I recently flashed my MT6000 with openwrt and are having a small issue setting up wireguard. It seems im unable to get a handshake when attempting to connect via my phone on cellular. I believe this is an issue with my firewall, it seems perhaps my ports arent open either.
I dont have CG-NAT.
Heres my details:
{
"kernel": "5.15.167",
"hostname": "OpenWrt",
"system": "ARMv8 Processor rev 4",
"model": "GL.iNet GL-MT6000",
"board_name": "glinet,gl-mt6000",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.5",
"revision": "r24106-10cc5fcd00",
"target": "mediatek/filogic",
"description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
}
}
/etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix '[REDACTED]'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
list ports 'lan5'
config device
option name 'lan1'
option macaddr '[REDACTED]'
config device
option name 'lan2'
option macaddr '[REDACTED]'
config device
option name 'lan3'
option macaddr '[REDACTED]'
config device
option name 'lan4'
option macaddr '[REDACTED]'
config device
option name 'lan5'
option macaddr '[REDACTED]'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '10.0.0.1'
option netmask '255.255.255.0'
option ip6assign '60'
config device
option name 'eth1'
option macaddr '[REDACTED]'
config interface 'wan'
option device 'eth1'
option proto 'dhcp'
option peerdns '0'
list dns '1.1.1.1'
config interface 'wan6'
option device 'eth1'
option proto 'dhcpv6'
config interface 'modem'
option proto 'static'
option device 'eth1'
option ipaddr '192.168.0.10'
option netmask '255.255.255.0'
option delegate '0'
config interface 'wg0'
option proto 'wireguard'
option private_key '[REDACTED]'
list addresses '10.0.100.1/24'
option listen_port '51820'
config wireguard_wg0
option description 'alanphone'
option public_key '[REDACTED]'
option private_key '[REDACTED]'
option endpoint_host '[REDACTED]'
list allowed_ips '10.0.100.2/32'
option endpoint_port '51820'
option route_allowed_ips '1'
config device
option name 'wg0'
option mtu '1280'
config wireguard_wg0
option description 'alanmacbook'
option public_key '[REDACTED]'
option private_key '[REDACTED]'
list allowed_ips '10.0.100.3/32'
option endpoint_host '[REDACTED]'
option route_allowed_ips '1'
option endpoint_port '51820'
/etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option mtu_fix '1'
list network 'lan'
list network 'wg0'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
list network 'wan'
list network 'wan6'
list network 'modem'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config redirect
option target 'DNAT'
option name 'wireguard'
list proto 'udp'
option src 'wan'
option src_dport '51820'
option dest_ip '10.0.100.1'
option dest_port '51820'
config forwarding
option src 'wan'
option dest 'lan'
Im sure im missing something obvious here, but any help would be greatly appreciated.
Minor but important nit-pick... @zekica is correct, except that there is a typo in the port -- should be 51820 based on the current configuration.
But a few more things to check:
remove the endpoint port in the peer configs (this applies to both peers), and also remove the endpoint host, too.
Restart your WG interface and try again. If that doesn't work, let's see the latest config of the firewall and network files, as well as the output of wg show
This should be deleted (not sure that it would cause this problem, but it is a security issue):
Meanwhile, this doesn't show any peers...
The lack of peers in the wg show suggests that you have a key problem or some other reason that the peer is invalid.
Try deleting the peer and creating a new one with a new set of keys. Be sure to use care when transferring the keys to your phone (the QR code method is the most reliable).
Restart the router after fixing that and then check wg show again.
I created a new peer as you suggested psherman, that was part of the problem - it now lists with wg show.
However some previous changes seemed to have closed the wireguard port and my internal lan couldnt see wan (devices on the lan lost internet).
I had to add back in the rule zekica had me remove to get the wireguard port to be open. I also had to add back in the forwarding rule you had me remove or else my internal lan couldnt see wan, and so my devices lost their connection to the internet.
I feel like ive done something silly here and its not properly setup, but heres my configs as of now:
/etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix '[redacted]'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
list ports 'lan5'
config device
option name 'lan1'
option macaddr '[redacted]'
config device
option name 'lan2'
option macaddr '[redacted]'
config device
option name 'lan3'
option macaddr '[redacted]'
config device
option name 'lan4'
option macaddr '[redacted]'
config device
option name 'lan5'
option macaddr '[redacted]'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '10.0.0.1'
option netmask '255.255.255.0'
option ip6assign '60'
config device
option name 'eth1'
option macaddr '[redacted]'
config interface 'wan'
option device 'eth1'
option proto 'dhcp'
option peerdns '0'
list dns '1.1.1.1'
config interface 'wan6'
option device 'eth1'
option proto 'dhcpv6'
config interface 'modem'
option proto 'static'
option device 'eth1'
option ipaddr '192.168.0.10'
option netmask '255.255.255.0'
option delegate '0'
config interface 'wg0'
option proto 'wireguard'
option private_key '[redacted]'
list addresses '10.0.100.1/24'
option listen_port '51820'
config device
option name 'wg0'
option mtu '1280'
config wireguard_wg0
option description 'alaniphone'
option public_key '[redacted]'
option private_key '[redacted]'
list allowed_ips '10.0.100.2/32'
option route_allowed_ips '1'
/etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option mtu_fix '1'
list network 'lan'
list network 'wg0'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
list network 'wan'
list network 'wan6'
list network 'modem'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config forwarding (Note Alan added this back in to fix lan not seeing wan)
option src 'lan'
option dest 'wan'
config redirect (Note Alan added this back in to open 51820 port)
option dest 'lan'
option target 'DNAT'
option name 'forward-wg0'
list proto 'udp'
option src 'wan'
option src_dport '51820'
option dest_ip '10.0.100.1'
option dest_port '51820'
root@OpenWrt:~# wg show
interface: wg0
public key: [redacted]
private key: (hidden)
listening port: 51820
peer: [redacted]
endpoint: [redacted]
allowed ips: 10.0.100.2/32
latest handshake: 52 seconds ago
transfer: 639.01 KiB received, 4.77 MiB sent
Of course you should have a rule from LAN to WAN but not the other way around. Allowing traffic from WAN to LAN opens up your network for everybody and is a huge security risk.
If WireGuard runs on the router you should only have to open up the port.
so delete this:
and replace it with:
config rule 'wg'
option name 'Allow-WireGuard'
option src 'wan'
option dest_port '51820'
option proto 'udp'
option target 'ACCEPT'
Yes youre right, regarding the forwarding rule psherman spoke about, that was my mistake.
I've removed my redirect rule and added the wg rule as per your instructions, however with those changes now im now unable to connect via my phone on cellular. This is after a router reboot. And I should have clarified, im running wireguard on the router.
This previously worked with the redirect rule, which is very strange.
Any thoughts to this situation would be greatly appreciated.
/etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option mtu_fix '1'
list network 'lan'
list network 'wg0'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
list network 'wan'
list network 'wan6'
list network 'modem'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config forwarding
option src 'lan'
option dest 'wan'
config rule 'wg'
option name 'Allow-wg0'
option src 'wan'
option src_port '51820'
option proto 'udp'
option target 'ACCEPT'
You have src_port and it should be dest_port
The destination of the port is the port the WG server is listening on.
The source port is the port the client is sending from this can be the same but usually the client uses an ephemeral port, meaning a high random port number
This rule you said you added back in... and I agree that it is necessary:
But the above rule is not the one I told you to remove. Look closely at the one below -- the source and destination are reversed relative to the way it should be:
