Hello! I have an issue with a WireGuard setup on an OpenWrt router.
There is no internet connection.
What am I doing wrong?
cat /etc/config/network
# /etc/config/network as first posted (OpenWrt 19.07, UCI syntax).
# Review notes are '#' comment lines only; the configuration itself is unchanged.
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fda2:1ffb:7161::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
# 'wan' (DHCP) and 'wan6' (PPPoE with IPv6 disabled) both sit on eth0.2.
# Whichever of the two actually holds the public address is the one WireGuard
# must be reachable on -- check with `ifstatus wan` / `ifstatus wan6`.
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
# The WAN MAC is posted unredacted here (it is redacted in the later dump).
config device 'wan_eth0_2_dev'
option name 'eth0.2'
option macaddr '28:28:5d:63:50:53'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'pppoe'
# PPPoE credentials are stored in cleartext in this file; keep them redacted when posting.
option password '9########'
option username '3########'
option ipv6 '0'
option delegate '0'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 3 6t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '4 6t'
# WireGuard server side. private_key is the router's secret and is never
# shared; the public key derived from it is what goes into the client's [Peer].
config interface 'vpn'
option proto 'wireguard'
option private_key 'aAh###'
option listen_port '51820'
# The router's own tunnel addresses; every client needs a different address
# inside these ranges (here 192.168.9.2 / fd00:9::2).
list addresses '192.168.9.1/24'
list addresses 'fd00:9::1/64'
# One peer section per client. preshared_key is optional but, when used, must be
# byte-identical on both ends.
config wireguard_vpn 'wgclient'
option preshared_key 'ejr4F####'
# endpoint_host/endpoint_port make the router *initiate* handshakes to
# 188.x:51820. A server accepting a roaming client should leave them unset; the
# client's endpoint is learned from its incoming handshake.
option endpoint_host '188.####'
option endpoint_port '51820'
option route_allowed_ips '1'
option description 'peer'
option public_key 'Fg0###'
# allowed_ips is WireGuard's cryptokey routing table: only packets to/from these
# addresses are accepted for this peer. Keep it to the client's /32 and /128 and
# do not widen it to 0.0.0.0/0 on the server side. Note that the `wg show`
# output below lists an extra 0.0.0.0/32 that is not in this file, so the
# running state and the file already differ -- reload the network after editing.
list allowed_ips '192.168.9.2/32'
list allowed_ips 'fd00:9::2/128'
cat /etc/config/firewall
# /etc/config/firewall as first posted (OpenWrt 19.07 fw3 syntax).
# Review notes are '#' comment lines only; the configuration itself is unchanged.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
# The 'vpn' network is a member of the lan zone, so a connected WireGuard client
# is treated exactly like a LAN host: it reaches router services, LAN hosts and
# (via the lan->wan forwarding below, with masq) the internet. Fine for a
# personal VPN; give vpn its own zone if clients should be restricted.
config zone 'lan'
option name 'lan'
list network 'lan'
list network 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# Internet-facing posture: input/forward REJECT plus NAT. Only the explicit
# rules below open anything from the WAN side.
config zone 'wan'
option name 'wan'
list network 'wan'
list network 'wan6'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option input 'REJECT'
option forward 'REJECT'
config forwarding
option src 'lan'
option dest 'wan'
# Stock OpenWrt 19.07 default rules (Allow-DHCP-Renew through Allow-ISAKMP) follow.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Allow-IPSec-ESP / Allow-ISAKMP carry dest 'lan', i.e. they are FORWARD rules
# letting IPsec from the WAN into the LAN. Not used by this setup; harmless but
# can be dropped.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# /etc/firewall.user is a shell script run on every firewall reload and can add
# rules that are not visible in this file; review its contents when debugging.
config include
option path '/etc/firewall.user'
# The one rule WireGuard needs: src wan with no dest zone puts it in the INPUT
# chain, so the router itself may receive UDP/51820 handshakes.
config rule 'wg'
option name 'Allow-WireGuard'
option src 'wan'
option dest_port '51820'
option proto 'udp'
option target 'ACCEPT'
