Wireguard Server on Secondary Router - can't connect from client using mobile network

Hello,

I am fairly new to OpenWRT and would like to seek help in getting my client able to connect to the secondary router (Wireguard Server) using mobile network.

My connection: ISP -> Main Router (AsusWRT) -> Secondary Router as a dumb AP (Wireguard Server)(Nanopi R4S)

  1. I am able to connect my client (phone) to the secondary router (handshake shown as connected) while using Wi-Fi only, but not mobile network.

Main Router: 192.168.1.1
Secondary Router: 192.168.1.2 (set as static)

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'REDACTED'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'eth1'

config device
        option name 'eth1'
        option macaddr 'REDACTED'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.2'
        option gateway '192.168.1.1'
        list dns '192.168.1.1'

config device
        option name 'eth0'
        option macaddr 'REDACTED'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'
        option auto '0'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'
        option auto '0'
        option reqaddress 'try'
        option reqprefix 'auto'

config interface 'WG_0'
        option proto 'wireguard'
        option private_key 'REDACTED'
        option listen_port '51820'
        list addresses '10.14.0.1/24'

config wireguard_WG_0
        option description 'iphone14p'
        option public_key 'REDACTED'
        option private_key 'REDACTED'
        list allowed_ips '10.14.0.3/32'
        option route_allowed_ips '1'

I would be glad if fellow members here would guide me on troubleshooting and solve this matter. Thank you very much

Accessing the Wireguard tunnel over the mobile network implies being able to access it over the public Internet. You need to use a public IP address (or even better, a dynamic DNS name) on your phone. Then you need to configure the main router to forward Wireguard packets to your Nanopi R4S.

No, I didn't do any settings on the main router besides setting a static IP for the Nanopi R4S.

Is it port forwarding?

Yes, but before you set all this up you need to set up dynamic DNS (also called DDNS) because the IP address on your main router can change.* You need to pick a DDNS provider. You can start with one of these free providers. Once you get this going then accessing Wireguard over the internet from your mobile data becomes practical.


*You can get a static IP address for the WAN but if you had that you probably already know how to do all this :grin:

Yes, you must port forward UDP Port 51820 to 192.168.1.2 Port 51820.

Also, you must have one of the following configured:

  • your OpenWrt lan firewall zone must have masquerading enabled,

or

  • you must set a static route on your primary router for 10.14.0.0/24 via 192.168.1.2

I tried port forwarding but was unsuccessful, tested using https://www.canyouseeme.org/

and is this shows lan firewall zone 'masquerading enabled'

I assume you're noting that the scan didn't work?

  • Most UDP ports won't reply to test scans
  • Wireguard is designed to be silent to non WG traffic (e.g. no key, wrong key, etc.)

Somehow I managed to connect using mobile network to the Wireguard server by:

  1. Edit the endpoint from the peer side (client) to the wan ip / ddns instead of the secondary router
  2. Port forward UDP Port 51820 to 192.168.1.2 Port 51820.

Thanks @elbertmai @psherman @lleachii for the assistance. Cheers

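The fix described in the post above (peer endpoint pointing at the LAN address of the secondary router instead of the WAN IP / DDNS name) can be caught before leaving the house. This is an added example, not code from the thread: it checks a client-side wg-quick style config for an endpoint that is only reachable inside the LAN. The sample config, its placeholder keys and the hostname `home.ddns.example` are constructed; the addresses and port 51820 are the ones from the thread.

```python
import ipaddress

# Constructed phone-side config; keys and hostname are placeholders, not from the thread.
SAMPLE_BEFORE = """\
[Interface]
PrivateKey = <client-private-key>
Address = 10.14.0.3/32

[Peer]
PublicKey = <server-public-key>
AllowedIPs = 0.0.0.0/0
Endpoint = 192.168.1.2:51820
"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace("192.168.1.2", "home.ddns.example")


def peer_endpoints(conf_text):
    """Return the Endpoint value of every [Peer] section in a wg-quick style config."""
    section, found = None, []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif "=" in line and section == "peer":
            key, value = (p.strip() for p in line.split("=", 1))
            if key.lower() == "endpoint":
                found.append(value)
    return found


def check_endpoint(endpoint, forwarded_port=51820):
    """List reasons this endpoint cannot work from outside the LAN (empty list = OK)."""
    host, _, port = endpoint.rpartition(":")
    if not host or not port.isdigit():
        return ["endpoint must be host:port"]
    problems = []
    if int(port) != forwarded_port:
        problems.append(f"port {port} is not the forwarded UDP port {forwarded_port}")
    try:
        addr = ipaddress.ip_address(host.strip("[]"))  # brackets: IPv6 literal
    except ValueError:
        return problems  # a DNS/DDNS name: not resolved here, check it separately
    if not addr.is_global:
        problems.append(f"{addr} is not a public address; reachable only on the LAN side")
    return problems


def audit(conf_text):
    return {ep: check_endpoint(ep) for ep in peer_endpoints(conf_text)}
```

An empty problem list only means the endpoint is plausible from outside; the UDP port forward on the main router is still required.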

Yes, you "somehow managed" by doing what you're supposed to do to get this kind of setup working. Congrats! :tada:
