Wireguard on OpenWrt/archer c7 v2 - can't get a handshake

Hello, I have followed the OpenWrt Wiki and then a few YouTube videos but can't get a handshake. I tried to copy other solutions from here but that just made a bigger mess.

Trying to connect my phone to WireGuard on the OpenWrt router (Archer C7 v2). It doesn't connect at all, whether on LAN Wi-Fi or on cellular data. Is this possibly a CGNAT issue? I have an ISP modem/router (97...***) going into the OpenWrt router (192.169.1.1).

Essentially I want to be able to access my home network when away, to view the NVR, and to use a tunnel when on public Wi-Fi. Thank you for any help, and for the previous help with VLANs.

cat /etc/config/network

# /etc/config/network as posted (keys and prefixes redacted with ***).
# Switch port map inferred from the VLAN/device pairing below: port 0 (tagged) carries the
# LAN-side VLANs to eth1, port 6 (tagged) carries the WAN VLAN to eth0.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix ***

# LAN bridge over VLAN 1 (eth1.1).
config device
	option name 'br-lan'
	option type 'bridge'
	# NOTE(review): acceptlocal is a non-default bridge setting; confirm it is still needed.
	option acceptlocal '1'
	list ports 'eth1.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

# Upstream side: DHCP/DHCPv6 client on VLAN 2 (eth0.2). The address obtained here is what
# the WireGuard peer must be able to reach (directly, or via a port forward on the modem).
config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN 1: LAN on physical ports 2 and 3, tagged to the CPU (eth1).
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0t 2 3'
	option vid '1'
	option description 'LAN'

# VLAN 2: WAN on physical port 1, tagged to the CPU (eth0).
config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 6t'
	option vid '2'
	option description 'WAN'

# VLAN 30: NVR on physical ports 4 and 5.
config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 4 5'
	option vid '30'
	option description 'NVR'

config device
	option type 'bridge'
	option name 'br-NVR'
	list ports 'eth1.30'

config interface 'NVR'
	option proto 'static'
	option device 'br-NVR'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'

# VLANs 10 and 20 have no physical switch port, only the CPU trunk; presumably these
# bridges carry wireless SSIDs defined elsewhere (not shown in this paste).
config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '0t'
	option vid '10'
	option description 'GUEST'

config switch_vlan
	option device 'switch0'
	option vlan '5'
	option ports '0t'
	option vid '20'
	option description 'IOT'

config device
	option type 'bridge'
	option name 'br-GUEST'
	list ports 'eth1.10'

config device
	option type 'bridge'
	option name 'br-IOT'
	list ports 'eth1.20'

config interface 'GUEST'
	option proto 'static'
	option device 'br-GUEST'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

config interface 'IOT'
	option proto 'static'
	option device 'br-IOT'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

# WireGuard server side: listens on UDP 51820.
# NOTE(review): the 'Allow-WireGuard' rule in /etc/config/firewall opens 51828, not 51820;
# the two must match or the handshake never reaches this interface.
config interface 'vpn'
	option proto 'wireguard'
	option listen_port '51820'
	# Tunnel addresses of the router end; peers live in 192.168.9.0/24 and fd00:9::/64.
	list addresses '192.168.9.1/24'
	list addresses 'fd00:9::1/64'
	option private_key ***

# Peer (the phone). No endpoint_host is set, so the router cannot initiate and waits for the
# peer; the peer's endpoint must therefore be an address at which the router is reachable.
# route_allowed_ips installs a route to 192.168.9.2/32 via 'vpn'.
config wireguard_vpn
	option description '50'
	option public_key ***
	# NOTE(review): a peer section needs only the peer's public_key (plus optional
	# preshared_key) to bring the tunnel up. If this private_key is the phone's own key
	# (presumably kept for LuCI's client-config/QR export), the router holds a copy of it;
	# keep that in mind when backing up or sharing this file.
	option private_key ***
	option preshared_key ***
	list allowed_ips '192.168.9.2/32'
	option route_allowed_ips '1'

cat /etc/config/firewall

# /etc/config/firewall as posted.
# Defaults: traffic to and through the router is rejected unless a zone or rule allows it;
# traffic originated by the router is allowed.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# The 'lan' zone also carries the WireGuard 'vpn' network, so a connected peer is trusted
# exactly like a wired/wireless LAN client: it may reach the router itself (input ACCEPT)
# and every destination the 'lan' forwardings below allow (wan, IOTZONE, NVRZONE).
config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'vpn'

# Upstream zone: NAT (masq) outbound; unsolicited inbound only via the explicit rules below.
config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

# Standard OpenWrt inbound allowances for DHCP, ICMP and IPv6 housekeeping.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Default OpenWrt IPsec pass-through rules (wan -> lan). No IPsec interface appears in the
# posted network config, so these look unused; harmless, but removable if IPsec is never used.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Empty rule section (no name, src or target); appears to be a leftover and can be deleted.
config rule

# Guest clients: no access to the router except DNS/DHCP (see 'Guest DHCP and DNS' below);
# internet via the GUESTZONE -> wan forwarding.
config zone
	option name 'GUESTZONE'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'GUEST'

config forwarding
	option src 'GUESTZONE'
	option dest 'wan'