# Not needed: this DNATs UDP/51820 to 192.168.1.1, which is the router's own
# LAN address. A redirect is for a WireGuard server on a host *behind* the
# router; here the router terminates the tunnel, so the Allow-WireGuard input
# rule above is sufficient and this section should be removed.
config redirect
option dest_port '51820'
option src 'wan'
option name 'w'
option src_dport '51820'
option target 'DNAT'
option dest_ip '192.168.1.1'
option dest 'lan'
wg show
interface: vpn
public key: Dlk###
private key: (hidden)
listening port: 51820
peer: Fg0###
preshared key: (hidden)
endpoint: 188#####:51820
allowed ips: 192.168.9.2/32, fd00:9::2/128, 0.0.0.0/32
Wireguard Windows client:
egc
January 2, 2024, 4:21pm
From the looks of it you want to connect to your router from outside e.g. with your laptop or phone on the internet connect to your home.
Is that what you want?
What version of OpenWrt are you running and on what hardware?
ubus call system board
krazeh
January 2, 2024, 4:34pm
You're not getting a handshake between the peers. As a starting point remove:
Then check the keys are correct on both ends.
Also remove the endpoint host and endpoint port: the router is the server here, so it learns the client's endpoint from the incoming handshake instead of initiating to a fixed address.
egc
January 2, 2024, 4:39pm
The client's address should be 192.168.9.2/24, not 192.168.9.1/24 (192.168.9.1 is the router's own tunnel address).
Always test from outside, e.g. with your laptop/phone on cellular data; a test from inside the LAN does not exercise the WAN firewall rule or the public endpoint.
Yes. I want to use my router as a WireGuard server.
{
"kernel": "4.14.209",
"hostname": "OpenWrt",
"system": "MediaTek MT7620N ver:2 eco:3",
"model": "ZyXEL Keenetic Lite II",
"board_name": "zyxel,keenetic-lite-ii",
"release": {
"distribution": "OpenWrt",
"version": "19.07.5",
"revision": "r11257-5090152ae3",
"target": "ramips/mt7620",
"description": "OpenWrt 19.07.5",
"revision": ""
}
}
yhglbizprsps:
ZyXEL Keenetic Lite II
I don't see this device supported by the official OpenWrt project. Where did the install file come from?
yhglbizprsps:
"version": "19.07.5",
This is a very old version -- 19.07 is EOL and no longer receives security fixes. You should upgrade to a current release, because this one has many known security vulnerabilities.
fixed it but still doesn't work
fixed it but still doesn't work
keys are correct
Have you verified that you have a proper public IPv4 address on the wan of your router?
Also, can you tell us where the OpenWrt version that you are using came from?
Yes, it's a public static IP.
ZyXEL Keenetic Lite II - this is a very old device. I found this page https://wikidevi.wi-cat.ru/ZyXEL_Keenetic_Lite_II via a Google search and translated this thread https://4pda.to/forum/index.php?showtopic=811223
Unfortunately I didn't find an official OpenWrt image for this old device.
In that case, you probably need to reach out to the people who provided the build you are using. They may have made modifications to OpenWrt that could fundamentally affect how things work, and we'd have no way to guess about these changes.
We can do one more review of your configs -- post the latest network and firewall files as well as the remote peer's config.
cat /etc/config/firewall
# /etc/config/firewall, second posting. Review notes are '#' comment lines only.
# Two changes relative to the first posting, both harmful, are marked below.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
# 'vpn' is in the lan zone: a connected WireGuard client is treated like a LAN host.
config zone 'lan'
option name 'lan'
list network 'lan'
list network 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# DANGEROUS: input and forward were changed from REJECT to ACCEPT. With the WAN
# on the public internet this exposes every service listening on the router
# (typically SSH, LuCI, DNS) and forwards unsolicited WAN traffic. Restore
# REJECT for both; WireGuard only needs the single Allow-WireGuard input rule.
config zone 'wan'
option name 'wan'
list network 'wan'
list network 'wan6'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option input 'ACCEPT'
option forward 'ACCEPT'
config forwarding
option src 'lan'
option dest 'wan'
# Stock OpenWrt 19.07 default rules (Allow-DHCP-Renew through Allow-ISAKMP) follow.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Default IPsec forward rules; unused by this setup, harmless.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Shell script run on every firewall reload; review it when debugging.
