Wireguard traffic not being routed

Hello,
I'm having some problems setting up WireGuard on my home router (which will act as the main peer, i.e. the server): peers cannot talk to other peers unless the other peer is the router itself.
I followed the instructions here to set up WG on OpenWrt.
Example settings on the peers:

[Interface]
Address = 192.168.9.10/32
PrivateKey = ...
[Peer]
PublicKey = ...
AllowedIPs = 0.0.0.0/0
... endpoint host - port...

sysctl ipv4 forwarding is enabled on the router.
Port 51820 is forwarded and peers on the internet can join the VPN.
Since peers can talk to the router just fine, I figured I must have missed (misconfigured) some firewall rules.
Is there any forwarding firewall rule that must be explicitly set on OpenWrt so that WG peers can send traffic?


Try changing netmask:

Address = .../24

I did, does not work.


Post the output:

uci show firewall; wg show
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.lan=zone
firewall.lan.name='lan'
firewall.lan.input='ACCEPT'
firewall.lan.output='ACCEPT'
firewall.lan.network='wireguard-vpn lan wireguard'
firewall.lan.forward='REJECT'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.input='REJECT'
firewall.wan.output='ACCEPT'
firewall.wan.forward='REJECT'
firewall.wan.masq='1'
firewall.wan.mtu_fix='1'
firewall.wan.network='wan'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@zone[2]=zone
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].name='guest'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].network='guest'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='wan'
firewall.@forwarding[1].src='guest'
firewall.@rule[9]=rule
firewall.@rule[9].name='Allow-Guest-DNS'
firewall.@rule[9].target='ACCEPT'
firewall.@rule[9].dest_port='53'
firewall.@rule[9].src='guest'
firewall.@rule[10]=rule
firewall.@rule[10].dest_port='67-68'
firewall.@rule[10].src='guest'
firewall.@rule[10].name='Allow-Guest-DHCP'
firewall.@rule[10].target='ACCEPT'
firewall.@rule[10].proto='udp'
firewall.@redirect[1]=redirect
firewall.@redirect[1].dest_port='51820'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].name='Router-Wireguard'
firewall.@redirect[1].src_dport='51820'
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].proto='udp'
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].dest_ip='192.168.0.1'
firewall.wg=rule
firewall.wg.name='Allow-WireGuard'
firewall.wg.src='wan'
firewall.wg.dest_port='51820'
firewall.wg.proto='udp'
firewall.wg.target='ACCEPT'
firewall.@rule[13]=rule
firewall.@rule[13].dest_port='51820'
firewall.@rule[13].src='guest'
firewall.@rule[13].name='Allow-WireGuard-Guest'
firewall.@rule[13].target='ACCEPT'
firewall.@rule[13].proto='udp'
interface: wireguard
  public key: 
  private key: (hidden)
  listening port: 51820

peer: 
  preshared key: (hidden)
  endpoint: :62312
  allowed ips: 192.168.9.2/32
  latest handshake: 12 seconds ago
  transfer: 2.06 MiB received, 8.93 MiB sent
  persistent keepalive: every 25 seconds

peer: 
  allowed ips: 192.168.9.3/32
  persistent keepalive: every 25 seconds
uci set firewall.lan.forward="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart

The second peer has no handshake.
Make sure you are using a unique key pair for each peer.
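The fix above works because in OpenWrt the zone's forward option also governs traffic forwarded between interfaces of the same zone, and with AllowedIPs = 0.0.0.0/0 on every peer the path peer -> router -> peer goes in and out of the wireguard interface, which sits in the lan zone (forward='REJECT' in the dump). The script below is an added diagnostic, not from this thread or from OpenWrt: it reads a `uci show firewall` dump on stdin and reports the forward policy of the zone that contains a given network. The sample dump is constructed to mirror the one posted above, and the function names (sample_config, zone_forward_policy, diagnose) are my own.

```shell
#!/bin/sh
# Added example: find the zone a network belongs to in a `uci show firewall`
# dump and report whether that zone forwards intra-zone traffic.

# Constructed sample, trimmed from the shape of the dump posted in the thread.
sample_config() {
cat <<'EOF'
firewall.@defaults[0]=defaults
firewall.@defaults[0].forward='REJECT'
firewall.lan=zone
firewall.lan.name='lan'
firewall.lan.input='ACCEPT'
firewall.lan.output='ACCEPT'
firewall.lan.network='wireguard-vpn lan wireguard'
firewall.lan.forward='REJECT'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.input='REJECT'
firewall.wan.output='ACCEPT'
firewall.wan.forward='REJECT'
firewall.wan.network='wan'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@zone[2]=zone
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].name='guest'
firewall.@zone[2].network='guest'
firewall.wg=rule
firewall.wg.name='Allow-WireGuard'
firewall.wg.src='wan'
firewall.wg.dest_port='51820'
firewall.wg.proto='udp'
firewall.wg.target='ACCEPT'
EOF
}

# zone_forward_policy NETWORK   (uci dump on stdin)
# Prints "<zone name> <uci section> <forward policy>" for every zone whose
# network list contains NETWORK ("-" when an option is absent).
zone_forward_policy() {
  awk -v target="$1" -v q="'" '
    !/^firewall\./ { next }                  # skip anything that is not a uci line
    {
      line = substr($0, 10)                  # drop the "firewall." prefix
      eq = index(line, "=")
      key = substr(line, 1, eq - 1)
      val = substr(line, eq + 1)
      gsub(q, "", val)                       # strip the single quotes uci prints
      dot = index(key, ".")
      if (dot == 0) { stype[key] = val; next }   # "section=type" line
      sec = substr(key, 1, dot - 1)
      opt = substr(key, dot + 1)
      if (opt == "network") net[sec] = val
      else if (opt == "forward") fwd[sec] = val
      else if (opt == "name") name[sec] = val
    }
    END {
      for (s in stype) {
        if (stype[s] != "zone") continue
        n = split(net[s], members, " ")
        for (i = 1; i <= n; i++)
          if (members[i] == target)
            print (name[s] == "" ? "-" : name[s]), s, (fwd[s] == "" ? "-" : fwd[s])
      }
    }'
}

# diagnose NETWORK   (uci dump on stdin)
# Returns 0 when the zone holding NETWORK accepts intra-zone forwarding,
# 1 otherwise (with the uci commands that would change it).
diagnose() {
  net=$1
  result=$(zone_forward_policy "$net")
  if [ -z "$result" ]; then
    echo "network '$net' is not a member of any zone"
    return 1
  fi
  set -- $result
  zone=$1; sec=$2; policy=$3
  if [ "$policy" = "ACCEPT" ]; then
    echo "zone '$zone' forwards intra-zone traffic: peers on '$net' can reach each other"
    return 0
  fi
  [ "$policy" = "-" ] && policy="(inherits @defaults forward)"
  echo "zone '$zone' forward=$policy: peers on '$net' cannot reach each other through the router"
  echo "fix: uci set firewall.$sec.forward='ACCEPT'; uci commit firewall; /etc/init.d/firewall restart"
  return 1
}

# Stand-alone run against the constructed sample. On a router you would
# feed the real dump instead:  uci show firewall | sh this_script.sh
sample_config | diagnose wireguard || :
```

Note what the fix does beyond the peer-to-peer case: forward='ACCEPT' on the lan zone opens forwarding among all three networks in that zone (wireguard-vpn, lan and wireguard), so every VPN peer can then reach every LAN host as well as the other peers. If only peer-to-peer reachability is wanted, putting the wireguard network in its own zone with forward='ACCEPT' and explicit forwardings to lan/wan is the tighter layout.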

Yes, they do have unique keys and are working; I had just restarted the interface.

Thanks, setting the lan forwarding rule does help somewhat: peers on the LAN network can now ping the peer on the internet, but not vice versa. Do you know why?


If the LAN PC is using Windows, allow ICMP/ping from outside the local subnet in the Windows firewall.

Everything's working now, thank you.