# IoT zone: no forwarding from IOTZONE to wan is defined in this file, so IoT devices get
# no internet; 'lan' (and therefore WireGuard peers) may reach them via the lan -> IOTZONE
# forwarding below. No rule allows DHCP/DNS from IOTZONE to the router here either.
config zone
	option name 'IOTZONE'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'IOT'

# NVR zone: input ACCEPT lets NVR-side devices reach any service on the router.
# NOTE(review): if only DHCP/DNS are needed, REJECT plus a port rule (as done for GUESTZONE)
# is the tighter choice.
config zone
	option name 'NVRZONE'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'NVR'

config forwarding
	option src 'lan'
	option dest 'IOTZONE'

config rule
	option name 'Guest DHCP and DNS'
	option src 'GUESTZONE'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'NVRZONE'

# Opens the WireGuard listen port on the router itself (no dest, so this is an input rule).
# NOTE(review): dest_port 51828 does not match listen_port 51820 in /etc/config/network.
config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51828'
	option proto 'udp'
	option target 'ACCEPT'

# Second empty rule section; same as above, appears to be a leftover.
config rule

cat /etc/config/dhcp

# /etc/config/dhcp as posted (MAC addresses redacted with ***).
# dnsmasq: rebind protection on; localservice restricts DNS answers to hosts on subnets the
# router has an interface on (the 192.168.9.0/24 tunnel subnet qualifies).
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option confdir '/tmp/dnsmasq.d'

# LAN pool 192.168.1.100-249; DHCPv6 and RA served as well.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config dhcp 'NVR'
	option interface 'NVR'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# GUEST/IOT pools; unlike 'lan' and 'NVR', dhcpv4 is not set explicitly here and so
# presumably relies on the default.
config dhcp 'GUEST'
	option interface 'GUEST'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'IOT'
	option interface 'IOT'
	option start '100'
	option limit '150'
	option leasetime '12h'

# No 'dhcp' section exists for 'vpn', which is expected: WireGuard peers use the static
# tunnel addresses from /etc/config/network.
# Static leases (MACs redacted).
config host
	option name 'BP-3'
	option ip '192.168.1.228'
	option mac ***

config host
	option name 't'
	option ip '192.168.30.228'
	option mac ***

# The unbalanced quote on the last line is presumably a redaction artefact of the paste.
config host
	option name 'CC7F6'
	option ip '192.168.30.249'
	option mac '***

The listen port in your WG interface config is 51820... but the firewall rule below opens 51828. I'm assuming that was a typo. Try fixing that, restarting, and trying again.

If that doesn't work... Let's see your remote peer's config.

Yes, that was a typo on the port, and fixing it didn't resolve the issue.

By peer configuration, do you mean the WireGuard config on the phone? Not sure how to SSH into that.

on phone
interface
address 192.168.9.2/32
DNS 1.1.1.1

peer
endpoint: 192.168.9.1
allowed ip: 0.0.0.0/0, ::/0

This is your problem...

The endpoint address needs to be your router's public IP address or domain name. You could test connectivity while connected to the local Wi-Fi -- if the public IP doesn't work, you can try setting it to 192.168.1.1, which is the router's LAN address (this only serves as a test and only works while you're on your own Wi-Fi).

Awesome, got a handshake on the LAN. But when I change the peer's allowed IP to my public IP I get no connection.
Would bridging my modem to the OpenWrt router resolve this? Or is 97...*** a workable public IP?

Great... what was the IP address you used in the endpoint field on your phone? Was it your public IP or was it 192.168.1.1?

Is the 97.x.x.x address what you see on the wan of your OpenWrt device currently?

It was 192.168.1.1 that worked.

no it was from googling my ip.
OpenWrt shows its address as 10.0.0.25. I just tried that and it also works when connected to the LAN, but I get no connection when I use cellular data with it.

I will try bridging the modem tomorrow. I believe it might be an issue of two DHCP servers, one on the modem and one on the OpenWrt router.

This means that you are behind another NAT layer... What is immediately upstream of your C7? It sounds like it is an ISP modem/router -- is that correct?

Do you have the ability to adjust settings on that device? Can you see if it has a public IP address on its upstream/WAN? Ideally, you can make it a modem-only (bridge mode) and pass a public IP to your OpenWrt WAN.

yes it is.

It is a Rogers Ignite modem and it failed to bridge the WAN to the router. I read that this modem has an issue with bridging internet if connected via Ethernet instead of coax. I couldn't even access the modem through the Ethernet port once bridged. Had to reset it. Sigh.

Sounds like that's an annoying modem to work with.

If it can't bridge (or just won't work that way), it may be possible to port forward from the modem > OpenWrt, then at least you can open the ports.

That still requires a public IP on the WAN (in this case, the wan of your ignite modem) -- does it indicate the IP address it is using?

A lot of the settings on the modem can only be accessed via their app, and it fails for me at login every time. I hate this company, but there are few good options.

And yes, the IP on the WAN is shown, and it matches my public IP.

That's good. If you can port forward UDP port 51820 > 10.0.0.25 port 51820 (within the modem's config), you should be able to get a handshake. Hopefully the settings are exposed to the user and then hopefully you can actually get the app to work so you can adjust the settings accordingly.

