Thank you very much for the help.
I deleted the port forward and left the Allow-WireGuard rule untouched.
I connected to the tunnel from my phone, and this is the output of the command:
"kernel": "5.10.138",
"hostname": "OpenWrt",
"system": "ARMv7 Processor rev 1 (v7l)",
"model": "Linksys WRT1900ACS",
"board_name": "linksys,wrt1900acs",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "22.03.0",
"revision": "r19685-512e76967f",
"target": "mvebu/cortexa9",
"description": "OpenWrt 22.03.0 r19685-512e76967f"
}
}
package network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'X/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
list ports 'wan'
config interface 'lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option device 'br-lan.1'
option ipaddr '192.168.5.1'
config device
option name 'wan'
option macaddr 'XX:XX:XX:XX:XX:XX'
config interface 'wan'
option proto 'dhcp'
option device 'br-lan.20'
config interface 'wan6'
option proto 'dhcpv6'
option reqaddress 'try'
option reqprefix 'auto'
option device 'br-lan.20'
config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config bridge-vlan
option device 'br-lan'
option vlan '20'
list ports 'wan:t'
config interface 'vpn'
option proto 'wireguard'
option private_key 'X='
option listen_port '51820'
list addresses '192.168.9.1/24'
list addresses 'X/64'
config wireguard_vpn
option description 'peer1'
option public_key 'X='
list allowed_ips '192.168.9.2/32'
option route_allowed_ips '1'
package firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'vpn'
list device 'tun+'
config zone 'wan'
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule 'wg'
option name 'Allow-WireGuard'
option src 'wan'
option dest_port '51820'
option proto 'udp'
option target 'ACCEPT'
head: /etc/firewall.user: No such file or directory
-ash: iptables-save: not found
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
11: br-lan.1@br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 192.168.5.1/24 brd 192.168.5.255 scope global br-lan.1
valid_lft forever preferred_lft forever
12: br-lan.20@br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
inet 100.110.195.141/16 brd 100.110.255.255 scope global br-lan.20
valid_lft forever preferred_lft forever
20: vpn: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
inet 192.168.9.1/24 brd 192.168.9.255 scope global vpn
valid_lft forever preferred_lft forever
default via 100.110.0.1 dev br-lan.20 src 100.110.195.141
100.110.0.0/16 dev br-lan.20 scope link src 100.110.195.141
192.168.5.0/24 dev br-lan.1 scope link src 192.168.5.1
192.168.9.0/24 dev vpn scope link src 192.168.9.1
192.168.9.2 dev vpn scope link
broadcast 100.110.0.0 dev br-lan.20 table local scope link src 100.110.195.141
local 100.110.195.141 dev br-lan.20 table local scope host src 100.110.195.141
broadcast 100.110.255.255 dev br-lan.20 table local scope link src 100.110.195.141
broadcast 127.0.0.0 dev lo table local scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host src 127.0.0.1
local 127.0.0.1 dev lo table local scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link src 127.0.0.1
broadcast 192.168.5.0 dev br-lan.1 table local scope link src 192.168.5.1
local 192.168.5.1 dev br-lan.1 table local scope host src 192.168.5.1
broadcast 192.168.5.255 dev br-lan.1 table local scope link src 192.168.5.1
broadcast 192.168.9.0 dev vpn table local scope link src 192.168.9.1
local 192.168.9.1 dev vpn table local scope host src 192.168.9.1
broadcast 192.168.9.255 dev vpn table local scope link src 192.168.9.1
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
In case it helps, this is the WireGuard log from my phone, starting from when the connection was made:
09-13 14:05:37.610 5350 5374 I WireGuard/GoBackend: Bringing tunnel olivencia5vpn UP
09-13 14:05:37.611 5350 5374 D WireGuard/GoBackend: Requesting to start VpnService
09-13 14:05:37.835 5350 5374 D WireGuard/GoBackend: Go backend ef5c587
09-13 14:05:37.835 5350 5374 D WireGuard/GoBackend/olivencia5vpn: Attaching to interface tun0
09-13 14:05:37.836 5350 5374 D WireGuard/GoBackend/olivencia5vpn: UAPI: Updating private key
09-13 14:05:37.836 5350 5388 D WireGuard/GoBackend/olivencia5vpn: Routine: handshake worker 1 - started
09-13 14:05:37.836 5350 5388 D WireGuard/GoBackend/olivencia5vpn: Routine: encryption worker 1 - started
09-13 14:05:37.836 5350 5388 D WireGuard/GoBackend/olivencia5vpn: Routine: decryption worker 1 - started
09-13 14:05:37.836 5350 5388 D WireGuard/GoBackend/olivencia5vpn: Routine: decryption worker 3 - started
09-13 14:05:37.836 5350 5388 D WireGuard/GoBackend/olivencia5vpn: Routine: encryption worker 2 - started
09-13 14:05:37.836 5350 5388 D WireGuard/GoBackend/olivencia5vpn: Routine: decryption worker 2 - started
