I am trying to connect from a mobile to an OpenWrt 24.10.2 WireGuard server without success. I tried from both Android 15 and iOS 18.5, but no handshake was made.
wg show shows no handshake.
However, I was able to establish a tunnel properly between this router and another router using WireGuard, and I also have this router as a client to Proton VPN.
So more or less I know how to set up WireGuard properly, but in this case no luck. It seems packets are coming and going from this router, but there is no way to know if they reach the mobile phone. No Wireshark on the mobile phone. Are there any ways to activate some WireGuard logs?
Maybe the providers blocked WireGuard, however that is hard to believe as I tried two different ISPs and also two different mobile operators. And also I was able to properly establish other tunnels, but not to mobile phones.
egc
June 29, 2025, 6:16pm
I run multiple WireGuard tunnels: server, clients and site-to-site.
I have made some notes on how to set them up; maybe they are helpful:
There is also a paragraph in the Server setup guide about running a concurrent WireGuard "server" and "client".
rparge
June 30, 2025, 10:24pm
I used this guide and it worked perfectly; I used it today while camping.
Android 16.
Unfortunately it is not working. I was able to establish a WireGuard tunnel to another VPN provider and also to another site without any issue. Everything was OK. But to mobile, not. I suspected the UDP sent from OpenWrt does not reach the mobile phone. I tried also IPsec, same problem. I see packets coming and going from the router, the connection says it is OK, but no traffic. I tried also OpenVPN. With TCP it works fine, with UDP not. So I'm almost sure UDP is the issue. For the moment I was able to create a tunnel with OpenVPN. Is there any way to make WireGuard use TCP instead of UDP? I know there are some tools to tunnel UDP through TCP, but I did not find such a tool for mobile phones which are not even rooted.
Are you talking about WireGuard UDP packets or general internet connectivity? Can you connect from your phone to your WAN IP, like at least see a SYN packet in tcpdump?
Yes, I'm talking about WireGuard UDP packets. So running tcpdump on the router I see a UDP packet coming from the mobile, the router responds to that packet, then again the mobile sends a packet, and the router responds to it. All packets sent by the mobile are the same size, all packets responded by the router are the same size, but that's it. No traffic occurs, and wg show does not show any handshake. It is like the packet sent by the router does not reach. It is an assumption, as I don't have Wireshark on the mobile.
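An added example for the observation in the post above (not code from the thread): WireGuard's three handshake messages have fixed on-the-wire sizes (initiation 148 bytes, response 92, cookie reply 64), and transport data is a 16-byte header plus ciphertext, so the `length` field tcpdump prints on the router is enough to tell how far a handshake gets without any capture on the phone. The server port 51821 is taken from the posted config; the capture lines and the 203.0.113.7 phone address are constructed for the example. On OpenWrt, `opkg install tcpdump-mini` (or `tcpdump`) and `tcpdump -ni any udp port 51821 > wg.txt` produce the input format parsed here.

```python
"""Classify WireGuard UDP packets from tcpdump output and report handshake progress.

Added example, not from the thread. Sizes come from the WireGuard protocol's
fixed-length handshake messages; the capture text below is constructed.
"""
import re
from collections import Counter

# Fixed handshake sizes. Transport data is a 16-byte header plus ciphertext
# with a 16-byte Poly1305 tag, padded to a multiple of 16, so it is >= 32
# bytes and a multiple of 16; exactly 32 bytes is a keepalive.
HANDSHAKE_SIZES = {148: "initiation", 92: "response", 64: "cookie-reply"}

# Default one-line format of `tcpdump -n` for a UDP datagram; works with the
# "wan In"/"wan Out" prefix newer tcpdump adds on `-i any`.
TCPDUMP_UDP = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): UDP, length (?P<length>\d+)"
)


def classify(length: int) -> str:
    """Map a UDP payload length to a WireGuard message kind."""
    if length in HANDSHAKE_SIZES:
        return HANDSHAKE_SIZES[length]
    if length >= 32 and length % 16 == 0:
        return "data"
    return "unknown"


def parse(lines, server_port: int):
    """Return [(direction, kind)] for packets to ("in") or from ("out") server_port."""
    events = []
    for line in lines:
        m = TCPDUMP_UDP.search(line)
        if not m:
            continue
        if int(m["dport"]) == server_port:
            events.append(("in", classify(int(m["length"]))))
        elif int(m["sport"]) == server_port:
            events.append(("out", classify(int(m["length"]))))
    return events


def diagnose(events) -> str:
    """Say where the handshake stops, seen from the responder (router) side."""
    c = Counter(events)
    if c[("in", "initiation")] == 0:
        return "no-initiation-received"  # nothing arrives: firewall/DNAT/ISP/wrong endpoint
    if c[("out", "response")] == 0:
        if c[("out", "cookie-reply")]:
            return "cookie-challenge-only"  # router under load, peer must retry with cookie
        return "initiation-rejected"  # router dropped it: mac1/static key mismatch on router
    if c[("in", "data")] == 0:
        # The router answered, so its key lookup succeeded. The responder only
        # records a completed handshake on the first data packet from the
        # initiator; none came, so the phone did not receive or did not accept
        # the 92-byte response (return path from the router, or a preshared key
        # configured on only one side).
        return "response-not-accepted"
    return "handshake-complete"


# Constructed capture matching the symptom described above: one size in each
# direction, repeating every ~5 s, nothing else.
STUCK = """\
18:05:01.112233 IP 203.0.113.7.50096 > 192.168.106.2.51821: UDP, length 148
18:05:01.113001 IP 192.168.106.2.51821 > 203.0.113.7.50096: UDP, length 92
18:05:06.301200 IP 203.0.113.7.50096 > 192.168.106.2.51821: UDP, length 148
18:05:06.301900 IP 192.168.106.2.51821 > 203.0.113.7.50096: UDP, length 92
""".splitlines()

# Constructed healthy exchange: response accepted, keepalive (32) then data.
HEALTHY = STUCK[:2] + """\
18:05:01.150000 IP 203.0.113.7.50096 > 192.168.106.2.51821: UDP, length 32
18:05:01.400000 IP 203.0.113.7.50096 > 192.168.106.2.51821: UDP, length 96
18:05:01.430000 IP 192.168.106.2.51821 > 203.0.113.7.50096: UDP, length 128
""".splitlines()

if __name__ == "__main__":
    for name, cap in (("stuck", STUCK), ("healthy", HEALTHY)):
        ev = parse(cap, 51821)
        print(name, dict(Counter(ev)), "->", diagnose(ev))
```

If the router is sending 92-byte responses and the phone keeps re-sending 148-byte initiations, the keys on the router side are fine (it could not have built a response otherwise); the thing to trace is whether the response actually leaves on the same WAN the initiation arrived on and whether a preshared key is set on one side only. The kernel module can also log handshake events through dynamic debug (`echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control`, then `dmesg`), but that needs a kernel built with dynamic debug and debugfs, which OpenWrt release kernels normally do not enable, so the size-based classification above is the portable check.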
egc
July 1, 2025, 4:59pm
Make sure to disable all other VPN connections while testing the WireGuard server.
I did, I also deleted them entirely, but without success.
Let's take a look at the configs:
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
```
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
wg show
```
And please show the config from the phone as well.
brada4
July 1, 2025, 5:59pm
In the configs, add the last 5 characters of the keys, for us to tell them from each other.
psherman: cat /etc/config/firewall
```
root@OpenWrt:~# ubus call system board
{
	"kernel": "6.6.93",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "Xiaomi AX3600",
	"board_name": "xiaomi,ax3600",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.2",
		"revision": "r28739-d9340319c6",
		"target": "qualcommax/ipq807x",
		"description": "OpenWrt 24.10.2 r28739-d9340319c6",
		"builddate": "1750711236"
	}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd05:e01d:2c8b::/48'
	option packet_steering '0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan2'
	list ports 'lan3'
	option flow_offloading '0'
	option packet_steering '0'
	option flow_offloading_hw '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.105.2'
	option netmask '255.255.255.0'
	list dns_search 'b'
	option delegate '0'
	option ipv6 '0'
	option metric '10'

config interface 'wan'
	option device 'wan'
	option proto 'static'
	option ipaddr '192.168.106.2'
	option netmask '255.255.255.0'
	option gateway '192.168.106.3'
	option metric '20'
	option delegate '0'
	option ipv6 '0'

config interface 'wan2'
	option proto 'pppoe'
	option username 'XXX'
	option password 'XXX'
	option metric '10'
	option peerdns '0'
	option ipv6 '0'
	option delegate '0'
	option device 'lan1'

config device
	option name 'wan'
	option ipv6 '0'

config interface 'wg0'
	option proto 'wireguard'
	option listen_port '51820'
	option mtu '1420'
	option private_key 'zYlM='
	list addresses '192.168.108.161/28'
	option disabled '1'
	option auto '0'

config wireguard_wg0
	option description 'Campulung'
	option public_key 'K6k4='
	list allowed_ips '0.0.0.0/0'
	option endpoint_host 'XXX'
	option endpoint_port '51820'
	option route_allowed_ips '1'

config route
	option interface 'wg0'
	option target '192.168.107.0/26'

config route
	option interface 'wg0'
	option target '192.168.110.0/28'

config route
	option interface 'wan'
	option target '0.0.0.0/0'
	option table '100'
	option metric '10'
	option onlink '1'
	option gateway '192.168.106.3'
	option disabled '1'

config rule
	option src '192.168.105.7/32'
	option lookup '100'
	option disabled '1'

config device
	option type 'macvlan'
	option ifname 'lan1'
	option mode 'private'
	option name 'lan1wan2'
	option mtu '1492'

config device
	option name 'lan1'

config interface 'hcl'
	option proto 'static'
	option ipaddr '192.168.111.2'
	option netmask '255.255.255.192'

config device
	option name 'wg1'
	option ipv6 '0'

config interface 'wg1'
	option proto 'wireguard'
	option private_key 'QzmQ='
	list addresses '10.2.0.2/32'
	list dns '10.2.0.1'
	option metric '30'
	option disabled '1'
	option auto '0'

config wireguard_wg1
	option description 'Imported peer configuration'
	option public_key 'fIGI='
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '185.183.33.11'
	option endpoint_port '51820'

config rule
	option src '192.168.105.62/32'
	option out 'wg1'
	option lookup 'default'

config interface 'wg2'
	option proto 'wireguard'
	option private_key 'gy1k='
	list addresses '192.168.108.177/28'
	option listen_port '51821'
	option metric '40'

config wireguard_wg2
	option description 'XS'
	option public_key 'gGmc='
	option private_key 'FVls='
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'

config interface 'vpn0'
	option proto 'none'
	option device 'tun0'

root@OpenWrt:~# wg show
interface: wg2
  public key: xr1A=
  private key: (hidden)
  listening port: 51821

peer: gGmc=
  endpoint: 109.166.135.90:50096
  allowed ips: 0.0.0.0/0
  transfer: 38.73 KiB received, 24.08 KiB sent
root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option fullcone '1'
	option fullcone6 '0'
	option synflood_protect '1'
	option drop_invalid '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'
	list network 'lan'
	list network 'wg0'
	list network 'vpn0'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option forward 'REJECT'
	option input 'REJECT'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan2'
	list network 'wg1'
	list network 'wg2'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'
	option enabled '0'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option target 'ACCEPT'
	list icmp_type 'echo-request'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'SMTP'
	list proto 'tcp'
	option src 'wan'
	option dest 'lan'
	option target 'ACCEPT'
	option dest_port '25'
	option enabled '0'

config rule
	option name 'RDP'
	list proto 'tcp'
	option src 'wan'
	option dest 'lan'
	option target 'ACCEPT'
	option dest_port '3389'
	option enabled '0'

config rule
	option name 'HTTP PI'
	list proto 'tcp'
	option src 'wan'
	option dest 'lan'
	option target 'ACCEPT'
	option dest_port '80'
	option enabled '0'

config rule
	option name 'HTTPS PI'
	list proto 'tcp'
	option src 'wan'
	option dest 'lan'
	option target 'ACCEPT'
	option dest_port '443'
	option enabled '0'

config rule
	option name 'IMAPS'
	list proto 'tcp'
	option src 'wan'
	option dest 'lan'
	option target 'ACCEPT'
	option dest_port '993'
	option enabled '0'

config rule
	option name 'STUN'
	option src 'wan'
	option dest 'lan'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'
	option dest_port '3478-3479'
	option enabled '0'

config rule
	option name 'STUNS'
	option src 'wan'
	option dest 'lan'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'
	option dest_port '5349-5350'
	option enabled '0'

config ipset
	option name 'blockIP'
	option family 'ipv4'
	option match 'dest_ip'
	option storage 'hash'
	option flags 'interval'
	option loadfile '/etc/config/config-files/blockIP'

config ipset
	option name 'blockDOH'
	option family 'ipv4'
	option match 'dest_ip'
	option storage 'hash'
	option loadfile '/etc/config/config-files/blockDOH'

config rule
	option name 'WIREGUARD'
	list proto 'udp'
	option dest_port '51820'
	option target 'ACCEPT'
	option src 'wan'

config rule
	option name 'WIREGUARD1'
	list proto 'udp'
	option src 'wan'
	option dest_port '51821'
	option target 'ACCEPT'

config rule
	option name 'PING1'
	list proto 'icmp'
	option target 'ACCEPT'
	option src 'wan'
	option dest 'lan'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'HTTPS'
	list proto 'tcp'
	option src 'wan'
	option src_dport '448'
	option dest_ip '192.168.105.55'
	option dest_port '443'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'HTTP'
	list proto 'tcp'
	option src 'wan'
	option src_dport '82'
	option dest_ip '192.168.105.51'
	option dest_port '80'

config rule
	option name 'HTTPS U'
	list proto 'tcp'
	option src 'wan'
	option src_port '448'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'HTTPPI'
	list proto 'tcp'
	option src 'wan'
	option src_dport '81'
	option dest_ip '192.168.105.7'
	option dest_port '80'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'HTTPSPI'
	option src 'wan'
	option src_dport '445'
	option dest_ip '192.168.105.7'
	option dest_port '443'
	list proto 'tcp'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'SMTP'
	list proto 'tcp'
	option src 'wan'
	option src_dport '25'
	option dest_ip '192.168.105.7'
	option dest_port '25'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'IMAPS'
	list proto 'tcp'
	option src 'wan'
	option src_dport '993'
	option dest_ip '192.168.105.7'
	option dest_port '993'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'STUN1'
	option src 'wan'
	option src_dport '3478'
	option dest_ip '192.168.105.7'
	option dest_port '3478'
	list proto 'tcp'
	list proto 'udp'

config redirect
	option dest 'lan'
	# posted as "option target 'STUN2'", which is not a valid redirect target
	# (fw4 would skip the whole redirect); DNAT is what the sibling STUN1 rule uses
	option target 'DNAT'
	option src 'wan'
	option src_dport '3479'
	option dest_ip '192.168.105.7'
	option dest_port '3479'
	option name 'STUN2'
	list proto 'tcp'
	list proto 'udp'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'STUNS1'
	option src 'wan'
	option src_dport '5349'
	option dest_ip '192.168.105.7'
	option dest_port '5349'
	list proto 'tcp'
	list proto 'udp'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'STUNS2'
	option src 'wan'
	option src_dport '5350'
	option dest_ip '192.168.105.7'
	option dest_port '5350'
	list proto 'tcp'
	list proto 'udp'

config rule
	option name 'BLOCK DNS overTLS (DOT)'
	option dest 'wan'
	option target 'DROP'
	option src '*'
	option dest_port '853'

config rule
	option name 'BLOCK DNS overTLS (DOT)'
	option dest 'wan'
	option target 'DROP'
	option dest_port '853'

config rule
	option name 'BLOCK DOH'
	option dest 'wan'
	option target 'DROP'
	option ipset 'blockDOH'
	option dest_port '443'

config redirect
	option target 'DNAT'
	option src 'lan'
	option src_dport '53'
	option dest_ip '192.168.105.2'
	option dest_port '53'

config rule
	option name 'BLOCK TPLINK'
	option src '*'
	list src_mac '9C:A2:F4:8C:80:6C'
	option target 'DROP'
	list proto 'all'
	option dest 'wan'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'SMTPS'
	option family 'ipv4'
	list proto 'tcp'
	option src 'wan'
	option src_dport '587'
	option dest_ip '192.168.105.7'
	option dest_port '587'

config rule
	option name 'Allow Auctionnet'
	option dest 'wan'
	list dest_ip '193.14.90.203'
	option target 'ACCEPT'
	option src '*'
	list src_ip '192.168.105.26'
	list src_ip '192.168.105.62'
	list proto 'all'

config rule
	option name 'Deny auctionnet'
	option direction 'out'
	option target 'DROP'
	option dest 'wan'
	option device 'wan'
	option src '*'
	list dest_ip '193.14.90.203'
	list proto 'all'
	option enabled '0'

config rule
	option name 'sshin'
	option src 'wan'
	option dest_port '444'
	option target 'ACCEPT'

config zone
	option name 'lan1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'

config forwarding
	option src 'lan1'
	option dest 'wan'

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option name 'hcl'
	list network 'hcl'

config forwarding
	option src 'hcl'
	option dest 'wan'

config include 'qcanssecm'
	option type 'script'
	option path '/etc/firewall.d/qca-nss-ecm'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/firewall.include'

config rule
	option src 'wan'
	option name 'ALLOW OPENVPN'
	list proto 'tcp'
	option dest_port '1194'
	option target 'ACCEPT'

root@OpenWrt:~#
```
Mobile (WireGuard app):
```
Interface:
  Private Key: FVls=
  Public Key:  gGmc=
  Address:     (empty)
  Listen Port: (empty)
  MTU:         (empty)
  DNS servers: 192.168.108.177

Peer:
  Public Key:  wxr1A=
  Endpoint:    XXX:51821
  Allowed IPs: 0.0.0.0/0, ::/0
```
brada4
July 1, 2025, 6:20pm
How did you land on such a config? Steering in the bridge definition looks more like a chatbot "enhancement"?
There's a lot in there that is making this more complex.
It seems you have 2 WANs, one of them behind an upstream router and the other one directly terminated via a local PPPoE connection. You've also got macvlans and a bunch of wg VPNs still in there, some custom routes, and custom routing tables.
There's also some stuff that doesn't make sense -- for example:
Where did some of these things come from? Are you still using all of the elements of this config (multiple VPNs, multiple WANs, macvlan, etc.)?
Yes, I am using 2 WANs load balanced through mwan3.
The connection behind another router is the main one; the other one is disconnected for the moment by unplugging the cable from the router.
wireguard0 and 1 are disabled for the moment, and tun0 is the connection using OpenVPN, which works, because the WireGuard one did not work.
These are coming from previous OpenWrt releases where iptables was used. They should be removed.
brada4
July 1, 2025, 6:44pm
That is a complete lie, you restored the config from some OpenWrt clone; you need to reset the device and create all configs from zero.
What do you mean, a lie? It was upgraded from 21.xx to 22.x to 23.x to 24.x. What clone are you talking about?
I don't recall any official OpenWrt releases that ever used these options.
But regardless, it's going to be fairly challenging to figure out what's wrong with the config given the number of variables here.
The one thing I see here that stands out immediately is your allowed IPs... in the peer...
It should be 192.168.108.178/32.
And likewise, you don't have an address on the phone's config:
The address should be the same as the peer address I just described. Listen port should be blank (as it probably is).
If that doesn't fix the issue, I'm not entirely certain what is causing the problem (too much to read through and untangle in this config).
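The two checks the reply above applies by eye, as an added example that is not code from the thread: on the router ("server") side each phone peer's allowed IPs must be that phone's single host address inside the tunnel subnet, and the phone's Address must be that same host. The script below is a small linter for the UCI fragment as posted, with the suggested fix beside it; it also flags the phone's private key sitting in the router's peer section (`option private_key 'FVls='`, visible above), which netifd does not use and which should never leave the phone. The UCI reader is a simplified one written for this example, and the finding codes and the `phones` mapping (peer public key to the phone's configured Address) are my own naming; both sample texts are constructed from the posted config, keys truncated as posted.

```python
"""Lint OpenWrt UCI WireGuard server peers for a phone (road-warrior) setup.

Added example, not from the thread. Simplified UCI reader plus the checks
discussed above; sample texts are constructed from the posted wg2 section.
"""
import ipaddress
import shlex


def parse_uci(text):
    """Return UCI sections: {"type", "name", "options": {k: v}, "lists": {k: [v]}}."""
    sections, cur = [], None
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if not parts:
            continue
        if parts[0] == "config":
            cur = {"type": parts[1], "name": parts[2] if len(parts) > 2 else None,
                   "options": {}, "lists": {}}
            sections.append(cur)
        elif parts[0] == "option" and cur is not None:
            cur["options"][parts[1]] = parts[2] if len(parts) > 2 else ""
        elif parts[0] == "list" and cur is not None:
            cur["lists"].setdefault(parts[1], []).append(parts[2])
    return sections


def lint_server_peers(text, phones):
    """Check peers without an endpoint on every listening WireGuard interface.
    phones: peer public key -> phone's Address, or None if that field is empty.
    Returns sorted (interface, code) findings; an empty list means clean."""
    findings, sections = set(), parse_uci(text)
    for iface in sections:
        opts = iface["options"]
        if iface["type"] != "interface" or opts.get("proto") != "wireguard":
            continue
        if "listen_port" not in opts:
            continue  # client-only interface (like wg1 to a VPN provider)
        name = iface["name"]
        addrs = [ipaddress.ip_interface(a) for a in iface["lists"].get("addresses", [])]
        for peer in sections:
            popts = peer["options"]
            if peer["type"] != f"wireguard_{name}" or "endpoint_host" in popts:
                continue
            pub, allowed = popts.get("public_key"), peer["lists"].get("allowed_ips", [])
            if "private_key" in popts:
                findings.add((name, "private-key-in-peer"))  # the phone's secret, on the server
            if not allowed:
                findings.add((name, "no-allowed-ips"))
            for a in allowed:
                net = ipaddress.ip_network(a, strict=False)
                if net.prefixlen == 0:
                    # 0.0.0.0/0 lets this peer claim any source address, and with
                    # route_allowed_ips it also installs a default route into wg2.
                    findings.add((name, "catch-all-allowed-ips"))
                    if popts.get("route_allowed_ips") == "1":
                        findings.add((name, "default-route-via-peer"))
                    continue
                fam = [x for x in addrs if x.version == net.version]
                if net.prefixlen != net.max_prefixlen:
                    findings.add((name, "non-host-allowed-ips"))
                if not any(net.subnet_of(x.network) for x in fam):
                    findings.add((name, "allowed-ip-outside-tunnel-subnet"))
                if any(x.ip == net.network_address for x in fam):
                    findings.add((name, "allowed-ip-is-server-address"))
                if phones.get(pub) is not None:
                    if ipaddress.ip_interface(phones[pub]).ip != net.network_address:
                        findings.add((name, "phone-address-mismatch"))
            if pub in phones and phones[pub] is None:
                findings.add((name, "phone-no-address"))
    return sorted(findings)


# Constructed from the wg2 section posted above (keys truncated as posted).
POSTED_WG2 = """\
config interface 'wg2'
	option proto 'wireguard'
	option private_key 'gy1k='
	list addresses '192.168.108.177/28'
	option listen_port '51821'

config wireguard_wg2
	option description 'XS'
	option public_key 'gGmc='
	option private_key 'FVls='
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
"""

# Same section with the fix suggested above; route_allowed_ips is harmless
# once the allowed IP is a single host inside the tunnel subnet.
FIXED_WG2 = POSTED_WG2.replace("\toption private_key 'FVls='\n", "") \
                      .replace("'0.0.0.0/0'", "'192.168.108.178/32'")

if __name__ == "__main__":
    print("posted:", lint_server_peers(POSTED_WG2, {"gGmc=": None}))
    print("fixed: ", lint_server_peers(FIXED_WG2, {"gGmc=": "192.168.108.178/32"}))
```

Run against the posted fragment with the phone's Address left empty, the linter reports the catch-all allowed IPs, the default route it would install, the leaked private key and the missing phone address; the corrected fragment with `Address = 192.168.108.178/32` on the phone reports nothing.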
I tried the proposed changes but still the same. Anyway, thank you for trying to help.