Xierion
February 20, 2021, 12:35am
1
I have successfully configured and tested a WireGuard VPN connection from my unRAID server, but would prefer to have connections directly on my OpenWRT router (Raspberry Pi 3B+).
My Android device can connect via unRAID, but identical settings will not connect via OpenWRT.
(Interface name wg0 is common across devices, but the port number is different to allow side-by-side connections for testing.)
Running 'wg showconf wg0' on unRAID shows:
> [Interface]
> ListenPort = 12345
> PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>
> [Peer]
> PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> AllowedIPs = 10.253.0.2/32
> Endpoint = xxx.xxx.xxx.xxx:xxxxx
Running the same command on OpenWRT shows:
> [Interface]
> ListenPort = 1234
> PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
but there is no mention of a peer on OpenWRT.
'/etc/config/network' shows a peer is configured:
> config interface 'wg0'
> option proto 'wireguard'
> option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
> option listen_port '1234'
> list addresses '192.168.1.1'
>
> config wireguard_wg0
> option route_allowed_ips '1'
> option public_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
> option description 'Android'
> list allowed_ips '0.0.0.0/0'
> option persistent_keepalive '25'
I can only guess that I am having connection issues because WireGuard does not show a peer as configured.
Check the output:
wg show; iptables-save -c -t filter | grep -e 1234
Xierion
February 20, 2021, 4:19am
3
interface: wg0
public key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
private key: (hidden)
listening port: 1234
[0:0] -A zone_wan_input -p udp -m udp --dport 1234 -m comment --comment "!fw3: WireGuard" -j ACCEPT
Xierion
February 20, 2021, 5:16am
5
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd52:833a:b6a8::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='10.0.0.1'
network.lan.ifname='eth1'
network.lan.proto='static'
network.wan=interface
network.wan.ifname='eth0'
network.wan.proto='dhcp'
network.wg0=interface
network.wg0.proto='wireguard'
network.wg0.private_key='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
network.wg0.listen_port='1234'
network.wg0.addresses='192.168.1.1'
network.@wireguard_wg0[0]=wireguard_wg0
network.@wireguard_wg0[0].public_key='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
network.@wireguard_wg0[0].description='Android'
network.@wireguard_wg0[0].allowed_ips='0.0.0.0/0'
network.@wireguard_wg0[0].endpoint_host='192.168.1.2'
network.@wireguard_wg0[0].persistent_keepalive='25'
The peer appears to be showing up in the core config. Should it be showing in the 'wg showconf wg0' command?
uci -q delete network.wg0.addresses
uci add_list network.wg0.addresses="192.168.1.1/24"
uci -q delete network.@wireguard_wg0[0].endpoint_host
uci -q delete network.@wireguard_wg0[0].allowed_ips
uci add_list network.@wireguard_wg0[0].allowed_ips="192.168.1.2/32"
uci commit network
/etc/init.d/network restart
Xierion
February 20, 2021, 5:54am
7
Still no luck.
root@OpenWrt:~# wg showconf wg0
[Interface]
ListenPort = 1234
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxx
root@OpenWrt:~# uci show network
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd52:833a:b6a8::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='10.0.0.1'
network.lan.ifname='eth1'
network.lan.proto='static'
network.wan=interface
network.wan.ifname='eth0'
network.wan.proto='dhcp'
network.wg0=interface
network.wg0.proto='wireguard'
network.wg0.private_key='xxxxxxxxxxxxxxxxxxxxxxxx'
network.wg0.listen_port='1234'
network.wg0.addresses='192.168.1.1/24'
network.@wireguard_wg0[0]=wireguard_wg0
network.@wireguard_wg0[0].public_key='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
network.@wireguard_wg0[0].description='Android'
network.@wireguard_wg0[0].persistent_keepalive='25'
network.@wireguard_wg0[0].allowed_ips='192.168.1.2/32'
That's weird, perhaps there's some typo I cannot notice.
Try this script:
https://openwrt.org/docs/guide-user/services/vpn/wireguard/extras#automated
Run the script as-is, and it should give you a working config at least.
Then you can adjust the code and configs to your needs.
Xierion
February 20, 2021, 6:31am
9
'Weird' was my thought too. I thought the process I was following was pretty straightforward.
The script didn't appear to do too much, and manually visiting 'https://openwrt.org/_export/code/docs/guide-user/services/vpn/wireguard' shows "This page does not exist anymore".
yousong
February 20, 2021, 6:38am
10
Are there any errors in logread when restarting the interface, like with ifup wg0?
Or debug it by editing /lib/netifd/proto/wireguard.sh and check the generated config in /tmp/wireguard/wg0.conf:
diff --git a/package/network/utils/wireguard-tools/files/wireguard.sh b/package/network/utils/wireguard-tools/files/wireguard.sh
index 63261aea71..cb4be373f8 100644
--- a/lib/netifd/proto/wireguard.sh
+++ b/lib/netifd/proto/wireguard.sh
@@ -139,7 +139,7 @@ proto_wireguard_setup() {
${WG} setconf ${config} "${wg_cfg}"
WG_RETURN=$?
- rm -f "${wg_cfg}"
+ #rm -f "${wg_cfg}"
if [ ${WG_RETURN} -ne 0 ]; then
sleep 5
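Review bot: the paths in this hunk disagree: the diff --git header names the source-tree file package/network/utils/wireguard-tools/files/wireguard.sh while the ---/+++ lines name the installed /lib/netifd/proto/wireguard.sh, so anyone applying it should follow the ---/+++ path (the file on the router). Also, replacing `rm -f "${wg_cfg}"` with `#rm -f "${wg_cfg}"` keeps a file containing the interface PrivateKey in the tmp dir for as long as the interface is up, so the rm -f should be restored (or the file removed by hand) once the generated config has been inspected.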
Xierion
February 20, 2021, 6:54am
12
The only result I am getting from a logread is 'user.notice firewall: Reloading firewall due to ifup of wg0 (wg0)'.
I am not sure what to edit in '/lib/netifd/proto/wireguard.sh' to enable debugging, and '/tmp/wireguard/wg0.conf' does not currently exist.
yousong
February 20, 2021, 7:04am
13
Commenting out the rm -f command should preserve the generated config file in the tmp dir.
That's only part of the full URL to be expanded while downloading the script.
It should download and combine 5 blocks of code from the relevant how-tos.
Then run the resulting script, which should generate a working config:
sh wireguard-server.sh
Xierion
February 23, 2021, 10:32am
15
Gotcha. Running the script now.
Xierion
February 23, 2021, 10:58am
16
The script appeared to work, and set up a vpn interface, but I ended up with the same scenario as when created manually.
Xierion
February 23, 2021, 11:03am
17
Enabling debugging after running the 'WireGuard extras - Automated' script shows the following:
root@OpenWrt:/tmp/wireguard# cat vpn
[Interface]
PrivateKey=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ListenPort=51820
[Peer]
PublicKey=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
AllowedIPs=192.168.9.2/32
AllowedIPs=fdf1:e8a1:8d3f:9::2/128
Then the cause of the problem is likely unrelated to the WireGuard configs.
Try to re-flash the latest stable OpenWrt release.
Xierion
February 23, 2021, 11:14am
19
Currently running v19.07.7.
yousong
February 23, 2021, 11:31am
20
How about trying to manually set up WireGuard with the generated config? Something like the following:
ip link add vpn0 type wireguard
wg setconf vpn0 /tmp/wireguard/vpn
wg show
Is it possible that there is something wrong in the peer's public key? Like a typo when copying/pasting. A wild guess.
I think I have it sorted. I was using luci-app-wireguard and I think the QR code thing was throwing me off.
Following the guide chrisbuchan.co.uk/computing/wireguard-setup-openwrt/ has worked fine.
In hindsight I should have done that in the first place. Thanks for your collective help.