Wireguard Server on Dumb AP

I am pretty new to this and have only set up WireGuard on Ubuntu systems before, so any help is appreciated.

Goal: I want to be able to access my home network devices when I am outside the network or on the go.

I am trying to set up a WireGuard server on my dumb AP (I followed the OpenWrt dumb AP guide) but am running into issues.

  1. WireGuard client not able to do a handshake
  2. No internet connection when connected to the WireGuard server
    I also tried replicating this guide (WireGuard server on dumb AP),
    but still nothing.

I am able to ping the WireGuard server IP from the LuCI diagnostics page, but other than that nothing.
Also, when I try to ping any hostname like openwrt.org, it just replies "specify the destination".

Here is a diagram of what my network looks like; I hope it helps:

This is what my network configuration looks like:

root@OpenWrt-N1:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd5a:0cd2:b164::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'eth2'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.10.3'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.10.1'
        list dns '192.168.10.1'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'my private keysssssssssssss'
        option listen_port '51876'
        list addresses '10.66.66.1/24'
        option auto '0'
        list dns '192.168.10.1'
        list dns '192.168.1.1'
        list dns '1.1.1.1'

config wireguard_wg0
        option description 's20plus'
        option public_key 'KI7Z5uDur69UUZmkVdsrDFgV6zVIeQfgDd730Id2DyI='
        option private_key 'my private keysss'
        option preshared_key 'my preshared keyssssssss'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option route_allowed_ips '1'


This is what my firewall configuration looks like:

root@OpenWrt-N1:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list network 'wg0'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'vpn'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

I am using DDNS to reach my server as I have a dynamic public IP; the DDNS client is running and the hostname is resolving OK.

The port is also forwarded, on both the ISP router and the main router.

port forward on main router:

port forward on isp router:

I also read that you need a static route on the main router, but that if you enable masquerading you don't need one. I have masquerading enabled, so I don't know if this is the issue, and if it is, how do I set a static route from the main router to the dumb AP's WireGuard subnet?

Thank You for reading till last.


I did not look through everything, but your Allowed IPs for the peer seem wrong.

Usually for the Allowed IPs on the server you just enter the peer's WG address, e.g. if your S20Plus address is 10.66.66.2:
list allowed_ips '10.66.66.2/32'
You do not seem to use IPv6 for WG, so remove the list allowed_ips '::/0' entry.


Sorry for the late reply, I'll try your fix and report back

The suggestion from @egc is a good one (important to fix), but there is more that needs to be done...
Remove the dns entries from the WG interface (they don't do anything) and also remove the option auto '0'. It will look like this when you're done:

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'my private keysssssssssssss'
        option listen_port '51876'
        list addresses '10.66.66.1/24'

as already covered by @egc, fix the allowed_ips:

config wireguard_wg0
        option description 's20plus'
        option public_key 'KI7Z5uDur69UUZmkVdsrDFgV6zVIeQfgDd730Id2DyI='
        option private_key 'my private keysss'
        option preshared_key 'my preshared keyssssssss'
        list allowed_ips '10.66.66.2/32'
        option route_allowed_ips '1'

Turn on masquerading in the lan zone:

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        option masq '1'

Turn off masquerading in the vpn zone:

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wg0'

Delete this (it doesn't do anything)

add this to the firewall:

config forwarding
        option src 'vpn'
        option dest 'lan'

To answer this:

Yes, this is true. It looks like the main router is running OpenWrt, so you can easily set a static route, if you want.

The idea is that your WG interface is another subnet. However, if masquerading is used, the WG subnet 'hides behind' (i.e. masquerades) the lan address of your wireguard 'server' device, which it already knows about. However, if masquerading is disabled, the main router needs to know how to send traffic back to that network (i.e. it needs to know the gateway for that subnet).

You had this configured slightly incorrectly... you need to masquerade the upstream network/zone (i.e. the lan in this case), not the downstream one (wg).

As for static routes... see this documentation for configuring static routes. In your case, you'll use

config route 'route_example_1'
        option interface 'lan'
        option target '10.66.66.0'
        option netmask '255.255.255.0'
        option gateway '192.168.10.3'

The way you have it now only forwards from the ONU to the Main Router. Then the Main Router needs to continue to forward 51876 UDP from its wan to its lan at 192.168.10.3 so the Dumb AP which is running Wireguard will receive it.

There are better ways to do this so that the whole network has less NAT.

  • Put the ONU into "IP Passthrough" or "Bridge" mode so that Main Router's WAN holds the house's public IP.
  • OR In the ONU install a route to 192.168.10.0/24 via 192.168.1.2 then turn off NAT in Main Router. The route back to the VPN tunnel also belongs here in the ONU: 10.66.66.0/24 via 192.168.10.3.

I thought that, too... but the OP did handle that (below is the main router, not the one with WG)...

I agree with this, assuming the ONU supports either of those features.


BTW, @fockoemfirmwares -- since it seems that your main router is also running OpenWrt, why not simply put Wireguard there? Why is it on the dumb AP?


The thing is, I have two ISPs and sometimes, when I face an outage (3rd world country problems), I just unplug the cable from one ONU to the other. Also, the ONU carries IPTV, VoIP and Internet services, so I don't think it's a good idea to put it into bridge mode. Let me know if I am wrong or right?

At first, I was trying to configure it on the main router, but it was messing with the internet connection, and there are many clients connected to that router, so I thought I would first try on the dumb AP, which doesn't have many clients.

Can you tell me what the benefits and drawbacks of running it on the main router vs. the dumb AP would be? I am not very knowledgeable about NAT and how it affects the network. I also thought it would save me some RAM and storage space if I run it on the dumb AP; am I right or wrong?

Also, as @mk24 suggested reducing the amount of NAT: if I do that, how will it benefit me? Any performance or latency benefits, or just ease of configuration/changes?

To anyone who stumbles upon this thread at a later time:
Objective: accessing the home network from outside the network or on 4G

This is what my configs look like after applying all the fixes:

root@OpenWrt-N1:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        option masq '1'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wg0'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'vpn'
        option dest 'lan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
root@OpenWrt-N1:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd5a:0cd2:b164::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'eth2'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.10.3'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.10.1'
        list dns '192.168.10.1'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'my private keyssss'
        option listen_port '51876'
        list addresses '10.66.66.1/24'

config wireguard_wg0
        option description 's20plus'
        option public_key 'my public keysssss'
        option private_key 'my private keyssssss'
        option preshared_key 'my preshared keysssss'
        list allowed_ips '10.66.66.2/32'
        option route_allowed_ips '1'

config wireguard_wg0
        option description 'inspiron'
        option public_key 'my public keysss'
        option private_key 'my private keyssssss'
        option preshared_key 'my preshared keyssssss'
        list allowed_ips '10.66.66.3/32'
        option route_allowed_ips '1'

@psherman I am facing an issue: I am able to access the main router gateway but not the ONU gateway, whereas without the VPN I am able to do it. Is there any way to fix it? Any help is appreciated.

What is the device that is unable to reach the ONU? And how is it connected to the network?

Never mind, it is working now.
BTW I am grateful for all the help you have provided.
Have a nice day, Mate