config include
option path '/etc/firewall.user'
# The line `option dest 'lan'` was added to this rule. With a dest zone fw3
# places it in the FORWARD chain (wan->lan), so it no longer allows the router
# itself to accept UDP/51820; handshakes currently reach the router only
# because wan input is ACCEPT above. Remove the dest line (as in the first
# posting) and set wan input back to REJECT.
config rule 'wg'
option name 'Allow-WireGuard'
option src 'wan'
option dest_port '51820'
option proto 'udp'
option target 'ACCEPT'
option dest 'lan'
cat /etc/config/network
# /etc/config/network, second posting. Review notes are '#' comment lines only.
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fda2:1ffb:7161::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
# 'wan' (DHCP) and 'wan6' (PPPoE, IPv6 disabled) share eth0.2; confirm which one
# holds the public address (`ifstatus wan` / `ifstatus wan6`).
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
config device 'wan_eth0_2_dev'
option name 'eth0.2'
option macaddr '28:28#####'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'pppoe'
# PPPoE credentials are cleartext in this file; keep them redacted when posting.
option password '9#########'
option username '3########'
option ipv6 '0'
option delegate '0'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 3 6t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '4 6t'
# WireGuard server interface. Compared with the first posting the peer's
# endpoint_host/endpoint_port were removed (correct), but two new problems
# were introduced; they are marked below.
config interface 'vpn'
option proto 'wireguard'
option private_key 'aAh#######'
option listen_port '51820'
option delegate '0'
list addresses '192.168.9.1/24'
list addresses 'fd00:9::1/64'
# Redundant: 192.168.9.1 is already assigned by the /24 above. Remove this line.
list addresses '192.168.9.1/32'
config wireguard_vpn 'wgclient'
option preshared_key 'ej####'
option description 'peer'
option public_key 'Fg####'
# route_allowed_ips is no longer set; with the /24 on the interface the router
# still has a connected route to 192.168.9.2, so this is fine for one client.
list allowed_ips '192.168.9.2/32'
list allowed_ips 'fd00:9::2/128'
# WRONG on the server side: 0.0.0.0/0 here tells the router to accept packets
# with *any* source address from this peer (the client could inject traffic with
# spoofed sources into the lan zone), and if route_allowed_ips were re-enabled it
# would send the router's entire default route into the tunnel and cut off WAN
# access. 0.0.0.0/0 belongs in the *client's* [Peer] section only.
# Note: the `wg show` output below lists only the two narrow entries, so the
# running state does not match this file -- reload the network after editing
# (/etc/init.d/network reload) and compare `wg show` with the file again.
list allowed_ips '0.0.0.0/0'
wg show
interface: vpn
public key: Dlk####
private key: (hidden)
listening port: 51820
peer: Fg0###
preshared key: (hidden)
allowed ips: 192.168.9.2/32, fd00:9::2/128
logread -e vpn
Tue Jan 2 21:45:01 2024 daemon.notice netifd: Network device 'vpn' link is down
Tue Jan 2 21:45:01 2024 daemon.notice netifd: Interface 'vpn' is now down
Tue Jan 2 21:45:09 2024 daemon.notice netifd: Interface 'vpn' is setting up now
Tue Jan 2 21:45:12 2024 daemon.notice netifd: Interface 'vpn' is now up
Tue Jan 2 21:45:12 2024 daemon.notice netifd: Network device 'vpn' link is up
Tue Jan 2 21:45:13 2024 user.notice firewall: Reloading firewall due to ifup of vpn (vpn)
wg showconf vpn
# Output of `wg showconf vpn` on the router, i.e. the router's OWN interface,
# not the remote client's config. wg showconf prints kernel WireGuard state
# only: addresses, DNS and routes are managed by netifd and never appear here,
# so their absence is expected. ListenPort is correct for the server side.
[Interface]
ListenPort = 51820
# PrivateKey (and PresharedKey below) are printed in cleartext by this command;
# redact them before posting, as was done here.
PrivateKey = aAh###
[Peer]
PublicKey = Fg###
PresharedKey = ejr####
# No Endpoint: correct for a server waiting for a roaming client. The cryptokey
# table is limited to the client's own addresses, which is the right scope.
AllowedIPs = 192.168.9.2/32, fd00:9::2/128
Is there a script to auto-configure WireGuard, or something like wg-easy?
