WireGuard server on dumb AP (TP-Link C6 v3)

Hello. I'm a newbie when it comes to setting up a WireGuard server. I managed to do it once using an automated Windows script, but I'm trying to up my game by making a special setup since I have a spare router at home.

This is my setup: [setup diagram]

So I am trying to set up a WireGuard server on my second router (TP-Link C6 v3.2) so I can connect from outside the network using my phone and use the internet (and have the same IP as my home network).

I have a dynamic IP from my ISP, but I have configured a DDNS service (TP-Link) on the main router (TP-Link C6 v2).

I have found a script to set up WireGuard here: https://openwrt.org/docs/guide-user/services/vpn/wireguard/automated , but I don't know how to configure it so it can use the second router as a dumb AP.

I don't know how to set up static routing on my main router.

I would appreciate a step-by-step, newbie-friendly tutorial for what I need to do to make this work, if someone has the kind heart and patience to guide me through.

Thank you!

Better follow the normal guide. The dumb AP doesn't use the firewall, but you need to enable it only to masquerade the lan zone. That way you don't need any static route on the main router.

1 Like

Well, I followed that tutorial and I don't know what to do next. I SSHed into my router and executed those commands. What should I do next? How do I generate keys for my phone, and how do I add my DDNS to the setup? Also, how do I enable masquerading for the lan zone?

My suggestion is to set up WireGuard first. When you have it working, confirmed with the phone over Wi-Fi, you may set up port forwarding on the first router (port 51820 to 192.168.0.2). If the phone's client allows it, use a different, less-known port. It is better to use NAT on the second router, since you will use its IP to access the LAN resources. Otherwise, the remaining LAN devices will refuse access to the different network, despite it being on the LAN side of the first router. You may need to create a new firewall zone for WireGuard in order to get the NAT easily working, or to move the AP to the WAN side and WireGuard to the LAN of the second router. You can do the basic firewall with the web interface if installed. If using uci, the rules and the zones could be numbered, so you should check your setup if not editing /etc/config/firewall directly. There are also the luci-app-wireguard package for the web interface and the WireGuard Installer (client & server) packages available.

config zone
        option name 'vpn'
        list network 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'lan' -> This one exists. Add only the following line:
        option masq '1'

3rd line
wg genkey | tee wgclient.key | wg pubkey > wgclient.pub

You'll add it in the client configuration.

Go to firewall, tick the masquerade for lan zone and save/apply.

2 Likes

(The app itself can also generate keys and allows you to copy the Public Key for what you generated.)

2 Likes

I couldn't manage to establish a connection between my phone and the router while connected to the Wi-Fi using this method. The QR code from the peers section didn't do anything when I scanned it with my phone.
I managed to establish a connection using this tutorial https://www.reddit.com/r/openwrt/comments/bahhua/openwrt_wireguard_vpn_server_tutorial/, but I didn't have access to the internet or to 192.168.0.2 or 192.168.0.1.

I don't know what to do next. I did masquerade the LAN->WAN connection.

Let's see your configs... we need the ones from your router as well as the phone.

Please copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless

I don't think that I will find a step-by-step tutorial for this kind of setup; it takes too much time to write. I barely established a connection using the Reddit tutorial, but I had no idea what I had done.

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'REDACTED'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.0.2'
        option gateway '192.168.0.1'
        list dns '192.168.0.1'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option auto '0'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option auto '0'
        option reqaddress 'try'
        option reqprefix 'auto'

config interface 'wg0'
        option proto 'wireguard'
        option listen_port '1234'
        list addresses '10.14.0.1/24'
        option private_key 'REDACTED'

config wireguard_wg0
        option description 'realme'
        option public_key 'REDACTED'
        list allowed_ips '10.14.0.3/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'REDACTED'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'REDACTED'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option disabled '1'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

Also, it seems that from time to time I lose internet access when connecting an Ethernet cable from a LAN port of the second router to my laptop.

I meant to ask for the firewall file (sorry I left that out of the original question)... can you post that, too?

Also, let's see the output of wg show

cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg0'
        option masq '1'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wg0'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'wireguard'
        list proto 'udp'
        option src 'lan'
        option src_dport '1234'
        option dest_ip '192.168.0.2'
        option dest_port '1234'

I don't get any output when doing wg show

I see several problems in the firewall file:

Remove the wg0 network from the lan zone. A network can only be in one zone.

This can be removed (it's only relevant for the wan and is a port you're not using):

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

You can also remove this since it shouldn't be a redirect, and it's operating on the lan that already allows input:

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'wireguard'
        list proto 'udp'
        option src 'lan'
        option src_dport '1234'
        option dest_ip '192.168.0.2'
        option dest_port '1234'

You need to add forwarding from the vpn zone to the lan:

config forwarding
        option src 'vpn'
        option dest 'lan'

Are you getting literally no output? Can you show exactly what happens?

3 Likes
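The two firewall mistakes called out in this reply (wg0 listed in both the lan and vpn zones, and a vpn zone with no forwarding toward lan) can be caught mechanically before running `fw4 reload`. This is an added example, not from the thread or from OpenWrt: a POSIX sh/awk lint over a copy of /etc/config/firewall, exercised here on constructed before/after snippets abridged from the configs posted above (file names and sample contents are this example's own).

```shell
# Added example: lint a copy of /etc/config/firewall for the two mistakes above.
lint_firewall() {
    awk -v q="'" '
    /^config /                     { n++; type[n] = $2; next }
    $1 == "option" || $1 == "list" {
        v = $3; gsub(q, "", v)                     # strip the quotes UCI writes
        if (type[n] == "zone"       && $2 == "name")    zname[n] = v
        if (type[n] == "zone"       && $2 == "network") nets[n]  = nets[n] " " v
        if (type[n] == "forwarding" && $2 == "src")     fsrc[n]  = v
        if (type[n] == "forwarding" && $2 == "dest")    fdst[n]  = v
    }
    END {
        for (i = 1; i <= n; i++) if (type[i] == "zone") {   # which zone owns each network?
            k = split(nets[i], a, " ")
            for (j = 1; j <= k; j++) owner[a[j]] = owner[a[j]] " " zname[i]
        }
        for (net in owner) if (split(owner[net], z, " ") > 1) {
            printf "ERROR: network %s is in more than one zone:%s\n", net, owner[net]; bad = 1
        }
        for (i = 1; i <= n; i++) if (type[i] == "forwarding") fwd[fsrc[i] "->" fdst[i]] = 1
        for (i = 1; i <= n; i++)                             # every extra zone must reach lan
            if (type[i] == "zone" && zname[i] != "lan" && zname[i] != "wan" && !((zname[i] "->lan") in fwd)) {
                printf "ERROR: zone %s has no forwarding to lan\n", zname[i]; bad = 1
            }
        exit bad + 0
    }' "$1"
}
# Constructed samples (abridged from the configs in this thread): broken first, then fixed.
BROKEN=$(mktemp); FIXED=$(mktemp)
cat > "$BROKEN" <<'EOF'
config zone 'lan'
        option name 'lan'
        list network 'lan'
        list network 'wg0'
config zone
        option name 'vpn'
        list network 'wg0'
EOF
cat > "$FIXED" <<'EOF'
config zone 'lan'
        option name 'lan'
        list network 'lan'
config zone
        option name 'vpn'
        list network 'wg0'
config forwarding
        option src 'vpn'
        option dest 'lan'
EOF
lint_firewall "$BROKEN" || echo "broken config rejected"; lint_firewall "$FIXED" && echo "fixed config passes"
```

On a router, run it against a saved copy (`lint_firewall /etc/config/firewall`); a non-zero exit means at least one finding was printed.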

I removed the things you said.
I added a new forwarding rule from the vpn zone to lan, port 1234.
This is what I get from wg show when connected with my phone.

 wg show
interface: wg0
  public key: REDACTED
  private key: (hidden)
  listening port: 1234

peer: REDACTED
  allowed ips: 10.14.0.3/32
  persistent keepalive: every 25 seconds

I still don't get access to the internet. Perhaps I have to do something with my main router?

You don't need this. You can remove it.

You're not getting a handshake... but that could be related to your main router.

So, try the following:

  • on your phone, change the endpoint to 192.168.0.2:1234
  • Connect to the wifi (so your phone has an address in the 192.168.0.0/24 network) and then try connecting.
2 Likes

Deleted the forwarding rule.
Modified the endpoint to 192.168.0.2:1234.
Connected to the wifi.
Still no access to the internet.
Perhaps I should try again to set up from the beginning, from a simple dumb AP to creating a WireGuard server. Maybe port forward from the main router to the second? I don't know what is wrong with my setup. I really don't want to modify the setup (I have some appliances connected to my main router via Wi-Fi and I don't want to modify them). I only want to be able to connect from another place to my home network so I can have my home IP.

Did you get a handshake? (wg show)

1 Like

interface: wg0
  public key: REDACTED
  private key: (hidden)
  listening port: 1234

peer: REDACTED
  endpoint: 192.168.0.102:47836
  allowed ips: 10.14.0.3/32
  latest handshake: 1 minute, 1 second ago
  transfer: 36.58 KiB received, 20.31 KiB sent
  persistent keepalive: every 25 seconds

Yes, you did get a handshake. That's good!

Let's see the latest firewall file.

1 Like

cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list network 'lan'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wg0'