Wireguard VPN configuration not working

I have
1- Wireguard server running on a remote TP-Link, OpenWRT router and
2- Wireguard client running on my local TP-Link, OpenWRT router.

They seem to be communicating because keep-alive packets are being sent by client and received and registered at both ends.

But I cannot get any traffic to go through the VPN tunnel.

With OpenVPN as soon as the VPN is enabled all traffic is directed through the VPN but with Wireguard all traffic stays on the same non-vpn routes.

I have assigned the remote server address 10.8.0.1 and ping gets no response.

I am quite wary of modifying any routing rules and more so when they involve both OpenWRT and Wireguard.

What can I do or test?

On the client Enable route Allowed IPs in the Peers section of the wg client interface

Thanks but it is already checked.

If I ping the WG server at 10.8.0.1 I get no response.

If I do traceroute 10.8.0.1 I see the route goes out the non-vpn gateway and then goes nowhere.

How can I force packets through the vpn tunnel?

Let's see the following from both devices:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
wg show

Thanks, here goes the client side, I will need some time to get the server side. I have added some comments where they might seem helpful. I will also add that I would like to disable all IPV6 because this setup is all in the IPV4 domain.


root@OpenWrt:~# ubus call system board
{
	"kernel": "5.10.176",
	"hostname": "OpenWrt",
	"system": "Atheros AR9132 rev 2",
	"model": "TP-Link TL-WR1043ND v1",
	"board_name": "tplink,tl-wr1043nd-v1",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.5",
		"revision": "r20134-5f15225c1e",
		"target": "ath79/generic",
		"description": "OpenWrt 22.03.5 r20134-5f15225c1e"
	}
}

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdae:d844:cedd::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.0.1'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '0'
	option enable_vlan4k '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 5t'

config interface 'wwan'  <<-- Note I am using WiFi for WAN
	option proto 'dhcp'

config interface 'WG_VPN'
	option proto 'wireguard'
	option private_key 'asPgu.....'
	option listen_port '5port9'
	list addresses '10.8.1.2' << Client, Server is 10.8.1.1
	option defaultroute '0'

config wireguard_WG_VPN
	option endpoint_host 'Endpoint IP'
	option endpoint_port '5port9'
	option description 'VPNserver'
	option public_key 'public key'
	option private_key 'private key'
	option persistent_keepalive '25'

config rule
	option in 'lan'
	option out 'WG_VPN'
	option dest 'X.X.X.X/32' << This looks like left over from some experimenting I did

config device
	option name 'WG_VPN'
	option ipv6 '0'

config route
	option target '0.0.0.0/0'
	option gateway 'local gateway ip'
	option interface 'lan'

config route
	option interface 'WG_VPN'
	option target '10.8.1.1/24'
	option gateway '10.8.1.1'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	option masq '1'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'
	option input 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'WG_VPN'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list network 'WG_VPN'

config forwarding
	option src 'WG_VPN'
	option dest 'lan'

config forwarding
	option src 'WG_VPN'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'WG_VPN'

config forwarding
	option src 'wan'
	option dest 'WG_VPN'

root@OpenWrt:~# wg show
interface: WG_VPN
  public key: public key=
  private key: (hidden)
  listening port: 5port9

peer: public key=
  endpoint: X.X.X.X: 5port9
  allowed ips: (none)
  latest handshake: 29 seconds ago
  transfer: 6.56 KiB received, 24.26 KiB sent
  persistent keepalive: every 25 seconds

root@OpenWrt:~# 

Remove the default route line.

Add this to the stanza above:

	option route_allowed_ips '1'

Delete all of this:

Remove masquerading from the lan zone:

This is dangerous - the wan zone currently has input and forward set to ACCEPT; change both to REJECT:

Delete these:

And delete this:

Reboot and test again.

WOW!, Thanks but please take into account I am a total newbie and quite ignorant of all this and I am using the luci GUI to do things. I do not know if there may be a more effective way by editing some file directly.

While I have a look at all that I will mention that I noticed something odd on the server side and it is that even though the client configuration info has the correct endpoint ip and port, "wg show" shows the correct ip but another, incorrect port.

Any idea?

Remove the default route line

I do not see that option in luci GUI

Add this to the stanza above:
option route_allowed_ips '1'

Again I do not see that option in the GUI

I am guessing I need to extract a file from the router to my computer, edit it and send it back to the router.

