WireGuard is driving me mad, looking for a good guide

So I've been trying to set up WireGuard on my BPI R4 (running snapshot), without any success.

Basically, I would like to have my phone (when it's not on home WiFi) access the home network and route all traffic through the home network (plain vanilla dynamic IP setup with DDNS, that part does work).

Clearly WireGuard and my brain are not compatible, as whatever I do / whichever guide I follow, I never even see a handshake in LuCI, even though both Android and Win11 claim to establish tunnels over 4G (predictably, nothing is being routed after that).

So is there a good, ideally well commented guide that can be recommended?

See: https://openwrt.org/docs/guide-user/services/vpn/wireguard/server

Of course, your router should have a publicly available IPv4 address; check whether this is the case, otherwise you cannot reach it.

Edit:

Please connect to your OpenWrt device using ssh, copy the output of the following commands and post it here using the "Preformatted text </>" button:

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
ip route show
wg show

I agree with you, the configuration of WireGuard is full of edge cases which can easily bite you in the rear.

Regarding the handshake, one thing that is not explicit is that you need to restart the WireGuard interface (usually wg0) after configuration for it to take the key of your peer (your phone, in that case) into account.

To simplify the firewall configuration, I advise putting wg0 in the lan zone and testing from the LAN initially (in that case, from the WAN, you will need an IPv4 port-forward rule).

OK, that clearly was part of it. Now I do have a handshake and can ping 1.1.1.1, but something still prevents me from using the tunnel properly. Looks like DNS is not working properly yet.

That's what I followed (last), but sadly it's not the most intuitive guide ever; for example, is VPN_ADDR="192.168.9.1/24" supposed to be the same subnet as the LAN?

root@bpir4:~# ubus call system board
{
        "kernel": "6.6.30",
        "hostname": "bpir4",
        "system": "ARMv8 Processor rev 0",
        "model": "Bananapi BPI-R4",
        "board_name": "bananapi,bpi-r4",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "revision": "r26348-3e5a23639f",
                "target": "mediatek/filogic",
                "description": "OpenWrt SNAPSHOT r26348-3e5a23639f"
        }
}
root@bpir4:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd2f:f036:e773::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ip6assign '60'
        list ipaddr '192.168.1.10/24'

config device
        option name 'br-wan'
        option type 'bridge'
        list ports 'eth2'
        list ports 'wan'

config device
        option name 'wan'
        option macaddr 'ea:37:29:af:e6:45'

config device
        option name 'eth2'
        option macaddr 'ea:37:29:af:e6:45'

config interface 'wan'
        option device 'br-wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'br-wan'
        option proto 'dhcpv6'

config interface 'vpn'
        option proto 'wireguard'
        option private_key '***'
        option listen_port '51820'
        list addresses '192.168.9.1/24'
        list addresses 'fd00:9::1/64'

config wireguard_vpn 'wgclient'
        option public_key '***'
        option preshared_key '***'
        list allowed_ips '192.168.9.2/32'
        list allowed_ips 'fd00:9::2/128'
        option private_key '***'
        option description 'GA'
        option persistent_keepalive '25'
        option route_allowed_ips '1'
root@bpir4:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'vpn'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'
root@bpir4:~# ip route show
default via 212.51.131.1 dev br-wan  src 212.51.131.62 
192.168.1.0/24 dev br-lan scope link  src 192.168.1.10 
192.168.9.0/24 dev vpn scope link  src 192.168.9.1 
192.168.9.2 dev vpn scope link 
212.51.131.0/24 dev br-wan scope link  src 212.51.131.62 
root@bpir4:~# wg show
interface: vpn
  public key: ***
  private key: (hidden)
  listening port: 51820

peer: ****
  preshared key: (hidden)
  endpoint: 178.197.219.166:34165
  allowed ips: 192.168.9.2/32, fd00:9::2/128
  latest handshake: 20 seconds ago
  transfer: 113.22 KiB received, 22.77 KiB sent
  persistent keepalive: every 25 seconds

What's the output of cat /etc/config/dhcp?

root@bpir4:~# cat /etc/config/dhcp 

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        list interface 'lan'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config domain
        option name 'redmikate.lan'
        option ip '192.168.1.5'

config domain
        option name 'redmigabriel.lan'
        option ip '192.168.1.4'

config domain
        option name 'mt3000.lan'
        option ip '192.168.1.6'

Remove that from the config dnsmasq section. Then run /etc/init.d/dnsmasq reload.

If that doesn't work, change option localservice '1' to option localservice '0' and run the reload command again.
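As an added example (not from the thread or the OpenWrt wiki), a small POSIX sh check for the dnsmasq trap discussed in the reply above: `list interface` entries that leave out the WireGuard network, and `localservice '1'`. It assumes the WireGuard network is named `vpn` as in the posted config, and the config excerpt it runs on is constructed.

```shell
#!/bin/sh
# Added check, not from the thread or the OpenWrt wiki: flags the two dnsmasq
# settings discussed above that stop WireGuard peers getting DNS answers.
# Input is UCI text as printed by `cat /etc/config/dhcp`; the network name
# 'vpn' matches the posted config, and the sample excerpt is constructed.

# Print one line per finding for network $2 in dhcp config $1; exit 1 if any.
dnsmasq_findings() {  # $1=dhcp config file  $2=WireGuard network name
    awk -v net="$2" -v q="'" '
        /^config / { inside = ($2 == "dnsmasq"); next }  # dnsmasq section only
        !inside { next }
        { gsub(q, "") }                                   # strip UCI quotes
        $1 == "list" && $2 == "interface" { n++; if ($3 == net) listed = 1 }
        $1 == "option" && $2 == "localservice" { ls = $3 }
        END {
            bad = 0
            if (n && !listed) {
                print "list interface present but " net " not listed: dnsmasq will not bind to it"
                bad = 1
            }
            if (ls == "1") {
                print "localservice 1: only directly attached subnets are answered"
                bad = 1
            }
            exit bad
        }' "$1"
}

# Constructed excerpt mirroring the relevant lines of the posted config.
write_sample() {  # $1=output file
    cat > "$1" <<'EOF'
config dnsmasq
        option localservice '1'
        list interface 'lan'

config dhcp 'lan'
        option interface 'lan'
EOF
}

f=$(mktemp)
write_sample "$f"
dnsmasq_findings "$f" vpn || echo "fix: drop list interface, or add list interface vpn; then /etc/init.d/dnsmasq reload"
rm -f "$f"
```

On the router itself, run `dnsmasq_findings /etc/config/dhcp vpn` instead of the constructed sample.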

Will do. FWIW, adding the WG interface just fixed it too :)

Thanks a lot to all of you!