One client (my phone): it works, and it can reach the LAN clients too.
The other client (my laptop, connected via the phone's hotspot): internet works, but it can't reach the LAN clients behind the WireGuard server (which is an OpenWrt router).
I am in no way a newbie to this. But another open-source firmware, FreshTomato, got this done so easily: you just click, click and done. Maybe it's because the laptop connects via a hotspot? I'll try again later, but these are the config files:
# This is my phone's config; it works well.
[Interface]
PrivateKey = somestuff=
Address = 10.0.50.2/32
ListenPort = someport
DNS = 192.168.5.1
[Peer]
PublicKey = somestuff2
# PresharedKey not used
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = myddns:51820
# PersistentKeepAlive not defined
# This is my laptop.
[Interface]
PrivateKey = somekey
Address = 10.0.50.3/32 # I totally don't get this part. Why don't we write 10.0.50.0/24?
ListenPort = someport
DNS = 192.168.5.1
[Peer]
PublicKey = somekey
# PresharedKey not used
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = myddnsname:51820
# PersistentKeepAlive not defined
The Address field specifies the peer's local address on the tunnel subnet. That is to say, 10.0.50.3 is a host address, while 10.0.50.0/24 is the entire subnet. You must assign a specific address, and it must be the same on both sides of the tunnel. However, you can use 10.0.50.3/24 in that field.
For the remote peers, you usually don't need the ListenPort -- you can remove that.
As stated above, though, we need to see the OpenWrt side of the config.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
wg show
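To make the host-address versus subnet distinction concrete, here is a small added example (it is not code from this thread or from OpenWrt/WireGuard) that models WireGuard's cryptokey routing in Python: each packet is matched against every peer's AllowedIPs by longest prefix, which is why the server lists one /32 per client while the clients' Address is a single host inside the server's /24. The peer names, the tunnel subnet 10.0.50.0/24 and the LAN 192.168.5.0/24 are taken from the configs above; the function names and the sample destinations are this example's own assumptions.

```python
"""Added example: a model of WireGuard AllowedIPs (cryptokey) routing.

Not from the forum thread or from the WireGuard/OpenWrt projects. The
addresses mirror the configs posted above; everything else is assumed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Peer:
    name: str
    allowed_ips: list  # ipaddress networks this peer is allowed to send/receive


def parse_nets(spec):
    """Turn 'AllowedIPs = 0.0.0.0/0, ::/0' style text into network objects."""
    return [ipaddress.ip_network(s.strip(), strict=False) for s in spec.split(",")]


# Server side (the OpenWrt router): one /32 per client, as in /etc/config/network.
SERVER_PEERS = [
    Peer("samsung phone", parse_nets("10.0.50.2/32")),
    Peer("dell laptop", parse_nets("10.0.50.3/32")),
]

# Client side (phone or laptop): a single peer that claims everything, so LAN
# traffic (192.168.5.0/24) is sent into the tunnel rather than out the hotspot.
CLIENT_PEERS = [Peer("openwrt", parse_nets("0.0.0.0/0, ::/0"))]


def select_peer(peers, dst):
    """Longest-prefix match over all peers' AllowedIPs.

    Returns the peer name that will receive a packet for dst, or None when no
    peer claims it (WireGuard drops such packets instead of routing them).
    """
    dst = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for peer in peers:
        for net in peer.allowed_ips:
            if dst in net and net.prefixlen > best_len:
                best, best_len = peer.name, net.prefixlen
    return best


def is_host_address(spec):
    """True for a host like 10.0.50.3/32 or 10.0.50.3/24, False for 10.0.50.0/24."""
    iface = ipaddress.ip_interface(spec)
    return (iface.ip != iface.network.network_address
            or iface.network.prefixlen == iface.max_prefixlen)


def check_client_address(server_addr, client_addr):
    """Problems with a client's 'Address =' relative to the server's tunnel address."""
    server = ipaddress.ip_interface(server_addr)
    client = ipaddress.ip_interface(client_addr)
    problems = []
    if not is_host_address(client_addr):
        problems.append(f"{client_addr} is a whole subnet, not a host address")
    if client.ip not in server.network:
        problems.append(f"{client.ip} is outside the tunnel subnet {server.network}")
    if client.ip == server.ip:
        problems.append(f"{client.ip} collides with the server's own tunnel address")
    return problems


def next_free_host(subnet, used):
    """Next unused host address in the tunnel subnet, e.g. for a third client."""
    net = ipaddress.ip_network(subnet, strict=False)
    taken = {ipaddress.ip_address(u) for u in used}
    for host in net.hosts():
        if host not in taken:
            return str(host)
    raise ValueError("tunnel subnet exhausted")


if __name__ == "__main__":
    print("laptop sends 192.168.5.20 to:", select_peer(CLIENT_PEERS, "192.168.5.20"))
    print("server sends 10.0.50.3 to:", select_peer(SERVER_PEERS, "10.0.50.3"))
    print("server sends 10.0.50.9 to:", select_peer(SERVER_PEERS, "10.0.50.9"))
    print(check_client_address("10.0.50.1/24", "10.0.50.0/24"))
    print("next client gets:", next_free_host("10.0.50.1/24", ["10.0.50.1", "10.0.50.2", "10.0.50.3"]))
```

The model also shows the failure mode of writing 10.0.50.0/24 as a client Address: the client would then be claiming the whole subnet as its own identity, and the server, which only lists 10.0.50.3/32 for that peer, would still route only that one host back through the tunnel.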
Okay, so I restarted the WireGuard interface, but now it says the device is not present. I think only a reboot can fix this, right? Anyway, here is the stuff you asked for:
root@OpenWrt-AX59U:~# ubus call system board
{
"kernel": "6.6.73",
"hostname": "OpenWrt-AX59U",
"system": "ARMv8 Processor rev 4",
"model": "ASUS RT-AX59U",
"board_name": "asus,rt-ax59u",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "24.10.0",
"revision": "r28427-6df0e3d02a",
"target": "mediatek/filogic",
"description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
"builddate": "1738624177"
}
}
root@OpenWrt-AX59U:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'something/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
option igmp_snooping '1'
list ports 'lan1'
list ports 'lan2'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.5.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option device 'wan.35'
option proto 'pppoe'
option username 'xxxx@ttnet'
option password 'xxxx'
option ipv6 'auto'
option keepalive '0 1'
config device # this is for IPTV
option type '8021q'
option ifname 'wan'
option vid '55'
option name 'wan.55'
config device # IPTV related
option type 'bridge'
option name 'br-tivibu'
list ports 'lan3'
list ports 'wan.55'
option ipv6 '0'
config interface 'tivibu' # IPTV related
option proto 'none'
option device 'br-tivibu'
config interface 'tailscale'
option proto 'none'
option device 'tailscale0'
config interface 'wg0'
option proto 'wireguard'
option private_key 'mykey'
option listen_port '51820'
list dns '8.8.8.8'
list addresses '10.0.50.1/24'
config device
option name 'wg0'
config wireguard_wg0
option description 'samsung phone'
option public_key 'xxxx'
option private_key 'xxxx'
list allowed_ips '10.0.50.2/32'
option route_allowed_ips '1'
option endpoint_host 'myddnssecret.org'
option endpoint_port '51820'
config wireguard_wg0
option description 'dell laptop'
option public_key 'xxxx'
option private_key 'xxxx'
option route_allowed_ips '1'
option endpoint_host 'myddnssecret.org'
option endpoint_port '51820'
list allowed_ips '10.0.50.3/32'
root@OpenWrt-AX59U:~# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option flow_offloading '1'
option flow_offloading_hw '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'tailscale'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
option mtu_fix '1'
list network 'tailscale'
config forwarding
option src 'tailscale'
option dest 'lan'
config forwarding
option src 'tailscale'
option dest 'wan'
config forwarding
option src 'lan'
option dest 'tailscale'
config zone
option name 'Wireguard'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
option mtu_fix '1'
list network 'lan'
list network 'wg0'
config forwarding
option src 'Wireguard'
option dest 'wan'
config forwarding
option src 'lan'
option dest 'Wireguard'
config redirect
option dest 'Wireguard'
option target 'DNAT'
option name 'Wireguard'
option src 'wan'
option src_dport '51820'
option dest_ip '10.0.50.1'
option dest_port '51820'
list proto 'udp'
root@OpenWrt-AX59U:~# wg show
# This didn't show anything because I restarted the WireGuard interface. Maybe that's why?
Because the router itself is the device that runs the service, you do not need to forward the request... you simply need to accept it. That's why I said to delete the redirect (port forward) and replace it with this rule:
I see relay servers go down, but when I took a closer look at the log file, it was the ISP link dropping out that triggered the relay-service messages in the log file.
Okay, okay, it works; DDNS was down for a second. I used the real IP in the config, and then it worked. So, one thing: if I add another client, its IP will go like:
10.0.50.2/32
10.0.50.3/32
and then 4 and 5, right?
Sorry, it's broken again after I deleted everything and redid everything. Now nothing can connect to the WireGuard. Do I need to assign a firewall? It seems there is no firewall attached to the interface. If it's not working, well, time to give up.