Wireguard Server Access

Morning All,

I'm in the process of setting up a Wireguard stand alone server, however, everything I'm finding when adding OpenWRT to the search is directing me to install wireguard tools on my OpenWRT router.

I don't want to install Wireguard on the router, which appears to be what the tools installs are doing.

Do I need to install Wireguard tools or just configure port forwarding in my router to the wg server, and then configure wg?

Thanks.
B.

You don't need to install anything on your main router (including wireguard-tools) if the WG endpoint sits behind that device. However, if that is the case, you will need to add port forwarding from the main router > wg endpoint assuming that this endpoint is listening for inbound connections.

Where is Wireguard being installed?


Thanks for confirming.

WG is being installed on an old Linux desktop PC that used to be my Windows Media Center PVR box before Microsoft KO'd MC. Yeah, that was a while ago... since then, it's just been sitting around with various flavors of Linux installed now and again.

Will likely be container (proxmox or Docker) server for pihole, wireguard and NAS media server. Maybe MythTV, haven't fully decided as my tuner card may be obsolete.

How can I test that my port is actually open and forwarding appropriately?
Zone settings have been left alone as I'm finding no source that says to modify the lan or wan zone settings.

Firewall config for the redirect

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'guard'
        option src 'wan'
        option src_dport '51820'
        option dest_ip '192.168.10.30'
        option dest_port '51820'
        option family 'ipv4'
        list proto 'tcp'
        list proto 'udp'

I tried to test with an "Open Port Check Tool" website but comes back as failed. Wireguard peer never receives a handshake ack.

I don't know if my ISP is blocking (even though the website says no) or if my firewall configs are incorrect.

You can't, except with a valid remote peer.

You can remove proto TCP since Wireguard is UDP only.

That is 100% expected. WireGuard does not reply to port probes under any circumstances. The WireGuard protocol is not chatty -- it does not respond at all unless the connection is coming from a remote peer that has all the correct cryptographic keys.

That's a bit harder to determine, but we should make sure you have a proper public IP address. Show us the first two octets of your IP address (in bold: aaa.bbb.ccc.ddd):

ifstatus wan | grep address

wan address : 134.215.

Enabled logging and not seeing anything in the wan or firewall logs, but not seeing anything for the forwarded address being rejected.

Ok, on a whim I forwarded port 22 to my OpenWRT IP. Open when enabled, Closed when disabled, so forwarding is open and working. So, looks like my issue is between the WG server and WG peer/client.

Followed this guide to configure WG server/peer (https://www.ckn.io/blog/2017/11/14/wireguard-vpn-typical-setup/)

Are either of the wireguard peers running OpenWrt?

I'm going to say no. The only peer I've set up for testing is my phone with wg app.

Ok... so fixing your WG issues would be out of scope here since it's between two non-OpenWrt devices. However, I will offer this pro-tip:

With your phone connected to wifi on the 192.168.10.0/24 network, configure the peer endpoint address (on the phone's config) as 192.168.10.30. This will allow you to test the ability to establish the tunnel and handshake without any complications potentially introduced by your ISP.
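One way to see whether that LAN test actually produced a handshake, as an added check that is not from this thread or the linked guide: on the Linux WG server, `wg show wg0 dump` prints one tab-separated line per peer with the Unix time of the latest handshake (0 if there never was one). The script below parses that output, run here against a constructed sample with placeholder keys; the interface name `wg0`, the sample endpoints and the 180-second staleness threshold are assumptions.

```python
"""Classify WireGuard peers by handshake state from `wg show <iface> dump`."""
import subprocess
import time

# Constructed sample of `wg show wg0 dump` output; keys are dummy placeholders,
# not real key material. Fields are tab-separated. Line 1 is the interface
# (private-key, public-key, listen-port, fwmark); each later line is a peer
# (public-key, preshared-key, endpoint, allowed-ips, latest-handshake as a
# Unix timestamp or 0 if never, transfer-rx, transfer-tx, keepalive).
SAMPLE_DUMP = "\n".join([
    "SERVER_PRIVKEY_PLACEHOLDER=\tSERVER_PUBKEY_PLACEHOLDER=\t51820\toff",
    "PHONE_PUBKEY_PLACEHOLDER=\t(none)\t192.168.10.55:41234\t10.200.200.2/32"
    "\t1699999950\t1864\t2328\t25",
    "LAPTOP_PUBKEY_PLACEHOLDER=\t(none)\t(none)\t10.200.200.3/32"
    "\t0\t0\t0\toff",
    "OLDBOX_PUBKEY_PLACEHOLDER=\t(none)\t198.51.100.7:51820\t10.200.200.4/32"
    "\t1699990000\t98765\t4321\toff",
])

STALE_AFTER = 180  # seconds; WireGuard peers rekey roughly every 2 minutes


def parse_dump(text):
    """Return the listen port and a list of peer dicts from dump output."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    iface = lines[0].split("\t")
    peers = []
    for ln in lines[1:]:
        f = ln.split("\t")
        peers.append({"public_key": f[0], "endpoint": f[2],
                      "allowed_ips": f[3], "latest_handshake": int(f[4]),
                      "rx": int(f[5]), "tx": int(f[6])})
    return {"listen_port": int(iface[2]), "peers": peers}


def classify(peer, now):
    """'never' = no handshake ever; 'stale' = last one older than STALE_AFTER."""
    if peer["latest_handshake"] == 0:
        return "never"
    return "active" if now - peer["latest_handshake"] <= STALE_AFTER else "stale"


def report(text, now):
    """Map each peer's public key to its handshake state."""
    return {p["public_key"]: classify(p, now) for p in parse_dump(text)["peers"]}


def live_report(iface="wg0"):
    """Run the real command on the WG server (needs wireguard-tools and root)."""
    out = subprocess.run(["wg", "show", iface, "dump"], check=True,
                         capture_output=True, text=True).stdout
    return report(out, int(time.time()))


if __name__ == "__main__":
    for key, state in report(SAMPLE_DUMP, 1700000000).items():
        print(f"{key[:24]}... {state}")
```

A peer that stays at "never" after the phone tries to connect over the LAN means the problem is in the keys or configs themselves, not the ISP or the router's port forward.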

Thanks, I'll give that a shot. I was about to close out this topic and go bug the folks in a WG forum.

Appreciate the help.
