WireGuard server on TP-Link RE450

Hi,
I am trying to get WireGuard running on OpenWrt installed on a TP-Link RE450.
I followed this tutorial: https://openwrt.org/docs/guide-user/services/vpn/wireguard/server

This is the server configuration file:

[Interface]
PrivateKey = <server-private-key>
Address = 192.168.9.1/24
ListenPort = 51820

[Peer]
PublicKey = <client-public-key>
AllowedIPs = 192.168.9.2/32

I created this client configuration file:

[Interface]
Address = 192.168.9.2/32
PrivateKey = <client-private-key>

[Peer]
PublicKey = <server-public-key>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <my-ip>:22
PersistentKeepalive = 25

UDP port 22 on the router is forwarded to port 51820 on the TP-Link.
The TP-Link is connected to my modem/router.
The TP-Link LAN IP is 192.168.0.3 and the modem/router IP is 192.168.0.1.

I tried to connect from outside and I get this error:
"wireguard invalid handshake response"

Any ideas? Thanks in advance.
Marco
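
A check one can run on such a config pair before touching the router, as an added example (not code from the original post or from WireGuard): it parses both wg-quick files, verifies that every key is 32 base64 bytes and that each PrivateKey carries the clamp bits `wg genkey` always sets (a pasted public key or mangled text fails this), confirms that the server's peer AllowedIPs covers the client's tunnel address and vice versa, and flags an Endpoint port that differs from the server's ListenPort so the required port forward is not forgotten. The keys are constructed placeholders generated inside the script (not a real key pair), and 203.0.113.10 stands in for `<my-ip>`.

```python
"""Cross-check a WireGuard server/client pair written in wg-quick INI syntax.
Added example for this thread, not code from the original post or from WireGuard.
Keys below are constructed placeholders (not a real key pair) so it runs offline."""
import base64
import ipaddress

def parse_wg_conf(text):
    """wg-quick INI -> (interface_dict, [peer_dict, ...]); [Peer] may repeat."""
    iface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line == "[Interface]":
            cur = iface
        elif line == "[Peer]":
            cur = {}
            peers.append(cur)
        elif "=" in line and cur is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            cur[key] = value
    return iface, peers

def key_bytes(b64):
    """Raw 32 bytes of a base64 Curve25519 key, or None if it is malformed."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:                      # binascii.Error is a ValueError
        return None
    return raw if len(raw) == 32 else None

def looks_clamped(raw):
    """`wg genkey` output always has these bits; without them it is probably a pasted public key."""
    return (raw[0] & 7) == 0 and (raw[31] & 128) == 0 and (raw[31] & 64) == 64

def covered(address, allowed_csv):
    """Is the host part of `address` inside any of the comma-separated CIDRs?"""
    host = ipaddress.ip_interface(address.split(",")[0].strip()).ip
    return any(host in ipaddress.ip_network(c.strip(), strict=False)
               for c in allowed_csv.split(",") if c.strip())

def check_pair(server_conf, client_conf):
    """Return (code, message) findings; an empty list means nothing obviously wrong."""
    findings = []
    s_if, s_peers = parse_wg_conf(server_conf)
    c_if, c_peers = parse_wg_conf(client_conf)
    s_peer, c_peer = s_peers[0], c_peers[0]          # single-peer configs, as in the thread
    for who, iface, peer in (("server", s_if, s_peer), ("client", c_if, c_peer)):
        raw = key_bytes(iface.get("PrivateKey", ""))
        if raw is None:
            findings.append(("bad-private-key", f"{who}: PrivateKey is not 32 base64 bytes"))
        elif not looks_clamped(raw):
            findings.append(("unclamped-private-key", f"{who}: PrivateKey lacks wg genkey's clamp bits"))
        if key_bytes(peer.get("PublicKey", "")) is None:
            findings.append(("bad-public-key", f"{who}: peer PublicKey is not 32 base64 bytes"))
    if s_peer.get("PublicKey") == c_peer.get("PublicKey"):
        findings.append(("same-public-key", "both sides list the same PublicKey; one of them is wrong"))
    # The server silently drops tunnel packets whose source is outside the peer's AllowedIPs.
    if not covered(c_if.get("Address", "0.0.0.0"), s_peer.get("AllowedIPs", "")):
        findings.append(("client-not-allowed", "server AllowedIPs does not cover the client Address"))
    # The client only sends traffic for the server's tunnel address into the peer if AllowedIPs routes it.
    if not covered(s_if.get("Address", "0.0.0.0"), c_peer.get("AllowedIPs", "")):
        findings.append(("server-not-routed", "client AllowedIPs does not cover the server Address"))
    if "Endpoint" in c_peer and "ListenPort" in s_if:
        ep_port = int(c_peer["Endpoint"].rsplit(":", 1)[1])
        if ep_port != int(s_if["ListenPort"]):
            findings.append(("endpoint-port", f"client sends to UDP {ep_port} but the server listens on {s_if['ListenPort']}: a port forward must map one onto the other"))
    return findings

def constructed_key(seed, private):
    """Deterministic placeholder key for the demo (NOT a real key pair); clamped when private."""
    raw = bytearray((seed * 37 + i * 11) & 0xFF for i in range(32))
    if private:
        raw[0] &= 248
        raw[31] = (raw[31] & 127) | 64
    return base64.b64encode(bytes(raw)).decode()

SERVER_CONF = f"""[Interface]
PrivateKey = {constructed_key(1, True)}
Address = 192.168.9.1/24
ListenPort = 51820

[Peer]
PublicKey = {constructed_key(2, False)}
AllowedIPs = 192.168.9.2/32
"""

CLIENT_CONF = f"""[Interface]
Address = 192.168.9.2/32
PrivateKey = {constructed_key(3, True)}

[Peer]
PublicKey = {constructed_key(4, False)}
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 203.0.113.10:22
"""

if __name__ == "__main__":
    for code, msg in check_pair(SERVER_CONF, CLIENT_CONF):
        print(f"[{code}] {msg}")
```

On the pair from this post the only finding is the endpoint port (22 versus 51820), which is fine as long as the forward on the main router really maps UDP 22 to 51820. The script cannot tell whether the PublicKey each side lists actually belongs to the other side's PrivateKey; for that, run `wg pubkey < privatekey` on each device and compare by hand, which is the mismatch that regenerating all the keys later in this thread cleared up.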

Take a moment to look at your /etc/config/network file again.
The peer looks pretty jacked up.

Example

config wireguard_wg0
	option description 'optionalname'
	option public_key 'D5OScxIU6t70uiJwPwctLnNDtNUjsx1erSWOj9hWkWJ='
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
	option endpoint_host '192.188.228.exp'
	option endpoint_port '51820'
	option persistent_keepalive '25'

Hi Bill, this is the output of cat /etc/config/network

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config globals 'globals'
        option ula_prefix 'fde0:8fac:e820::/48'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.0.3'
        option gateway '192.168.0.1'
        list dns '192.168.0.1'
        option device 'br-lan'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'vpn'
        option proto 'wireguard'
        option private_key '<private-key>'
        option listen_port '51820'
        list addresses '192.168.9.1/24'
        list addresses 'fdf1:e8a1:8d3f:9::1/64'

config wireguard_vpn 'wgclient'
        option public_key '<publickey>'
        option preshared_key '<pre-shared-key>'
        list allowed_ips '192.168.9.2/32'
        list allowed_ips 'fdf1:e8a1:8d3f:9::2/128'

Is there anything wrong?


Do you have a ddns host?

All the rest is a moot point since I missed the very important info in your post about failing with the phone.

Your config is for a Road Warrior. You're out and about and trying to get on your LAN from a data or Wi-Fi connected cell phone, and in order to do that you have to have a publicly reachable DNS address that maps back through your ISP modem to your TP-Link.

I apologize for the runaround.

Sure, I have a DDNS host.
I tried regenerating all the keys and now I am able to connect, but from outside I can reach only the WireGuard server at 192.168.0.3 or 192.168.0.1, no internet and no other IP in the LAN...
Any suggestion?

Suggest using the updated OpenWrt wiki page linked above. It has two scripts the reader (you) has to modify with input in the upper section.

The ## are the definitions of the value.
The # are the values you modify.


Create WireGuard interface and its keys

Download the script
Edit the configuration values at the top (or write a wrapper script to set environment variables and call this script)
Copy the script(s) to your OpenWrt system (such as with scp)

wg_roadwarrior


Create WireGuard peer configurations

Download the script
Edit the configuration values at the top (or write a wrapper script to set environment variables and call this script)
Copy the script(s) to your OpenWrt system (such as with scp)

add_roadwarrior_peer

Hi Bill, I read the guide linked in the script and I think it's not my context, since in the so-called "road warrior" configuration OpenWrt and WireGuard are on the router, while in my case I have OpenWrt/WireGuard behind the router:

internet <--> modem/router (192.168.0.1) <--> TP-Link in bridge mode with OpenWrt/WireGuard (192.168.0.3/192.168.9.1).

As I said before, after regenerating the keys I am now able to connect from outside and the handshake is OK. The problem is that from an Android phone or from a Windows PC I can reach only the WireGuard server at 192.168.0.3 or 192.168.0.1, no internet and no other IP in the LAN... Maybe the problem is the firewall on OpenWrt? The TP-Link with OpenWrt is connected by Ethernet cable to the main router and is configured as a wireless access point following the official guide in the OpenWrt docs.
Thanks in advance,
Marco

Let's see your configuration on the OpenWrt side:

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

Hi Psherman, this is the config on the OpenWrt side:

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config globals 'globals'
        option ula_prefix 'fde0:8fac:e820::/48'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.0.3'
        option gateway '192.168.0.1'
        list dns '192.168.0.1'
        option device 'br-lan'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'vpn'
        option proto 'wireguard'
        option private_key '<private-key>'
        option listen_port '51820'
        list addresses '192.168.9.1/24'
        list addresses 'fdf1:e8a1:8d3f:9::1/64'

config wireguard_vpn
        option description 'OP5'
        list allowed_ips '192.168.9.2/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option public_key '<public-key>'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'vpn'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

Since your RE450 running WG is not the main router, you need to do one of two things...
Option 1) If your main router supports static routes, add one that is 192.168.2.0/24 via 192.168.0.3
or
Option 2) If your main router doesn't support static routes, you need to adjust the firewall on the RE450.

  • split out the VPN into a different firewall zone (remove it from the lan zone)
  • enable masquerading on the lan zone
  • allow forwarding from the vpn zone > lan zone

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        option masq '1'

config zone 'vpn'
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'vpn'

config forwarding
        option src 'vpn'
        option dest 'lan'
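
The zone logic in the reply above, as an added example (not OpenWrt code and not from the thread): a small Python checker that parses UCI firewall syntax and reports, for the network the tunnel lives in, which zone it is in, whether traffic from it may be forwarded to the lan zone, whether that zone masquerades, and whether the listener is reachable on the lan interface, which is where the handshakes arrive when the OpenWrt box sits behind another router. BEFORE and AFTER are constructed, abbreviated versions of the firewall as first posted in this thread and as option 2 describes it; the zone and network names are the ones used on this page.

```python
"""Trace how an OpenWrt firewall treats WireGuard clients when the OpenWrt box is not
the main router. Added example for this thread, not OpenWrt's own code; BEFORE and
AFTER are constructed, abbreviated versions of the firewall configs posted above."""
import shlex

def parse_uci(text):
    """UCI text -> list of {'type', 'name', 'opts'}; 'list' keys collect into lists."""
    sections, cur = [], None
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)        # copes with the 'quoted' values
        if not parts:
            continue
        if parts[0] == "config":
            cur = {"type": parts[1], "name": parts[2] if len(parts) > 2 else None, "opts": {}}
            sections.append(cur)
        elif parts[0] == "option" and len(parts) == 3:
            cur["opts"][parts[1]] = parts[2]
        elif parts[0] == "list" and len(parts) == 3:
            cur["opts"].setdefault(parts[1], []).append(parts[2])
    return sections

def zone_of(sections, network):
    """Zone covering `network`; also accepts the old space-separated 'option network' form."""
    for s in sections:
        nets = s["opts"].get("network", [])
        if s["type"] == "zone" and network in (nets.split() if isinstance(nets, str) else nets):
            return s
    return None

def forwarding_allowed(sections, src, dst):
    """Same zone: its forward policy decides. Different zones: a forwarding section is needed."""
    if src is dst:
        return src["opts"].get("forward") == "ACCEPT"
    return any(s["type"] == "forwarding" and s["opts"].get("src") == src["opts"]["name"]
               and s["opts"].get("dest") == dst["opts"]["name"] for s in sections)

def inbound_allowed(sections, arrival_net, port, proto="udp"):
    """Is the listener reachable on the interface the handshakes actually arrive on?"""
    zone = zone_of(sections, arrival_net)
    return zone is not None and (zone["opts"].get("input") == "ACCEPT" or any(
        s["type"] == "rule" and s["opts"].get("src") == zone["opts"]["name"]
        and s["opts"].get("proto") == proto and s["opts"].get("dest_port") == str(port)
        and s["opts"].get("target") == "ACCEPT" for s in sections))

def assess(text, vpn_net="vpn", lan_net="lan", listen_port=51820):
    """Summarise the tunnel-to-LAN path and name the first thing that blocks it."""
    sections = parse_uci(text)
    vz, lz = zone_of(sections, vpn_net), zone_of(sections, lan_net)
    r = {"vpn_zone": vz["opts"]["name"] if vz else None,
         # Behind another router the handshakes arrive on the LAN interface, not on a WAN.
         "listener_reachable": inbound_allowed(sections, lan_net, listen_port),
         "vpn_to_lan": bool(vz and lz and forwarding_allowed(sections, vz, lz)),
         "lan_masq": bool(lz and lz["opts"].get("masq") == "1")}
    if vz is None:
        r["verdict"] = "vpn network is in no zone: its traffic falls through to the defaults"
    elif not r["vpn_to_lan"]:
        r["verdict"] = "no forwarding from the vpn zone to lan: clients reach only the box itself"
    elif not r["lan_masq"]:
        r["verdict"] = ("forwarded, but LAN hosts answer via the main router, which has no route "
                        "to the tunnel subnet: add that static route or enable masq on lan")
    else:
        r["verdict"] = "ok: LAN hosts see the box's own address, so replies come straight back"
    return r

BEFORE = """\
config zone 'lan'
    option name 'lan'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    list network 'lan'
    list network 'vpn'
"""

AFTER = """\
config zone 'lan'
    option name 'lan'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option masq '1'
    list network 'lan'

config zone 'vpn'
    option name 'vpn'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    list network 'vpn'

config forwarding
    option src 'vpn'
    option dest 'lan'
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, assess(cfg))
```

With the tunnel inside the lan zone, intra-zone forwarding already lets packets out towards LAN hosts; what is missing is the return path, because the main router has no route for the tunnel subnet (192.168.9.0/24 in the network config posted above). Masquerading on the lan zone makes every tunnel packet leave the RE450 with 192.168.0.3 as its source, so replies come back without the main router ever learning about the tunnel. Note also that the Allow-WireGuard rule with src 'wan' plays no part on this box: the handshakes arrive on the lan interface, whose input policy is already ACCEPT, and the firewall's wan zone lists networks that do not exist in /etc/config/network here.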

Thank you psherman, it's all clear. My router doesn't support static routes, so I have to go with option 2 and adjust the firewall on the RE450. Can I do it in LuCI or do I need to use commands over SSH?

You can do it in LuCI. All in the firewall.

Edit the lan zone -> remove vpn from the covered networks. Then enable masquerading.

Create a new zone (such as vpn). Add the vpn network as a covered network. Allow forwarding from the lan zone.

OK, I tried but nothing changed. I am only able to reach 192.168.0.3 / 192.168.9.1, which are the IPs of the RE450. No other IP in the LAN and no internet...
This is the firewall:

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        option masq '1'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        list network 'vpn'
        option forward 'ACCEPT'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

config forwarding
        option src 'vpn'
        option dest 'lan'

Let's see the remote peer's wireguard configuration.

Here it is:

I'm sorry... to clarify, I meant the configuration that exists on the remote device, not the OpenWrt side.


Have you tested this while on cellular or a remote network (i.e. make sure you're not testing while on your own wifi)?

If not, please try and then let us know the results of pinging the following:

  • 192.168.9.1
  • 192.168.0.3
  • 192.168.0.1
  • 8.8.8.8
  • google.com

I tested on cellular; tomorrow morning I will try on a remote network from my office PC and I will tell you the ping results.

Good morning, this is the result of ping from a PC on a remote network: