WireGuard works on Android but not iOS/Windows

Hello,

I have a strange problem with WireGuard. I have a peer created in OpenWrt, then I imported the same configuration to Android/iOS/Windows 10.

I am testing in a hotel room with hotel Wi-Fi. WireGuard connected successfully on the Android phone and I can access the internet and also the LAN.
However, it does not connect on iOS and Windows 10.
The log on Windows 10 shows it sending the handshake, but nothing is received.

2023-04-10 23:03:33.596: [TUN] [pc] Sending handshake initiation to peer 1 (<external_ip>:1300)

[Interface]
PrivateKey = xxxxxxxxxxxxxxx
ListenPort = 1300
Address = 10.0.0.10/32

[Peer]
PublicKey = yyyyyyyyyyyy
PresharedKey = zzzzzzzzzzzzzzzzzz
AllowedIPs = 0.0.0.0/0, ::/128
Endpoint = <external_ip>:1300
PersistentKeepalive = 25

If I add DNS=192.168.10.1 (the LAN IP) to the Windows 10 and iOS clients in the [Interface] section, I am able to access the LAN from the iOS/Windows client, but no internet.
If I add DNS=8.8.8.8 to the Windows 10 and iOS clients, everything works fine.

So why does the Android client work fine without adding DNS to the configuration?
All devices in the LAN are using 192.168.10.1 as the internal DNS and work fine, so why does adding DNS=192.168.10.1 to the iOS/Windows client not work?

Any suggestion? Thanks

This isn't really an issue related to OpenWrt, so it is bordering on off-topic. However…

Remove the listen port.

You may also need to remove the IPv6 allowed IPs.

Thanks for the reply. Unfortunately, removing ListenPort and the IPv6 entry does not fix the iOS/Windows client issue.

Let's see your config files from both the router and the latest from iOS.

And please confirm the following:

  • The exact same config works on Android but not on iOS/Windows?
  • WireGuard on the Android is disabled while you are testing on iOS/Windows? (A given peer config can only be used on one device at a time... set up multiple peer configs on the 'server' if you want to have multiple devices using WG at the same time.)

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

Each peer that is going to be in use at the same time needs a unique private key (thus a unique public key) and a different IP address. In general don't copy configurations between peers unless you're going to completely retire the first one and replace with the second.


Hello,

The exact same config file is used on Android/iOS/Windows. I did create a second peer in the router, but it is not used. WireGuard is activated on only one device during the testing.

network:


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.10.1'
	option delegate '0'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option type 'bridge'
	option device 'eth0.10'

config interface 'wan'
	option proto 'dhcp'
	option device 'eth1'
	option metric '5'
	option hostname '*'

config device
	option name 'eth1'
	option ipv6 '0'

config device
	option name 'eth0'
	option ipv6 '0'

config device
	option name 'tun0'
	option ipv6 '0'

config device
	option type '8021q'
	option ifname 'eth0'
	option vid '10'
	option name 'eth0.10'
	option ipv6 '0'

config interface 'wg'
	option proto 'wireguard'
	option private_key '**************************'
	option listen_port '1200'
	list addresses '10.0.0.1'
	option peerdns '0'
	list dns '192.168.10.1'

config wireguard_wg
	option description 'Phone'
	option public_key '******************************'
	option private_key '******************************'
	option preshared_key '****************************'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	list allowed_ips '10.0.0.10'
	option endpoint_port '1300'

config wireguard_wg
	option description 'PC'
	option public_key '**********************'
	option private_key '************************'
	option preshared_key '***************************'
	option route_allowed_ips '1'
	option endpoint_port '1300'
	option persistent_keepalive '25'
	list allowed_ips '10.0.0.20'

config device
	option name 'wg'
	option ipv6 '0'


firewall:

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option enabled '0'

config rule 'ovpn'
	option name 'Allow-OpenVPN'
	option src 'wan'
	option proto 'udp'
	option target 'ACCEPT'
	option dest_port '1111'

config rule
	option name 'Shadowsocks'
	option src 'wan'
	option target 'ACCEPT'
	option dest_port '1234'

config rule
	option name 'wireguad'
	option src 'wan'
	option dest_port '1300'
	option target 'ACCEPT'

config rule
	option name 'iPadTime'
	list src_ip '192.168.10.45'
	option dest 'wan'
	option target 'REJECT'
	option start_time '22:30:00'
	option stop_time '08:30:00'

config rule
	option name 'Xfinity '
	list src_ip '192.168.10.59'
	option dest 'wan'
	option target 'REJECT'
	option start_time '23:30:00'
	option stop_time '09:30:00'

config rule
	option dest_port '1723'
	option _name 'pptp'
	option target 'ACCEPT'
	option proto 'tcp'
	option src 'wan'
	option name 'Allow-pptp'
	option enabled '0'

config rule
	option target 'ACCEPT'
	option _name 'gre'
	option src 'wan'
	list proto 'gre'
	option name 'Allow-GRE'
	option enabled '0'

config zone
	option name 'guest'
	option forward 'REJECT'
	option input 'REJECT'
	list network 'guest'
	option output 'ACCEPT'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option name 'Allow-Guest'
	option src 'guest'
	option dest_port '53 67-68'
	option target 'ACCEPT'

config zone
	option name 'wg'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wg'

config forwarding
	option src 'wg'
	option dest 'lan'

config forwarding
	option src 'wg'
	option dest 'wan'

config rule
	option name 'IPSec NAT-T'
	list proto 'udp'
	option src 'wan'
	option dest_port '4500'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option target 'ACCEPT'
	option name 'Allow-NFS-RPC'
	option src 'lan'
	option proto 'tcp udp'
	option dest_port '111'
	option enabled '0'

config rule
	option name 'Allow-NFS'
	option src 'lan'
	option proto 'tcp udp'
	option dest_port '2049'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-NFS-Lock'
	option src 'lan'
	option proto 'tcp udp'
	option dest_port '32777:32780'
	option target 'ACCEPT'
	option enabled '0'

config include
	option enabled '1'
	option type 'script'
	option path '/etc/firewall.user'
	option fw4_compatible '1'

config rule
	option name 'nextcloud'
	option src 'wan'
	option target 'ACCEPT'
	option dest_port '443'
	list proto 'tcp'
	option enabled '0'

config include 'opennds'
	option type 'script'
	option path '/usr/lib/opennds/restart.sh'


Only one device uses WG at a time. Also, I have a 2nd peer created, but it has the same issue.

Remove the 2 DNS-related lines -- they serve no purpose here.
Also, change the addresses to '10.0.0.1/24'

Remove the endpoint port from the peer config.
Change the allowed_ips to '10.0.0.20/32'.

Restart the router and test again.

The Android and Windows clients work fine. For iOS, I am able to access the LAN but not the internet.

Did you specify the dns server in the iOS wireguard app? What did you use? Try a public one like 8.8.8.8 and see if it fixes the issue.

I did not specify DNS on any client. However, only iOS does not work. Adding DNS=8.8.8.8 always works, as I described in post #1.

I guess iOS has to be configured this way.

iOS doesn't need to have a public DNS, but it does need a DNS server specified.

Try 192.168.10.1 (your router's address on the lan interface)


Setting DNS to 192.168.10.1 does not fix the problem.

What about 10.0.0.1 (your WG interface address on the router)?

While we're at it, have you made any changes to the way that DNS works on your router?

I have noticed that not all routers (= WireGuard servers) have dnsmasq listening on the WireGuard interface by default.

So you have to check that on your router or set a publicly available DNS server like 8.8.8.8 as you are doing now with your iOS WG client.

10.0.0.1 has the same issue. I did not change the DNS behavior myself, but I wonder if the two settings in DHCP and DNS would have any impact.

Try disabling the local service only option.
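The two pieces of advice in this thread (strip `dns`/`peerdns` and `endpoint_port`, give the wg interface a /24 and the peers a /32, and check dnsmasq's "local service only" setting) can be turned into a check that runs over the posted UCI text. The lint below is an added example for this thread, not code from the posts or from OpenWrt; the section and option names are real UCI ones from /etc/config/network and /etc/config/dhcp, and the sample configs are constructed from the posted one, trimmed to the WireGuard parts, with placeholder keys. The dnsmasq check relies on the documented behaviour of `--local-service`: queries are answered only from hosts on a subnet of one of the router's interfaces, so a bare /32 on the wg interface leaves peers without DNS.

```python
# Added example for this thread, not code from the original posts or from OpenWrt.
# Section and option names are real UCI; NETWORK_SAMPLE / FIXED_NETWORK / DHCP_SAMPLE
# are constructed from the posted config, trimmed to the WireGuard parts, with
# placeholder keys in place of the redacted ones.
import re

NETWORK_SAMPLE = """
config interface 'wg'
	option proto 'wireguard'
	list addresses '10.0.0.1'
	option peerdns '0'
	list dns '192.168.10.1'

config wireguard_wg
	option description 'Phone'
	option public_key 'PHONE_PUBKEY_PLACEHOLDER'
	list allowed_ips '10.0.0.10'
	option endpoint_port '1300'

config wireguard_wg
	option description 'PC'
	option public_key 'PC_PUBKEY_PLACEHOLDER'
	list allowed_ips '10.0.0.20'
	option endpoint_port '1300'
"""

# The same interface after applying the corrections suggested in the replies.
FIXED_NETWORK = """
config interface 'wg'
	option proto 'wireguard'
	list addresses '10.0.0.1/24'

config wireguard_wg
	option description 'Phone'
	option public_key 'PHONE_PUBKEY_PLACEHOLDER'
	list allowed_ips '10.0.0.10/32'
"""

DHCP_SAMPLE = """
config dnsmasq
	option localservice '1'
"""


def parse_uci(text):
    """Parse the config/option/list subset of UCI into a list of sections,
    each {"type", "name", "options": {k: v}, "lists": {k: [v, ...]}}."""
    sections = []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        kind, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        if kind == "config":
            m = re.match(r"(\S+)(?:\s+'?([^']*)'?)?$", rest)
            sections.append({"type": m.group(1), "name": m.group(2) or "",
                             "options": {}, "lists": {}})
        elif kind in ("option", "list") and sections:
            key, value = re.match(r"(\S+)\s+'?(.*?)'?$", rest).groups()
            if kind == "option":
                sections[-1]["options"][key] = value
            else:
                sections[-1]["lists"].setdefault(key, []).append(value)
    return sections


def lint_wireguard(network, dhcp=()):
    """Return findings for each WireGuard interface, its peers, and the dnsmasq
    setting that decides whether those peers get DNS answers at all."""
    findings = []
    for iface in network:
        if iface["type"] != "interface" or iface["options"].get("proto") != "wireguard":
            continue
        name, has_subnet = iface["name"], False
        for addr in iface["lists"].get("addresses", []):
            if "/" not in addr or addr.endswith("/32"):
                findings.append(f"{name}: address {addr} is a single host; use a subnet "
                                f"covering the peers, e.g. {addr.split('/')[0]}/24")
            else:
                has_subnet = True
        for key in ("dns", "peerdns"):
            if key in iface["options"] or key in iface["lists"]:
                findings.append(f"{name}: '{key}' has no effect on a WireGuard server interface")
        for peer in (s for s in network if s["type"] == f"wireguard_{name}"):
            desc = peer["options"].get("description", "<unnamed>")
            if "endpoint_port" in peer["options"] and "endpoint_host" not in peer["options"]:
                findings.append(f"peer {desc}: endpoint_port without endpoint_host is pointless "
                                "for a roaming client; remove it")
            for ip in peer["lists"].get("allowed_ips", []):
                if "/" not in ip:
                    findings.append(f"peer {desc}: allowed_ips {ip} lacks a prefix length; use {ip}/32")
        # dnsmasq's local-service mode (OpenWrt defaults localservice to '1') answers only
        # hosts on a subnet of a router interface, so a /32 on wg leaves peers refused.
        if not has_subnet and any(s["type"] == "dnsmasq" and
                                  s["options"].get("localservice", "1") == "1" for s in dhcp):
            findings.append(f"dnsmasq: localservice is on but {name} has no subnet address, so "
                            "peers' DNS queries are refused; fix the address or set localservice '0'")
    return findings


if __name__ == "__main__":
    print("\n".join(lint_wireguard(parse_uci(NETWORK_SAMPLE), parse_uci(DHCP_SAMPLE))) or "clean")
```

Run as-is it reports eight findings for the posted layout and nothing for the corrected one; to use it on a real router, feed it the output of `cat /etc/config/network` and `cat /etc/config/dhcp`. The parser only handles the quoted `config`/`option`/`list` forms seen in this thread, which is enough for LuCI-generated files.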

Possible, but the strange thing is the Android client never had the issue. I am wondering if the Android client is implicitly using a public DNS?

Likely, yes.

Will test and report back next time when outside.