Wireguard Site to Site Help for Noob

I configured it exactly as you described, but it's not working.
I start the tunnel on the Android device, but there is no handshake.
Could it be that the internet router (in front of OpenWrt) does not know what to do with the 192.168.30.0 subnet?

Don't you have to enter an IP in the interface under the tab "General Settings"?

Which interface are you talking about?

Add static routes for 192.168.30.0/24 on both internet-facing routers, pointing at the OpenWrt device behind each one. Because your OpenWrt box sits behind the internet router, that router must also forward UDP 51820 to the OpenWrt address, otherwise an inbound handshake from the phone can never reach the WireGuard listener.

I mean the General Settings tab of the VPN interface.

I added a static route on the internet router (the same way as for the site-to-site routes).

I added a second peer on Site A as you described:

Public Key is the Public Key from Android Wireguard App

And in the app I configured:
Address: 192.168.30.1/32

Peer:
Public Key from Side A
Allowed IPs: 0.0.0.0/0, ::/0 (all traffic from the phone goes through the tunnel)
Endpoint: DNS name of Site A

Did you include the port in the endpoint address?

yes.
xxx.de:51820

Isn't it necessary to configure an IP address in the General Settings tab?

No. An address on the WireGuard interface is only used for traffic the router itself originates into the tunnel; the handshake (plain UDP between the outer addresses) and forwarding between the tunnel and the LAN do not need it.

Are you testing the connection on the android device from outside the LAN?

yes.
Tested over LTE (Wi-Fi disabled), and also over Wi-Fi.

Can you copy the output of the following commands on Site A and post it here using the "Preformatted text </> " button:
Remember to redact passwords, WireGuard private keys, MAC addresses and any public IP addresses before posting.

# Collect the configuration and runtime state needed to debug the tunnel:
#   uci export          - network and firewall configuration as UCI text
#   cat /etc/firewall.user - custom iptables rules the firewall includes
#   ip -4 ...           - IPv4 addresses, every routing table, policy rules
#   wg                  - WireGuard interface/peer state (handshake age, counters)
uci export network
uci export firewall
cat /etc/firewall.user
ip -4 address
ip -4 route list table all
ip -4 rule
wg

root@OpenWrt:~# uci export network; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; wg
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd92:1a4e:164c::/48'

# NOTE(review): 'lan' is a DHCP client on the bridge (it gets 192.168.1.8 with
# its default route via 192.168.1.1 in the dump below) and no 'wan' interface is
# defined anywhere in this package. This box therefore has no internet-facing
# interface of its own: everything, including the WireGuard listener, sits
# behind the upstream router's NAT.
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'dhcp'
        option delegate '0'

config device 'lan_eth0_1_dev'
        option name 'eth0.1'
        option macaddr 'xxx'

# Device entry only: no 'config interface' in this file uses eth0.2.
config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr 'xxx'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 6t'

# WireGuard listener on UDP 51820. There is no 'list addresses' entry; that
# only matters for traffic the router itself originates into the tunnel, not
# for the handshake or for forwarded traffic.
config interface 'vpn'
        option proto 'wireguard'
        option listen_port '51820'
        option private_key 'xxx'

# Site B peer: an endpoint plus persistent keepalive means Site A initiates
# this tunnel outbound, which is why it handshakes through the upstream NAT.
config wireguard_vpn
        option description 'Site A'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option endpoint_port '51820'
        list allowed_ips '192.168.10.0/24'
        option endpoint_host 'dns from site b'
        option public_key 'publickey from site b'

# Android peer: no endpoint, so the phone must initiate. Its first packet has
# to reach UDP 51820 on this box, i.e. be forwarded by the upstream router.
# route_allowed_ips adds the 192.168.30.1 host route seen in the dump below.
config wireguard_vpn
        option route_allowed_ips '1'
        option description 'Android'
        option public_key 'public key from wireguard app'
        list allowed_ips '192.168.30.1/32'

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

# NOTE(review): 'vpn' shares the lan zone. With input ACCEPT every WireGuard
# peer can reach all services listening on the router; put the tunnel in its
# own zone if the peers are not fully trusted. Tunnel <-> LAN traffic is
# forwarded lan->lan without masquerade, which is why the upstream router
# needs a return route for 192.168.30.0/24.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan vpn'

# NOTE(review): this zone has no 'option network' and the network package
# defines no 'wan' interface, so input REJECT, masq, mtu_fix and every
# src 'wan' rule below are inert on this device.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# NOTE(review): the two IPsec rules below are not used by WireGuard. They are
# harmless while the wan zone is empty, but would open ESP and udp/500 from
# wan into lan as soon as a network is assigned to that zone; drop them if
# IPsec is not in use.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group defaul              t qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP gro              up default qlen 1000
    inet 192.168.1.8/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
default via 192.168.1.1 dev br-lan proto static src 192.168.1.8
109.193.140.47 via 192.168.1.1 dev br-lan proto static
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.8
192.168.10.0/24 dev vpn proto static scope link
192.168.30.1 dev vpn proto static scope link
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0              .1
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168              .1.8
local 192.168.1.8 dev br-lan table local proto kernel scope host src 192.168.1.8              
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.1              68.1.8
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
interface: vpn
  public key: xxx
  private key: (hidden)
  listening port: 51820

peer: xxx
  endpoint: xxx:51820
  allowed ips: 192.168.10.0/24
  latest handshake: 1 minute, 55 seconds ago
  transfer: 131.57 KiB received, 28.74 KiB sent
  persistent keepalive: every 25 seconds

peer: xxx
  allowed ips: 192.168.30.1/32
root@OpenWrt:~#

Just for testing, use Site A's current public IP instead of the domain name as the endpoint on the Android device. Looking at the dump, though, the likely cause is NAT rather than DNS: this OpenWrt box has no WAN interface of its own ('lan' is a DHCP client at 192.168.1.8 with its default route via 192.168.1.1, and the 'wan' firewall zone has no network assigned), so the WireGuard listener on UDP 51820 sits behind the internet router's NAT. The Site B tunnel has a handshake because Site A initiates it (endpoint plus persistent keepalive are configured), but the Android peer has no endpoint on Site A, so the phone must initiate, and its first packet can only arrive if the internet router forwards UDP 51820 to 192.168.1.8. Also, the route table in your dump still contains an unredacted public IP (it looks like the Site B endpoint host route) — please edit your post.

I used the current public IP.
Still not working.
I have now configured Site B as the "server" and it works :slight_smile:
But I don't know why it doesn't work on Site A.

It doesn´t matter now...
