WireGuard not working

Hello,
I set up WireGuard on my OpenWrt router and it did not work as intended.

I can connect, and LuCI shows my WireGuard connection, but only some bytes are transmitted.

I also cannot ping any IP in my local network when connected via WireGuard.

What could be the issue here?

Thanks.

Network Config

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fddd:bb51:757f::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.200'
        option netmask '255.255.255.0'
        option gateway '192.168.1.254'
        option ifname 'eth0 lan1 lan2 lan3 lan4 wan'
        list dns '192.168.1.254'

config device 'lan_lan1_dev'
        option name 'lan1'
        option macaddr '58:ef:68:fe:a5:e8'

config device 'lan_lan2_dev'
        option name 'lan2'
        option macaddr '58:ef:68:fe:a5:e8'

config device 'lan_lan3_dev'
        option name 'lan3'
        option macaddr '58:ef:68:fe:a5:e8'

config device 'lan_lan4_dev'
        option name 'lan4'
        option macaddr '58:ef:68:fe:a5:e8'

config device 'wan_wan_dev'
        option name 'wan'
        option macaddr '58:ef:68:fe:a5:e8'

config interface 'VPN'
        option proto 'wireguard'
        option private_key 'xxx='
        option listen_port '55653'

config wireguard_VPN
        option route_allowed_ips '1'
        option endpoint_port '48136'
        option public_key 'xxx='
        option description 'Iphone'
        list allowed_ips '192.168.1.50/32'

Firewall Config

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan VPN'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'
        option src 'lan'

config rule
        option name 'Allow-Ping'
        option proto 'icmp'
        option family 'ipv4'
        option target 'ACCEPT'
        list icmp_type 'echo-request'
        option src 'lan'

config rule
        option name 'Allow-IGMP'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'
        option src 'lan'

config rule
        option name 'Allow-DHCPv6'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'
        option src 'lan'
        list src_ip 'fc00::/6'
        list dest_ip 'fc00::/6'

config rule
        option name 'Allow-MLD'
        option proto 'icmp'
        option family 'ipv6'
        option target 'ACCEPT'
        option src 'lan'
        list src_ip 'fe80::/10'

config rule
        option name 'Allow-ICMPv6-Input'
        option proto 'icmp'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'neighbour-advertisement'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'router-solicitation'
        list icmp_type 'time-exceeded'
        option src 'lan'

config rule
        option name 'Allow-ICMPv6-Forward'
        option dest '*'
        option proto 'icmp'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'time-exceeded'
        option src 'lan'

config rule
        option name 'Support-UDP-Traceroute'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'
        option src 'lan'
        option dest_port '33434-33689'

config include
        option path '/etc/firewall.user'

config redirect 'adblock_dns_53'
        option name 'Adblock DNS, port 53'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'

config redirect 'adblock_dns_853'
        option name 'Adblock DNS, port 853'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '853'
        option dest_port '853'
        option target 'DNAT'

config redirect 'adblock_dns_5353'
        option name 'Adblock DNS, port 5353'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '5353'
        option dest_port '5353'
        option target 'DNAT'

config rule
        option src 'lan'
        option target 'ACCEPT'

NOTE: I know that this one firewall rule is a bad idea, but it is only temporary. :slight_smile:

Remove this.

Specify an IP address.

Get rid of

config rule
        option src 'lan'
        option target 'ACCEPT'

Add

config rule
        option target 'ACCEPT'
        option src 'wan'
        option dest_port '55653'
        option name 'Wireguard'
        option proto 'udp'

You need to use a separate subnet for the WireGuard IP on your iPhone. You can't use 192.168.1.50 when using 192.168.1.x in the LAN.

What's the config on your iPhone?

That isn't necessary for it to work.

[Interface]
PrivateKey = xxx=
ListenPort = 48136
Address = 192.168.1.50/32
MTU = 1200

[Peer]
PublicKey = xxx=
Endpoint = vpn643sys.duckdns.org:55653
PersistentKeepalive = 45

Add on the client:

AllowedIPs = 0.0.0.0/0, ::/0

[Interface]
PrivateKey = WLA2bEASS5bV+zh4F0BCPmL2xMZ4S/FMgAgW+88GymE=
ListenPort = 48136
Address = 192.168.1.50/32
MTU = 1200

Change the address to a subnet you don't already use in the LAN. Then update the allowed IP in the router config accordingly.

You also need to add allowed IPs to the peer config on the iPhone. If you want to send all traffic, then do as vgaetera said in the post above; otherwise, if you only want to access LAN resources, restrict it to specific subnets.

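As an added example (not code from the thread or from OpenWrt), a small Python checker for the two misconfigurations the replies point out: it parses the UCI syntax quoted in the posts and reports a WireGuard peer address that sits inside the LAN subnet, plus firewall rules that accept everything from a zone with no restriction. The sample configs are constructed from the thread's own values.

```python
import ipaddress
import re

# Constructed sample in OpenWrt UCI syntax, cut down from the thread's configs.
NETWORK_CFG = """
config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.200'
        option netmask '255.255.255.0'
config wireguard_VPN
        list allowed_ips '192.168.1.50/32'
"""
FIREWALL_CFG = """
config rule
        option name 'Allow-Ping'
        option proto 'icmp'
        option target 'ACCEPT'
config rule
        option src 'lan'
        option target 'ACCEPT'
"""

def parse_uci(text):
    """Parse UCI text into (section_type, section_name, {key: [values]}) tuples."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"\s*config\s+(\S+)(?:\s+'([^']*)')?", line)
        if m:
            sections.append((m.group(1), m.group(2), {}))
            continue
        m = re.match(r"\s*(?:option|list)\s+(\S+)\s+'([^']*)'", line)
        if m and sections:  # 'option' and 'list' both become value lists
            sections[-1][2].setdefault(m.group(1), []).append(m.group(2))
    return sections

def wg_overlaps_lan(network_text):
    """(allowed_ip, lan_subnet) pairs where a WireGuard peer address lies inside a LAN subnet."""
    sections = parse_uci(network_text)
    lans = [ipaddress.ip_interface(f"{o['ipaddr'][0]}/{o['netmask'][0]}").network
            for t, _, o in sections if t == "interface" and "ipaddr" in o and "netmask" in o]
    return [(cidr, str(lan))
            for t, _, o in sections if t.startswith("wireguard_")
            for cidr in o.get("allowed_ips", [])
            for lan in lans if lan.overlaps(ipaddress.ip_network(cidr, strict=False))]

def blanket_accept_rules(firewall_text):
    """Names of ACCEPT rules with no dest/proto/port/address restriction at all."""
    limiting = {"dest", "dest_port", "src_port", "proto", "dest_ip", "src_ip", "icmp_type"}
    return [o.get("name", ["<unnamed>"])[0] for t, _, o in parse_uci(firewall_text)
            if t == "rule" and o.get("target") == ["ACCEPT"] and limiting.isdisjoint(o)]
```

Moving the peer to a separate subnet such as 192.168.2.2/32, as suggested above, makes the overlap check return an empty list.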
Thanks now I see my router.

Oh, by the way, why can I only see my OpenWrt router?
This is my network topology.

I know I have multiple devices online, and I tried accessing the main router, but it did not work. The network scanner only managed to see up to my OpenWrt router, not the entire network, and I can't seem to access the internet now with the VPN on. Why is that?

  • Specify a different subnet for the VPN network, e.g. 192.168.2.0/24.
  • Add a static route on your main router to 192.168.2.0/24 via 192.168.1.200.

Ok but I don't seem to get the static route part.

Your LAN hosts don't know where to send replies to the WG client, so you need to provide the proper routing.

Alternatively, you can enable masquerading on the LAN firewall zone.

Oh thanks.

I also suggest revoking your PrivateKey and generating a new pair ASAP, since anyone can just log in with this key now if it's still valid.

Thanks for reminding me! I should be more careful.

Yeah, treat PrivateKeys as passwords/secrets, or like you treat SSH keys. :slight_smile:
You can give out the PubKey (aka have some monitoring in Grafana for WireGuard that takes the public key or something), but never post the PrivateKey anywhere.

Also, not that anyone can do anything with your DDNS, but it's better if you don't post it all over the web.

While your public IP still shows up in Shodan etc., it's just a bit better if you don't post it anywhere, aka you're less likely to be identified, so maybe I'd suggest swapping that DuckDNS address out for a new one, so no one tries to DDoS you or something all of a sudden.

I have a topology similar to yours, but with a key difference:

  • My OpenWrt device is connected via its WAN port to my normal LAN.

Yes, this puts it into a double-NAT situation, but it is okay because nothing is behind it. The OpenWrt box serves only as a VPN endpoint.

The key to making this work is the proper use of subnets. I have the following:

  • Main LAN subnet: 10.0.1.0/24
  • OpenWrt LAN subnet: 10.0.2.0/24 [the OpenWrt WAN has an address on the 10.0.1.0/24 network]
  • WireGuard subnet [running on the OpenWrt device]: 10.0.5.0/24 (peers are always defined with /32, but I've reserved the whole /24 subnet for WG)

I then have the firewall set such that:

  • WG port opened from WAN to router (this device) as Traffic Rule [it should go without saying that the port also needs to be forwarded in your main router's configuration: from its WAN to the IP address of your OpenWrt router's WAN interface]

  • WG has its own FW zone (input = accept, output = accept, forward = reject; masquerading disabled)

  • WG FW zone forwarding allowed to the WAN (which is really my main network LAN).

For ease of configuration, I have also opened traffic rules for port 80 (web) and 22 (ssh) from the WAN to the router [NOTE: it is generally a very bad idea to do this if your router is directly connected to the internet. However, in this case, the WAN is part of my trusted LAN (which is behind a known good firewall)]. This allows me to administer the OpenWrt device via systems on my trusted LAN (easier than having to connect to the OpenWrt's LAN).