Yes? If so, what file and how can I do this?

Edit: I am looking around the files in the router file system to see if I can find any likely candidates but I cannot find any with obviously suspicious names like "wireguard" or "wg" in them. I have no idea where the configuration is kept.

The files to edit are
/etc/config/network
/etc/config/firewall

Ha. The files to edit should have been obvious to me since they were the ones being displayed. I guess I am no Sherlock Holmes.

At any rate, I have learned to transfer the files to my desktop with scp, edit them and then transfer back again using scp.

Again, I have no idea what any of this means or does and I am going blindly but I think getting rid of any IPV6 stuff might make things simpler and clearer.

I believe I have done everything you told me and here is the result:

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix ':/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.0.1'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '0'
	option enable_vlan4k '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 5t'

config interface 'wwan'
	option proto 'dhcp'

config interface 'WG_VPN'
	option proto 'wireguard'
	option private_key '...='
	option listen_port '5p'
	list addresses '10.8.1.2'

config wireguard_WG_VPN
	option endpoint_host 'endpoint'
	option endpoint_port '5p'
	option description 'VPNserver'
	option public_key 'r='
	option private_key '0E='
	option persistent_keepalive '25'
	option route_allowed_ips '1'



 cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	option masq '0'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'
	option input 'REJECT'
	option forward 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip ':/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'WG_VPN'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list network 'WG_VPN'

config forwarding
	option src 'lan'
	option dest 'WG_VPN'

root@OpenWrt:~# 



root@OpenWrt:~# wg show
interface: WG_VPN
  public key: ...=
  private key: (hidden)
  listening port: 5p9

peer: ...A=
  endpoint: correct ip:5p9
  allowed ips: (none)
  latest handshake: 34 seconds ago
  transfer: 552 B received, 1.87 KiB sent
  persistent keepalive: every 25 seconds

I will have a look at the server side.

Here goes the server side. One thing that calls my attention is that even though the client endpoint port # is correct in the configuration, a wrong port # appears in wg show. It seems to be just a random number.

ubus call system board

	"kernel": "5.15.167",
	"hostname": "OpenWrt",
	"system": "Qualcomm Atheros QCA9558 ver 1 rev 0",
	"model": "TP-Link Archer C7 v2",
	"board_name": "tplink,archer-c7-v2",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.5",
		"revision": "r24106-10cc5fcd00",
		"target": "ath79/generic",
		"description": "OpenWrt 23.05.5 r24106-10cc5fcd00"





cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '.....::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.0.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 6t'

config interface 'WLAN'
	option proto 'static'
	option device 'phy0-ap0'
	list ipaddr '192.168.0.1'

config interface 'WLAN5'
	option proto 'static'
	option device 'phy1-ap0'
	option ipaddr '192.168.0.1'
	option netmask '255.255.255.0'

config device
	option name 'phy0-ap0'
	option ipv6 '0'

config device
	option name 'phy1-ap0'
	option ipv6 '0'

config interface 'Wireguard'
	option proto 'wireguard'
	option private_key '....='
	option listen_port '5port9'
	list addresses '10.8.1.1'

config device
	option name 'Wireguard'

config wireguard_Wireguard
	option description 'Client1'
	option public_key '.....='
	option endpoint_port '5port9' >>> Port correct
	list allowed_ips '10.8.1.1/24'


cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'Wireguard'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	list network 'lan'
	list network 'wan'
	list network 'Wireguard'

config forwarding
	option src 'Wireguard'
	option dest 'lan'

config forwarding
	option src 'Wireguard'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'Wireguard'

config forwarding
	option src 'wan'
	option dest 'Wireguard'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Wireguard'
	option src 'wan'
	option src_dport '5port9'
	option dest_ip '10.8.1.1'
	option dest_port '5port9'





 wg show
interface: Wireguard
  public key: .....=
  private key: (hidden)
  listening port: 5port9

peer: f5e4E=
  endpoint: correct: >>> PORT NOT CORRECT
  allowed ips: 10.8.1.0/24
  latest handshake: 1 minute, 46 seconds ago
  transfer: 11.07 KiB received, 3.05 KiB sent

From the client side, remove the listen port:

The only port that actually matters is the 'server' side of the equation since it is listening for inbound connections. The other peer ('client') will indeed use a random port number.

