WireGuard server no handshake

Created the peers with public key and private key. Connected 100%. Ports are forwarded, etc.; it works. But no internet, because the interface RX/TX are still ZERO.
Tested with the WireGuard client on Android, iPhone and a Linux client.

If RX and TX are zero then the server and client aren't connected, which usually indicates incorrect keys or an issue with the firewall. Were you attempting to connect from inside your LAN or externally? What's the output of iptables-save -c | grep -e 51820?

1 Like
iptables-save -c | grep -e 51820
[0:0] -A zone_wan_input -p udp -m udp --dport 51820 -m comment --comment "!fw3: Allow-WireGuard" -j ACCEPT

The [0:0] means there hasn't been any traffic which matches that rule. So if your client connection attempts were made externally then they're not getting to the router at all. Otherwise, if the attempts were made internally it's likely to be an issue with keys.

2 Likes

Because there is no connection at all on the interface. The client did its job correctly, but if the server interface counters are zero, then it's the same for the client. I've tried outside with LTE and inside the network with the local and the public IP, both the same.

Your problem is most likely due to human-related errors/typos.
The automated script is strongly recommended to avoid this kind of issue.
These instructions are tested and work for multiple users.

1 Like

Until a connection has been made there will be no traffic on wireguard interfaces, either server or client. So if there is no traffic then the connection has not been made.

If it's not working inside or outside your network then you have config issues. Either your connection details are wrong or the keys are incorrect. There's also the possibility of firewall misconfiguration.

2 Likes

The answer is like when you call your provider: "it works for multiple users." :grinning:
If I mistype and I'm dumb at copy-pasting, then the automated script does the same.

That's not true, the interface gives RX and TX values even without being connected to any client.

No it doesn't. Wireguard is not 'chatty'. It only exchanges traffic when a connection is made. The only exception is a client sending traffic to initiate a handshake.

But let's go back to basics. Please give us the output (making sure to redact any private data) of

uci export network; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; wg
2 Likes

The client is connected and shows the client in wireguard luci interface, but with 0 RX and TX.

Please give us the output (making sure to redact any private data) of

uci export network; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; wg
1 Like

It is only connected when you see a handshake.
There's no handshake in the above output.
This means that the client is not connected.

2 Likes
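A small checker, added here and not part of the thread or of OpenWrt, that applies the two rules the replies above give: a [0:0] counter on the Allow-WireGuard rule means no packet matched it at the router's firewall, and a peer without a "latest handshake" line in wg output is not connected. The iptables-save -c and wg samples are constructed, and the keys and endpoint in them are placeholders.

```python
import re

# Constructed samples modelled on the thread's pasted output (keys/endpoint are placeholders).
IPTABLES_NO_TRAFFIC = """\
[18:854] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 51820 -m comment --comment "!fw3: Allow-WireGuard" -j ACCEPT
[18:854] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
"""
IPTABLES_TRAFFIC = IPTABLES_NO_TRAFFIC.replace(
    "[0:0] -A zone_wan_input -p udp", "[12:1776] -A zone_wan_input -p udp")

WG_NO_HANDSHAKE = """\
interface: vpn
  public key: SERVER_PUBLIC_KEY_PLACEHOLDER
  private key: (hidden)
  listening port: 51820

peer: CLIENT_PUBLIC_KEY_PLACEHOLDER
  preshared key: (hidden)
  allowed ips: 192.168.9.2/32
"""
WG_HANDSHAKE = WG_NO_HANDSHAKE + """\
  endpoint: 203.0.113.7:41641
  latest handshake: 12 seconds ago
  transfer: 1.23 KiB received, 2.45 KiB sent
"""

# iptables-save -c lines look like: [packets:bytes] -A chain <matches> -j target
COUNTER_RE = re.compile(r'^\[(\d+):(\d+)\]\s+-A\s+(\S+)\s+(.*)$')

EXPLANATIONS = {
    'connected': 'a peer shows a latest handshake: client and server did connect',
    'no-accept-rule': 'no ACCEPT rule for UDP port found in iptables-save -c output',
    'no-packets-at-firewall': 'counter is [0:0]: no client packet reached the router on that port',
    'packets-but-no-handshake': 'packets arrive but no handshake completes: check keys/endpoint',
}


def wireguard_rule_counters(iptables_save_c, port=51820):
    """Return (packets, bytes) of the first rule accepting UDP dport <port>, or None."""
    for line in iptables_save_c.splitlines():
        m = COUNTER_RE.match(line)
        if not m:
            continue
        pkts, byts, _chain, rest = m.groups()
        if '-p udp' in rest and f'--dport {port}' in rest and '-j ACCEPT' in rest:
            return int(pkts), int(byts)
    return None


def parse_wg_peers(wg_output):
    """Parse `wg` output into one dict per peer; interface-level lines are skipped."""
    peers, current = [], None
    for line in wg_output.splitlines():
        if line.startswith('peer: '):
            current = {'public_key': line[len('peer: '):].strip()}
            peers.append(current)
        elif line.startswith('interface: '):
            current = None
        elif current is not None and ': ' in line:
            key, value = line.strip().split(': ', 1)
            current[key] = value
    return peers


def diagnose(iptables_save_c, wg_output, port=51820):
    """Classify the state using the two rules given in the thread."""
    if any('latest handshake' in p for p in parse_wg_peers(wg_output)):
        return 'connected'
    counters = wireguard_rule_counters(iptables_save_c, port)
    if counters is None:
        return 'no-accept-rule'
    if counters[0] == 0:
        return 'no-packets-at-firewall'
    return 'packets-but-no-handshake'


if __name__ == '__main__':
    for ipt, wg in [(IPTABLES_NO_TRAFFIC, WG_NO_HANDSHAKE),
                    (IPTABLES_TRAFFIC, WG_NO_HANDSHAKE), (IPTABLES_TRAFFIC, WG_HANDSHAKE)]:
        code = diagnose(ipt, wg)
        print(f'{code}: {EXPLANATIONS[code]}')
```

Paste the real outputs of iptables-save -c and wg into the two strings to run it against a router's own state.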
ci export network; \
> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> iptables-save -c; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; wg
package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdb7:dffc:8382::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '9.9.9.9'
	list dns '149.112.112.112'

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'dhcp'
	list dns '9.9.9.9'
	list dns '149.112.112.112'
	option peerdns '0'

config interface 'wan6'
	option ifname 'eth1.2'
	option proto 'dhcpv6'
	list dns '2620:fe::fe'
	list dns '2620:fe::9'
	option reqprefix 'auto'
	option reqaddress 'try'
	option peerdns '0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'

config interface 'vpn'
	option proto 'wireguard'
	option private_key 'cHE2oUAKHxdbLG8DK5WiLBcXAFTMOp7D7FM/M2Wq93I='
	option listen_port '51820'
	list addresses '192.168.9.1/24'
	list addresses 'fdf1:e8a1:8d3f:9::1/64'

config wireguard_vpn 'wgclient'
	option public_key '1Y918FLJwNneuWGvioVsg/scmU/eZaTldu2BLVPt8ks='
	option preshared_key 'jt0eZNlSUG4D2VFsz33fWVSLanBtLj7BifvvM9iDW9U='
	list allowed_ips '192.168.9.2/32'
	list allowed_ips 'fdf1:e8a1:8d3f:9::2/128'

package dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option drop_invalid '1'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	list network 'lan'
	list network 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone 'wan'
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config redirect
	option dest_port '64738'
	option src 'wan'
	option name 'chawgMumble'
	option src_dport '64738'
	option target 'DNAT'
	option dest_ip '192.168.1.213'
	option dest 'lan'

config redirect
	option dest_port '443'
	option src 'wan'
	option name 'chawgSSL'
	option src_dport '443'
	option target 'DNAT'
	option dest_ip '192.168.1.213'
	option dest 'lan'

config redirect
	option dest_port '80'
	option src 'wan'
	option name 'chawgHTTP'
	option src_dport '80'
	option target 'DNAT'
	option dest_ip '192.168.1.213'
	option dest 'lan'

config redirect
	option dest_port '51820'
	option src 'wan'
	option name 'VPNchawg'
	option src_dport '51820'
	option target 'DNAT'
	option dest_ip '192.168.1.214'
	option dest 'lan'
	option enabled '0'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# Generated by iptables-save v1.8.3 on Wed Dec  8 12:00:26 2021
*nat
:PREROUTING ACCEPT [65:14797]
:INPUT ACCEPT [6:591]
:OUTPUT ACCEPT [32:2350]
:POSTROUTING ACCEPT [12:762]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[75:15417] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[47:13943] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i vpn -m comment --comment "!fw3" -j zone_lan_prerouting
[28:1474] -A PREROUTING -i eth1.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[63:3912] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[10:620] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o vpn -m comment --comment "!fw3" -j zone_lan_postrouting
[51:3150] -A POSTROUTING -o eth1.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[10:620] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.213/32 -p tcp -m tcp --dport 64738 -m comment --comment "!fw3: chawgMumble (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.213/32 -p udp -m udp --dport 64738 -m comment --comment "!fw3: chawgMumble (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 192.168.1.213/32 -p tcp -m tcp --dport 64738 -m comment --comment "!fw3: chawgMumble (reflection)" -j SNAT --to-source 192.168.9.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 192.168.1.213/32 -p udp -m udp --dport 64738 -m comment --comment "!fw3: chawgMumble (reflection)" -j SNAT --to-source 192.168.9.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.213/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: chawgSSL (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.213/32 -p udp -m udp --dport 443 -m comment --comment "!fw3: chawgSSL (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 192.168.1.213/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: chawgSSL (reflection)" -j SNAT --to-source 192.168.9.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 192.168.1.213/32 -p udp -m udp --dport 443 -m comment --comment "!fw3: chawgSSL (reflection)" -j SNAT --to-source 192.168.9.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.213/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: chawgHTTP (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.213/32 -p udp -m udp --dport 80 -m comment --comment "!fw3: chawgHTTP (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 192.168.1.213/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: chawgHTTP (reflection)" -j SNAT --to-source 192.168.9.1
[0:0] -A zone_lan_postrouting -s 192.168.9.0/24 -d 192.168.1.213/32 -p udp -m udp --dport 80 -m comment --comment "!fw3: chawgHTTP (reflection)" -j SNAT --to-source 192.168.9.1
[47:13943] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 87.XXX.XX.XX/32 -p tcp -m tcp --dport 64738 -m comment --comment "!fw3: chawgMumble (reflection)" -j DNAT --to-destination 192.168.1.213:64738
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 87.XXX.XX.XX/32 -p udp -m udp --dport 64738 -m comment --comment "!fw3: chawgMumble (reflection)" -j DNAT --to-destination 192.168.1.213:64738
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d 87.XXX.XX.XX/32 -p tcp -m tcp --dport 64738 -m comment --comment "!fw3: chawgMumble (reflection)" -j DNAT --to-destination 192.168.1.213:64738
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d 87.XXX.XX.XX/32 -p udp -m udp --dport 64738 -m comment --comment "!fw3: chawgMumble (reflection)" -j DNAT --to-destination 192.168.1.213:64738
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 87.XXX.XX.XX/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: chawgSSL (reflection)" -j DNAT --to-destination 192.168.1.213:443
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 87.XXX.XX.XX/32 -p udp -m udp --dport 443 -m comment --comment "!fw3: chawgSSL (reflection)" -j DNAT --to-destination 192.168.1.213:443
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d 87.XXX.XX.XX/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: chawgSSL (reflection)" -j DNAT --to-destination 192.168.1.213:443
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d 87.XXX.XX.XX/32 -p udp -m udp --dport 443 -m comment --comment "!fw3: chawgSSL (reflection)" -j DNAT --to-destination 192.168.1.213:443
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 87.XXX.XX.XX/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: chawgHTTP (reflection)" -j DNAT --to-destination 192.168.1.213:80
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d 87.XXX.XX.XX/32 -p udp -m udp --dport 80 -m comment --comment "!fw3: chawgHTTP (reflection)" -j DNAT --to-destination 192.168.1.213:80
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d 87.XXX.XX.XX/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: chawgHTTP (reflection)" -j DNAT --to-destination 192.168.1.213:80
[0:0] -A zone_lan_prerouting -s 192.168.9.0/24 -d 87.XXX.XX.XX/32 -p udp -m udp --dport 80 -m comment --comment "!fw3: chawgHTTP (reflection)" -j DNAT --to-destination 192.168.1.213:80
[51:3150] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[51:3150] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[28:1474] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 64738 -m comment --comment "!fw3: chawgMumble" -j DNAT --to-destination 192.168.1.213:64738
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 64738 -m comment --comment "!fw3: chawgMumble" -j DNAT --to-destination 192.168.1.213:64738
[10:620] -A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: chawgSSL" -j DNAT --to-destination 192.168.1.213:443
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 443 -m comment --comment "!fw3: chawgSSL" -j DNAT --to-destination 192.168.1.213:443
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: chawgHTTP" -j DNAT --to-destination 192.168.1.213:80
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 80 -m comment --comment "!fw3: chawgHTTP" -j DNAT --to-destination 192.168.1.213:80
COMMIT
# Completed on Wed Dec  8 12:00:26 2021
# Generated by iptables-save v1.8.3 on Wed Dec  8 12:00:26 2021
*mangle
:PREROUTING ACCEPT [1746:214878]
:INPUT ACCEPT [1062:74979]
:FORWARD ACCEPT [647:126809]
:OUTPUT ACCEPT [1002:221304]
:POSTROUTING ACCEPT [1648:348030]
[11:660] -A FORWARD -o eth1.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[11:680] -A FORWARD -i eth1.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Wed Dec  8 12:00:26 2021
# Generated by iptables-save v1.8.3 on Wed Dec  8 12:00:26 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[44:4014] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[1021:71121] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[936:66494] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[60:2940] -A INPUT -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
[16:660] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[7:833] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i vpn -m comment --comment "!fw3" -j zone_lan_input
[18:854] -A INPUT -i eth1.2 -m comment --comment "!fw3" -j zone_wan_input
[647:126809] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[631:125804] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1:83] -A FORWARD -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
[5:302] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i vpn -m comment --comment "!fw3" -j zone_lan_forward
[10:620] -A FORWARD -i eth1.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[44:4014] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[962:218458] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[928:215986] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -m conntrack --ctstate INVALID -m comment --comment "!fw3" -j DROP
[0:0] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o vpn -m comment --comment "!fw3" -j zone_lan_output
[34:2472] -A OUTPUT -o eth1.2 -m comment --comment "!fw3" -j zone_wan_output
[17:801] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[1:53] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[16:660] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_ACCEPT -o vpn -m comment --comment "!fw3" -j ACCEPT
[5:302] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[5:302] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[7:833] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[7:833] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[0:0] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[0:0] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[7:833] -A zone_lan_src_ACCEPT -i br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_src_ACCEPT -i vpn -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o eth1.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[39:2774] -A zone_wan_dest_ACCEPT -o eth1.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth1.2 -m comment --comment "!fw3" -j reject
[10:620] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[10:620] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[18:854] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 51820 -m comment --comment "!fw3: Allow-WireGuard" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[18:854] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[34:2472] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[34:2472] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[18:854] -A zone_wan_src_REJECT -i eth1.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Wed Dec  8 12:00:26 2021
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
12: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
14: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 87.XXX.XX.XX/25 brd 87.62.102.127 scope global eth1.2
       valid_lft forever preferred_lft forever
15: vpn: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 192.168.9.1/24 brd 192.168.9.255 scope global vpn
       valid_lft forever preferred_lft forever
default via 87.62.102.1 dev eth1.2 proto static src 87.XXX.XX.XX 
87.62.102.0/25 dev eth1.2 proto kernel scope link src 87.XXX.XX.XX 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
192.168.9.0/24 dev vpn proto kernel scope link src 192.168.9.1 
broadcast 87.62.102.0 dev eth1.2 table local proto kernel scope link src 87.XXX.XX.XX 
local 87.XXX.XX.XX dev eth1.2 table local proto kernel scope host src 87.XXX.XX.XX15 
broadcast 87.XXX.XX.XX127 dev eth1.2 table local proto kernel scope link src 87.XXX.XX.XX15 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1 
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1 
broadcast 192.168.9.0 dev vpn table local proto kernel scope link src 192.168.9.1 
local 192.168.9.1 dev vpn table local proto kernel scope host src 192.168.9.1 
broadcast 192.168.9.255 dev vpn table local proto kernel scope link src 192.168.9.1 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
interface: vpn
  public key: XXXXX
  private key: (hidden)
  listening port: 51820

peer: XXX
  preshared key: (hidden)
  allowed ips: 192.168.9.2/32, fdf1:e8a1:8d3f:9::2/128
1 Like

Even if you copy-pasted the keys, it is still possible to confuse the server/client and public/private keys.
This is a common mistake many users make due to misunderstanding of asymmetric cryptography.

2 Likes

Stop repeating the same sh** again and again. The videos of this setup are on YouTube; the interface is connected without any client. https://www.youtube.com/watch?v=Bo2AsW4BMOo
Maybe the article is wrong or the new firmware is buggy or old.

No they're not. When he shows the connection status you can see the details of the latest handshake which indicates at some point there has been a connection between the server and the client. That is why the interface shows data has been received and transmitted.

The issue is with your configuration. WG works fine in current OpenWrt firmwares. The wiki instructions work.

2 Likes

Just removed my question. Removed the interface and installed PiVPN on another device. It seems you are sure about your wrong article in the wiki.
Bye

Wireguard server connected but no internet from client - #25 by SiaNariman

1 Like
