WireGuard server configuration help needed (Android-to-Home)

Hello Team,

Firstly, I would like to apologize if this information is already available somewhere, but honestly, I have been struggling to find it for the past ... number of days.
Nevertheless...

So the overall target is that I may be able to forward all traffic from my mobile phone (on Android) through a VPN channel and out of my home router, which has OpenWRT 21.02.1 and WireGuard (more details down below). Also, to be able to reach my home network devices from within the VPN with internal addresses (e.g. to avoid having to share the traffic from my local LAN camera to the WAN).

What I have done so far:

  1. Installed OpenWRT on the router (Cisco WRT610N v1)
  2. Setup the router as follows:
  • Set a daily router reboot at 4:30am using a cron job
  • WAN connection: PPPoE
  • LAN router address: 192.168.1.1
  • Set the Wireless configs

Afterwards I started on my aim with WireGuard:

  3. Installed WireGuard by following the steps below:
  • SSH into the router via:
    ssh root@192.168.1.1

  • Refresh the packages ready to be updated:
    opkg update

  • Install in dependency order:

opkg install zlib
opkg install libnl-tiny libelf1 libcap
opkg install kmod-udptunnel4 kmod-udptunnel6 libmnl0 ip-full
opkg install kmod-wireguard luci-proto-wireguard wireguard-tools libqrencode
opkg install luci-app-wireguard qrencode
opkg install luci-i18n-wireguard-en
  • Reboot the router from System > Reboot
  • Voila!
  4. Checked Status > WireGuard

  5. Created a dummy network interface that uses WireGuard

  6. Checked again Status > WireGuard and saw that all data is present on the page - QR code, Configuration section (with Public key and Port) and Peer (with Public key, Latest Handshake, Data Received and Data Transmitted)

  7. Then I followed the OpenWRT Wiki's WireGuard server guide from here
    Note: The only exception is that I did not use the line below, as I do not intend to use IPv6 at all:

uci add_list network.wgclient.allowed_ips="${WG_ADDR6%:*}:2/128"

  • The sequence of all exact commands will be shared either at the bottom of the current message or in the first comment of the thread

  • Note: After step #3, upon firewall restart, I received a warning that the interface device had not been found. I continued, and after fully configuring the network interface I restarted the firewall again; at that time no warning about a missing WireGuard interface was returned

  8. Downloaded the WireGuard app on my Xiaomi Redmi Note 9 Pro (OS: MIUI 12.5.6; Android version: 11 RKQ1.200826.002)

  9. On the phone, inside the WireGuard app, I used the + button to create a new entry for a VPN connection, then chose the "Scan from QR code" option, as I had the QR code generated in Status > WireGuard. After scanning, it asked me to enter a name for the entry, and I saved it as is. Then I realized a few additional fields had to be configured:

  • Addresses - this is where I entered the static public IPv4 address of my router (upon saving it was automatically converted to ipv4_address/32)
  • Listen port - I added the port that I had used during the configuration of WireGuard in step #6 above (Port: 51820)

With all of the above, upon flipping the toggle in the mobile app, it seems that a VPN tunnel is being established, but I do not see that anywhere in the OpenWRT GUI. Also, when trying to browse or even to ping the router from the phone, it simply does not work.

Would you kindly assist me to achieve my overall target, please?

==============================================================

Sequence of commands used for WireGuard server configuration:

  1. Preparation - Configure the parameters
WG_IF="WireGuard_VPN"
WG_PORT="51820"
WG_ADDR="192.168.1.1/24"
WG_ADDR6="fe80::b9d3:2c9f:3e20:8618/128"
  2. Key management
  • On the router, go to a dedicated directory (you may need to create it first):
    cd /tmp/VPN

  • Generate the keys

umask go=
wg genkey | tee wgserver.key | wg pubkey > wgserver.pub
wg genkey | tee wgclient.key | wg pubkey > wgclient.pub
wg genpsk > wgclient.psk
 
# Server private key
WG_KEY="$(cat wgserver.key)"
 
# Pre-shared key
WG_PSK="$(cat wgclient.psk)"
 
# Client public key
WG_PUB="$(cat wgclient.pub)"
  • (for long-term storage purposes) On the PC, go to a designated directory for storing the keys and copy them from the router:
cd C:\Users\anton.to\Downloads

scp root@192.168.1.1:/tmp/VPN/* .
root@192.168.1.1's password:
wgclient.key                                                                          100%   45    14.6KB/s   00:00
wgclient.psk                                                                          100%   45    16.7KB/s   00:00
wgclient.pub                                                                          100%   45    21.9KB/s   00:00
wgserver.key                                                                          100%   45    21.7KB/s   00:00
wgserver.pub                                                                          100%   45    14.7KB/s   00:00
  3. Configure the router's firewall:
  • Note: A warning that "WireGuard_VPN" device has not been found might be printed out upon Firewall restart
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci del_list firewall.lan.network="${WG_IF}"
uci add_list firewall.lan.network="${WG_IF}"
uci -q delete firewall.wg
uci set firewall.wg="rule"
uci set firewall.wg.name="Allow-WireGuard"
uci set firewall.wg.src="wan"
uci set firewall.wg.dest_port="${WG_PORT}"
uci set firewall.wg.proto="udp"
uci set firewall.wg.target="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart
  4. Configure the router's network interfaces
  • Create a network device:
uci -q delete network.${WG_IF}
uci set network.${WG_IF}="interface"
uci set network.${WG_IF}.proto="wireguard"
uci set network.${WG_IF}.private_key="${WG_KEY}"
uci set network.${WG_IF}.listen_port="${WG_PORT}"
uci add_list network.${WG_IF}.addresses="${WG_ADDR}"
uci add_list network.${WG_IF}.addresses="${WG_ADDR6}"
  • Add VPN peers
uci -q delete network.wgclient
uci set network.wgclient="wireguard_${WG_IF}"
uci set network.wgclient.public_key="${WG_PUB}"
uci set network.wgclient.preshared_key="${WG_PSK}"
uci add_list network.wgclient.allowed_ips="${WG_ADDR%.*}.140/29"
uci commit network
/etc/init.d/network restart
  5. Restart the firewall once again
    /etc/init.d/firewall restart

Hi.
Create a separate network for WireGuard; it is the basic setup found in every piece of WireGuard documentation.
x.x.9.1, for example.

The resulting config files are almost always more useful than the process you used to get there.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

Also post your Android wg config.

root@OpenWrt:~# cat /etc/config/network
cat /etc/config/firewall

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fde6:6073:4524::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'pppoe'
        option username '<USR>'
        option password '<PW>'
        option ipv6 'auto'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 8t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 8t'

config interface 'WireGuard_VPN'
        option proto 'wireguard'
        option private_key '<Privte_KEY>'
        option listen_port '51820'
        list addresses '192.168.1.1/24'
        list addresses 'fe80::b9d3:2c9f:3e20:8618/128'

config wireguard_WireGuard_VPN 'wgclient'
        option public_key '<Public_Key>'
        option preshared_key '<Preshared_Key>'
        list allowed_ips '192.168.1.140/29'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'WireGuard_VPN'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

root@OpenWrt:~#

But my router is 192.168.1.1, its DHCP gives addresses from 100 to 150, and my VPN is set to stay within 192.168.1.140/29.
Would you guide me how and what may I change exactly?

The subnet you are using for wg overlaps your lan. They must be different.

Try, as an example: 192.168.9.1/24 and 192.168.9.2/32 for the interface and peer, respectively.

There is also an option you should add to the wg peer config on the router: route_allowed_ips 1.

I also recommend (but this is not required): Create a new firewall zone for wireguard.


Hi.

That is the most basic running WireGuard setup I found.
And follow @psherman's advice too.

May you point out which commands to change in the above setup sequence for the WG subnet, please?
As well, please share details on how to add route_allowed_ips 1 to the wg peer config on the router.

And for the firewall zone for WG, I'm also open to that, but I will also need to know the commands and whether any from the above sequence have to be removed.

Thank you in advance, of course.

Also, your Android config is backwards.

Your interface IP should be 192.168.9.2 (if you follow my above suggestion). The peer endpoint should be your public IP (and don't forget the port).

Use a public DNS like 8.8.8.8.
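The two points made above (a tunnel subnet separate from the LAN with the peer's /32 inside it, and the phone's Address and Endpoint being the other way round) boil down to a handful of checks that can be run against the configs pasted in this thread before touching the router again. The following is an added example, not code from the thread or from OpenWrt: it parses a `cat /etc/config/network` dump and a wg-quick style phone config and reports every mismatch it finds. The sample configs are constructed from the values posted here; 203.0.113.10 is a documentation-range stand-in for the router's public IP and the key strings are placeholders.

```python
"""Consistency audit of a WireGuard road-warrior setup: the router's OpenWrt UCI
network config against the phone's wg-quick style [Interface]/[Peer] file.
Added example, not code from the thread or from OpenWrt; the sample configs are
constructed from values posted in the thread, 203.0.113.10 stands in for the
router's public IP and the key strings are placeholders."""
import configparser
import ipaddress
import re


def parse_uci(text: str) -> dict:
    """Parse `cat /etc/config/<file>` output into {section: {type, options, lists}}."""
    sections, cur, anon = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"config\s+(\S+)(?:\s+'([^']*)')?$", line)
        if m:
            typ, name = m.group(1), m.group(2)
            if not name:  # anonymous section such as `config rule`
                name, anon = f"@{typ}[{anon}]", anon + 1
            cur = sections[name] = {"type": typ, "options": {}, "lists": {}}
            continue
        m = re.match(r"(option|list)\s+(\S+)\s+'([^']*)'$", line)
        if m and cur is not None:
            kind, key, val = m.groups()
            if kind == "option":
                cur["options"][key] = val
            else:
                cur["lists"].setdefault(key, []).append(val)
    return sections


def audit(router_uci: str, wg_if: str, phone_conf: str) -> list:
    """Return the problems found; an empty list means both ends agree."""
    problems = []

    def need(ok, msg):
        if not ok:
            problems.append(msg)

    net = parse_uci(router_uci)
    lan_net = ipaddress.ip_network("{ipaddr}/{netmask}".format(**net["lan"]["options"]), strict=False)
    wg = net[wg_if]
    wg_net = ipaddress.ip_interface(next(a for a in wg["lists"]["addresses"] if ":" not in a)).network
    need(not wg_net.overlaps(lan_net), f"WG subnet {wg_net} overlaps LAN {lan_net}; they must differ")
    # Cryptokey routing: the router drops a peer's packets unless their source is in that
    # peer's allowed_ips, so each (IPv4) entry must sit inside the tunnel subnet.
    peer_nets = []
    for name, sec in net.items():
        if sec["type"] != f"wireguard_{wg_if}":
            continue
        for a in (x for x in sec["lists"].get("allowed_ips", []) if ":" not in x):
            n = ipaddress.ip_network(a, strict=False)
            peer_nets.append(n)
            need(n.subnet_of(wg_net), f"peer '{name}': allowed_ips {a} lies outside {wg_net}")
        need(sec["options"].get("route_allowed_ips") == "1",
             f"peer '{name}': route_allowed_ips is not '1' (recommended above)")
    # Phone side: Address is its tunnel IP; Endpoint is the router's public IP and port.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(phone_conf)
    iface, peer = cp["Interface"], cp["Peer"]
    addr = ipaddress.ip_interface(iface["Address"].split(",")[0].strip()).ip
    need(addr in wg_net, f"phone Address {addr} is not in tunnel subnet {wg_net} (public IP belongs in Endpoint)")
    need(any(addr in n for n in peer_nets), f"phone Address {addr} matches no router allowed_ips; packets dropped")
    endpoint = peer.get("Endpoint", "")
    need(endpoint.rpartition(":")[2] == wg["options"]["listen_port"],
         f"phone Endpoint '{endpoint}' should be <router public IP>:{wg['options']['listen_port']}")
    allowed = [ipaddress.ip_network(a.strip()) for a in peer["AllowedIPs"].split(",")]
    need(any(n.version == 4 and n.prefixlen == 0 for n in allowed), "phone AllowedIPs lacks 0.0.0.0/0 (full tunnel)")
    need(iface.get("DNS"), "phone has no DNS; name resolution fails once all traffic is tunnelled")
    return problems


# Constructed from the thread's first attempt: tunnel inside the LAN, public IP as the phone's Address.
ROUTER_FIRST = """config interface 'lan'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
config interface 'WireGuard_VPN'
        option listen_port '51820'
        list addresses '192.168.1.1/24'
config wireguard_WireGuard_VPN 'wgclient'
        list allowed_ips '192.168.1.140/29'"""
PHONE_FIRST = """[Interface]
Address = 203.0.113.10/32
[Peer]
PublicKey = ROUTER_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 0.0.0.0/0, ::/0"""
# The corrected pair: separate 192.168.9.0/24 tunnel, /32 peer, Endpoint and DNS on the phone.
ROUTER_FIXED = (ROUTER_FIRST.replace("192.168.1.1/24", "192.168.9.1/24")
                .replace("192.168.1.140/29", "192.168.9.2/32")
                + "\n        option route_allowed_ips '1'")
PHONE_FIXED = """[Interface]
Address = 192.168.9.2/32
DNS = 8.8.8.8
[Peer]
PublicKey = ROUTER_PUBLIC_KEY_PLACEHOLDER
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/0, ::/0"""
```

`audit(ROUTER_FIRST, "WireGuard_VPN", PHONE_FIRST)` returns six findings for the original setup (overlapping subnet, peer without route_allowed_ips, public IP used as the phone's Address, address not covered by any allowed_ips, empty Endpoint, no DNS), while `audit(ROUTER_FIXED, "WireGuard_VPN", PHONE_FIXED)` returns an empty list. The checker only reads the configs, so it says nothing about whether UDP 51820 actually reaches the router from the cell network or whether the keys match.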

@psherman, Paul, is there a way I may connect with you directly to discuss what changes need to be done? Honestly, my head is a bit messed up with the suggestions.

I understand now where the issue is - subnets are overlapping, but I cannot seem to find how to fix this, nor about the additional recommendations.

Ok, so I did everything from scratch once again. The whole thing from the above.
The slight change is the following (at the very beginning):
WG_ADDR="192.168.9.1/24"

Also, I removed the IPv6 address that used to be configured with:
WG_ADDR6="fe80::b9d3:2c9f:3e20:8618/128"

The fresh output of

cat /etc/config/network
cat /etc/config/firewall

Is just below, respectively:

root@OpenWrt:/tmp/VPN# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fde6:6073:4524::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'pppoe'
        option username '<PPPoE_User>'
        option password '<PPPoE_Pass>'
        option ipv6 'auto'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 8t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 8t'

config interface 'WireGuard_VPN'
        option proto 'wireguard'
        option private_key '<Private_Key>'
        option listen_port '51820'
        list addresses '192.168.9.1/24'

config wireguard_WireGuard_VPN 'wgclient'
        option public_key '<Public_Key>'
        option preshared_key '<Preshared_Key>'
        list allowed_ips '192.168.9.2/32'

root@OpenWrt:/tmp/VPN# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'WireGuard_VPN'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

root@OpenWrt:/tmp/VPN#

Afterwards, I created a new entry in the Android app and edited it similarly to above, following the suggestion of @psherman:
In the Interface's Addresses field, I put 192.168.9.2 (it was translated to 192.168.9.2/32)
Added 8.8.8.8 in the Interface's DNS
The Peer's Endpoint was left empty
The Peer's Allowed IPs was 0.0.0.0/0, ::/0

With all of that, regretfully the result is still the same.

Would someone guide me forward, please?

Sorry for the delayed response...

Before we go any further, let's make sure you have a public IP address on your WAN. What are the first two octets (in bold: aaa.bbb.ccc.ddd) of the OpenWrt WAN?

Ok... good. In the future, probably best not to post your complete IP address.

Meanwhile, let's look at the android side...

Hi.
Something does not sound correct.
The wan interface should use these settings:

config interface 'wan'
        option device 'eth0.2'
        option proto 'pppoe'
        option username '<PPPoE_User>'
        option password '<PPPoE_Pass>'
        list dns '8.8.8.8'
        list dns '8.8.4.4'
        option peerdns '0'

and wan6 should look like that:

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'
        option ipv6 'auto'

I never saw an IPv4 address bound to an IPv6 interface.

And again, as @psherman advised, hide your full IP address.

WG can appear to be connected even when it's not.

What is the output of wg show (from the router)?

root@OpenWrt:~# wg show
interface: WireGuard_VPN
  public key: <key>
  private key: (hidden)
  listening port: 51820

peer: <other_key>
  preshared key: (hidden)
  allowed ips: 192.168.9.2/32

P.S. And of course, this is while the WG app's toggle is "ON" (as if connected).

Result: No websites opening, cannot reach the internal environment (e.g. the router through its internal IP address), nor ping the internal environment.

I am very sorry this is not related to this topic, but I have a problem with WireGuard:
When WireGuard is installed on my router, I cannot log in to the website "github.com", while I can log in to other websites normally.

You are not getting any handshakes, which indicates something is not working at the basic levels. I suspect it is a key issue.

Please create 2 new sets of key pairs (private/public), and be mindful of the locations of each:

  • Key pair #1 for OpenWrt

    • Private key --> on the OpenWrt device > interface configuration > private key
    • Public key --> on the Android device > peer configuration > public key
  • Key pair #2 for Android

    • Private key --> on the Android device > interface configuration > private key
    • Public key --> on the OpenWrt device > peer configuration > public key

Restart your OpenWrt router and try again.


Please start your own thread... this way you can get help for your specific issue and not confuse the current thread.

Thanks.

When testing a VPN, the road warrior user (here, a smartphone) needs to be on a separate Internet source (the cell network) to simulate being away from home. It generally will not work through your home WiFi network. Turn the phone's WiFi off and confirm the cell connection is good.

Place the wireguard tunnel in the router's lan firewall zone, using option device wg0. This means you trust the phone as much as anything else in the LAN, as it will have full access. If that is not the case you can set up a separate zone for it, but for initial testing just have it in the lan zone.

Each endpoint needs the other's public key. Most of the QR process is to automate copying the router's key to the phone. But the phone's public key also needs to be shared to the router usually manually. A private key is only held on the device. Preshared keys offer an additional layer of encryption for slightly more security, but should not be used in initial testing.

The "allowed IPs" are a list of source IPs that will be allowed through the tunnel to this endpoint. If this is improperly configured, packets will be silently dropped by Wireguard. Since the phone intends to see the whole Internet via VPN, it should be set to 0.0.0.0. On the router the only legitimate source IP will be the /32 address of the phone's end of the tunnel. "Route allowed IPs" isn't necessary on the router side for a road warrior, but the phone should have that checked so that all Internet usage (0.0.0.0/0) is routed into the VPN tunnel.

Finally, and this is more of a fine tuning issue to look out for in the future, having your home network 192.168.1.0 will make it unreachable by VPN if you connect the phone through a public wifi that uses the same range. It is better to make the home network something unusual so it is unlikely to ever conflict.