WireGuard server configuration help needed (Android-to-Home)

When testing a VPN, the road warrior user (here, a smartphone) needs to be on a separate Internet source (the cell network) to simulate being away from home. It generally will not work through your home WiFi network. Turn the phone's WiFi off and confirm the cell connection is good.

Indeed, I have used my phone only with 4G Internet connection, without it being connected to the WiFi of the same router.
Despite that, I do not understand why it may not work, as it should be able to create a tunnel to itself through its ISP GW. Simple enough: the traffic goes out to the GW and then comes back into the router (of course, I have already confirmed with my ISP that there is no filtering or shaping on the network).

Place the wireguard tunnel in the router's lan firewall zone, using option device wg0. This means you trust the phone as much as anything else in the LAN, as it will have full access. If that is not the case you can set up a separate zone for it, but for initial testing just have it in the lan zone.

How is that being done? Please share a detailed step-by-step for a person who hasn't touched OpenWrt in a while (10 years, I don't know) or WireGuard (never touched).

Each endpoint needs the other's public key. Most of the QR process is to automate copying the router's key to the phone. But the phone's public key also needs to be shared to the router usually manually. A private key is only held on the device. Preshared keys offer an additional layer of encryption for slightly more security, but should not be used in initial testing.

So I did it with the QR code and then I did it manually; the result was the same. However, if not today, tomorrow I will try the last suggestion of @psherman to exchange freshly created keys.

Route allowed IPs

This seems to be set just as you mentioned.

Finally, and this is more of a fine tuning issue to look out for in the future, having your home network 192.168.1.0 will make it unreachable by VPN if you connect the phone through a public wifi that uses the same range. It is better to make the home network something unusual so it is unlikely to ever conflict.

As you may see from comment #2 above, that was changed: the phone is now set to 192.168.9.0 (it will be *.9.3), whereas the home network is 192.168.1.0/24.

So overall... I'm a bit more confused by the reply, instead of it clearing the picture for me.

As I am to believe you are willing to help, please let me know which current settings you would want me to show you (provide the commands for them), and I will do my very best to answer at my soonest convenience.

Thank you in advance for your kind understanding :slight_smile:

Thank you for the suggestion, Paul. Indeed, I did find a couple of wrongly entered keys (as I was doing the Android app setup via QR code scan and didn't know what else I should set manually).

What I found as wrong was the private key on the Android side (in the interface's private key), and the pre-shared key.

After adding them, the output of wg show now shows exactly the same public keys as the GUI of the mobile app, just crossed over: Public Key #1 is in Interface on one side and in Peer on the other, and vice versa for the other public key (#2).

Nevertheless, despite restarting the router and even additional minor changes, it is still not working.

Minor changes: In the router I noticed that the peer's allowed address was 192.168.9.2/32, whereas the app's Interface address was 192.168.9.3/32 (of course, even after the key confirmation above).

So what I did was to remove 192.168.9.2/32 from the router's peer allowed IPs and add 192.168.9.0/29.
Then on the mobile app, I set the interface to 192.168.9.2/32 and 192.168.9.3/32 (in different attempts).
Again, it still did not work, even after restarting the router.

Two more clarifications:
#1 - I am using the mobile operator's 4G network for the tunneling test; the phone is not connected to the router's WiFi when I test the tunnel.

#2 - I got in touch with my ISP and they confirmed that there is no port filtering or shaping on the network.

Sooo... what may be the next step for troubleshooting?

P.S. wg show on the router shows the following while "connected":

root@OpenWrt:~# wg show
interface: WireGuard_VPN
  public key: 5452Cuz<bla-bla>
  private key: (hidden)
  listening port: 51820

peer: OZG/74<bla-bla>
  preshared key: (hidden)
  allowed ips: 192.168.9.0/29
root@OpenWrt:~#

My phone's app settings are like this...

The output of cat /etc/config/network is:

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'some_ipv6'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'pppoe'
        option username 'pppoe_user'
        option password 'pppoe_pass'
        option ipv6 'auto'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 8t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 8t'

config interface 'WireGuard_VPN'
        option proto 'wireguard'
        option private_key 'mKW2<bla-bla>'
        option listen_port '51820'
        list addresses '192.168.9.1/24'

config wireguard_WireGuard_VPN 'wgclient'
        option public_key 'OZG/74<bla-bla>'
        option preshared_key 'OOoCS<bla-bla>'
        list allowed_ips '192.168.9.0/29'

root@OpenWrt:~#

The output of cat /etc/config/firewall is:

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'WireGuard_VPN'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

root@OpenWrt:~#

The ability for this to work often depends on the router's configuration with respect to what is often called NAT loopback or hairpin-NAT -- if not configured appropriately, you might get a false negative. There is also the possibility that the ISP could be the issue (not likely in your case), and if testing from within, you could get a false positive. The best way to avoid a false impression of the situation is to use your cellular connection to make the connection... it sounds like you're already doing that, so no change needed. But that is why inbound VPN connections are best tested from a network outside your target network.

This depends very much on your goals. Are you trying to use this VPN to be able to access your home network and the stuff on it, or just to use your home internet connection for a level of privacy/security when you are using a public network?

IMO, the first thing to do is to make sure you exchange the keys properly. Then see if you get a handshake (you'll see it from the output of wg show).

This is wrong. It should be 192.168.9.2/32.

Remove the preshared key (from both here and the android side) for now. You can add it in once everything is working.

If you want to split the WireGuard network into its own firewall zone, you'll want it to look like this:

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone 'vpn'
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'WireGuard_VPN'

config forwarding
        option src 'vpn'
        option dest 'wan'

config forwarding
        option src 'vpn'
        option dest 'lan'

You can tighten down the security later (if your goals require anything different than this), once it is proven to work.

Thank you for shedding some more light on that darkness of mine, Paul. Highly appreciated.
Of course, I do rely on the good word of my ISP, but honestly, I hardly doubt that they may have some problems, as I have already informed them about my aim to set up a VPN and I have already asked them specifically about the port I use, 51820.

And about your question:

Here is the answer to the question:

Thank you once again for all of your help! Highly appreciated! :slight_smile:

Sorry I had missed that earlier. The firewall rules that I showed just a few posts above will do what you want (once things are working).

Done

Done + reboot of the router

Set the IP of the app's interface to 192.168.9.2/32: didn't work; to 192.168.9.3/32: didn't work.

P.S. I understand about the zones, but I just don't know how to achieve that: neither the commands, nor what in the above setup should be changed in order to split the firewall zones. :confused:

Any other suggestions?

Ah... I made a typo. Your Android config said 192.168.9.3, so your OpenWrt config should match that (192.168.9.3/32). With it set that way and freshly restarted, use your phone on cellular to try to connect. After that attempt, what is the output of wg show?

Oh, I'd also recommend removing the IPv6 range from the allowed IPs on the Android side of the config.

So I just did the following:

  • In the router:
    #1 - set Allowed IPs in Peer to 192.168.9.3/32
    #2 - Save
    #3 - Save & Apply
    #4 - Reboot

  • In the mobile app:
    #1 - confirmed that the Interface's address is 192.168.9.3/32
    #2 - removed the ", ::0" from the Peer allowed IPs (current value in the field: 0.0.0.0/0)
    #3 - confirmed that the phone is not connected to the WiFi, but to the cellular 4G network

Attempted to connect, but the result is still the same.

The output of wg show during the connection attempt is exactly the same as before:

root@OpenWrt:~# wg show
interface: WireGuard_VPN
  public key: 5452Cuz<bla-bla>
  private key: (hidden)
  listening port: 51820

peer: OZG/74<bla-bla>
  allowed ips: 192.168.9.3/32

OK... let's try something else.

Make the endpoint on the Android device 192.168.1.1:51820. This time, use wifi, and try to connect. Let's see what happens with wg show after that.

Works like a charm with 192.168.1.1:51820

P.S. I also restarted the Android device and tried again before setting 192.168.1.1:51820.

Hmm... what may be wrong with the Internet communication then? How do I troubleshoot it?

I think you had a typo in your endpoint IP on Android... just catching that now. You had 194.168.89.130:51820. It should have been 194.169.89.130:51820.

Try that.


You're a genius, @psherman !!! Very well done with all of the effort here!!! Thank you so so so very much!

Finally, it all works perfectly well and just as I expected.

Thank you once again!

Thread to be closed. Summary: Multiple issues since the start.
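A post-mortem check for the mismatches this thread ran into (peer allowed_ips not being the phone's /32, keys ending up on the wrong side, a preshared key configured on one side only, a mistyped endpoint), added here as an example; it is not the thread's or OpenWrt's own code. It assumes the phone tunnel is exported in wg-quick format, that the router's public key is copied from wg show and the phone's from the app, and it uses documentation addresses and placeholder keys as constructed samples.

```python
import re

ROUTER_UCI = """
config interface 'WireGuard_VPN'
        option proto 'wireguard'
        option listen_port '51820'
config wireguard_WireGuard_VPN 'wgclient'
        option public_key 'PHONE_PUB'
        option preshared_key 'PSK'
        list allowed_ips '192.168.9.0/29'"""
PHONE_CONF = """
[Interface]
Address = 192.168.9.3/32
[Peer]
PublicKey = ROUTER_PUB
Endpoint = 203.0.114.10:51820"""

def parse_uci(text):
    # Each 'config' line opens a section; option/list values collect as lists.
    secs = []
    for line in text.splitlines():
        if m := re.match(r"\s*config\s+(\S+)(?:\s+'([^']*)')?", line):
            secs.append({"_type": m[1], "_name": m[2]})
        elif m := re.match(r"\s*(?:option|list)\s+(\S+)\s+'([^']*)'", line):
            secs[-1].setdefault(m[1], []).append(m[2])
    return secs

def parse_wgquick(text):
    # The Android app exports wg-quick style [Interface]/[Peer] sections.
    conf, sect = {}, None
    for line in text.splitlines():
        if line.startswith("["):
            sect = conf.setdefault(line.strip("[]"), {})
        elif sect is not None and "=" in line:
            k, v = line.split("=", 1)
            sect[k.strip()] = v.strip()
    return conf

def check_pair(router_uci, phone_conf, router_pub, phone_pub, wan_ip):
    # router_pub: 'public key' line of `wg show`; phone_pub: shown in the app.
    peer = next(s for s in parse_uci(router_uci) if s["_type"].startswith("wireguard_"))
    phone = parse_wgquick(phone_conf)
    host32 = phone["Interface"]["Address"].split("/")[0] + "/32"
    ep_host = phone["Peer"]["Endpoint"].rsplit(":", 1)[0]
    checks = [
        (peer.get("allowed_ips") == [host32], f"allowed_ips must be {host32}"),
        (phone["Peer"]["PublicKey"] == router_pub, "phone peer key != router pubkey"),
        (peer.get("public_key") == [phone_pub], "router peer key != phone pubkey"),
        (("preshared_key" in peer) == ("PresharedKey" in phone["Peer"]),
         "preshared key on one side only"),
        (ep_host == wan_ip, f"endpoint {ep_host} != router WAN {wan_ip}"),
    ]
    return [msg for ok, msg in checks if not ok]  # empty list = consistent
```

Run check_pair on both configs before the first handshake attempt; the constructed samples reproduce three of the thread's mistakes and return one finding per mistake.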

Glad it's all working now. If you want to use the preshared key, you can add that now. Happy trails!


Please show me the files that make your router work (network, firewall...), so that everyone can find the way to do it.

The firewall file is in the thread... but as I mentioned earlier, it would be best if you opened your own thread. Then you can get help that is specific to your situation.
