Hello, I need help configuring a WireGuard server in OpenWrt. The ISP connects to the router via cable on WAN (PPPoE). I need to connect from my phone outside through WireGuard to have access to the LAN devices and also use the internet from the router. I have configured the WG server from https://openwrt.org/docs/guide-user/services/vpn/wireguard/server
I have the interface VPN WG: ---General settings---
The server's allowed_ips don't match the phone tunnel IP. Change allowed_ips to 192.168.9.3/32.
If the tunnel is working you should be able to ping from the router to the phone through the tunnel using its 9.3 address.
Also to set the firewall to allow external connections to a service running inside the OpenWrt router (as this Wireguard server is), open the port directly. Don't forward it to 192.168.1.1
The VPN tunnel should be in its own firewall zone and firewall rules set up to forward from the vpn zone to wan and lan as desired.
Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
Btw, it looks like you have a CG-NAT address on your WAN. This means that you will not be able to get a Wireguard 'server' (or any incoming connections) unless you have a public IPv6 address.
IPv6 isn't needed; maybe it was configured automatically when I installed OpenWrt.
When I had a Keenetic router I could set up a WireGuard server with this ISP.
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fda9:5c8b:63a6::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'wan'
	option macaddr 'XXX'
	option ipv6 '0'

config interface 'wan'
	option device 'wan'
	option type 'bridge'
	option proto 'pppoe'
	option username 'XXX'
	option password 'XXX'
	option ipv6 'auto'

config device
	option name 'wlan1-1'
	option ipv6 '0'

config device
	option name 'wlan0'
	option ipv6 '0'

config device
	option name 'eth0'
	option ipv6 '0'

config interface 'wwan'
	option proto 'dhcp'

config device
	option name 'wwan1-5G'

config wireguard_wg0 'wg'
	option public_key 'XXXX'
	option preshared_key 'XXX'
	list allowed_ips 'xxx.xxx.xxx.0/24'

config interface 'vpn'
	option proto 'wireguard'
	option private_key 'XXX'
	option listen_port '51820'
	list addresses '192.168.9.1/24'
	list addresses 'fdf1:e8a1:8d3f:9::1/64'

config wireguard_vpn 'wgclient'
	option preshared_key 'XXX'
	option public_key 'XXX'
	option private_key 'XXX'
	option description 'Phone'
	list allowed_ips '192.168.9.3/32'
	list allowed_ips 'fdf1:e8a1:8d3f:9::2/128'
	option route_allowed_ips '1'
root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'tun+'
	list network 'lan'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option forward 'REJECT'
	list network 'wan'
	list network 'wwan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Luci'
	option src 'wan'
	option src_dport '80'
	option dest_ip '192.168.1.1'
	option dest_port '80'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'openvpn'
	list proto 'udp'
	option src 'wan'
	option src_dport '1194'
	option dest_ip '192.168.1.1'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'ssh'
	list proto 'tcp'
	option src 'wan'
	option src_dport '22'
	option dest_ip '192.168.1.1'

config redirect
	option target 'DNAT'
	option name 'wg'
	list proto 'udp'
	option src 'wan'
	option src_dport '51820'
	option dest 'lan'

config zone
	option name 'wg'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'vpn'

config forwarding
	option src 'wg'
	option dest 'lan'

config forwarding
	option src 'wg'
	option dest 'wan'
You do have several errors, but before we spend time trying to fix those, we need to determine the CG-NAT situation. Currently, you do not have a public IP address on your WAN.
What, if anything, is upstream of your OpenWrt device? Do you have any control over it?
From the ISP I have a private IP (100.xx.xx.xx) and a public IP 185.xx.xx.xx. Inside my country, with the local ISP, I am able to connect directly using the private IP. I also configured DDNS. Now I can connect to the router from outside via SSH, web and SCP through the DDNS as well.
Sorry, I edited the previous message: the private IP is 100.70.xx.xx. I can see the public IP only when I open web sites outside my country; when I use local services, web sites etc. which are located in my country, the private IP is used.
Btw, I could configure an OpenVPN server in Linux on my laptop with the previous router (not with OpenWrt firmware), and it worked when I used the ISP's DNS instead of another DNS (Google etc.). It worked, but it is not comfortable to use because the laptop needs to be always turned on; it would be more comfortable to set up any VPN server in my router.
Does an incoming connection on the 186 IP route back to the 100 IP? This can be tested by starting a TCP-based service such as ssh on a particular port then using a port scan site to see if the port is open on your 186 IP.
If this is a state-controlled ISP where everyone in the country has a 100 IP, they may allow connections among them as if they were "public" IPs. But your home server would not work from outside the country.
I just need to use it in my country; I don't need to use it outside. The 186 IP can't be accessed, no ping.
Now I have access to SSH, SCP, ping and LuCI when connecting to my private IP and also with DDNS (I configured the private IP to DDNS because the private IP is dynamic); both are working.
Yes, we all have connections among 100.xx.xx IPs.
So you are positive that you can connect to your WAN address (100.70) from outside your network (and, from a practical sense, from anywhere/everywhere you need)? If so, that would imply that your country (or at least the common ISP(s)) are all on one CG-NAT network.
These should be deleted from the network config file:
This looks like a vestigial fragment and should be removed.
Is there an OpenVPN or other (non-WireGuard) tunnel running? If so, that might cause complications. If not, delete the tun+ device from the lan firewall zone.
It is not recommended to open the LuCI web admin to the internet (even if it is on CG-NAT) - it is not hardened for general internet exposure. I'd recommend removing this rule, but if you must keep it, it should be a traffic rule, not a redirect.
Same deal with the SSH server (although that is more secure, it is still not recommended for internet exposure).
And do you have an OpenVPN server running? This should also be a rule, not a redirect (or delete it if unused):
And on this, again it should be a rule, not a redirect.
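As an added check (not code from this thread or from the OpenWrt project): a small Python script that parses a UCI firewall dump and flags the three points raised above, the DNAT redirects aimed at the router itself that should be traffic rules, the stray tun+ device in the lan zone, and a tunnel network without its own zone and forwardings. The sample is a constructed, shortened copy of the poster's config; the router address 192.168.1.1 is taken from it.

```python
# Constructed sample, shortened from the poster's /etc/config/firewall above.
SAMPLE = """config zone 'lan'
	option name 'lan'
	list device 'tun+'
config redirect
	option target 'DNAT'
	option name 'Luci'
	option dest_ip '192.168.1.1'
config redirect
	option target 'DNAT'
	option name 'wg'
config zone
	option name 'wg'
	list network 'vpn'
"""

def parse_uci(text):
    """Parse a UCI dump: 'config <type> [name]' followed by option/list lines."""
    sections = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if not parts:
            continue
        if parts[0] == "config":
            sections.append({"type": parts[1], "options": {}, "lists": {}})
        elif parts[0] == "option":
            sections[-1]["options"][parts[1]] = parts[2].strip("'\"")
        elif parts[0] == "list":
            sections[-1]["lists"].setdefault(parts[1], []).append(parts[2].strip("'\""))
    return sections

def lint_firewall(text, router_ip="192.168.1.1"):
    """Return (section, finding) pairs for the problems raised in this thread."""
    secs, findings, vpn_zone = parse_uci(text), [], None
    fwd = {(s["options"].get("src"), s["options"].get("dest")) for s in secs if s["type"] == "forwarding"}
    for s in secs:
        o, l = s["options"], s["lists"]
        # DNAT to the router's own address (or with no dest_ip) is a router service: use 'config rule'.
        if s["type"] == "redirect" and o.get("target") == "DNAT" and o.get("dest_ip", router_ip) == router_ip:
            findings.append((o.get("name"), "redirect to the router itself; use a traffic rule"))
        if s["type"] == "zone" and "tun+" in l.get("device", []):
            findings.append((o.get("name"), "'tun+' device in zone; remove unless an OpenVPN tunnel runs"))
        if s["type"] == "zone" and "vpn" in l.get("network", []):
            vpn_zone = o.get("name")
    # The tunnel network must sit in its own zone, with forwardings to lan and wan.
    if vpn_zone is None:
        findings.append(("vpn", "tunnel network is not in any firewall zone"))
    else:
        findings += [(vpn_zone, f"missing forwarding to {d}") for d in ("lan", "wan") if (vpn_zone, d) not in fwd]
    return findings
```

Run it against the full dump with `lint_firewall(open("/etc/config/firewall").read())`; on the poster's config it also flags the openvpn and ssh redirects.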
Sorry, my bad, it's not handshaking now with these configs; before, with other configs and firewall configs, it could handshake, but I don't remember what the configs were.