Not related to WG, but you have issues on the 'server' side

These two network interfaces are invalid because they have the same address and subnet as your lan. They also should not reference the radio hardware. Delete them (or if they're needed, they need to be on different subnets; but delete the device lines):

Delete these:

You need a subnet size -- change the address below to 10.8.1.1/24:

Delete this:

The allowed IP is wrong here -- it must not be the same as the main interface, and it needs to be a /32. Use 10.8.1.2/32. You also need to remove the endpoint port, and then add one line: option route_allowed_ips '1':

You can only have a network in a single firewall zone... the wan and lan do not belong here, remove them:

Delete this:

This should be deleted and replaced with a standard traffic rule that accepts UDP port [insert your port number] from src wan:

And there is one more issue -- your 'server' and 'client' routers have the same subnet for the lan. They must be different. Change the address on one or the other, ideally to a really uncommon one such as 192.168.132.1.

Once that is done, reboot and try again.

I'll be happy to review the two files from each system after you're done.

Wow! This is escalating and more complicated than I had anticipated. We shall see if I can keep up. I am doing what I can but it is all very complicated for me and I may have made mistakes or introduced errors. All this file transferring and editing is a bit confusing and easy for me to make mistakes.

I have removed the listen port from the client as you said.

Regarding what you say that the client uses a random port number I trust this is set up by WG and I do not need to forward this port at the router level to the client... which is impossible since we don't know the port number. So I trust I do not need to be concerned with this and I will just leave the issue aside.

On the server side, regarding "two networks interfaces are invalid because they are the same address and subnet as your lan", I am confused by this. Those two interfaces are the two 2.4 and 5 band WiFi interfaces and they appeared there when I installed OpenWRT. It seems to me they need to be on the same subnet as the Ethernet LAN. Rather than delete or change anything I have just disabled both WiFis as I can get by without WiFi for now and I can deal with this issue once I have the VPN working ... a target which seems to be moving away rather than closer.

So, on the server side now I only have three interfaces UP: Ethernet IPV4 LAN, Ethernet WAN and Wireguard VPN.

On the client side I have Ethernet IPV4 LAN, WG_VPN and WiFi WWAN enabled and the rest, including Ethernet WAN, disabled.

Regarding your comment "And there is one more issue -- your 'server' and 'client' routers have the same subnet for the lan. They must be different. Change the address on one or the other, ideally to a really uncommon one such as 192.168.132.1." I understand what you mean, but with OpenVPN I had them on the same subnet without problems, precisely so they could be mutually "local". What I do to prevent address collisions is give all devices static IPs so there are no duplicates. This is what I want, if possible, and it works fine with OpenVPN. Can it work the same way with Wireguard provided I avoid duplicate IPs?

I am posting the Server side files for now before I mess up much more and will post the client side later.

With these changes I have made so far I still cannot get to ping 10.8.1.1 from the client.

I appreciate your help. Thanks.

 cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '.......::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.0.1'
	option netmask '255.255.255.0'
	option delegate '0'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 6t'

config interface 'WLAN'
	option proto 'static'
	option device 'phy0-ap0'
	list ipaddr '192.168.0.1'

config interface 'WLAN5'
	option proto 'static'
	option device 'phy1-ap0'
	option ipaddr '192.168.0.1'
	option netmask '255.255.255.0'

config device
	option name 'phy0-ap0'
	option ipv6 '0'

config device
	option name 'phy1-ap0'
	option ipv6 '0'

config interface 'Wireguard'
	option proto 'wireguard'
	option private_key '......='
	option listen_port '5p9'
	list addresses '10.8.1.1/24'

config device
	option name 'Wireguard'
	option ipv6 '0'

config wireguard_Wireguard
	option description 'Client1'
	option public_key '.........='
	option endpoint_port '5p9'

config device
	option name 'eth0'
	option ipv6 '0'

config device
	option name 'eth0.2'
	option type '8021q'
	option ifname 'eth0'
	option vid '2'
	option ipv6 '0'

config device
	option name 'eth1'
	option ipv6 '0'

config device
	option name 'eth1.1'
	option type '8021q'
	option ifname 'eth1'
	option vid '1'

