Thank you for the suggestion, Paul. Indeed, I did find a couple of wrongly entered keys (as I was doing the Android app setup via QR code scan and didn't know what else I should set manually).
What I found to be wrong was the private key on the Android side (the interface's private key) and the pre-shared key.
After adding them, the GUI of the app and the output of wg show
now show exactly the same public keys, just swapped - Public Key #1 is under Interface on one side and under Peer on the other, and vice versa for the other public key (#2).
Nevertheless, despite restarting the router and even making additional minor changes, it is still not working.
Minor changes: on the router I noticed that the peer's allowed address was 192.168.9.2/32, whereas the app's Interface address was 192.168.9.3/32 (this was still the case even after confirming the keys as above).
So what I did was to remove 192.168.9.2/32
from the router's peer allowed IPs and add 192.168.9.0/29 instead.
Then on the mobile app I set the interface address to 192.168.9.2/32 and to 192.168.9.3/32 (in separate attempts).
Again - it still did not work, even after restarting the router.
Another two clarifications:
#1 - I am using the mobile operator's 4G network for the tunnel test; the phone is not connected to the router's WiFi when I test the tunnel.
#2 - I got in touch with my ISP and they confirmed that there is no port filtering or traffic shaping on their network.
Sooo... what may be the next step for troubleshooting?
P.S. The output of wg show
on the router while the tunnel is "connected" is the following:
root@OpenWrt:~# wg show
interface: WireGuard_VPN
public key: 5452Cuz<bla-bla>
private key: (hidden)
listening port: 51820
peer: OZG/74<bla-bla>
preshared key: (hidden)
allowed ips: 192.168.9.0/29
root@OpenWrt:~#
My phone's app settings are as follows...
The output of cat /etc/config/network
is:
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'some_ipv6'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option device 'eth0.2'
option proto 'dhcp'
config interface 'wan6'
option device 'eth0.2'
option proto 'pppoe'
option username 'pppoe_user'
option password 'pppoe_pass'
option ipv6 'auto'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 8t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '0 8t'
config interface 'WireGuard_VPN'
option proto 'wireguard'
option private_key 'mKW2<bla-bla>'
option listen_port '51820'
list addresses '192.168.9.1/24'
config wireguard_WireGuard_VPN 'wgclient'
option public_key 'OZG/74<bla-bla>'
option preshared_key 'OOoCS<bla-bla>'
list allowed_ips '192.168.9.0/29'
root@OpenWrt:~#
The output of cat /etc/config/firewall
is:
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'WireGuard_VPN'
config zone 'wan'
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled 'false'
config include
option path '/etc/firewall.user'
config rule 'wg'
option name 'Allow-WireGuard'
option src 'wan'
option dest_port '51820'
option proto 'udp'
option target 'ACCEPT'
root@OpenWrt:~#