Wireguard Server on OpenWrt for Remote Access

Installing and Using OpenWrt
1

Hi everyone. I have been trying to make Wireguard work on my FritzBox 7530 but to no avail. The first time I tried setting up the Wireguard Server on the router, it magically worked and I was able to remotely access my network. However, after a while it stopped working and it won't connect to the server no matter what I try.

I have changed the configuration, double-checked everything quite a few times but still no handshake occurs between the Wireguard server and the clients. I also changed the port from 51820 to 51000 just to make sure but still nothing.

I used this configuration setup to configure it and also searched a few topics here but I am not quite sure what I am missing. Just to clear everything up, my setup also includes a ProtonVPN instance through Wireguard which is always active and I use PBR to route traffic from this client VPN.

I use VDSL from my ISP-provided router which is connected in bridged mode. The Proton VPN interface is called wgvpn0 and the server interface is wgserver0 and below are my configs and output of some commands that were asked to be provided in some topics:

Configs 
{
        "kernel": "6.12.66",
        "hostname": "MainRouter",
        "system": "ARMv7 Processor rev 5 (v7l)",
        "model": "AVM FRITZ!Box 7530",
        "board_name": "avm,fritzbox-7530",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "25.12.0-rc4",
                "firmware_url": "https://downloads.openwrt.org/",
                "revision": "r32534-12374d88b9",
                "target": "ipq40xx/generic",
                "description": "OpenWrt 25.12.0-rc4 r32534-12374d88b9",
                "builddate": "1769726182"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '0'
        option dhcp_default_duid '000498ce20052b454090827451b5460b4b0b'

config atm-bridge 'atm'
        option vpi '0'
        option vci '103'
        option encaps 'llc'
        option payload 'bridged'
        option nameprefix 'dsl'

config dsl 'dsl'
        option annex 'a'
        option ds_snr_offset '0'

config device
        option name 'br-lan'
        option type 'bridge'
        option stp '1'
        option ipv6 '0'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan1.20'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.1.1'

config device
        option name 'dsl0'

config interface 'wan'
        option device 'br-wan'
        option proto 'pppoe'
        option username 'H74687859'
        option password 'ptcl'
        option ipv6 '1'
        option peerdns '0'
        option metric '1024'
        option keepalive '3 10'
        list dns '8.8.4.4'
        list dns '8.8.8.8'

### ISP Router in bridged mode
config interface 'ptcl'
        option proto 'dhcp'
        option device 'lan1'
        option defaultroute '0'

config device
        option type 'bridge'
        option name 'br-wan'
        list ports 'lan1.10'
        list ports 'dsl0.10'

### Proton VPN Interface
config interface 'wgvpn0'
        option proto 'wireguard'
        option private_key '####'
        list dns '10.2.0.1'
        list addresses '10.2.0.3/32'

config wireguard_wgvpn0
        option description 'PROTON VPN'
        option public_key '####'
        option endpoint_host '185.177.###.##'
        option endpoint_port '51820'
        list allowed_ips '0.0.0.0/0'

### Local Wireguard Server
config interface 'wgserver0'
        option proto 'wireguard'
        option private_key '####'
        option listen_port '51000'
        list addresses '10.0.0.1/24'

config wireguard_wgserver0
        option description 'Peer 1'
        option public_key '####'
        option private_key '####'
        option preshared_key '####'
        list allowed_ips '10.0.0.2/32'
        option endpoint_port '51000'
        option persistent_keepalive '25'

config wireguard_wgserver0
        option public_key '#####'
        option private_key '#####'
        option description 'Peer 2'
        option preshared_key '####'
        list allowed_ips '10.0.0.5/32'
        option endpoint_port '51000'
        option persistent_keepalive '25'

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        list addnmount '/var/run/pbr.dnsmasq'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option force '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/odhcpd.leases'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
        option piodir '/tmp/odhcpd-piodir'
        option hostsdir '/tmp/hosts'

config host
        option name 'AhmarAftab-RA'
        option ip '192.168.1.181'
        option leasetime 'infinite'
        list match_tag 'known'
        option instance 'cfg01411c'

package firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'ptcl'
        list network 'wan'
        list network 'wgvpn0'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Remote Access Router'
        option family 'ipv4'
        option src 'wan'
        option src_dport '65501'
        option dest_ip '192.168.1.1'
        option dest_port '22'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Remote Access AP254'
        option family 'ipv4'
        option src 'wan'
        option src_dport '65502'
        option dest_ip '192.168.1.254'
        option dest_port '22'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Remote Access AP253'
        option family 'ipv4'
        option src 'wan'
        option src_dport '65503'
        option dest_ip '192.168.1.253'
        option dest_port '22'

config redirect
        option dest 'wan'
        option target 'DNAT'
        option name 'Remote Access ISP Router'
        option src 'wan'
        option src_dport '65504'
        option dest_ip '192.168.10.1'
        option dest_port '80'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Remote Access Router Torrent'
        option family 'ipv4'
        option src 'wan'
        option src_dport '65512'
        option dest_ip '192.168.1.1'
        option dest_port '65512'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Ahmar Laptop Torrent'
        option src 'wan'
        option src_dport '65511'
        option dest_ip '192.168.1.135'
        option dest_port '65511'

config forwarding
        option src 'lan'
        option dest 'wan'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/firewall.include'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option mtu_fix '1'
        option masq '1'
        list network 'wgserver0'

config forwarding
        option src 'vpn'
        option dest 'lan'

config forwarding
        option src 'vpn'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'vpn'

config rule
        option src 'wan'
        option name 'Allow-Wireguard-Remote-Access'
        option dest_port '51000'
        option target 'ACCEPT'
        list proto 'udp'

