Wireguard setup help

That's much better now. Unless there is some mistake in the keys, it should work.
What puzzles me is that the iPhone client uses a public key for the interface. Not sure if it is a typo or whether you indeed need to specify there the public key that the iPhone produced.

2 Likes

Even when starting from scratch in the WireGuard app, you cannot input text into the public key; you need to hit "generate pair".
So as far as I can tell it's supposed to be the iPhone's generated public key.

2 Likes

Can you describe the procedure that you used to generate the Private and Public Keys?

1 Like

I followed the tutorial.

Created that wireguard directory, cd'd into it, then ran
wg genkey | tee privkey | wg pubkey > pubkey

Then I just copied the key to the interface, per:

If you are using LuCI to configure WireGuard, it's enough to run “wg genkey” and copy the output into the field “Private Key”; the public key is then later shown in the LuCI interface under Status > WireGuard status.

1 Like

@Owengerig, per the thread below, if you've been using QR Codes, please attempt manually copying the OpenWrt public key to your iPhone. There might be a bug with the QR code generation.

1 Like

The QR code makes the interface set to the same public key as OpenWrt has.

But it seems that the way it should be is that you generate a private/public key pair in the app to use as your interface settings.

But for the peer settings in the iOS app, this is where you use the public key of the server (OpenWrt).

(edited after reviewing the thread not on mobile and realizing the tunnel may not be coming up at all)

With the current configuration, can you ping the OpenWrt tunnel address from the iPhone?

Run this command via ssh to the server to see if a connection was established:
wg show
If so (the remote peer has a last handshake entry), is there any traffic received by your firewall rule? Run:
iptables -L -v
Find your WireGuard firewall rule(s) in the output and see if there are any packets received by it. If not, then there is something blocking UDP 1200, either the ISP or something local. If so, then make sure you have forwarding set up between wg and lan.

2 Likes
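The `wg show` check above is the first branch point in the procedure (no interface, interface with no peer, peer with no handshake, healthy). The following parser and diagnosis routine is an added example, not code from the thread or from the WireGuard project; the sample outputs are constructed, with placeholder keys and a made-up allowed IP, and the empty and peer-less ones match what the thread later shows.

```python
def parse_wg_show(text: str) -> dict:
    """Parse `wg show` output into {"interface": name or None, "peers": {pubkey: info}}."""
    state, cur = {"interface": None, "peers": {}}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface:"):
            state["interface"] = line.split(":", 1)[1].strip()
        elif line.startswith("peer:"):
            cur = {"handshake": False, "received": None}
            state["peers"][line.split(":", 1)[1].strip()] = cur
        elif cur is not None and line.startswith("latest handshake:"):
            cur["handshake"] = True
        elif cur is not None and line.startswith("transfer:"):
            # "transfer: 1.23 KiB received, 4.56 KiB sent" -> "1.23 KiB"
            cur["received"] = line.split(":", 1)[1].split(" received")[0].strip()
    return state

def diagnose(text: str) -> str:
    """Map `wg show` output to the next step of the checks described in the thread."""
    st = parse_wg_show(text)
    if st["interface"] is None:
        return "no-interface"   # wg knows nothing: ifup it, then check the ubus status
    if not st["peers"]:
        return "no-peers"       # interface exists but no peer: peer config never applied
    if not any(p["handshake"] for p in st["peers"].values()):
        return "no-handshake"   # tcpdump may still see UDP arrive; keys or endpoint mismatch
    return "ok"

# Constructed samples: the empty and peer-less outputs match what the thread shows;
# the healthy one uses placeholder keys and a made-up allowed IP.
SAMPLE_EMPTY = ""
SAMPLE_NO_PEERS = "interface: wireguardVPN\n"
SAMPLE_OK = """interface: wireguardVPN
  public key: ROUTER_PUBLIC_KEY_PLACEHOLDER
  private key: (hidden)
  listening port: 1200

peer: PHONE_PUBLIC_KEY_PLACEHOLDER
  endpoint: 166.171.251.7:37533
  allowed ips: 10.0.0.2/32
  latest handshake: 12 seconds ago
  transfer: 1.23 KiB received, 4.56 KiB sent
"""
SAMPLE_NO_HANDSHAKE = SAMPLE_OK.replace("  latest handshake: 12 seconds ago\n", "")

if __name__ == "__main__":
    for name, sample in [("empty", SAMPLE_EMPTY), ("no peers", SAMPLE_NO_PEERS),
                         ("no handshake", SAMPLE_NO_HANDSHAKE), ("healthy", SAMPLE_OK)]:
        print(f"{name:>12}: {diagnose(sample)}")
```

On the router itself you would feed it real output, e.g. `wg show | python3 wgdiag.py` after wrapping the main block to read stdin.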

Run also a tcpdump on the server to verify that packets from client really get to it.
tcpdump -i eth1.2 -vvn udp port 1200

2 Likes

OK, I have tested this QR Code thing.

It actually provides the entire config for the OpenWrt side, including peers and the OpenWrt's private key. This is not helpful to setup a peer device.

I would think it gives you the public key of the interface.

1 Like

Yes

resulted in:

root@OpenWrt:~# wg show
interface: wireguardVPN

I did create a port forward rule, but there was already a firewall rule allowing traffic on port 1200

root@OpenWrt:~# tcpdump -i eth1.2 -vvn udp port 1200
tcpdump: listening on eth1.2, link-type EN10MB (Ethernet), capture size 262144 bytes
05:34:18.636590 IP (tos 0x0, ttl 55, id 63707, offset 0, flags [none], proto UDP (17), length 176)
    166.171.251.7.37533 > 69.131.49.158.1200: [udp sum ok] UDP, length 148
05:34:23.881231 IP (tos 0x0, ttl 55, id 62037, offset 0, flags [none], proto UDP (17), length 176)
    166.171.251.7.37533 > 69.131.49.158.1200: [udp sum ok] UDP, length 148
05:34:29.098710 IP (tos 0x0, ttl 55, id 65161, offset 0, flags [none], proto UDP (17), length 176)
    166.171.251.7.37533 > 69.131.49.158.1200: [udp sum ok] UDP, length 148
05:34:34.329892 IP (tos 0x0, ttl 55, id 20095, offset 0, flags [none], proto UDP (17), length 176)
    166.171.251.7.37533 > 69.131.49.158.1200: [udp sum ok] UDP, length 148
^C
4 packets captured
5 packets received by filter
0 packets dropped by kernel

I was surprised to see these packets, especially since the WireGuard interface still shows 0 for rx/tx.

But I thought we verified the key structure on the iOS app:
interface public key - generated on the phone
peer public key - generated on the server (OpenWrt)

Have a look here, this may or may not help you:

3 Likes

Then proceed. So long as you've set up the keys correctly.

1 Like

As far as I can tell this is what I have set up, with 2 minor changes:
checking (making true) - Route Allowed IPs
I noticed my firewall rule had Destination Zone set to Device (input), which I changed to Any Zone - this wasn't specified in that tutorial but seemed wrong to me.

Update:

I recreated the VPN using this tutorial but the results are the same :( still not working.

There seems to be a new issue.
My interface has its private key set (I even re-set it to the same value and LuCI complained about no changes to save).

However, when I go to the WireGuard Status page it says

Interface does not have a public key!

Last week when working on this my public key was showing in the status page, so I don't know when or what caused this change.

root@OpenWrt:~# wg showconf WireGuard VPN
Usage: wg showconf <interface>
root@OpenWrt:~# wg show
root@OpenWrt:~#

The firewall rule is correct by setting it to destination device input as this is what shows in my rules and works.
Have you tried restarting the interface and then rechecking?

1 Like

Yes, no change :(

There can't be a space in the interface name. The output shown from your "wg showconf WireGuard VPN" command is telling you the syntax is wrong. Based on previous replies it should be "wg showconf WireGuardVPN" (no space). Could you try that and post the result?

But first...
The command "wg show" returns nothing on your router. I can re-create this if the interface is down. Try "ifup WireGuardVPN" and then "wg show". If it's still blank the interface is probably down. You could check with:
ubus -v call network.interface.WireGuardVPN status | jsonfilter -e '@.up'
If it's up it will return true.

1 Like

I was using the wrong name; it's actually: wireguardVPN
It's the protocol that has the space: WireGuard VPN

But yeah, it looks like the interface is down.

root@OpenWrt:~# ifup wireguardVPN
root@OpenWrt:~#  wg show
interface: wireguardVPN
root@OpenWrt:~# ubus -v call network.interface.wireguardVPN status | jsonfilter -e '@.up'
false

But I don't understand, it shows started in LuCI.

Bring up on boot
IS checked (true)
I rebooted but it still reports false.

The interface is down.

Well, that makes sense if it was also having a problem with the key(s). The driver may not be able to come online. You could try and look at /etc/config/network and try to see what's missing (if anything).

But if it was mine I wouldn't mess with the current config since it's been driven over so much. I would delete the firewall zone, the wg interface, any wg conf files you were using. Then check in /etc/config/network and make sure it's clean - no wg entries. If there are any remaining wg entries in there, remove them before going forward. Then start again using the guide posted just above.

You already know a lot of what was wrong in the original config, so maybe something in the files has been hanging you up without having a full reset?

At any rate, good luck with it.