Wireguard not working right

I just noticed this in your config.

The standard TCP/UDP port range is 1 to 65535. The port you have configured is outside of that range.

This is almost certainly the op’s redacting of the actual port they are using (not strictly necessary, but if it makes them more comfortable, that is fine). Since the handshake is working now, it is safe to assume they are using a valid port number.

YES! That fixed it.
I still need to verify that the cameras will resolve from the no-ip address, but all looks good so far. I'm actually using it now.

I do think that the installation process should be a bit more automated. The qr code should have handled all of this on the Android side and prompted me for anything it still needed such as the serverURL.

I found a good wireguard page that is very informative, but huge so it's not a quick read.

Thanks again to everyone that helped.

Dennis.


Yes, something would probably squawk if I actually tried to use that bogus port number. Part of wireguard's security is the fact that ports are not standard and it doesn't respond to incorrect passwords - "Sorry that password is incorrect, please keep trying until you guess correctly". This means the hacker needs to find the port before he can even try hacking. As such, I don't want to advertise it.

I don't know why I'm such a target for hackers. The only thing of value here is the cameras which currently have ip lockouts on them. I'm guessing that my IP address must have been written on the back of the stall door at a hacker convention or something.

One thing I did notice is that the IP changed with the new router. It's been the same for a good while now, but changed with the new Archer A7 router. So unless the hacker knows my noip address, it will probably be a while before he comes back.

The QR code is really just there to make the key exchange happen easily. It would still need to ask for some of the other info.

But glad it is all working now.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

I marked it solved, but there is really no single post that was the complete solution. It was a bunch of them.

The QR code seems to have the servers public IP, but the Android wireguard app should be able to send it the correct public IP for the android.

I need to read up about it some more for sure.

It can’t know that information in advance of creating the QR code. There is nowhere in the wireguard config to specify its own public ip (which may be dynamic) or domain name.

But it can still prompt the user to enter the Endpoint URL:port. It does know the addresses field, but apparently didn't send that. BTW, the Android app should call that field "server address" and not "endpoint". Or at least something that's more intuitive to show that it's looking for a URL:port.

If you leave that field blank, it tells you you need to supply an address. That sent me back up to the field labeled addresses.

The wireguard Luci page should have a place to put all of that before generating the barcode.

Wireguard configuration is trivial if you know what you're doing, but next to impossible if you don't. I'm in the latter category, but I'm learning.

The openwrt wireguard server page is leaving stuff out as well. Still, there's really no reason that stuff couldn't have just been put in a script to run.

I have tested the noip name resolution from inside the vpn and it's working correctly.

So when I'm actually on the router's WiFi and using wireguard to get into the same router, myddnsname.No-ip.Org:1234 will resolve correctly to the device associated with Port 1234. It didn't work right on the last wg router that the hackers trashed.

So far I haven't found any problems with this configuration. Fwiw, the speed test is showing it's faster as well. Considering that this openwrt router is only half the speed and a fourth the number of processors as the ax1800, I think that is impressive.

I can’t speak to the Android app (I’m on iOS and I’m also not involved with the wg project itself), but…

Wireguard does not have a server/client relationship. All devices are just peers. Endpoint could be changed to “endpoint address” but technically endpoint is the correct term.
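The two checks this thread turns on (the port must be in 1 to 65535, and the initiating peer's config must carry an `Endpoint` of the form host:port, which the QR code cannot fill in by itself) can be done on the .conf before it is loaded onto the phone. The script below is an added example, not code from the thread, from OpenWrt or from the WireGuard project; the config text, hostname and keys in it are constructed placeholders. It uses a small parser of its own because Python's `configparser` rejects the repeated `[Peer]` sections a WireGuard file is allowed to have.

```python
import re
from typing import Dict, List, Optional, Tuple

Section = Tuple[str, Dict[str, str]]


def parse_wg_config(text: str) -> List[Section]:
    """Parse a WireGuard .conf into an ordered list of (section name, keys).
    Repeated [Peer] sections are kept, which is why configparser is not used."""
    sections: List[Section] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments; '#' never appears in base64 keys
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {}
            sections.append((line[1:-1].strip(), current))
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))  # keys end in '=', so split once
        current[key] = value
    return sections


def split_endpoint(endpoint: str) -> Tuple[str, int]:
    """Split 'host:port' or '[ipv6]:port' into (host, port); raise on anything else."""
    match = re.fullmatch(r"\[([^\]]+)\]:(\d+)", endpoint) or re.fullmatch(r"([^:]+):(\d+)", endpoint)
    if not match:
        raise ValueError(f"Endpoint {endpoint!r} is not host:port")
    return match.group(1), int(match.group(2))


def valid_port(port: int) -> bool:
    """The usable TCP/UDP port range is 1 to 65535."""
    return 1 <= port <= 65535


def check_wg_config(text: str) -> List[str]:
    """Return a list of findings; an empty list means the config passed every check."""
    findings: List[str] = []
    sections = parse_wg_config(text)
    interfaces = [keys for name, keys in sections if name == "Interface"]
    peers = [keys for name, keys in sections if name == "Peer"]

    if len(interfaces) != 1:
        findings.append(f"expected exactly one [Interface] section, found {len(interfaces)}")
    else:
        iface = interfaces[0]
        for required in ("PrivateKey", "Address"):
            if required not in iface:
                findings.append(f"[Interface] is missing {required}")
        listen = iface.get("ListenPort")
        if listen is not None and not (listen.isdigit() and valid_port(int(listen))):
            findings.append(f"ListenPort {listen} is outside 1-65535")

    if not peers:
        findings.append("no [Peer] section; nothing to handshake with")
    for index, peer in enumerate(peers, 1):
        for required in ("PublicKey", "AllowedIPs"):
            if required not in peer:
                findings.append(f"peer {index} is missing {required}")
        endpoint = peer.get("Endpoint")
        if endpoint is None:
            # Legal for the side that only listens, but a phone with no Endpoint never initiates.
            findings.append(f"peer {index} has no Endpoint; this side cannot start the handshake")
            continue
        try:
            _host, port = split_endpoint(endpoint)
        except ValueError as err:
            findings.append(f"peer {index}: {err}")
        else:
            if not valid_port(port):
                findings.append(f"peer {index}: Endpoint port {port} is outside 1-65535")
    return findings


# Constructed phone-side config with a bogus port, the situation described in the thread.
BAD_CONF = """
[Interface]
PrivateKey = PHONE_PRIVATE_KEY_PLACEHOLDER=
Address = 10.0.0.2/32

[Peer]
PublicKey = ROUTER_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 0.0.0.0/0
Endpoint = myddnsname.example.invalid:70000
"""

# Same config with a valid port.
GOOD_CONF = BAD_CONF.replace(":70000", ":51820")

if __name__ == "__main__":
    for label, conf in (("bad", BAD_CONF), ("good", GOOD_CONF)):
        print(label, check_wg_config(conf) or "ok")
```

Run it against the .conf you are about to scan as a QR code; the "bad" sample above reports the out-of-range port, the "good" one reports nothing. Because the parser keeps every `[Peer]`, the same check works on the router-side config with several phones listed.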

