d:b069:cd35::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan_eth0_1_dev=device
network.lan_eth0_1_dev.name='eth0.1'
network.lan_eth0_1_dev.macaddr='20:76:93:50:c7:3b'
network.wan=interface
network.wan.ifname='eth0.2'
network.wan.proto='dhcp'
network.wan_eth0_2_dev=device
network.wan_eth0_2_dev.name='eth0.2'
network.wan_eth0_2_dev.macaddr='20:76:93:50:c7:3c'
network.wan6=interface
network.wan6.ifname='eth0.2'
network.wan6.proto='dhcpv6'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='0 1 2 3 6t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='4 6t'
network.WG00=interface
network.WG00.proto='wireguard'
network.WG00.private_key='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx='
network.WG00.listen_port='51820'
network.WG00.addresses='10.200.200.1'
network.@wireguard_WG00[0]=wireguard_WG00
network.@wireguard_WG00[0].public_key='3FI24J7RYFR1slCnjKhSLW5vVMTzR3xI/QSDma/V72k='
network.@wireguard_WG00[0].description='Note 10'
network.@wireguard_WG00[0].allowed_ips='10.200.200.4/32'

root@OpenWrt:~# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan WG00'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wan wan6'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'

root@OpenWrt:~# ip address show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether 20:76:93:50:c7:3b brd ff:ff:ff:ff:ff:ff
    inet6 fe80::2276:93ff:fe50:c73b/64 scope link
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 20:76:93:50:c7:3b brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fd2d:b069:cd35::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::2276:93ff:fe50:c73b/64 scope link
       valid_lft forever preferred_lft forever
6: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether 20:76:93:50:c7:3b brd ff:ff:ff:ff:ff:ff
7: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 20:76:93:50:c7:3c brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.75/24 brd 10.0.0.255 scope global eth0.2
       valid_lft forever preferred_lft forever
    inet6 fe80::2276:93ff:fe50:c73c/64 scope link
       valid_lft forever preferred_lft forever
9: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether 20:76:93:50:c7:3a brd ff:ff:ff:ff:ff:ff
    inet6 fe80::2276:93ff:fe50:c73a/64 scope link
       valid_lft forever preferred_lft forever
10: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether 20:76:93:50:c7:3c brd ff:ff:ff:ff:ff:ff
    inet6 fe80::2276:93ff:fe50:c73c/64 scope link
       valid_lft forever preferred_lft forever
12: WG00: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.200.200.1/32 brd 255.255.255.255 scope global WG00
       valid_lft forever preferred_lft forever

root@OpenWrt:~# ip route show table all
default via 10.0.0.1 dev eth0.2 proto static src 10.0.0.75
10.0.0.0/24 dev eth0.2 proto kernel scope link src 10.0.0.75
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
broadcast 10.0.0.0 dev eth0.2 table local proto kernel scope link src 10.0.0.75
local 10.0.0.75 dev eth0.2 table local proto kernel scope host src 10.0.0.75
broadcast 10.0.0.255 dev eth0.2 table local proto kernel scope link src 10.0.0.75
local 10.200.200.1 dev WG00 table local proto kernel scope host src 10.200.200.1
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1
fd2d:b069:cd35::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd2d:b069:cd35::/48 dev lo proto static metric 2147483647 error 4294967148 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0.2 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
fe80::/64 dev wlan1 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast fd2d:b069:cd35:: dev br-lan table local proto kernel metric 0 pref medium
local fd2d:b069:cd35::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0.2 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev wlan0 table local proto kernel metric 0 pref medium
anycast fe80:: dev wlan1 table local proto kernel metric 0 pref medium
local fe80::2276:93ff:fe50:c73a dev wlan0 table local proto kernel metric 0 pref medium
local fe80::2276:93ff:fe50:c73b dev eth0 table local proto kernel metric 0 pref medium
local fe80::2276:93ff:fe50:c73b dev br-lan table local proto kernel metric 0 pref medium
local fe80::2276:93ff:fe50:c73c dev eth0.2 table local proto kernel metric 0 pref medium
local fe80::2276:93ff:fe50:c73c dev wlan1 table local proto kernel metric 0 pref medium
ff00::/8 dev eth0 table local metric 256 pref medium
ff00::/8 dev br-lan table local metric 256 pref medium
ff00::/8 dev eth0.2 table local metric 256 pref medium
ff00::/8 dev wlan0 table local metric 256 pref medium
ff00::/8 dev wlan1 table local metric 256 pref medium
ff00::/8 dev WG00 table local metric 256 pref medium

root@OpenWrt:~# ip rule show
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

You are missing the port opening firewall rule.

# Add a firewall rule that accepts inbound WireGuard traffic on the WAN zone.
# dest_port must match network.WG00.listen_port (51820 in the config above).
# No 'dest' is set, so this is an input rule for the router itself, not a forward.
uci -q delete firewall.wg           # start clean: drop any existing 'wg' section (-q: quiet if absent)
uci set firewall.wg="rule"
uci set firewall.wg.name="Allow-WireGuard"
uci set firewall.wg.src="wan"       # inbound from the WAN zone only
uci set firewall.wg.dest_port="51820"
uci set firewall.wg.proto="udp"     # WireGuard transports over UDP only; no TCP rule is needed
uci set firewall.wg.target="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart        # apply the committed rule set

Thanks. I will look how to do that. I don't recall having done that in the past.

Thank you. I installed this at least 3 times before on other OpenWRT boxes but I don't recall ever having to do this. It works.


That would be really odd (and questionable), as by default the WAN interface should not accept any incoming traffic. So on the "server" side, unless the port is open, the tunnel could not be established.
So either on your previous devices you had disabled the firewall on the WAN interface, or the WG communication may somehow have had the port opened by chance through its outgoing NAT requests.

I doubt I would have disabled the firewall. No matter. It's working now.
