Wireguard server on Mikrotik RB760iGS with version 22.03

I've been trying to set up a Wireguard server on my router, using the first script from this wiki page: https://openwrt.org/docs/guide-user/services/vpn/wireguard/automated

I can make a connection from inside my local network, but when trying from outside there is no connection.

My interface config looks like this:

config interface 'wg_lan'
	option proto 'wireguard'
	option listen_port '1234'
	list addresses '10.0.5.1/24'
	option mtu '1420'

config wireguard_wg_lan
	option public_key '***'
	option preshared_key '***'
	option description 'Alpha'
	list allowed_ips '10.0.5.2/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

config wireguard_wg_lan
	option public_key '***'
	option preshared_key '***'
	option description 'Bravo'
	list allowed_ips '10.0.5.3/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

Also, here is my firewall config:

config rule 'wg'
	option name 'Allow-WireGuard-lan'
	option src 'wan'
	option dest_port '1234'
	option proto 'udp'
	option target 'ACCEPT'

Thanks in advance for any advice given :slight_smile:

Edit: wrong port in firewall config, still does not work

If you listen on 1234, why did you allow 9995?

Did you add the WG interface (wg_lan) to the LAN zone in the firewall?

Does your router have a public internet address, and is it reachable?

Always test from the outside, e.g. with your phone on cellular.

Yes, I added the wg interface to the LAN zone, and yes - my router has an IP address and is reachable. I've tested with my Android phone as the client.

Does anyone have an idea what could be the problem? I suspect the firewall configuration but am not sure...

How did you test this? You said that you are unable to connect to WG from outside the network, so what was the test method here?

I've used the Wireguard app, and used the configuration QR code from the router itself. I can turn on the tunnel on the phone, but Rx always displays 0.

The tunnel will appear to turn on even if it isn't able to make a proper connection. That is not a sign that you have a public IP address.

Let's do it this way...

  • Look at the main status page in the OpenWrt LuCI web interface (the landing page when you first log in) and find the IPv4 upstream section. What does it list as the IP address -- make a note of that.
  • Then google "what's my IP" and see if the two addresses match.

If so, you should be good. If not, you may not have a public IP.
If in doubt, post the first two octets of the IP address shown in the IPv4 Upstream section (in bold: aaa.bbb.ccc.ddd).

Well, I did what you said and indeed the addresses do not match. DDNS is supposed to solve this?

No... DDNS simply gives you a DNS entry (mydomain.com or whatever) that maps to a dynamically assigned IP address (i.e. DHCP or PPPoE connections to the ISP, where the IP may change periodically).

It does not fix the CG-NAT situation that you may find yourself in.

But before we assume it's a lost cause...

  1. Is there anything in front of your OpenWrt router such as an ISP modem+router combo unit?
  2. Do you have an IPv6 address?

Has the QR code been configured to provide a client configuration?

Long discussion: luci-app-wireguard QR Code shows Private Key

I know you can press a button to create one.

  1. Well, no, my router is connected to fiber via an SFP dongle provided by my ISP.
  2. Currently, no... Is there a way to configure it? I'm pretty sure my ISP supports IPv6, as they notified me not too long ago about upgrading.

Well, I've managed to get an IPv6 address after some messing around with the interface settings.

@psherman Any suggestions for the way forward?

Set the endpoint address in your remote peer to the IPv6 address of the OpenWrt router. You'll probably want to set up an IPv6 dynamic DNS configuration.

OK, after getting an IPv6 address, I tried to set the endpoint address to the IPv6 address I have on my router, but there is still no connection.
I do have a DDNS config running, and it is working when pinging it from outside the network.

Are there any more ideas?
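The two checks the replies above walk through (the listen_port vs. firewall dest_port mismatch from the edit, and the "does the upstream address look public" test that pointed at CG-NAT) as an added shell example; this is not code from the thread or from OpenWrt. It parses constructed UCI text inline so it runs anywhere; the function names are my own, and the CG-NAT test relies only on the RFC 6598 range 100.64.0.0/10.

```sh
# Added example, not from the thread: offline checks for the two failure modes
# discussed above (firewall port mismatch, CG-NAT upstream address) on
# constructed UCI text. On OpenWrt the real text comes from `uci export network`
# and `uci export firewall`.

# Constructed samples; the ports deliberately differ, as in the original post.
NET_CFG=$(printf "config interface 'wg_lan'\n\toption proto 'wireguard'\n\toption listen_port '1234'\n")
FW_CFG=$(printf "config rule 'wg'\n\toption src 'wan'\n\toption dest_port '9995'\n\toption proto 'udp'\n\toption target 'ACCEPT'\n")

# Print the value of option $2 from the first UCI section whose other options
# match every key=value pair in the comma-separated list $3.
uci_first() {
    printf '%s\n' "$1" | awk -v q="'" -v want="$2" -v need="$3" '
        function flush(  i, ok) {
            ok = (val != "" && !done)
            for (i = 1; i <= n; i++) if (opt[k[i]] != v[i]) ok = 0
            if (ok) { print val; done = 1 }
            split("", opt); val = ""
        }
        BEGIN { n = split(need, pairs, ","); for (i = 1; i <= n; i++) { split(pairs[i], kv, "="); k[i] = kv[1]; v[i] = kv[2] } }
        { gsub(q, "") }
        /^config / { flush() }
        $1 == "option" || $1 == "list" { opt[$2] = $3; if ($2 == want) val = $3 }
        END { flush() }'
}
wg_listen_port()      { uci_first "$1" listen_port "proto=wireguard"; }
wan_udp_accept_port() { uci_first "$1" dest_port "src=wan,proto=udp,target=ACCEPT"; }

# Returns 0 when the wan rule opens the port WireGuard listens on; otherwise
# explains the mismatch on stderr (the bug from the original post).
check_wg_firewall() {
    lp=$(wg_listen_port "$1"); fp=$(wan_udp_accept_port "$2")
    if [ -n "$lp" ] && [ "$lp" = "$fp" ]; then return 0; fi
    echo "mismatch: WireGuard listens on udp/${lp:-?}, wan rule accepts udp/${fp:-nothing}" >&2
    return 1
}

# Returns 0 when a dotted-quad IPv4 address lies in 100.64.0.0/10, the RFC 6598
# shared space ISPs use for CG-NAT; such a WAN address is not reachable from
# the internet, which matches the "addresses do not match" symptom above.
is_cgnat_ipv4() {
    case $1 in *.*.*.*) ;; *) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    if [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then return 0; fi
    return 1
}

check_wg_firewall "$NET_CFG" "$FW_CFG" || echo "fix the firewall rule before testing from outside"
is_cgnat_ipv4 100.70.1.2 && echo "100.70.1.2 is CG-NAT space: an IPv6 endpoint or a real public IPv4 is needed"
```

On a live router, replace the constructed samples with `uci export network` and `uci export firewall`, and feed `is_cgnat_ipv4` the address shown under IPv4 Upstream.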