09-13 14:05:37.836 5350 5388 D WireGuard/GoBackend/olivencia5vpn: Routine: handshake worker 2 - started
09-13 14:05:37.837 5350 5388 D WireGuard/GoBackend/olivencia5vpn: Routine: encryption worker 3 - started
09-13 14:05:37.837 5350 5388 D WireGuard/GoBackend/olivencia5vpn: Routine: decryption worker 4 - started
09-13 14:05:37.837 5350 5388 D WireGuard/GoBackend/olivencia5vpn: Routine: handshake worker 3 - started
09-13 14:05:37.837 5350 5388 D WireGuard/GoBackend/olivencia5vpn: Routine: encryption worker 4 - started
09-13 14:05:37.837 5350 5388 D WireGuard/GoBackend/olivencia5vpn: Routine: handshake worker 4 - started
09-13 14:05:37.837 5350 5388 D WireGuard/GoBackend/olivencia5vpn: Routine: TUN reader - started
09-13 14:05:37.837 5350 5388 D WireGuard/GoBackend/olivencia5vpn: Routine: event worker - started
09-13 14:05:37.837 5350 5374 D WireGuard/GoBackend/olivencia5vpn: UAPI: Removing all peers
09-13 14:05:37.838 5350 5374 D WireGuard/GoBackend/olivencia5vpn: peer(Bxel…xQH8) - UAPI: Created
09-13 14:05:37.838 5350 5374 D WireGuard/GoBackend/olivencia5vpn: peer(Bxel…xQH8) - UAPI: Updating endpoint
09-13 14:05:37.834 5350 5350 I auditd : type=1400 audit(0.0:7398): avc: denied { read } for comm="DefaultDispatch" name="somaxconn" dev="proc" ino=238827 scontext=u:r:untrusted_app:s0:c175,c256,c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0 app=com.wireguard.android
09-13 14:05:37.834 5350 5350 W DefaultDispatch: type=1400 audit(0.0:7398): avc: denied { read } for name="somaxconn" dev="proc" ino=238827 scontext=u:r:untrusted_app:s0:c175,c256,c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0 app=com.wireguard.android
09-13 14:05:37.838 5350 5374 D WireGuard/GoBackend/olivencia5vpn: UDP bind has been updated
09-13 14:05:37.838 5350 5374 D WireGuard/GoBackend/olivencia5vpn: peer(Bxel…xQH8) - Starting
09-13 14:05:37.838 5350 5374 D WireGuard/GoBackend/olivencia5vpn: Interface state was Down, requested Up, now Up
09-13 14:05:37.838 5350 5374 D WireGuard/GoBackend/olivencia5vpn: Device started
09-13 14:05:37.838 5350 5388 D WireGuard/GoBackend/olivencia5vpn: Routine: receive incoming v6 - started
09-13 14:05:37.839 5350 5388 D WireGuard/GoBackend/olivencia5vpn: Routine: receive incoming v4 - started
09-13 14:05:37.839 5350 5529 D WireGuard/GoBackend/olivencia5vpn: peer(Bxel…xQH8) - Routine: sequential sender - started
09-13 14:05:37.839 5350 5388 D WireGuard/GoBackend/olivencia5vpn: peer(Bxel…xQH8) - Routine: sequential receiver - started
09-13 14:05:39.769 5350 5350 I menu_item_selected: [0,Preferencias]
09-13 14:05:39.778 5350 5350 I wm_on_top_resumed_lost_called: [107389342,com.wireguard.android.activity.MainActivity,topStateChangedWhenResumed]
09-13 14:05:39.780 5350 5350 I wm_on_paused_called: [107389342,com.wireguard.android.activity.MainActivity,performPause]
09-13 14:05:39.788 5350 5350 I wm_on_create_called: [161980604,com.wireguard.android.activity.SettingsActivity,performCreate]
09-13 14:05:39.814 5350 5350 I wm_on_start_called: [161980604,com.wireguard.android.activity.SettingsActivity,handleStartActivity]
09-13 14:05:39.815 5350 5350 I wm_on_resume_called: [161980604,com.wireguard.android.activity.SettingsActivity,RESUME_ACTIVITY]
09-13 14:05:39.819 5350 5350 I wm_on_top_resumed_gained_called: [161980604,com.wireguard.android.activity.SettingsActivity,topStateChangedWhenResumed]
09-13 14:05:40.258 5350 5398 D OpenGLRenderer: endAllActiveAnimators on 0xb400007a9462aa40 (RippleDrawable) with handle 0xb4000079a4673f00
09-13 14:05:40.262 5350 5350 I wm_on_stop_called: [107389342,com.wireguard.android.activity.MainActivity,STOP_ACTIVITY_ITEM]
09-13 14:05:40.690 5350 5350 I wm_on_top_resumed_lost_called: [161980604,com.wireguard.android.activity.SettingsActivity,topStateChangedWhenResumed]
09-13 14:05:40.691 5350 5350 I wm_on_paused_called: [161980604,com.wireguard.android.activity.SettingsActivity,performPause]
09-13 14:05:40.708 5350 5350 I wm_on_create_called: [33672610,com.wireguard.android.activity.LogViewerActivity,performCreate]
09-13 14:05:40.708 5350 5350 I wm_on_start_called: [33672610,com.wireguard.android.activity.LogViewerActivity,handleStartActivity]
09-13 14:05:40.709 5350 5350 I wm_on_resume_called: [33672610,com.wireguard.android.activity.LogViewerActivity,RESUME_ACTIVITY]
09-13 14:05:40.713 5350 5350 I wm_on_top_resumed_gained_called: [33672610,com.wireguard.android.activity.LogViewerActivity,topStateChangedWhenResumed]
09-13 14:05:41.135 5350 5350 I wm_on_stop_called: [161980604,com.wireguard.android.activity.SettingsActivity,STOP_ACTIVITY_ITEM]
09-13 14:05:41.152 5350 5398 D OpenGLRenderer: endAllActiveAnimators on 0xb400007a9481e5a0 (RippleDrawable) with handle 0xb4000079a46729a0
Thanks again.