= = = = = = = = = = = = = = = 
 cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'Wireguard'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	list network 'Wireguard'

config forwarding
	option src 'Wireguard'
	option dest 'lan'

config forwarding
	option src 'Wireguard'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'Wireguard'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Wireguard'
	option src 'wan'
	option src_dport '5p9'
	option dest_ip '10.8.1.1'
	option dest_port '5p9'

Here is the client.

cat network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '.........::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.0.1'
	option delegate '0'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '0'
	option enable_vlan4k '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 5t'

config interface 'wwan'
	option proto 'dhcp'

config interface 'WG_VPN'
	option proto 'wireguard'
	option private_key '......='
	option listen_port '5p9'
	list addresses '10.8.1.2'

config wireguard_WG_VPN
	option endpoint_host 'correctip'
	option endpoint_port '5p9'
	option description 'VPNserver'
	option public_key '.........='
	option private_key '.......='
	option persistent_keepalive '25'
	option route_allowed_ips '1'


= = = = = = = = = = = = = = = = = = 

cat firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	option masq '0'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'
	option input 'REJECT'
	option forward 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'REJECT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	list src_ip 'fe80::/10'
	option family 'ipv6'
	option target 'REJECT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	option limit '1000/sec'
	option family 'ipv6'
	list icmp_type 'bad-header'
	list icmp_type 'destination-unreachable'
	list icmp_type 'echo-reply'
	list icmp_type 'echo-request'
	list icmp_type 'neighbour-advertisement'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'packet-too-big'
	list icmp_type 'router-advertisement'
	list icmp_type 'router-solicitation'
	list icmp_type 'time-exceeded'
	list icmp_type 'unknown-header-type'
	option target 'REJECT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'bad-header'
	list icmp_type 'destination-unreachable'
	list icmp_type 'echo-reply'
	list icmp_type 'echo-request'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'REJECT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option family 'ipv4'
	option target 'ACCEPT'

config zone
	option name 'WG_VPN'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list network 'WG_VPN'

config forwarding
	option src 'lan'
	option dest 'WG_VPN'

= = = = = = = = = = = = = = = =

I notice now that the WG server still sends and receives packets, but the client only sends and never receives anything back.

Well, there were quite a few errors.

Correct. You don't need to do anything... it handles everything automatically.

No, these were not there by default. WiFi would have been bridged against a single subnet called lan which includes both Ethernet and WiFi by default.

Delete the two interfaces I flagged, and then go to the wireless config and set your SSIDs to attach to the lan network. Disabling WiFi is at best a stopgap since this needs to be addressed.

I promise you, your target is getting closer.

It's likely you were using a TAP (bridged, layer-2) configuration of OpenVPN, which lets both ends share one subnet. WireGuard works only as a routed (layer-3) tunnel device, so the two LANs have to be on different subnets. Trust me when I tell you that you must change the lan subnet on one side or the other.

I'll respond to the config files in a moment.

Server side:

As I said previously, delete these:

And delete this:

Add the allowed IPs for the 'client' and route allowed IPs... so add the following 2 lines to the peer stanza shown below it:

	# Server-side peer entry: pin this peer to its single tunnel address and
	# install a route for it. allowed_ips is also WireGuard's cryptokey-routing
	# filter - decrypted packets from this peer whose source lies outside it
	# are dropped - so the client must send its LAN traffic masqueraded as
	# 10.8.1.2.
	list allowed_ips '10.8.1.2/32'
	option route_allowed_ips '1'

You can delete these, too:

Remove the masq and mtu_fix lines from the Wireguard firewall zone:

Delete this and replace it with a standard traffic rule (not a redirect):

Client Side:

You need to change the lan address of either the server or client side. I'd recommend changing the client side:

Remove the listen port (a client that initiates the connection does not need a fixed one; WireGuard picks an ephemeral source port). And then make the address 10.8.1.2/24, matching the allowed_ips the server has for this peer:

Everything else here looks fine.

Restart both sides and test again.

OK, I think this is my last ditch effort. I've run out of ditches here and I am clearly out of my depth.

I've had a small disaster, got confused, loaded the wrong file, destroyed the server configuration and have had to rebuild it as best I could. This is due to working remotely with the server, which is a continent away from me. This is proving to be too much for me.

