This command doesn't work:
uci add_list firewall.lan.network="${WG_IF}"
So instead I added wireguard_vpn to the covered networks in the section Firewall -> Zone Settings, LAN zone.
The mentioned URL is confusing. It's using VPN peers, but I thought it would be used to set up the server and clients....
So much confusion... is there some working howto?
Even though my Win10 client can connect to the OpenWrt WireGuard server, it has no default route... and I can't ping any local IP address / can't even ping the WireGuard interface address...
I'd like to see the complete network and firewall config files (below), as well as the Windows WG config file.
Are you getting a handshake? What is the output of wg show
Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
root@OpenWrt-main-router:~# wg show
interface: wireguard_vpn
public key: ERv+t+LUDAinmkTHPmurJyDGenNxrwXxxxxxRI=
private key: (hidden)
listening port: 51820
network
root@OpenWrt-main-router:~# cat /etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fddf:4363:a8a0::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config device
	option name 'lan1'
	option macaddr 'b4:75:0e:64:4b:f8'

config device
	option name 'lan2'
	option macaddr 'b4:75:0e:64:4b:f8'

config device
	option name 'lan3'
	option macaddr 'b4:75:0e:64:4b:f8'

config device
	option name 'lan4'
	option macaddr 'b4:75:0e:64:4b:f8'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '10.0.1.1'

config device
	option name 'wan'
	option macaddr 'b4:75:0e:64:4b:f8'

config interface 'wan'
	option device 'wan'
	option proto 'static'
	option ipaddr '192.168.0.4'
	option netmask '255.255.255.0'
	option gateway '192.168.0.1'
	list dns '8.8.8.8'
	list dns '8.8.4.4'
	option delegate '0'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config route
	option interface 'lan'
	option target '192.168.1.0'
	option netmask '255.255.255.0'
	option gateway '10.0.1.44'

config interface 'wireguard_vpn'
	option proto 'wireguard'
	option private_key 'xxxxTDjGQ='
	option listen_port '51820'
	list addresses '192.168.9.1/24'
	option mtu '1412'

config wireguard_vpn 'wgclient'
	option public_key 'xxxxGNHi4NFLXO/mQpgQoiTplI+2V0='
	option preshared_key 'xxxxxwOqqS1IYvUth+/HNlPPzbRM1jJmGbYCCk='
	list allowed_ips '192.168.9.2/32'
firewall
root@OpenWrt-main-router:~# cat /etc/config/firewall
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wireguard_vpn'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option dest_ip '10.0.1.156'
	option dest_port '80'
	option name 'piwigo'
	option src_dport '1122'

config rule 'wg'
	option name 'Allow-WireGuard-LAN'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'
The files generally look fine, but it appears you are not getting any handshakes.
Please post your Windows system's WG config file.
A few things to check...
I can see that your OpenWrt device is connected behind another router (192.168.0.1). Have you forwarded UDP port 51820 from your outermost router to 192.168.0.4? Does the result from googling "What's my IP" match what you see for the WAN IP on your primary router (the one connected directly to the internet)?
How are you testing your connection? Is the windows computer on the OpenWrt LAN or the upstream router's LAN, or a different network entirely? Does the windows peer use an IP address or a domain name for the address? If IP -- does it match the WAN IP from above? If domain name -- does that domain name resolve to the proper IP (i.e. the WAN IP)?
Has the key exchange happened properly? It is easy to mess this up because it is impossible for a human to differentiate between public and private keys.
The public key from the router's config must be entered into the "peer > public key" field on the Windows system, and vice versa. If in doubt, you can create new key pairs.
Other things:
It may be a good idea to remove the preshared key until you get the WG handshakes working in general. This removes one variable and thus makes it easier to troubleshoot.
You may want to test with the Windows machine connected directly to the OpenWrt router and with the WG peer address on that system set to 10.0.1.1. Again, this is eliminating variables from outside the router with WG, and then we can work out from there.
You'll probably want to enable "route allowed IPs" on the OpenWrt WireGuard configuration for the Windows peer. This won't cause issues with the initial handshake, but will affect the ability to make proper connections.
So as this setup doesn't work... do I have to go with the steps from the "other things" section?
Not sure about "preshared key"; do I have to put it into some client config?
Also, what do you mean by route allowed IPs? Do I have to put this into the network wgclient section?
I saw some posts that also 51820 has to be added to the OpenWrt firewall... but that doesn't make sense to me.
Your windows peer does not have the preshared key, but the router configuration does have it there. Without a matching preshared key, you will not get a handshake. It either needs to be present in both systems (the exact same key), or absent in both systems.
This is an option that will be necessary in your router's WG peer configuration:
option route_allowed_ips '1'
You've already got this port opened in your firewall -- per below
Try editing your wireguard configuration on your router to match below (note the removal of the preshared key and the addition of the route allowed IPs)... then restart your router and try again.
config interface 'wireguard_vpn'
	option proto 'wireguard'
	option private_key 'xxxxTDjGQ='
	option listen_port '51820'
	list addresses '192.168.9.1/24'
	option mtu '1412'

config wireguard_vpn 'wgclient'
	option public_key 'xxxxGNHi4NFLXO/mQpgQoiTplI+2V0='
	list allowed_ips '192.168.9.2/32'
	option route_allowed_ips '1'
In this configuration, you have an interface called wireguard_vpn
Critically (and this is the thing I had not caught), the peer configuration requires the prefix wireguard_ before the name of the interface. So, your peer stanza should actually look like this:
config wireguard_wireguard_vpn 'wgclient'
...
Note the prefix wireguard_ that was added to the interface name.
So... you can either edit the name of the interface to simply vpn (instead of wireguard_vpn) and use the peer stanza as it is, or add the prefix to the peer stanza (as described above) and keep the interface name the same.
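The naming rule just described is easy to check mechanically before a remote restart. The POSIX sh script below is an added example of mine, not code from this thread or from OpenWrt: it reads a UCI network config, collects every interface whose proto is 'wireguard', and flags any peer stanza whose section type is not wireguard_<that interface name>. The embedded config is constructed to mirror the thread (interface 'wireguard_vpn' with a peer stanza typed 'wireguard_vpn'); the key values are placeholders, and the function names (sample_broken, sample_fixed, check_wg_peers) are my own.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenWrt. Checks that every
# WireGuard peer stanza in a UCI network file is typed wireguard_<interface>,
# where <interface> is a 'config interface' section with proto 'wireguard'.
# The sample config is constructed; key values are placeholders.

# Constructed sample reproducing the thread's mistake: the interface is
# 'wireguard_vpn', so the peer stanza would need the type
# 'wireguard_wireguard_vpn', not 'wireguard_vpn'.
sample_broken() {
cat <<'EOF'
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.0.1.1'

config interface 'wireguard_vpn'
	option proto 'wireguard'
	option private_key 'PRIVATE_KEY_PLACEHOLDER'
	option listen_port '51820'
	list addresses '192.168.9.1/24'

config wireguard_vpn 'wgclient'
	option public_key 'PEER_PUBLIC_KEY_PLACEHOLDER'
	list allowed_ips '192.168.9.2/32'
	option route_allowed_ips '1'
EOF
}

# Same config with the peer stanza type corrected.
sample_fixed() {
  sample_broken | sed "s/^config wireguard_vpn /config wireguard_wireguard_vpn /"
}

# unquote: strip the single quotes UCI puts around values.
unquote() { printf '%s' "$1" | tr -d "'"; }

# check_wg_peers: read a UCI network config on stdin. Prints one line per
# problem; returns 1 if any peer stanza is not attached to a WireGuard
# interface, 0 otherwise.
check_wg_peers() {
  cfg=$(cat)
  wg_ifaces=" "
  sectype=""; secname=""
  # Pass 1: collect the names of interfaces whose proto is 'wireguard'.
  while read -r kw key val; do
    case "$kw" in
      config) sectype=$key; secname=$(unquote "$val") ;;
      option)
        if [ "$sectype" = interface ] && [ "$key" = proto ] && [ "$(unquote "$val")" = wireguard ]; then
          wg_ifaces="$wg_ifaces$secname "
        fi ;;
    esac
  done <<EOF
$cfg
EOF
  # Pass 2: every 'config wireguard_<x>' stanza must name one of them.
  status=0
  while read -r kw key val; do
    [ "$kw" = config ] || continue
    case "$key" in
      wireguard_*)
        iface=${key#wireguard_}
        case "$wg_ifaces" in
          *" $iface "*) ;;
          *) echo "peer $(unquote "$val"): type '$key' matches no WireGuard interface (have:$wg_ifaces)"
             status=1 ;;
        esac ;;
    esac
  done <<EOF
$cfg
EOF
  return $status
}

# Usage on a router would be: check_wg_peers < /etc/config/network
sample_broken | check_wg_peers
sample_fixed | check_wg_peers && echo "fixed config: peer stanza OK"
```

Run against the broken sample it reports the wgclient stanza and exits 1; against the corrected sample it exits 0. Renaming the interface to plain vpn, as the post suggests, passes the same check because the peer type wireguard_vpn then matches.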
Yes... did you add this to your peer stanza on the OpenWrt side?
What did you change in the end? Did you change the name of the interface (to vpn) or did you fix the peer stanza and prepend wireguard_ to the interface name?
Feel free to post the latest config files (/etc/config/network and /etc/config/firewall).
@psherman
Yeah, that's correct.
I know it's an odd question, but I am physically 400 km away from the OpenWrt router... so I just don't want to mess things up... just double-checking...
root@OpenWrt-main-router:~# uci show firewall | grep wire
firewall.@zone[0].network='lan' 'wireguard_vpn'
Can I update it properly with this command? root@OpenWrt-main-router:~# uci set firewall.lan.network="lan vpn"
If I can add one observation... once the VPN connection is established the speed drops by more than half. Normally I have 50/15; using the VPN connection it's max 18-20/14... so basically 30 Mb are gone... I was looking at the router load via LuCI graphs, and while the speedtest was running the load increased from almost 0.04 to 0.23.
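Both the first post's failing uci add_list firewall.lan.network and the uci set firewall.lan.network question above run into the same detail: the posted firewall file declares the zone as an unnamed config zone, and the uci show output confirms it is only reachable by index as firewall.@zone[0], so the path firewall.lan does not exist. The script below is an added example of mine (not from the thread or OpenWrt) that parses uci show firewall output of the same shape, resolves the anonymous section for a zone name, tests whether a network is already covered, and builds the uci add_list command that appends a network to that zone's list. The sample output is constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenWrt. Works on the output
# format of `uci show firewall` to address anonymous zone sections by index.
# The sample output below is constructed to match the thread's shape.

sample_uci_show() {
cat <<'EOF'
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan' 'wireguard_vpn'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan' 'wan6'
firewall.@zone[1].masq='1'
EOF
}

# zone_section NAME: read `uci show firewall` output on stdin and print the
# section path (e.g. firewall.@zone[0]) whose 'name' option equals NAME.
# Returns 1 when no zone carries that name.
zone_section() {
  want="'$1'"
  while IFS='=' read -r path val; do
    case "$path" in
      "firewall.@zone["*"].name")
        if [ "$val" = "$want" ]; then
          printf '%s\n' "${path%.name}"
          return 0
        fi ;;
    esac
  done
  return 1
}

# zone_networks NAME: print the networks covered by zone NAME, one per line.
zone_networks() {
  input=$(cat)
  sect=$(printf '%s\n' "$input" | zone_section "$1") || return 1
  printf '%s\n' "$input" | while IFS='=' read -r path val; do
    [ "$path" = "$sect.network" ] || continue
    # 'lan' 'wireguard_vpn'  ->  lan / wireguard_vpn on separate lines
    printf '%s\n' "$val" | tr -d "'" | tr ' ' '\n'
  done
}

# zone_covers NAME NET: exit 0 if NET is already in zone NAME's network list.
zone_covers() {
  zone_networks "$1" | grep -qx "$2"
}

# zone_add_network_cmd NAME NET: print the uci command that appends NET to
# the zone's network list, addressing the anonymous section by index.
zone_add_network_cmd() {
  input=$(cat)
  sect=$(printf '%s\n' "$input" | zone_section "$1") || {
    echo "no zone named $1" >&2; return 1; }
  printf "uci add_list %s.network='%s'\n" "$sect" "$2"
}

# On a router the input would be: uci show firewall | zone_add_network_cmd lan vpn
sample_uci_show | zone_covers lan wireguard_vpn && echo "lan zone already covers wireguard_vpn"
sample_uci_show | zone_add_network_cmd lan vpn
```

The printed command is only the append step; if the interface is renamed from wireguard_vpn to vpn, the old entry has to be removed from the same list as well (uci delete on that list, then add_list for each name to keep), followed by uci commit firewall and a firewall reload, which is why checking the current list with zone_covers first is worthwhile when working on a router 400 km away.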