The wan zone below (input and forward both ACCEPT) is dangerous unless this router sits on a trusted network: it exposes every service on the router to the WAN and forwards unsolicited WAN traffic. If the WAN faces the internet, set input and forward back to REJECT and keep only the explicit Allow-WireGuard input rule (without a dest zone) for UDP/51820.
Remove the delegate line, and the lower two address lines
Remove the lower two address lines:
This appears to be the config on the remote peer... it's totally wrong.
The interface must have an address (192.168.9.2/24) and you'll need DNS too. The listen port should be removed.
The peer part of that config should have allowed IPs of 0.0.0.0/0 if you intend to use the tunnel for all traffic, and it needs an endpoint host and port.
I can see that your keys are almost certainly also wrong -- the public keys don't make sense. You should regenerate your keys for both the router and the remote peer. The public key is derived from the private key. Each side will have a private key -- this one needs to be in the interface section for each side and is not shared with the other side. Then, the public key that comes from the router side needs to be entered into the peer config on the remote peer and vice versa.
For the keys, here's an example (NOTE: Do not use these keys -- they are valid, but they are being posted on the public internet so they are obviously not secret and therefore not safe/secure):
OpenWrt Peer:
Private key:
sAOhTjm9Iwv5jYcATMazpChxThhVT1Y+ORbkKNsfnUo=
Public key (derived from the above):
Qt7EXqW20+zHQqhXmLsDP8FXNzl9MXD96EvuCvgLC2Y=
Remote Peer:
Private key:
8EfHddJYIv2iyP6aKrBIYt7QoJ35ySvF3pun+Ic/wUA=
Public key (derived from the above):
o8ra4HvF3wtl1RkOAgyA3mVYsMdWXsRC9tKVKdGbA10=
This then goes into the configs like this:
# Example router side (UCI). This key pair is published in this thread and must
# never be reused; generate your own with `wg genkey | tee privatekey | wg pubkey`.
config interface 'vpn'
option proto 'wireguard'
# Router's private key: stays on the router only.
option private_key 'sAOhTjm9Iwv5jYcATMazpChxThhVT1Y+ORbkKNsfnUo='
option listen_port '51820'
list addresses '192.168.9.1/24'
config wireguard_vpn 'wgclient'
option description 'peer'
# The client's public key (derived from the client's private key).
option public_key 'o8ra4HvF3wtl1RkOAgyA3mVYsMdWXsRC9tKVKdGbA10='
# Only the client's single address is accepted and routed for this peer.
list allowed_ips '192.168.9.2/32'
option route_allowed_ips '1'
# Not shown here but also required: the 'vpn' network in a firewall zone and an
# INPUT rule accepting UDP/51820 from wan (src wan, no dest zone), as in the
# Allow-WireGuard rule earlier in the thread.
And the remote side would look like this:
# Example client side (wg-quick / Windows client format). Keys are published in
# this thread and must not be reused.
[Interface]
# Client's private key: stays on the client only.
PrivateKey = 8EfHddJYIv2iyP6aKrBIYt7QoJ35ySvF3pun+Ic/wUA=
Address = 192.168.9.2/24
# DNS is the router's LAN address, reached through the tunnel; the router's
# firewall must accept input from the vpn network for this to work (it does
# when vpn is in the lan zone, as in the posted firewall config).
DNS = 192.168.1.1
[Peer]
# Router's public key.
PublicKey = Qt7EXqW20+zHQqhXmLsDP8FXNzl9MXD96EvuCvgLC2Y=
# Route everything through the tunnel. This covers IPv4 only; on a dual-stack
# client add ::/0 as well (and an IPv6 tunnel address) or IPv6 traffic will
# bypass the VPN.
AllowedIPs = 0.0.0.0/0
# Replace with the router's public WAN address; the port matches listen_port on the router.
Endpoint = <publicIP>:51820
It's still not working
https://openwrt.org/docs/guide-user/services/vpn/wireguard/server - did as written in the article - still not working
I don't know what the problem is.
Maybe something is wrong with my firmware.