Then I have a feeling the OpenWRT system is modifying the configuration files on its own. I don't know. Maybe I am just confused but it seems to me I keep deleting this

# Harmless: this only turns IPv6 off on the 'Wireguard' device. It is not part
# of the tunnel setup and is not what stops the handshake. If it keeps coming
# back after you delete it, presumably LuCI re-creates it from the device
# settings page - verify that rather than assuming the system edits files on
# its own.
config device
	option name 'Wireguard'
	option ipv6 '0'

And when I started with Wireguard at least the server and client were exchanging, sending and receiving, keep alive packets. Now not even that.

Initially I was trying to install OpenVPN on OpenWRT but I got stuck with generating the necessary passwords, credentials, certificates and sundry bureaucracy and someone recommended Wireguard because "it is simpler and easier". Well, it's not working out so easy for me.

To tell the truth I would prefer to get OpenVPN working on the OpenWRT router and this for several reasons. Linux Mint, which I am using, supports OpenVPN client natively and very simple and I am already using it. Some routers have OpenVPN with a very simple GUI and I was hoping I could install OpenVPN with OpenWRT. Maybe it is time for me to give OpenVPN another try. What is your opinion?

In any case, this is the server config I have now which is probably messed up due to the mistake I made. How do you see it?

Network


# Stock loopback, IPv6 ULA prefix (redacted - good) and the LAN bridge.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '.......::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'

# Server LAN is 192.168.0.0/24. WireGuard is a routed tunnel with no bridged
# (TAP) mode, so the client's LAN must be on a different subnet - the reply
# above recommends changing the client side.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.0.1'
	option netmask '255.255.255.0'
	option delegate '0'

# WAN via DHCP. wan6 still requests DHCPv6: if the goal is an IPv4-only setup,
# this is where IPv6 is switched off (disable or remove wan6), not in the
# firewall rules.
config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

# Switch layout: VLAN 1 = LAN ports (2-5), VLAN 2 = WAN port (1), both tagged
# to the CPU. Not related to the tunnel.
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 6t'

# Server-side WireGuard interface. The private key is redacted here - correct,
# never paste it. The listen port is shown obfuscated ('5p9'); the real file
# must hold a number, and the same number has to appear in the wan-zone ACCEPT
# rule and in the client's endpoint. The port is not a secret: WireGuard does
# not answer packets that fail authentication, so hiding it gains nothing.
config interface 'Wireguard'
	option proto 'wireguard'
	option private_key '.......='
	option listen_port '5p9'
	list addresses '10.8.1.1/24'

# The single client peer. allowed_ips 10.8.1.2/32 is both the route that
# route_allowed_ips installs and WireGuard's cryptokey-routing filter: packets
# decrypted from this peer with any other source address are dropped, which is
# why the client masquerades its LAN traffic onto 10.8.1.2. No endpoint is set,
# which is correct for a peer that initiates from behind NAT.
config wireguard_Wireguard
	option description 'Client1'
	option public_key '...='
	option route_allowed_ips '1'
	list allowed_ips '10.8.1.2/32'

# Only disables IPv6 on the tunnel device; harmless and unrelated to the
# missing handshake.
config device
	option name 'Wireguard'
	option ipv6 '0'

 = = = = = = = = = = = = = = = = = = = =

Firewall


# Stock defaults: unsolicited input and forwarding are rejected unless a zone
# or rule allows them.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# lan trusts everything; wan rejects input/forward and masquerades outbound
# traffic. Tunnel clients that exit via wan are NATed by this masq, which is
# why the Wireguard zone itself needs no masq.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

# Stock IPv4 rules: DHCP renew replies, ping and IGMP from the WAN.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

# Stock IPv6 rules, all switched off with `option enabled '0'`. This is the
# clean way to drop IPv6 from the firewall (the client-side config instead
# rewrote the same rules to REJECT).
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

# Stock rules forwarding IPsec ESP / ISAKMP from the WAN to the LAN. Not used
# by WireGuard; presumably these are among the rules the earlier reply said
# could be deleted. Remove them if nothing on the LAN terminates IPsec.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option family 'ipv4'

