Hi there. I was struggling for a couple of weeks to get a Wireguard VPN server running on my TL-WR740N (192.168.1.2, running OpenWRT), which is working as a dumb AP with the ISP's router (192.168.1.1). The dumb AP works just fine after I followed this guide, https://openwrt.org/docs/guide-user/network/wifi/dumbap (the CLI one); I have no LuCI, to save space for the Wireguard package and its dependencies.
Some routers don't masquerade all egress traffic, but only what matches their lan subnet. So in this case you'd need to enable masquerade on the lan firewall zone: uci set firewall.lan.masq='1'; uci commit firewall; /etc/init.d/firewall restart
Some tcpdump would be useful to understand if packets come and go as they should. However, the above-mentioned NAT should fix this.
Check the keys.
Verify that you actually see these packets: tcpdump -i eth0.1 -evn udp port 51820
Also, you don't need the 2 firewall rules; forwardings can cover that.
The simplest way to do this is to masquerade from the wireguard tunnel to the LAN. Thus the main router doesn't see any .9.0 IPs; Internet use by the road warrior appears to come from the WR740 on the LAN. Also, you can access LAN resources from the road. The only thing is, if someone on the LAN needs to initiate any connections to the road warrior, you'll need to forward ports or not use masquerade.
Check that the client's routing table is correct. Its route to the Internet (with an exception for the one IP of the Wireguard server at home) needs to be 192.168.9.1 on the wireguard interface. This will also cover reaching the home LAN without needing an explicit route for it.
The allowed_ips field is wrong. It should be a /32 address in the same subnet as the main WG interface. For example, 192.168.9.2/32 (which matches your 'client' configuration).
You also need to add the following to that peer config (on the OpenWrt side): option route_allowed_ips '1'
And you can remove the following from your firewall (it is not necessary since you already have forwarding rules configured):
Not sure if this is an error or a warning, but after that I see no changes in /etc/config/firewall. Also, I've got no space to install tcpdump, so I'll have to rebuild the image. I will come back with tcpdump results if I succeed.
Creating the wg0 interface with .9.0/24 IP automatically installs a route for it. route_allowed_ips is for adding additional networks that exist on the other side of the tunnel, that the server would not otherwise know about. A road warrior client only has its one IP which is already on the tunnel and covered by the automatic route. So its authorization on the server should be for that one IP.
On the allowed IPs, I found that 0.0.0.0/0 works in a 'server' context, but only for one 'client' connection. If you attempt to set up a second peer with 0.0.0.0/0, WG won't start. At least that was my experience when I first started using WG a few years back.
Regarding the route allowed IPs: AFAIK it is absolutely possible to run WG without it, but a route must be created on the local device (i.e. the OpenWrt side) in order for it to work properly (the OP already has a route installed on the main router). I didn't see a route on OpenWrt, so this option would make sense.
Do I have any of those bits wrong or misunderstood? If so, lmk so I can be more aware of the options and nuances with this type of config.
I can ping 192.168.9.1 from the 192.168.1.0 subnet, a consequence of setting the static route to 192.168.9.0 on the main router. I failed to get tcpdump on the WR740, so now I'm trying to apply all the suggestions from this thread. Thank you.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option name 'wireguard'
	option network 'wg0'
	option forward 'ACCEPT'

config forwarding
	option dest 'wireguard'
	option src 'lan'

config forwarding
	option dest 'lan'
	option src 'wireguard'
WG client:
[Interface]
PrivateKey = (private key)
Address = 192.168.9.2/32
[Peer]
PublicKey = ZWMprq+TvcnQwdCokySRRylGzYq3njaKSFX7s9OD1Hs=
# if I try 192.168.9.2/32 here, I can't get a successful handshake in any case
AllowedIPs = 0.0.0.0/0
Endpoint = (dumb AP's IP/public IP):51820
On the 'client' side, this should be 0.0.0.0/0 if you want all traffic to go through the tunnel.
Do your iPhone and your PC have exactly the same configuration? You only have a single peer defined in the OpenWrt config... this means that the two devices must have the same private key or the handshake will fail. Obviously the rest of it must also be identical.
Two things to check here:
On your primary router, have you port-forwarded UDP 51820 > 192.168.1.2:51820?
Have you verified that you have a proper public IP address on the WAN of your primary router?
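The checks the replies ask for (keys that match on both sides, a /32 allowed_ips for the road warrior on the OpenWrt side, 0.0.0.0/0 on the client, and the endpoint port that has to be forwarded) can be scripted and run before restarting WireGuard on a box that has no room for tcpdump. The script below is an added example, not code from this thread or from OpenWrt: it parses the OpenWrt side as UCI text and the client as a wg-quick style file, derives each public key from the private key with a small pure-Python X25519 (the same computation `wg pubkey` does, so nothing extra has to be installed on the router) and returns every mismatch it finds. Everything in it is an assumption of the example: the two sample configs are constructed, the keys are the RFC 7748 section 6.1 test vectors rather than anyone's real keys, 203.0.113.10 stands in for the home public IP, the client is taken to be a single full-tunnel road-warrior peer, and `check_road_warrior` and the other names are the example's own.

```python
"""Consistency checks for an OpenWrt WireGuard road-warrior setup. Added example, not
code from the thread; the sample configs below are constructed (RFC 7748 test keys)."""
import base64
import configparser
import ipaddress
import re

def x25519(k: bytes, u: bytes) -> bytes:
    """X25519 (RFC 7748 Montgomery ladder); used here only to derive public keys."""
    P = 2**255 - 19
    kb = bytearray(k)
    kb[0] &= 248; kb[31] &= 127; kb[31] |= 64                   # clamp the scalar
    n, x1 = int.from_bytes(kb, "little"), int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (n >> t) & 1
        swap ^= kt
        if swap: x2, x3, z2, z3 = x3, x2, z3, z2                # conditional swap
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e, c, d = (aa - bb) % P, (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap: x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def key_from_hex(h: str) -> str:                                 # raw hex -> WireGuard base64
    return base64.b64encode(bytes.fromhex(h)).decode()

def wg_pubkey(private_b64: str) -> str:                          # what `wg pubkey` prints
    return base64.b64encode(x25519(base64.b64decode(private_b64), (9).to_bytes(32, "little"))).decode()

def parse_uci(text: str) -> list:
    """Minimal /etc/config parser: list of {type, name, opts, lists} sections."""
    sections = []
    for kind, key, val in re.findall(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?", text, re.M):
        if kind == "config":
            sections.append({"type": key, "name": val, "opts": {}, "lists": {}})
        elif kind == "option":
            sections[-1]["opts"][key] = val
        else:
            sections[-1]["lists"].setdefault(key, []).append(val)
    return sections

def parse_wg_conf(text: str) -> tuple:
    """wg-quick style file with one peer -> (interface dict, peer dict)."""
    cp = configparser.ConfigParser(delimiters=("=",), inline_comment_prefixes=("#",), interpolation=None)
    cp.optionxform = str                                         # keep PrivateKey/AllowedIPs case
    cp.read_string(text)
    return dict(cp["Interface"]), dict(cp["Peer"])

def check_road_warrior(server_uci: str, client_conf: str) -> list:
    """Every mismatch between the OpenWrt side and the client; an empty list means consistent."""
    problems, secs = [], parse_uci(server_uci)
    iface = next(s for s in secs if s["opts"].get("proto") == "wireguard")
    peers = [s for s in secs if s["type"] == "wireguard_" + iface["name"]]
    cl_if, cl_peer = parse_wg_conf(client_conf)
    cl_ip = ipaddress.ip_interface(cl_if["Address"]).ip
    tunnel = ipaddress.ip_interface(iface["lists"]["addresses"][0]).network
    if cl_ip not in tunnel:
        problems.append(f"client {cl_ip} is outside the wg0 subnet {tunnel}")
    # The server's peer entry is the one whose public_key the client's PrivateKey derives.
    peer = next((p for p in peers if p["opts"].get("public_key") == wg_pubkey(cl_if["PrivateKey"])), None)
    if peer is None:
        problems.append("no server peer carries the public key derived from the client PrivateKey")
    else:
        allowed = [str(ipaddress.ip_network(a, strict=False)) for a in peer["lists"].get("allowed_ips", [])]
        if allowed != [f"{cl_ip}/32"]:
            problems.append(f"server allowed_ips {allowed} should be exactly ['{cl_ip}/32']")
    if cl_peer["PublicKey"] != wg_pubkey(iface["opts"]["private_key"]):
        problems.append("client [Peer] PublicKey is not the server's public key")
    if cl_peer["AllowedIPs"].replace(" ", "") != "0.0.0.0/0":       # full-tunnel client assumed
        problems.append("client AllowedIPs should be 0.0.0.0/0 to send all traffic through the tunnel")
    if cl_peer["Endpoint"].rsplit(":", 1)[1] != iface["opts"].get("listen_port"):
        problems.append("client Endpoint port differs from the server listen_port")
    return problems

# Constructed sample input: the OpenWrt side as UCI text, the client as a wg-quick file.
CLIENT_PRIV = key_from_hex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
SERVER_PRIV = key_from_hex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
SERVER_UCI = f"""config interface 'wg0'
	option proto 'wireguard'
	option private_key '{SERVER_PRIV}'
	option listen_port '51820'
	list addresses '192.168.9.1/24'
config wireguard_wg0
	option public_key '{wg_pubkey(CLIENT_PRIV)}'
	list allowed_ips '192.168.9.2/32'
"""
CLIENT_CONF = f"""[Interface]
PrivateKey = {CLIENT_PRIV}
Address = 192.168.9.2/32
[Peer]
PublicKey = {wg_pubkey(SERVER_PRIV)}
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.10:51820
"""
```

Calling `check_road_warrior(SERVER_UCI, CLIENT_CONF)` on the constructed pair returns an empty list. Changing the server's `list allowed_ips` to '192.168.9.0/24', or pasting the wrong PrivateKey into the client file, makes it return the corresponding mismatch, which is the kind of silent error that otherwise only shows up as a missing handshake or a handshake with no traffic. Only the standard library is used; `wg pubkey` on a machine that has it will print the same public keys for the two private keys.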
I have a static public IP which hasn't changed for years. As far as I know, it is only my network behind this IP (I would like to check, if that is possible).
I haven't tried it with multiple clients. In that case I would also add the specific addresses, in case it would not work. However, I get the feeling that it is some kind of access list and not necessarily an identifier.
Regarding the route, as @mk24 pointed out, you have the /24 on the server side, so that is enough.
It's an error alright. Add it manually: option masq '1' inside config zone lan.
OMG! There is a handshake from the Internet, but still no Internet connection. I'll keep experimenting; I think I saw similar topics with this problem somewhere on the OpenWRT forum while looking for solutions. Thank you!
Everything seems to work fine, both locally and from the Internet; all LAN members are visible to VPN clients. The last problem was that I hadn't added DNS to the WG config file. So now it is like this: