Wireguard Site to Site Help for Noob

Hi Guys,

I want to connect two networks with a WireGuard VPN.
I have read a few threads in this forum and tested a few configs, but nothing works :frowning:
On each side I have an OpenWrt router behind the Internet router.
Side A: 192.168.1.0
Side B: 192.168.10.0
The locations are reachable via DynDNS.
In my Internet router I added a static route to the OpenWrt router.
Port 51820 is forwarded to the OpenWrt router on each side.
Here's my config. Could someone help me, please?

Can you copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, private keys, MAC addresses and any public IP addresses you may have.

uci export network; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; WG

side A:


root@OpenWrt:~# uci export network; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; WG
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd92:1a4e:164c::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'dhcp'
        option delegate '0'

config device 'lan_eth0_1_dev'
        option name 'eth0.1'
        option macaddr 'xxx'

config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr 'xxx'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 6t'

config interface 'vpn'
        option proto 'wireguard'
        option private_key 'xxx'
        option listen_port '51820'

config wireguard_vpn
        option public_key 'xxx'
        option description 'Site A'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option endpoint_port '51820'
        list allowed_ips '192.168.10.0/24'
        option endpoint_host 'dns from side b'

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan vpn'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.8/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
default via 192.168.1.1 dev br-lan proto static src 192.168.1.8
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.8
192.168.10.0/24 dev vpn proto static scope link
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.8
local 192.168.1.8 dev br-lan table local proto kernel scope host src 192.168.1.8
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.8
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
-ash: WG: not found

Side B:

root@OpenWrt:~# uci export network; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; WG
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdce:1861:47d4::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'dhcp'
        option hostname 'mikrotik-openwrt'

config device 'lan_eth0_1_dev'
        option name 'eth0.1'
        option macaddr 'xxx'

config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr 'xxx'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 6t'

config interface 'vpn'
        option proto 'wireguard'
        option private_key 'xxx'
        option listen_port '51820'

config wireguard_vpn
        option public_key 'xxx'
        option description 'Site B'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option endpoint_port '51820'
        list allowed_ips '192.168.1.0/24'
        option endpoint_host 'dns from side a'

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan vpn'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.10.72/24 brd 192.168.10.255 scope global br-lan
       valid_lft forever preferred_lft forever
default via 192.168.10.1 dev br-lan proto static src 192.168.10.72
192.168.1.0/24 dev vpn proto static scope link
192.168.10.0/24 dev br-lan proto kernel scope link src 192.168.10.72
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.10.0 dev br-lan table local proto kernel scope link src 192.168.10.72
local 192.168.10.72 dev br-lan table local proto kernel scope host src 192.168.10.72
broadcast 192.168.10.255 dev br-lan table local proto kernel scope link src 192.168.10.72
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
-ash: WG: not found

Sorry, can you add the output from wg as well? I mistyped it in my last post as WG, which is the wrong command.

Can you also confirm what static route you added to each internet router?

side A + B

root@OpenWrt:~# wg
interface: vpn
  public key: xxx
  private key: (hidden)
  listening port: 51820
root@OpenWrt:~#

Static Route Side A:

Static Route Side B:

192.168.1.8 and 192.168.10.72 are the OpenWrt Routers

The private key and the public key are the same on both sides.

What do you mean they're the same on both sides?

There's nothing in your configs which at first glance appears obviously wrong. The vpn interface appears to have started, but the peers aren't connecting (no handshake). That usually indicates an issue with the keys or the firewall.

For example:
Private Key: thisistheprivatekey
Public Key: thisisthepublickey
These are the same on Side A and Side B (but the private key and the public key are different from each other).

Sorry, still not clear. Each side should have its own private key and public key.

The VPN interface on Side A should use the Side A private key and the peer should use the Side B public key.

This should then be reversed on Side B, so the interface uses the Side B private key and the peer uses the Side A public key.

Is this how it's set up?

Hmm, on both sides I have the same entry in "Private Key" in the tab "Interfaces/VPN/General Settings",
and also the same entry in "Public Key" in the tab "Interfaces/VPN/Peers".

Could you give me an example, please?

On each OpenWrt router, run: wg genkey | tee privatekey | wg pubkey > publickey

This will create two files, privatekey and publickey, which contain the generated keys. Use that router's privatekey to set up the vpn interface on that router. Use its publickey to set up the peer entry on the other router. The private key never leaves the router it was generated on.

Sorry for being a pain,
just to verify:
On side A:
I put the "generated side A private key" in VPN/General Settings/Private Key.
Which entry should I use in Peer/Public Key?

On side B:
I put the "generated side B public key" in VPN/Peers/Public Key.
Which entry should I use in General Settings/Private Key?

No. On each side you use the private key you generated on that router as the interface's private key. Then you use that router's public key in the peer entry on the other router.

So Site A uses the Site A private key and Site B public key.
Site B uses the Site B private key and Site A public key.

You are my hero :slight_smile:
It's working now.

I still have a question: how can I integrate a client,
e.g. an Android device?

I assume you'll want the android device to access both sites? Are you just wanting to access local resources or do you want all internet traffic from the device to go through the VPN?

I want to access both sites from Android.

Ok, first you need to pick a subnet you're not already using. For this example I'll use 192.168.30.0/24. Change it to a different subnet if you're already using that one.

Install the WireGuard app on the Android device. It will auto-generate the private and public keys when you create a new tunnel; the private key stays on the device, only the public key is given to the router. Give it the address 192.168.30.1/32. You can leave DNS servers blank. For the peer config, use the public key from Site A and Site A's endpoint details (including the port). In Allowed IPs put 192.168.1.0/24, 192.168.10.0/24

On site A, create a new peer and use the public key from the Android app. Allowed IPs should be 192.168.30.1/32 (only that single address, so the peer cannot claim any other source) and make sure Route Allowed IPs is checked. Leave everything else blank.

On site B, edit the existing peer (so the one for Site A) to add 192.168.30.1/32 as an allowed IP.

Restart the wireguard interfaces on both routers.

Can I use the QR code on side A to set up Android with the WireGuard app?

Possibly, I've never tried it and can't confirm what results you'll get.

I will try it later.
Thanks in advance :slight_smile:

Update:
It's not working :frowning:
No handshake...