# Zone for the tunnel interface, with no masq/mtu_fix as advised earlier.
# input ACCEPT lets any connected peer reach this router's own services over
# the tunnel - fine for one trusted client, but tighten it if more peers are
# added. Wireguard -> wan forwarding is what lets the client send all of its
# traffic out through this router (the wan zone's masq NATs it);
# Wireguard -> lan exposes the server LAN to the client.
config zone
	option name 'Wireguard'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'Wireguard'

config forwarding
	option src 'Wireguard'
	option dest 'lan'

config forwarding
	option src 'Wireguard'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'Wireguard'

# BROKEN - this does not open the listen port, it cannot even match. With
# `dest 'lan'` it is a forward rule, not an input rule; the target is DROP, so
# at best it blocks; `src_dport` is a redirect option, not a rule option; and
# no packet arriving on the WAN is addressed to 10.8.1.1. What is needed is an
# input rule on wan (no `dest`) with proto udp, dest_port <listen port> and
# target ACCEPT, as the reply below gives.
config rule
	option dest 'lan'
	option target 'DROP'
	option name 'Wireguard'
	option src 'wan'
	option src_dport '5p9'
	option dest_port '5p9'
	option family 'ipv4'
	list dest_ip '10.8.1.1'

# WRONG TOOL - a DNAT redirect is for handing a port to a host behind the
# router, but WireGuard listens on this router itself. The UDP listen port has
# to be accepted in the wan zone's input chain, not translated. Remove this
# and use a plain traffic rule with target ACCEPT.
config redirect
	option dest 'Wireguard'
	option target 'DNAT'
	option name 'Wireguard'
	option src 'wan'
	option src_dport '5p9'
	option dest_port '5p9'

# Unnecessary and over-broad: this permits any traffic entering from the WAN
# to be forwarded into the tunnel zone (10.8.1.0/24, the client's tunnel
# address included). WireGuard needs no forwarding from wan; remove it.
config forwarding
	option src 'wan'
	option dest 'Wireguard'

= = = = = = = = = = = = = = =





I would remove the following:

WireGuard set up as a server needs to allow access to its interface (that is done by the Wireguard zone) and to open the WireGuard listen port on the WAN as a plain input (traffic) rule - not a DNAT redirect, because the UDP port terminates on the router itself, not on a host behind it.
You are obfuscating the listen port, which is not necessary in the case of WireGuard: the port is not a secret, and WireGuard does not answer packets that fail authentication, so it does not show up to port scans anyway. Because it is obfuscated I cannot give you the exact config, but it should be something like:

# Input rule (no `dest`) that opens the WireGuard UDP listen port on wan.
# <your-listen-port> must be the numeric port from the wg interface; add
# `option family 'ipv4'` if you want to keep it IPv4-only.
config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '<your-listen-port>'
	option proto 'udp'
	option target 'ACCEPT'

Reboot and check again

I am working on some notes for setting up WireGuard maybe they can be useful although it is still a W.I.P.
See: https://github.com/egc112/OpenWRT-egc-add-on/tree/main/notes

Yikes... but as long as your keys are correct (either restored from the originals, or regenerated and properly exchanged), you should be fine.

No, it shouldn't be.

Having worked with both, I can tell you unequivocally that WireGuard is far easier to work with (and it's also much faster/more performant). But my first time configuring WG was also a bit bumpy.

Assuming the keys are correct, as I mentioned earlier, the WG config on the server looks fine.

It's your firewall that's the problem.

Delete all of this (the quoted stanzas are not shown here; presumably the 'Wireguard' DROP rule, the 'Wireguard' DNAT redirect and the wan → Wireguard forwarding at the end of your firewall config - the DROP rule blocks rather than allows, a redirect is the wrong tool for a port that terminates on the router itself, and the forwarding lets arbitrary WAN traffic be forwarded into the tunnel zone):

Add this:

# Replacement for the deleted stanzas: an input rule on wan (no `dest`) that
# accepts UDP on the WireGuard listen port. Nothing else is needed to let the
# client's handshake reach the router.
config rule
	option name 'Wireguard'
	option src 'wan'
	option proto 'udp'
	option dest_port '5p9'
	option target 'ACCEPT'

Obviously make sure that 5p9 is replaced with the actual port number used in the wg config - the value must be a plain number; a literal '5p9' is not a valid port and the firewall will not accept the rule.
Then restart.
