WireGuard server on OpenWrt router behind ISP router; firewall config

Using

  • OpenWrt 23.05.0 on Linksys WRT3200ACM

Goal

  • I want to be able to access my LAN at home from remote locations; previously I used OpenVPN for that, but now I want to use WireGuard to do this

Situation

  • ISP router

    • 192.168.2.254
  • openwrt router

    • 192.168.2.253 (WAN interface)
    • 192.168.1.1 (internally)
  • I managed to configure WireGuard so that I can set up a tunnel from my iPhone. The iPhone says "VPN". But I cannot reach any site, neither in my LAN nor on the internet, when the WireGuard connection is active.

  • I suspect that my firewall config is the problem. Below you find my /etc/config/firewall file. I have been "playing" with the wireguard interface in a separate zone and in the 'lan' zone, but without any result.

All help is welcome :wink:


config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option src 'wan'
        option proto 'udp'
        option dest_port '1194'
        option family 'ipv4'
        option target 'ACCEPT'
        option name 'OpenVPNupd1194'
        option enabled '0'

config rule
        option name 'OpenVPNtcp443'
        option src 'wan'
        option target 'ACCEPT'
        list proto 'tcp'
        option dest_port '443'
        option family 'ipv4'
        option enabled '0'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config redirect
        option target 'DNAT'
        option name 'GTD'
        list proto 'tcp'
        option src 'wan'
        option src_dport '5000'
        option dest 'lan'
        option dest_port '4001'
        option dest_ip '192.168.1.15'

config redirect
        option target 'DNAT'
        option name 'ncp'
        list proto 'tcp'
        option src 'wan'
        option src_dport '80'
        option dest 'lan'
        option dest_ip '192.168.1.15'
        option dest_port '80'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'ncps'
        option src 'wan'
        option src_dport '443'
        option dest_port '443'
        option dest_ip '192.168.1.15'

config rule
        option name 'wireguard'
        option src 'wan'
        option dest_port '51820'
        option target 'ACCEPT'
        list proto 'udp'

config zone
        option name 'wireguard'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'wireguard'

config forwarding
        option src 'wireguard'
        option dest 'lan'

and /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd79:b69f:3db8::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'wan'
        option macaddr '26:f5:a2:c5:9f:48'

config interface 'wan'
        option device 'wan'
        option proto 'static'
        option ipaddr '192.168.2.253'
        option netmask '255.255.255.0'
        option gateway '192.168.2.254'
        list dns '192.168.2.254'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'wireguard'
        option proto 'wireguard'
        option network 'lan'
        option private_key 'REPLACED'
        option listen_port '51820'

config wireguard_wireguard
        option description 'Basios2'
        option public_key 'REPLACED'
        option private_key 'REPLACE'
        option endpoint_host 'myhomeurl.com'
        option endpoint_port '51820'
        option route_allowed_ips '1'

config wireguard_wireguard
        option public_key 'REPLACED'
        option private_key 'REPLACED'
        option description 'metallowedips'
        list allowed_ips '10.0.0.0/32'
        option route_allowed_ips '1'
        option endpoint_host 'myhomeurl.com'

option forward should be 'ACCEPT', but that is not your main problem

config forwarding should be:

config forwarding
	option dest 'lan'
	option src 'wireguard'

config forwarding
	option dest 'wireguard'
	option src 'lan'

# if you want to allow internet access from attached clients then allow to forward from WG to WAN
config forwarding
	option src 'wireguard'
	option dest 'wan'

But it is actually easier to just add the network wireguard to the lan zone, although in your case that is not a good idea as you enabled masquerading on the lan zone. Is this intentional?

Thanks for your prompt reaction!

  • I corrected the forward option in the config zone wireguard
  • and put in the forwarding between lan and wireguard in both directions
  • I also put in the forward between wireguard and wan
    After restarting the firewall, I tested, but it was still not working.

As the masquerading on the lan zone was just one of my tries to make WireGuard work, I turned it off, and want to go for the easiest solution as you advised.

  • I put the wireguard interface in the lan zone. I can set up a tunnel, but I still cannot reach any location with an active wg connection. What am I missing?
    My firewall config is now as follows:

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wireguard'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option src 'wan'
        option proto 'udp'
        option dest_port '1194'
        option family 'ipv4'
        option target 'ACCEPT'
        option name 'OpenVPNupd1194'
        option enabled '0'

config rule
        option name 'OpenVPNtcp443'
        option src 'wan'
        option target 'ACCEPT'
        list proto 'tcp'
        option dest_port '443'
        option family 'ipv4'
        option enabled '0'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config redirect
        option target 'DNAT'
        option name 'GTD'
        list proto 'tcp'
        option src 'wan'
        option src_dport '5000'
        option dest 'lan'
        option dest_port '4001'
        option dest_ip '192.168.1.15'

config redirect
        option target 'DNAT'
        option name 'ncp'
        list proto 'tcp'
        option src 'wan'
        option src_dport '80'
        option dest 'lan'
        option dest_ip '192.168.1.15'
        option dest_port '80'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'ncps'
        option src 'wan'
        option src_dport '443'
        option dest_port '443'
        option dest_ip '192.168.1.15'

config rule
        option name 'wireguard'
        option src 'wan'
        option dest_port '51820'
        option target 'ACCEPT'
        list proto 'udp'

Did you reboot the router after changing?

Did you test from outside e.g. with your phone on cellular?

Let's see some more:
Please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
ip route show
wg show (while you are connected with your client)
wg configuration of your client

Yes, I did reboot,
and yes, I tested on the iPhone via cellular (wifi turned off).

cat /etc/config/network


config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'REDACTED'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'wan'
        option macaddr 'REDACTED'

config interface 'wan'
        option device 'wan'
        option proto 'static'
        option ipaddr '192.168.2.253'
        option netmask '255.255.255.0'
        option gateway '192.168.2.254'
        list dns '192.168.2.254'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'wireguard'
        option proto 'wireguard'
        option private_key 'REDACTED'
        option listen_port '51820'
        list addresses '10.0.0.0/32'

config wireguard_wireguard
        option public_key 'REDACTED'
        option private_key 'REDACTED'
        option description 'bas3'
        option endpoint_host 'REDACTED=mypublic ip address'
        list allowed_ips '10.0.0.0/32'

ip route show

default via 192.168.2.254 dev wan
86.95.214.166 via 192.168.2.254 dev wan
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1
192.168.2.0/24 dev wan scope link  src 192.168.2.253

wg show (while you are connected with your client)

interface: wireguard
  public key: REDACTED
  private key: (hidden)
  listening port: 51820

peer: REDACTED
  endpoint: 31.161.221.182:53510
  allowed ips: (none)
  latest handshake: 8 minutes, 16 seconds ago
  transfer: 212 B received, 188 B sent

wg configuration of your client

addresses 10.0.0.3/32
listen port: automatic
MTU: automatic
DNS servers 192.168.1.1  (openwrt)
preshared key: optional
endpoint: 192.168.2.253:51820
allowed IPs 0.0.0.0/0,::/0
exclude private IPs: not set
persistent keepalive: off

I hope this is useful info for you.

It should be like this:

list address was wrong, list allowed ips was wrong, endpoint should be removed, option route_allowed_ips '1' is added.

On the client set:
persistent keepalive: 25
You have the endpoint set as the internal WAN address, which is fine if you are connected to the main router.

Reboot after changing your settings and try again

Thanks again!
I changed /etc/config/network as you suggested:

...
config interface 'wireguard'
        option proto 'wireguard'
        option private_key 'REDACTED'
        option listen_port '51820'
        list addresses '10.0.0.1/24'

config wireguard_wireguard
        option public_key 'REDACTED'
        option private_key 'REDACTED'
        option description 'bas3'
        list allowed_ips '10.0.0.3/32'
        option route_allowed_ips '1'

and rebooted openwrt.

Tested on iphone via wifi and via cellular: cannot access internal and external sites.

On the client side I also tried to change the endpoint to my public IP address. But still without positive result.

To rule out IPv6 problems, delete ::/0 from the wg client
and change the DNS server to 9.9.9.9

When connected show output of wg show on the router again.

If your phone is using android you can install and use fing to ping the router at 10.0.0.1 and 192.168.1.1

I deleted ::/0 on both my iPhone and Android phone, and also changed the DNS to 9.9.9.9 on both phones.
Still the same problem.

On Android I installed Fing.
Pinging both 10.0.0.1 and 192.168.1.1 during an active wg connection resulted in 100% packet loss (via mobile network, wifi off).

interface: wireguard
public key: REDACTED
private key: (hidden)
listening port: 51820

peer: REDACTED
endpoint: 31.161.221.135:13312
allowed ips: 10.0.0.3/32
latest handshake: 6 minutes, 49 seconds ago
transfer: 13.26 KiB received, 12.84 KiB sent

Just some extra info:

tcpdump -i wan udp|grep 51820
gives following

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wan, link-type EN10MB (Ethernet), snapshot length 262144 bytes
16:09:28.542174 IP 31-161-221-135.mobile.kpn.net.13337 > 192.168.2.253.51820: UDP, length 128
16:09:28.542570 IP 31-161-221-135.mobile.kpn.net.13337 > 192.168.2.253.51820: UDP, length 128
16:09:28.549234 IP 31-161-221-135.mobile.kpn.net.13337 > 192.168.2.253.51820: UDP, length 96
16:09:28.550081 IP 31-161-221-135.mobile.kpn.net.13337 > 192.168.2.253.51820: UDP, length 148
16:09:28.551414 IP 192.168.2.253.51820 > 31-161-221-135.mobile.kpn.net.13337: UDP, length 92
16:09:28.584102 IP 31-161-221-135.mobile.kpn.net.13337 > 192.168.2.253.51820: UDP, length 32
16:09:30.211602 IP 31-161-221-135.mobile.kpn.net.13337 > 192.168.2.253.51820: UDP, length 128
16:09:30.211813 IP 31-161-221-135.mobile.kpn.net.13337 > 192.168.2.253.51820: UDP, length 128
16:09:30.211813 IP 31-161-221-135.mobile.kpn.net.13337 > 192.168.2.253.51820: UDP, length 96
16:09:31.065571 IP 31-161-221-135.mobile.kpn.net.13337 > 192.168.2.253.51820: UDP, length 32
16:09:34.902839 IP 31-161-221-135.mobile.kpn.net.13338 > 192.168.2.253.51820: UDP, length 148
16:09:34.904210 IP 192.168.2.253.51820 > 31-161-221-135.mobile.kpn.net.13338: UDP, length 92
16:09:34.931674 IP 31-161-221-135.mobile.kpn.net.13338 > 192.168.2.253.51820: UDP, length 32
16:09:36.831673 IP 31-161-221-135.mobile.kpn.net.13338 > 192.168.2.253.51820: UDP, length 128
16:09:36.839558 IP 31-161-221-135.mobile.kpn.net.13338 > 192.168.2.253.51820: UDP, length 128
16:09:36.839558 IP 31-161-221-135.mobile.kpn.net.13338 > 192.168.2.253.51820: UDP, length 96
16:09:36.839559 IP 31-161-221-135.mobile.kpn.net.13338 > 192.168.2.253.51820: UDP, length 96
16:09:40.951628 IP 31-161-221-135.mobile.kpn.net.13338 > 192.168.2.253.51820: UDP, length 128


When I do tcpdump -i wireguard udp
I do not see any traffic at all (during setting up/deleting a wg connection).

This is all wrong.

For a "server" that receives connections from a phone you want this:

config interface 'wireguard'
    option proto 'wireguard'
    list addresses '10.0.0.1/24'
    option private_key '<SERVER's PRIVATE KEY>'
    option listen_port '51820'

config wireguard_wireguard
    option public_key '<PHONE's PUBLIC KEY>'
    option preshared_key '<PHONE's PRESHARED KEY> (if used)'
    list allowed_ips '10.0.0.2/32'

The phone's WireGuard IP should be 10.0.0.2/24. The peer's endpoint_host is <YOUR HOUSE's PUBLIC IP or FQDN>:51820 and the allowed_ips 0.0.0.0/0.

You can add more peer phones by assigning them IPs 10.0.0.3, etc.

On the router the wireguard interface needs to have a separate firewall zone so it can NAT into LAN (set masq on the lan zone, not on the wireguard zone). This will make requests from the phone for the Internet or a home LAN IP appear to come from the OpenWrt router, so it isn't necessary for the home network to be aware of the 10.0.0.0/24 network.

@mk24 thanks for your tips.

I changed the network config as you suggested.
On my iPhone I also executed your suggestions.
I created a new fw zone, and put the wg-interface in it. And activated masq on the LAN zone.
I did NOT set zone forwarding; and forward for the wg zone is 'reject'.

Now it is partially working:

  • I can access my OpenWrt router (192.168.1.1) from my iPhone via mobile data
  • but I cannot access the internet when connected via wg

If you are forwarding from wireguard to lan (which leads to the Internet) both lan devices and the Internet should be reachable through the tunnel.

The only forward that is applicable to this use case is wireguard->lan. Setting lan->wireguard will not work (LAN devices can't initiate a connection to the phone) because NAT is in use.

Also while testing at home make sure the phone wifi is off so it is using the cellular connection and not the home router.

in the zone=>forwardings I now set
wireguard =>LAN

On phone wifi is OFF
I rebuilt the wg connection from the phone; the internet is still not reachable.

I use nu.nl as test URL on the phone; when I ping this site from the command line on openwrt, I get back responses from an IPv6 address. Could that be a problem?

let's see the latest information:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
wg show
{
        "kernel": "5.15.134",
        "hostname": "OpenWrt",
        "system": "ARMv7 Processor rev 1 (v7l)",
        "model": "Linksys WRT3200ACM",
        "board_name": "linksys,wrt3200acm",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.0",
                "revision": "r23497-6637af95aa",
                "target": "mvebu/cortexa9",
                "description": "OpenWrt 23.05.0 r23497-6637af95aa"
        }
}

/etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'REDACTED::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'wan'
        option macaddr 'REDACTED'

config interface 'wan'
        option device 'wan'
        option proto 'static'
        option ipaddr '192.168.2.253'
        option netmask '255.255.255.0'
        option gateway '192.168.2.254'
        list dns '192.168.2.254'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'wireguard'
        option proto 'wireguard'
        option private_key 'REDACTED'
        option listen_port '51820'
        list addresses '10.0.0.1/24'

config wireguard_wireguard
        option public_key 'REDACTED'
        option description 'bas3'
        list allowed_ips '10.0.0.2/32'

/etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        option masq '1'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option src 'wan'
        option proto 'udp'
        option dest_port '1194'
        option family 'ipv4'
        option target 'ACCEPT'
        option name 'OpenVPNupd1194'
        option enabled '0'

config rule
        option name 'OpenVPNtcp443'
        option src 'wan'
        option target 'ACCEPT'
        list proto 'tcp'
        option dest_port '443'
        option family 'ipv4'
        option enabled '0'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config redirect
        option target 'DNAT'
        option name 'GTD'
        list proto 'tcp'
        option src 'wan'
        option src_dport '5000'
        option dest 'lan'
        option dest_port '4001'
        option dest_ip '192.168.1.15'

config redirect
        option target 'DNAT'
        option name 'ncp'
        list proto 'tcp'
        option src 'wan'
        option src_dport '80'
        option dest 'lan'
        option dest_ip '192.168.1.15'
        option dest_port '80'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'ncps'
        option src 'wan'
        option src_dport '443'
        option dest_port '443'
        option dest_ip '192.168.1.15'

config rule
        option name 'wireguard'
        option src 'wan'
        option dest_port '51820'
        option target 'ACCEPT'
        list proto 'udp'

config zone
        option name 'wireguard'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'wireguard'

config forwarding
        option src 'wireguard'
        option dest 'lan'

wg show

interface: wireguard
  public key: REDACTED
  private key: (hidden)
  listening port: 51820

peer: REDACTED
  endpoint: 77.63.36.98:13632
  allowed ips: 10.0.0.2/32
  latest handshake: 2 minutes, 12 seconds ago
  transfer: 206.08 KiB received, 297.66 KiB sent

Your wg peer needs to have the route allowed ips option enabled:

Turn off masquerading on your lan zone:

Add forwarding from wg > wan by adding this to your firewall:

config forwarding
        option src 'wireguard'
        option dest 'wan'

Restart and try again.
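As an added example, not code from the thread's participants or from OpenWrt: a small Python linter over the /etc/config/network and /etc/config/firewall text format posted in this thread, encoding the checks the replies converged on (a real tunnel subnet on the interface, peer allowed_ips that are the phone's address and not the router's, no client private key or endpoint on the server-side peer, route_allowed_ips '1', a zone for the tunnel with forwarding into lan and out to wan, masquerade off on lan) plus a unique key pair and allowed_ips per peer. It assumes the interface is named 'wireguard' and the zones 'lan' and 'wan'; the embedded sample configs are constructed, patterned on the first postings above.

```python
"""Lint an OpenWrt WireGuard "server" from its UCI text files (added example,
not code from this thread or from OpenWrt). Assumes the interface is named
'wireguard', the zones 'lan' and 'wan', and well-formed IP addresses."""
import ipaddress
import re
import shlex

SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+(\S+))?$")

def parse_uci(text):
    """Return [{'type', 'name', 'opts': {key: [values]}}]; option and list are stored alike."""
    sections = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            sections.append({"type": m.group(1), "name": (m.group(2) or "").strip("'\""), "opts": {}})
        elif line and not line.startswith("#") and sections:
            parts = shlex.split(line)  # strips the quotes around values
            if len(parts) >= 3 and parts[0] in ("option", "list"):
                sections[-1]["opts"].setdefault(parts[1], []).append(" ".join(parts[2:]))
    return sections

def lint(network_text, firewall_text, wg_if="wireguard"):
    """Return a list of findings; an empty list means every check passed."""
    def first(sec, key):
        return (sec["opts"].get(key) or [None])[0]

    out, own, seen_key, seen_ip = [], set(), {}, {}
    net, fw = parse_uci(network_text), parse_uci(firewall_text)
    iface = next((s for s in net if s["type"] == "interface" and s["name"] == wg_if), None)
    if iface is None:
        return [f"no 'config interface {wg_if}' section"]
    if not iface["opts"].get("addresses"):
        out.append("interface: no 'list addresses'; the router's end of the tunnel has no IP")
    for a in iface["opts"].get("addresses", []):
        ip = ipaddress.ip_interface(a)
        own.add(ip.ip)
        if ip.network.prefixlen == ip.max_prefixlen:
            out.append(f"interface: {a} is a single host; use a /24 such as the thread's 10.0.0.1/24")
    for i, p in enumerate(s for s in net if s["type"] == f"wireguard_{wg_if}"):
        who = f"peer {first(p, 'description') or i}"
        if "private_key" in p["opts"]:
            out.append(f"{who}: holds a private_key; the server needs only the phone's public_key")
        if "endpoint_host" in p["opts"]:
            out.append(f"{who}: endpoint_host set; a roaming phone has no fixed endpoint, drop it")
        if first(p, "route_allowed_ips") != "1":
            out.append(f"{who}: route_allowed_ips is not '1'; no route to the phone is installed")
        key = first(p, "public_key")
        if key in seen_key:
            out.append(f"{who}: public_key is the same as {seen_key[key]}; each peer needs its own key pair")
        seen_key.setdefault(key, who)
        if not p["opts"].get("allowed_ips"):
            out.append(f"{who}: no allowed_ips; wg show says '(none)' and its packets are dropped")
        for a in p["opts"].get("allowed_ips", []):
            if any(ip in ipaddress.ip_network(a, strict=False) for ip in own):
                out.append(f"{who}: allowed_ips {a} covers the router's own address, not the phone's")
            if a in seen_ip:
                out.append(f"{who}: allowed_ips {a} already used by {seen_ip[a]}")
            seen_ip.setdefault(a, who)
    # Firewall: a zone for the tunnel, forwarding into lan and out to wan, no masq on lan.
    zones = [s for s in fw if s["type"] == "zone"]
    zone = next((first(z, "name") for z in zones if wg_if in z["opts"].get("network", [])), None)
    if zone is None:
        return out + [f"firewall: network {wg_if} is in no zone; the default forward policy REJECTs it"]
    fwds = {(first(f, "src"), first(f, "dest")) for f in fw if f["type"] == "forwarding"}
    for dest, what in (("lan", "LAN hosts"), ("wan", "the Internet")):
        if zone != "lan" and (zone, dest) not in fwds:
            out.append(f"firewall: no forwarding {zone} -> {dest}; {what} unreachable from the phone")
    for z in zones:
        if first(z, "name") == "lan" and first(z, "masq") == "1":
            out.append("firewall: masq '1' on the lan zone; turn it off as in the thread's working config")
    return out

# Constructed sample patterned on the thread's first postings (keys redacted, as there).
BROKEN_NET = """
config interface 'wireguard'
    list addresses '10.0.0.0/32'
config wireguard_wireguard
    option public_key 'PHONEKEY1'
    option private_key 'REDACTED'
    option description 'bas3'
    option endpoint_host 'myhomeurl.com'
    list allowed_ips '10.0.0.0/32'
"""
BROKEN_FW = """
config zone
    option name 'lan'
    option masq '1'
    list network 'lan'
config zone
    option name 'wireguard'
    list network 'wireguard'
config forwarding
    option src 'wireguard'
    option dest 'lan'
"""

if __name__ == "__main__":
    print("\n".join(lint(BROKEN_NET, BROKEN_FW)))
```

Run it against `scp`-copied copies of the two files; the working configuration from this thread (10.0.0.1/24 on the interface, 10.0.0.2/32 per phone with route_allowed_ips '1', a wireguard zone forwarding to lan and wan, masq only on wan) produces no findings.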


Everything seems to be working, yeahh!! But when I go to Interfaces via LuCI I get "RPCError

RPC call to uci/get failed with ubus code 9: Unspecified error at ClassConstructor.handleCallReply (http://192.168.1.1/luci-static/resources/rpc.js?v=git-23.236.53405-fc638c8:15:3)"

I did reboot openwrt

I found the cause of this error by issuing the command

uci get network

which gave the line in /etc/config/network where the error was.

So, I have one wg client (on iphone) working, great!

Now I want to have a second client.
I created a new peer on OpenWrt, and via the QR code imported it into wg on my iPhone as peer2.
I changed the IP address for peer2 to 10.0.0.3/32 (peer1 is using 10.0.0.2/32).
All other settings are the same for peer2 as for peer1 (double-checked it on my phone).

Peer1 is still working on my iphone. I turn off peer1, and turn on peer2.

But peer2 does not succeed in getting a handshake (according to the wg log on iphone). And there is no access to local or internet.

any ideas?

You need to have unique key pairs and addresses for each remote peer. Did you do that?

Thanks for your tips!

I have generated a new key pair for the second peer, and those are different from the keys of peer1 :slightly_smiling_face:

For the IP address I am not convinced whether I did the right thing.

On iphone I have the following for the two peers:

  • peer1 (is working fine)
    • addresses: 10.0.0.2/24
    • allowed IPs 0.0.0.0/0
  • peer2 (not getting a handshake)
    • addresses: 10.0.0.3/24
    • allowed IPs 0.0.0.0/0

Both peers have the public key of the wg server on openwrt configured.