Wireguard no traffic

Hello everyone,

I'm reaching out for some guidance with setting up WireGuard on my OpenWRT Raspberry Pi Compute Module 4 IoT Router.

Despite following multiple tutorials, including the official OpenWRT documentation, I am unable to get internet traffic to route through the VPN connection.

Here is what I have attempted so far:

  1. I followed the instructions on the OpenWRT WireGuard server guide (https://openwrt.org/docs/guide-user/services/vpn/wireguard/server).
  2. I also tried the automated setup method described here: https://openwrt.org/docs/guide-user/services/vpn/wireguard/automated.

While I can establish a connection (confirmed with wg show), I'm not able to get local traffic or internet data to pass through this connection.

My current system is running OpenWRT 23.05.0 - r23497-6637af95aa.

Could anyone please offer some advice or direct me to the appropriate resources to troubleshoot this issue?

Thank you for your time and assistance.

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'vpn'

config interface 'lan'
        option device 'br-lan.18'
        option proto 'static'
        option ipaddr '192.168.18.1'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option defaultroute '0'
        option delegate '0'
        option ip6hint '18'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth0.10'

config interface 'wan6'
        option proto 'dhcpv6'
        option device 'eth0.10'
        option reqaddress 'try'
        option reqprefix 'auto'

config interface 'wg_lan'
        option proto 'wireguard'
        option private_key 'asdasdasd'
        option listen_port '51820'
        list addresses '10.0.5.1/24'
        option mtu '1420'
        list dns '192.168.18.1'

config wireguard_wg_lan
        option public_key 'UWP6dF87CrQy7pL1Di8Xi5I6uZG7Y2dgfSSqAS8hw1k='
        option preshared_key '3rNmNPFLMFsgGCtTWY1i+1kC30OCqLKU6Ind2FMuDp8='
        option description '1_lan_Phone'
        list allowed_ips '10.0.5.2/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

config wireguard_wg_lan
        option public_key 'odh0dJVj50oKpjy/I4RlAetpv+vUU/viwIoZL5qfiEo='
        option preshared_key 'IZ8wpyJZoxOxyOQLAgzzuXDQ1Gh0CPOwE+1msMAWtPU='
        option description '2_lan_Farm'
        list allowed_ips '10.0.5.3/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

The vpn should not be bridged... so this needs to be fixed:

Further, your lan network interface appears to be using br-lan.18, but in a way that is not properly defined.

In addition, you probably do want the lan to use the default route unless you have other routing happening (such as PBR)... so let's fix that, too.

So, I'll make an assumption here that you want to use VLAN 18 on eth1... it should look like this:

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.18'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.18.1'
        option netmask '255.255.255.0'
        option ip6assign '64'
        option delegate '0'
        option ip6hint '18'

Try that... if it doesn't work, we'll need more info, starting with an updated version of your network file (fixed as recommended above), the firewall file, the results of wg show, and a description of what you have tested to determine that you don't have any traffic flowing.

1 Like

You have no vpn interface and, more importantly, you cannot bridge a Wireguard tunnel because it's layer-3.
If you want to bridge two remote layer-2 domains you have to use encapsulation on top of Wireguard. But if you just want to route via the Wireguard tunnel you will have a lan interface and Wireguard interfaces defined and have to set routes accordingly.

3 Likes

Thanks for your help,

My router connects to an ONT and uses VLAN 10 on eth0 to communicate with the ISP.
My router then connects to a wireless access point via eth1 on VLAN 18; I also use the switch capability of my wireless access point to connect the rest of my network.

I made the changes but seem to have killed communication with the rest of my network. I will reset my router tonight and try again.
Thanks again.

If you're still able to connect to the device to grab config files, we might be able to fix the issue.

2 Likes

I managed to rebuild my router and I think I have fixed the network config.
I have reconfigured WireGuard and can get a connection, but no internet or access to my LAN resources.

I appreciate any advice on troubleshooting this.

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'

config device
        option name 'eth0.10'
        option type '8021q'
        list ports 'eth0'
        option ifname 'eth0'
        option vid '10'

config interface 'lan'
        option device 'eth1.18'
        option proto 'static'
        option ipaddr '192.168.18.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option delegate '0'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth0.10'

config interface 'wan6'
        option proto 'dhcpv6'
        option device 'eth0.10'
        option reqaddress 'try'
        option reqprefix 'auto'

config interface 'wg_0'
        option proto 'wireguard'
        option private_key '2Dsad'
        option listen_port '51820'
        list addresses '192.168.9.1/24'
        list dns '192.168.18.1'

config wireguard_wg_0
        option description 'tst'
        option public_key 'Dasd'
        option private_key '0asd'
        list allowed_ips '192.168.9.2/32'
        option endpoint_host 'svr01.sadsd'
        option persistent_keepalive '25'
        option route_allowed_ips '1'

config device
        option name 'wg_0'

config device
        option name 'eth1.18'
        option type '8021q'
        option ifname 'eth1'
        option vid '18'

wg show has:

root@OpenWrt:~# wg show
interface: wg_0
  public key: Tm6IOIC0xR28KNd4hzLSJ579ggLHoEYEUdvmQykmCmo=
  private key: (hidden)
  listening port: 51820

peer: D4Y4iGFq0oqtt4mqgJzjdlIBTjAqUJVZDNZ1mRSWYwk=
  endpoint: 49.224.117.134:35362
  allowed ips: 192.168.9.2/32
  latest handshake: 1 minute, 54 seconds ago
  transfer: 3.75 KiB received, 1.62 KiB sent
  persistent keepalive: every 25 seconds

Let’s see /etc/config/firewall.

1 Like

Thank you, here is my firewall.

This entry is a temporary workaround for running WireGuard on another machine:

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'wireguard'
        list proto 'udp'
        option src 'wan'
        option src_dport '51820'
        option dest_ip '192.168.18.118'
        option dest_port '51820'

Firewall config is here

config defaults
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option synflood_protect '1'
        option flow_offloading '1'
        option drop_invalid '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg_0'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect 'dns_int'
        option name 'Intercept-DNS'
        option src 'lan'
        option src_dport '53'
        option proto 'tcp udp'
        option family 'any'
        option target 'DNAT'

config rule 'dot_fwd'
        option name 'Deny-DoT'
        option src 'lan'
        option dest 'wan'
        option dest_port '853'
        option proto 'tcp udp'
        option target 'REJECT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'wireguard'
        list proto 'udp'
        option src 'wan'
        option src_dport '51820'
        option dest_ip '192.168.18.118'
        option dest_port '51820'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

Remove this workaround and instead create a traffic rule to accept the traffic from the wan to the router itself. Then we should hopefully see a handshake and routing on the router itself.

1 Like

Thanks psherman, I have updated my firewall and added this rule. I can confirm I can connect, but no internet or LAN access/traffic.

config rule
        option name 'Allow-Wireguard'
        list proto 'udp'
        option src 'wan'
        option src_port '51820'
        option target 'ACCEPT'
        option family 'ipv4'

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg_0'

config zone
        option name 'wan'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-Wireguard'
        list proto 'udp'
        option src 'wan'
        option src_port '51820'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect 'dns_int'
        option name 'Intercept-DNS'
        option src 'lan'
        option src_dport '53'
        option proto 'tcp udp'
        option family 'any'
        option target 'DNAT'

config rule 'dot_fwd'
        option name 'Deny-DoT'
        option src 'lan'
        option dest 'wan'
        option dest_port '853'
        option proto 'tcp udp'
        option target 'REJECT'

wg show:

interface: wg_0
  public key: qul6o=
  private key: (hidden)
  listening port: 51820

peer: 7reC71OSw210m=
  endpoint: 49.224.117.134:19772
  allowed ips: 10.18.18.2/32
  latest handshake: 5 seconds ago
  transfer: 1.38 KiB received, 588 B sent
  persistent keepalive: every 25 seconds

and network config:

/etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'

config device
        option name 'eth0.10'
        option type '8021q'
        list ports 'eth0'
        option ifname 'eth0'
        option vid '10'

config interface 'lan'
        option device 'eth1.18'
        option proto 'static'
        option ipaddr '192.168.18.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option delegate '0'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth0.10'

config device
        option name 'eth1.18'
        option type '8021q'
        option ifname 'eth1'
        option vid '18'

config interface 'wg_0'
        option proto 'wireguard'
        option private_key '0Po='
        option listen_port '51820'
        list addresses '10.18.18.1/24'

config wireguard_wg_0
        option description 'test'
        option public_key '7reC='
        option private_key 'wKs='
        list allowed_ips '10.18.18.2/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

config interface 'wan6'
        option proto 'dhcpv6'
        option device 'eth0.10'
        option reqaddress 'try'
        option reqprefix 'auto'

Let’s see the configuration from the other peer.

1 Like

No internet from your WG client could be a DNS issue; to check, do a ping 8.8.8.8 and/or traceroute/tracert 8.8.8.8.

Your LAN clients have their own firewall and will not allow WG traffic by default.
To test if this is the case, enable masquerading on the lan zone, e.g. add to the lan zone: option masq '1'

1 Like

Here is my peer config. I do redirect DNS queries through DNS hijacking and use DoT with Dnsmasq and Stubby.

So the remote peer is OpenWrt based? Let’s see the network and firewall files for that device.

Apologies, the client I'm testing with is my iPhone.

Is your OpenWrt Wireguard server also the main router in your house, or is it another machine on the LAN?

1 Like

It is my main router.

I did temporarily set up WireGuard on a server on my network, and I can connect to that fine and access resources.
The only network change for this was to forward the port to the WireGuard server.

Remove the ipv6 allowed ips.
And add dns to your wireguard interface config section (on the phone). Maybe start with 8.8.8.8 or another public dns server.

1 Like

I have tried a couple of DNS servers (Google & Cloudflare); updated config below.
Thanks for looking at this.


I can’t access the internet or local resources.

Let’s try this… remove wg_0 from the lan zone and put it into its own zone. Then add forwarding.

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wg'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wg_0'

config forwarding
        option src 'wg'
        option dest 'lan'

1 Like
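The mistakes diagnosed across this thread (a WireGuard interface or an undefined port listed in the bridge, a DNAT that forwards the listen port to another host instead of the router, an input rule that does not actually admit handshakes, and a wg interface that sits in no zone or in a zone with no forwarding) can all be caught by reading the two UCI files before reloading the network. The script below is an added example, not part of this thread and not OpenWrt's own tooling: it contains a minimal parser for the config/option/list line format (quoted values only, as in the files posted here) and a lint that reports those conditions. The finding codes are my own, and the sample configs are constructed, trimmed-down versions of the ones posted above.

```python
# Lint /etc/config/network and /etc/config/firewall text for the WireGuard mistakes
# discussed in this thread.  Added example, not OpenWrt's own tooling.
import re

_LINE = re.compile(r"^(config|option|list)\s+(\S+)(?:\s+'([^']*)')?$")
_PHYS = re.compile(r"^(lo|eth\d+(\.\d+)?)$")  # names the kernel provides without a section

def parse_uci(text):  # minimal UCI parser: a list of {'type', 'name', 'opt', 'list'} sections
    secs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparsable UCI line: {raw!r}")
        kw, key, val = m.groups()
        if kw == "config":
            secs.append({"type": key, "name": val, "opt": {}, "list": {}})
        elif kw == "option":
            secs[-1]["opt"][key] = val
        else:
            secs[-1]["list"].setdefault(key, []).append(val)
    return secs

def lint(network_text, firewall_text):
    """Return (code, message) findings; an empty list means every check passed."""
    net, fw, out = parse_uci(network_text), parse_uci(firewall_text), []
    wg = [s for s in net if s["type"] == "interface" and s["opt"].get("proto") == "wireguard"]
    wg_names = {s["name"] for s in wg}
    devices = {s["opt"].get("name") for s in net if s["type"] == "device"}
    # WireGuard is a layer-3 interface: traffic is routed into it, it is never a bridge port
    for s in net:
        if s["type"] == "device" and s["opt"].get("type") == "bridge":
            for port in s["list"].get("ports", []):
                if port in wg_names:
                    out.append(("BRIDGED_WG", f"WireGuard interface {port} is used as a bridge port"))
                elif port not in devices and not _PHYS.match(port):
                    out.append(("UNDEFINED_PORT", f"bridge port {port!r} is defined nowhere"))
    zones = [s for s in fw if s["type"] == "zone"]
    fwd_srcs = {s["opt"].get("src") for s in fw if s["type"] == "forwarding"}
    for iface in wg:
        zone = next((z for z in zones if iface["name"] in z["list"].get("network", [])), None)
        if zone is None:
            out.append(("WG_NO_ZONE", f"{iface['name']} belongs to no firewall zone"))
        elif zone["opt"]["name"] not in fwd_srcs:
            out.append(("WG_ZONE_NO_FORWARD", f"zone {zone['opt']['name']} has no forwarding to another zone"))
        port = iface["opt"].get("listen_port")
        if not port:
            continue
        # a DNAT on the listen port hands the handshakes to another host, never to this router
        for s in fw:
            if s["type"] == "redirect" and s["opt"].get("src") == "wan" and s["opt"].get("src_dport") == port:
                out.append(("WG_PORT_REDIRECTED", f"udp/{port} is redirected to {s['opt'].get('dest_ip')}"))
        # the router must accept udp to its listen port; clients send from a random source port
        inputs = [r for r in fw if r["type"] == "rule" and r["opt"].get("src") == "wan"
                  and "dest" not in r["opt"] and r["opt"].get("target") == "ACCEPT"
                  and "udp" in (r["opt"].get("proto", "").split() or r["list"].get("proto", []))]
        if any(r["opt"].get("dest_port") == port for r in inputs):
            continue
        if any(r["opt"].get("src_port") == port for r in inputs):
            out.append(("WG_RULE_SRC_PORT", f"input rule matches src_port {port}; it must match dest_port {port}"))
        else:
            out.append(("WG_NO_INPUT_RULE", f"no wan-to-router ACCEPT rule for udp dest_port {port}"))
    return out

# Constructed sample inputs, trimmed from the configurations posted in this thread
NET = """
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'vpn'

config interface 'wg_0'
        option proto 'wireguard'
        option listen_port '51820'
"""
FW_SRC_PORT = """
config zone
        option name 'lan'
        list network 'lan'
        list network 'wg_0'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-Wireguard'
        list proto 'udp'
        option src 'wan'
        option src_port '51820'
        option target 'ACCEPT'
"""
NET_FIXED = NET.replace("'vpn'", "'eth1'")            # bridge holds only the physical port
FW_FIXED = FW_SRC_PORT.replace("src_port", "dest_port")  # the input rule keyed on the listen port
FW_REDIRECT = FW_FIXED + "config redirect\n\toption src 'wan'\n\toption src_dport '51820'\n\toption dest_ip '192.168.18.118'\n"
```

Run `lint(NET, FW_SRC_PORT)` and it reports the undefined `vpn` bridge port together with the `src_port` rule; `lint(NET_FIXED, FW_FIXED)` returns an empty list. The `src_port` check matters because a peer's handshake arrives with an arbitrary source port and destination port 51820, so a rule keyed on `src_port` only matches replies from another WireGuard server, not clients connecting in.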