head: /etc/firewall.user: No such file or directory
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: lan1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.10.5/24 brd 192.168.10.255 scope global lan1
       valid_lft forever preferred_lft forever
1007: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
1012: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc cake state UNKNOWN group default qlen 3
    inet 182.181.144.161 peer 182.181.128.1/32 scope global pppoe-wan
       valid_lft forever preferred_lft forever
1068: wgserver0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.0.0.1/24 brd 10.0.0.255 scope global wgserver0
       valid_lft forever preferred_lft forever
1069: wgvpn0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc cake state UNKNOWN group default qlen 1000
    inet 10.2.0.3/32 brd 255.255.255.255 scope global wgvpn0
       valid_lft forever preferred_lft forever
default via 182.181.128.1 dev pppoe-wan table pbr_wan
default via 10.2.0.3 dev wgvpn0 table pbr_wgvpn0
default via 182.181.128.1 dev pppoe-wan proto static metric 1024
10.0.0.0/24 dev wgserver0 proto kernel scope link src 10.0.0.1
182.181.128.1 dev pppoe-wan proto kernel scope link src 182.181.144.161
185.177.125.4 via 182.181.128.1 dev pppoe-wan proto static metric 1024
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.10.0/24 dev lan1 proto kernel scope link src 192.168.10.5
local 10.0.0.1 dev wgserver0 table local proto kernel scope host src 10.0.0.1
broadcast 10.0.0.255 dev wgserver0 table local proto kernel scope link src 10.0.0.1
local 10.2.0.3 dev wgvpn0 table local proto kernel scope host src 10.2.0.3
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 182.181.144.161 dev pppoe-wan table local proto kernel scope host src 182.181.144.161
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1
local 192.168.10.5 dev lan1 table local proto kernel scope host src 192.168.10.5
broadcast 192.168.10.255 dev lan1 table local proto kernel scope link src 192.168.10.5
0:      from all lookup local
29997:  from all sport 51000 lookup pbr_wan
29998:  from all lookup main suppress_prefixlength 1
29999:  from all fwmark 0x20000/0xff0000 lookup pbr_wgvpn0
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wan
32766:  from all lookup main
32767:  from all lookup default

interface: wgserver0
  public key: ###############
  private key: (hidden)
  listening port: 51000

peer: #################
  preshared key: (hidden)
  allowed ips: 10.0.0.2/32
  persistent keepalive: every 25 seconds

peer: ################
  preshared key: (hidden)
  endpoint: 192.168.1.146:51000
  allowed ips: 10.0.0.5/32
  transfer: 592 B received, 21.17 KiB sent
  persistent keepalive: every 25 seconds

interface: wgvpn0
  public key: ################
  private key: (hidden)
  listening port: 49504

peer: #################
  endpoint: 185.177.125.4:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 38 seconds ago
  transfer: 15.01 MiB received, 1.62 MiB sent

If someone can provide me insight on what is going wrong or point me in the right direction, please do so. Thanks.

2

You can remove mtu-fix and masq

Reboot afterwards

At one point there was a connection, make sure to connect from outside with your phone on cellular and the routers Public IP address as endpoint in your phone config

If that does not help stop the Proton VPN and stop Policy based routing, reboot and test again with your WG server

Oh and your LAN and WAN interface setup look very strange, you have vlans but no swconfig neither DSA but maybe that is correct for your router

3

Yes, done. I saw that from one of the threads as well where you have provided a detailed guide.

Also disabled PBR and Proton VPN interface but it did not help. When I connect from my mobile using cellular, I can see the cellular IP in the Wireguard status screen but still no traffic and no handshake between Server and Client.

image
image1110×160 9.7 KB

Updated Config 
config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wgserver0'

config forwarding
        option src 'vpn'
        option dest 'lan'

config forwarding
        option src 'vpn'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'vpn'

config rule
        option src 'wan'
        option name 'Allow-Wireguard-Remote-Access'
        option dest_port '51000'
        option target 'ACCEPT'
        list proto 'udp'
        option family 'ipv4'

root@MainRouter:~# wg show
interface: wgserver0
  public key: E84DLXSfBEJnVAfCHirz1yj5MWypRD7cSlUeTCjb3Dk=
  private key: (hidden)
  listening port: 51000

peer: GqW+qV7RN+oZx9SbwTMwFvURf+HXW20+zTPPJ+mHVlI=
  preshared key: (hidden)
  endpoint: 37.111.156.57:22914
  allowed ips: 10.0.0.2/32
  transfer: 1.59 KiB received, 13.71 KiB sent
  persistent keepalive: every 25 seconds

peer: h4RiS/6hfeYfRjMIVZZnVPN3N41SCHFq/AufnA4MuGg=
  preshared key: (hidden)
  allowed ips: 10.0.0.5/32
  persistent keepalive: every 25 seconds

Those VLANs are only for tagging ISP-router traffic for Internet and TV etc. No other purpose, therefore I have tagged the LAN 1 where the ISP router is connected.

4

Remove endpoint_port from the server's client configurations. You can also remove private_key from those, that is used only for setting up the client, and for operation the server only should have the client's public_key(*). Double check your keys. Note that the server and each client must have a unique private/public key, though preshared_keys can be reused.

  • Security best practice is to have the clients generate their own private_key and keep it secret inside the client. Use an out of band method to copy the client's public_key to the server.
5

So I guess there was a problem with cellular connection. Therefore I was not able to connect from the Cellular at home. Now I tried to connect the same through my office Wi-Fi and everything is working. Thanks for your valued input. Much appreciated.

Sure, will do that.

1 Like