Turris Omnia wireguard

I have a Linksys WRT3200ACM [192.168.21.1] with OpenWrt 22.03.2 and a Turris Omnia on TurrisOS 6.2.3.

Both are connected to a local modem (it has a couple of WAN ports) and work as expected, apart from WireGuard sadly. It works on the WRT but not on the Omnia.

I’ve replicated the setup from WRT to Omnia (with new keys and a different listening port).
I've spent days on this and can't figure out what's going on; either I'm replicating the same error, or the Omnia firewall needs some additional tweaking.
This is the latest setup after restoring the Omnia to defaults and starting over.

Basically, I never managed to get a handshake (monitored using the WireGuard status page in LuCI).
No problems on the WRT (as mentioned before).

Please find the configs below:

wg show

root@turris:~# wg show
interface: wg0
  public key: ogqx[redacted]DEizi0=
  private key: (hidden)
  listening port: 51821

peer: vZIO[redacted]TCJDA=
  endpoint: [redacted]:51821
  allowed ips: 10.200.200.2/32
  transfer: 0 B received, 14.02 KiB sent
  persistent keepalive: every 25 seconds

network

root@turris:/etc/config# cat network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd10:630a:da1a::/48'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ip6assign '60'
        option _turris_mode 'managed'
        list ipaddr '192.168.2.1/24'

config interface 'wan'
        option device 'eth2'
        option proto 'dhcp'
        option ipv6 '1'

config interface 'guest_turris'
        option enabled '1'
        option proto 'static'
        option device 'br-guest-turris'
        option ipaddr '10.111.222.1'
        option netmask '255.255.255.0'
        option ip6assign '64'

config device 'br_guest_turris'
        option name 'br-guest-turris'
        option type 'bridge'
        option bridge_empty '1'

config device 'br_lan'
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan0'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'wan6'
        option device '@wan'
        option proto 'dhcpv6'

config device 'dev_wan'
        option name 'eth2'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'iBhpKRI6HiFeSs38c/N9PcLJ3dMzNv8x3ylGjBSWDn8='
        option listen_port '51821'
        list addresses '10.200.200.1/24'

config wireguard_wg0
        option public_key 'vZIOezAXrtbUvm2tepCGs5UWtxBR2BZVNu878UTCJDA='
        option description 'iphone'
        option persistent_keepalive '25'
        option route_allowed_ips '1'
        option endpoint_host '[DDNS-redacted]'
        list allowed_ips '10.200.200.2/32'
        option endpoint_port '51821'

firewall:

root@turris:/etc/config# cat firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg0'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config zone 'guest_turris'
        option enabled '1'
        option name 'tr_guest'
        list network 'guest_turris'
        option input 'REJECT'
        option forward 'REJECT'
        option output 'ACCEPT'

config forwarding 'guest_turris_forward_wan'
        option enabled '1'
        option name 'guest to wan forward'
        option src 'tr_guest'
        option dest 'wan'

config rule 'guest_turris_dns_rule'
        option name 'guest dns rule'
        option src 'tr_guest'
        option proto 'tcpudp'
        option dest_port '53'
        option target 'ACCEPT'

config rule 'guest_turris_dhcp_rule'
        option name 'guest dhcp rule'
        option src 'tr_guest'
        option proto 'udp'
        option src_port '67-68'
        option dest_port '67-68'
        option target 'ACCEPT'

config rule 'guest_turris_Allow_DHCPv6'
        option src 'tr_guest'
        option proto 'udp'
        option src_ip 'fe80::/10'
        option src_port '546-547'
        option dest_ip 'fe80::/10'
        option dest_port '546-547'
        option family 'ipv6'
        option target 'ACCEPT'

config rule 'guest_turris_Allow_MLD'
        option src 'tr_guest'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        option family 'ipv6'
        option target 'ACCEPT'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'

config rule 'guest_turris_Allow_ICMPv6_Input'
        option src 'tr_guest'
        option proto 'icmp'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'

config rule 'wan_ssh_turris_rule'
        option name 'wan_ssh_turris_rule'
        option enabled '0'
        option target 'ACCEPT'
        option dest_port '22'
        option proto 'tcp'
        option src 'wan'

config rule 'wan_http_turris_rule'
        option name 'wan_http_turris_rule'
        option enabled '0'
        option target 'ACCEPT'
        option dest_port '80'
        option proto 'tcp'
        option src 'wan'

config rule 'wan_https_turris_rule'
        option name 'wan_https_turris_rule'
        option enabled '0'
        option target 'ACCEPT'
        option dest_port '443'
        option proto 'tcp'
        option src 'wan'

config rule 'turris_wan_6in4_rule'
        option enabled '0'

config rule 'turris_wan_6to4_rule'
        option enabled '0'

config rule
        option src '*'
        option target 'ACCEPT'
        option proto 'udp'
        option name 'Allow-Wireguard-Inbound'
        option dest_port '51821'

I think you still have to open port 51821 on the WAN interface.

Thank you for your late reply. I already have this traffic rule in place.

