Hi all,
I want to have a home OpenWRT as a WireGuard Server where my iPhone mobile can VPN into the OpenWRT and can access:
a) the files on my local network NAS
b) the internet on my mobile through my home for safer browsing when abroad
I can't seem to get the configuration right for WireGuard on the OpenWRT Server. This is what I did:
Under >Network>Interfaces I have added a new Interface with the following configuration
=== General Settings ===
Protocol: WireGuard VPN
Bring up on Boot: Checked
Have a Private and public Key through pressing the Generate new Key pair
Listen Port: 51820
IP Address: 192.168.21.210/32 ###this is the IP I understand of the Wireguard Server VPN interface
=== Advanced Settings ===
I did not change anything here
=== Firewall Settings ===
Create/Assign firewall-zone: Lan(lan, vpn)
=== DHCP Server ===
No DHCP Server Configured
=== Peers ===
Description: Mobile
Have a Private and public Key through pressing the Generate new Key pair
Have a Preshared Key through pressing the Generate preshare key
Allowed IPs: 192.168.21.211/32 ###this is the IP address that the Mobile Client will have
Route Allowed IPs: Checked
Endpoint Host: www.mywebsite.com ### this is a website that points to my router's VPN Server IP address
Endpoint IP 51820
Persistent Keep Alive: 25
Under Firewall/Port Forwards
Name:VPN_Forward
Restrict to address family: automatic
Protocol: TCP / UDP
Source zone: wan:[Switch port: "wan"]wan6:[Switch port: "wan"]
External port 51820
Destination zone: lan: [Bridge: "br-lan"] vpn: [Tunnel Interface: "wireguard-vpn"]
Internal IP address: 192.168.21.210
Let's actually just take a look at the config as it stands in the actual system:
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
wg show
This gives us all the info we need to get started.
First make sure that incoming connections are possible with your ISP. The "upstream" IP on the main status page must match that reported by a "whats my IP" test site on a lan computer. You probably want to subscribe to a DDNS service so that your phone can reach your home IP by name as the ISP will usually change your IP whenever your modem has to reconnect.
Your Allow-Wireguard firewall rule is wrong. It should be src wan and no dest. Wireguard from the LAN is also already allowed since the lan default is to allow all ports.
The vpn tunnel IP should be specified as a /24, this installs a route to all possible road warriors in that /24 so that it is not necessary to use route_allowed_ips with every /32.
Your WG interface address overlaps the lan interface's subnet (192.168.21.0/24). You must use a different subnet. For example, let's use 192.168.22.0/24.
So, fixing the above, let's make it look like this:
config interface 'vpn'
	option proto 'wireguard'
	option private_key '====='
	option listen_port '51820'
	list addresses '192.168.22.1/24'
Now, change the allowed_ips of the peer to use the same subnet:
config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'
Don't forget to update the configuration on the remote peer ("Mobile") to match the new allowed IP on its main interface address.
Once that's done, restart your OpenWrt router and test again. If it doesn't work, post the latest versions of those two config files and also the remote peer's configuration.
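The checks in the advice above (tunnel subnet must not overlap the LAN, should be a /24 rather than a /32, peers must sit inside it, and the inbound rule must be src wan / udp / listen port with no dest zone) written up as a small lint, as an added example that is not part of the thread. The two configs are constructed from the values posted; the 192.168.22.211 peer address is an assumption.

```python
import ipaddress

# Constructed sample values modelled on the thread, not the poster's real config.
LAN_SUBNET = "192.168.21.0/24"

# The layout as originally posted: tunnel address inside the LAN subnet,
# a port forward into the lan zone for tcp+udp instead of a plain accept rule.
ORIGINAL = {
    "vpn_address": "192.168.21.210/32",
    "peers": [{"name": "Mobile", "allowed_ips": ["192.168.21.211/32"]}],
    "rules": [{"src": "wan", "dest": "lan", "proto": "tcp udp", "dest_port": "51820"}],
}

# The corrected layout from the replies (peer address is an assumption).
FIXED = {
    "vpn_address": "192.168.22.1/24",
    "peers": [{"name": "Mobile", "allowed_ips": ["192.168.22.211/32"]}],
    "rules": [{"src": "wan", "dest": None, "proto": "udp", "dest_port": "51820"}],
}


def lint_wireguard(cfg, lan_subnet=LAN_SUBNET, listen_port="51820"):
    """Return a list of problems found in a WireGuard server layout."""
    problems = []
    lan = ipaddress.ip_network(lan_subnet)
    vpn_if = ipaddress.ip_interface(cfg["vpn_address"])
    # Tunnel subnet and LAN subnet must be disjoint or routing is ambiguous.
    if vpn_if.network.overlaps(lan):
        problems.append(f"vpn address {vpn_if} overlaps LAN {lan}")
    # A /24 on the interface installs one route covering every peer.
    if vpn_if.network.prefixlen == 32:
        problems.append("vpn address is a /32; use a /24 so one route covers all peers")
    # Each peer's allowed_ips must fall inside the tunnel subnet.
    for peer in cfg["peers"]:
        for cidr in peer["allowed_ips"]:
            if not ipaddress.ip_network(cidr).subnet_of(vpn_if.network):
                problems.append(f"peer {peer['name']} allowed_ips {cidr} outside {vpn_if.network}")
    # Inbound rule: src wan, no dest zone (traffic terminates on the router), udp only.
    ok = [r for r in cfg["rules"] if r["src"] == "wan" and r.get("dest") is None
          and r["proto"] == "udp" and r["dest_port"] == listen_port]
    if not ok:
        problems.append(f"no firewall rule: src wan, no dest, udp dest_port {listen_port}")
    return problems


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, lint_wireguard(cfg) or "ok")
```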
Both Psherman and egc solutions above worked. Only one thing extra was needed in my case: YOU HAVE TO RESTART the Interface Service (or the whole router) before your peer client works, otherwise even with the correct configuration and "Apply and save" it was simply not working.