My /etc/config/network looks like yours.
In my /etc/config/firewall I don’t have an ‘Allow-Wireguard-Inbound’ rule, but I have this:

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wg_vpn'
        option output 'ACCEPT'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wg0'

config forwarding
        option dest 'lan'
        option src 'wg_vpn'

config forwarding
        option dest 'wan'
        option src 'wg_vpn'

Modified the firewall, sadly no joy.

If that's out of the question (as it is the same as you have), then perhaps there's something up with the keys.
I've seen some issues with QR code generation, but that might be for a newer WireGuard version (pure OpenWrt), IIRC.

Look at the wg logs. If the problem is not in the firewall, you should see it there. debian buster - How to see debug logs for WireGuard (e.g. to see authentication attempts) - Server Fault

That was slightly confusing, so I found a different guide (essentially the same thing with more context): WireGuard VPN - Troubleshooting | Ubuntu. Sadly, I don't see any changes regarding WireGuard.

Does your modem forward port 51821/udp to the Turris Omnia?

BTW, you shared your WireGuard private key in the config dump; you might want to change it.

The local modem is actually a router that’s set to work in modem mode. It has a built-in switch with multiple wan ports; therefore no settings on that one.

I’ve already swapped wan between routers to double-check if that’s a factor. My Linksys Wireguard worked on the port where Omnia was previously plugged in, so no.

Thank you for the tip about the private key. This is only a temporary test config.
Also, I tried the WireGuard setup [Turris wiki] and didn't have any luck.

The only known difference between the setups is that Linksys has DDNS setup and Omnia doesn’t.
It's using the same hostname in the WireGuard configs, but the hostname resolves to the same IP address.

Honestly, I spend so much time on this that I’m losing my will to live. I’m considering even paying someone to get this done.

I would get rid of the "endpoint_host" configuration - my understanding is that the Turris is the "server side", so it basically tries to bind to the IP that resolves from that hostname (not sure if the public IP is available on your Turris, as it is behind another router? Maybe I got it wrong)…

You can check whether WG is actually bound to any interface…

netstat -lpn | grep 51821

To clarify here is the setup


Here is netstat on both routers


Here is wireguard peer setup on WRT


Here is firewall zone setup on WRT


I literally just set the firewall zone settings and the traffic rule "Allow-Wireguard-Inbound" exactly as on the WRT; still no joy. I triple-checked the VPN app settings on my phone to make sure the keys are OK and all settings are exactly the same (just a different port used). There must be some specific Omnia setting that's required. I don't really see any other way.
I'm thinking about just literally copying the WRT's /etc/config/network and firewall to the Omnia and seeing what happens.

The diagram on top with the modem, 2 routers and WAN is confusing.
Could you add your LAN devices and more importantly your ISP connectivity into the picture?

I’m sorry if I go into very basics, but I don’t know what is your level of networking and wireguard knowledge. At least one of the peers must be able to connect to the other one to initiate the connection. I assume that you want to setup VPN over the internet and not just within your network. This implies that one of them must be accessible on the internet.
I assume that your omnia is the peer with a public IP address or that there is a NAT or port forwarding to achieve this. If not, you need to arrange to either have a public IP address on your omnia WAN or that your ISP configures 1:1 NAT for your omnia, or some similar setup.
You simply cannot have both peers behind a NAT without any way for either of them to connect to the other one. If you think that by setting up DDNS your Omnia's public IP address is learned by the other peer and that this is enough for the other peer to connect, you are mistaken.

As user quoing recommended earlier, remove the option endpoint_host from the WireGuard config if the IP address isn't static.

I assume your other wireguard peer device (your iphone) is not connected to your omnia’s LAN, e.g. via wifi. If it is this could be your problem.

Start tcpdump on omnia like this:
tcpdump -i eth2 -nn -v port 51821

when the other peer is connecting you should see packets incoming to your omnia WAN interface from your omnia’s WAN default GW.

If you want to test just the wireguard functionality, you can try it over LAN first.

  • connect the other peer (your iphone) on the local omnia wifi, which I assume is in the LAN zone
  • change endpoint host in wireguard config of your other peer (your iphone) to your omnia LAN interface IP address
  • try to connect by enabling wireguard on your iphone

You should see traffic incoming in tcpdump on the Omnia, and the command wg or wg show should also show some transferred data. If it doesn't work even on the LAN, you might have a typo in the configs, like a missing or an additional (maybe hidden) character in the public or private keys, etc.

To add to what Johnny mentioned above: Could you please also give us an idea of what you're actually trying to achieve? You have two routers and one iPhone (at least that's mentioned in the WireGuard peer config). Between which of the three devices do you want to establish WireGuard tunnels?

If the iPhone is part of the setup, please mention in which case(s) you want it to connect via Wireguard: a) when it’s connected to your routers’ local networks (LAN) and/or b) when it’s somewhere on the Internet (“north” of the modem).

Most network people think of “bridge mode” when you mention “modem mode” but that excludes having multiple downstream devices (like in your case). Therefore, I’m guessing that your modem does NAT and needs some configuration which controls to which downstream device (WRT vs. Omnia) it should forward incoming Wireguard packets. Hence my question about port forwarding.