Wireguard weird behavior for a wireguard expert

Hi
Have wanted a VPN to allow remote administration. Tried OpenVPN and found my laptop just wouldn't handle/run it. Then heard about WireGuard, liked what I read about it and tried to install. Documentation sucks on WireGuard and the only install thing I found was editing config files directly to implement it. Disaster for me, had to revert to get Omnia back, put it on the back burner.

Present day, found a post by someone way smarter than me on how to completely set it up using LuCI and the peer GUIs only. Looked easy peasy and it was. Had WireGuard running on my iPhone in less than an hour. Had WG running on the laptop in 30 min (tested by turning the iPhone tunnel down and hotspotting to isolate the laptop from any kind of local network connection). Totally jacked. Started exploring accessing some devices on my 192.168.1.x LAN and could access them using the local Omnia 192.? LAN from the iPhone and the hotspotted laptop. Was able to get into LuCI and Foris (both). Went to a close separate wifi site and tested them and was able to get great communications, all except 4 devices ??? Got home and started to poke around to look at why. Tried pinging, tried their web interface, tried direct 192.xxx??? communication. Went back and forth between laptop and iPhone.

Then it happened. I shut down the laptop tunnel one last time and got back on local to try local pinging, and went into LuCI and poked around the 4 addresses again looking for something/anything. No luck/answers. On the local network they work, can ping them, can talk to them, web interfaces work. Grabbed the iPhone to see if I could find any errors in the logs while I was trying from the iPhone WG tunnel. No internet access on the iPhone. Omnia says the tunnel is up but no handshaking. iPhone logs verify this. Shut down the iPhone tunnel and went back to hotspot mode, isolated the laptop offline locally and WG tunneled, and same thing: tunnel active but no handshaking. I DIDN'T DO ANYTHING WHILE POKING AROUND THE 4 PORTS !!!, PROMISE. Just looked at how they were mapped, static addresses, etc. It's like the Omnia firewall saw something happening it didn't like and went BANG! got ya WireGuard. Haven't got it up since. Looking for smarter-than-me's to help me figure this out. WireGuard ran for about 3 hours on both devices locally and @remote site and in an instant both dead.
Any Ideas anyone?

It’s really quite impossible to help you without any structured configuration/troubleshooting details such as the contents of /etc/config/network (with private keys removed).

This might help, too: Turris Academy - new date announcements & recorded TAs to watch - #7 by F.B

1 Like

Thanks for responding

Since I used GUIs on this install I am not sure what/where to go to get the info anyone might need. I don't know LuCI well enough to know what system files the GUIs might have touched/modified. A list of what you would like to see would be helpful.
You mentioned "/etc/config/network" so I can get working on that and anything else you want.
I could also get the instructions/template I followed in setting this up. Meanwhile I am going to play around a little with some info I got out of the Academy video
Thanks in advance

1 Like

Got pulled away from this project. Here is the latest.
Found out what happened to my laptop: an update for WireGuard came through and it trashed my config. Why, I have no idea. It has updated many, many times with no problem.
All my old tunnels from attempts past and the most recent one are all gone. Created a new tunnel with garbage for public keys and the private key for the local laptop tunnel. Will rebuild it when I can.
Worked with the iPhone and after some studying, with questions raised after the tutorial video, I came to the conclusion I have to have hard-coded port endpoints. The instructions I followed this last time had me believing port assignments were no big deal and optional. Not in my case. After hard-coding ports in my iPhone tunnel it came right up and I had internet, but unlike the other day's pre-fail successes I still can't access LuCI/Foris and no devices on my LAN.

Here is my network config

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd7c:de15:260e::/48'

config interface 'lan'
    option type 'bridge'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option bridge_empty '1'
    option ifname 'lan0 lan1 lan2 lan3 lan4'

config interface 'wan'
    option ifname 'eth2'
    option proto 'dhcp'
    option ipv6 '0'

config interface 'guest_turris'
    option enabled '1'
    option type 'bridge'
    option proto 'static'
    option ipaddr '10.111.222.1'
    option netmask '255.255.255.0'
    option bridge_empty '1'

config interface 'wan6'
    option ifname '@wan'
    option proto 'none'

config interface 'wg0'
    option proto 'wireguard'
    option private_key 'REDACTED'
    option listen_port '1234'
    list addresses '10.14.0.1/24'
    list addresses '192.168.1.1/24'

config interface 'wg1'
    option proto 'wireguard'
    option listen_port '51821'
    option private_key 'REDACTED'
    list addresses '10.14.0.10'
    list addresses '198.162.1.1/24'

config wireguard_wg0
    option public_key 'GljhsUpblEeNrSX8s8RrHxwDQ/+owRl1aR29q9bBHzk='
    option description 'Phone'
    option preshared_key 'REDACTED'
    option route_allowed_ips '1'
    option persistent_keepalive '25'
    option endpoint_port '1234'
    list allowed_ips '10.14.0.1/24'
    list allowed_ips '192.168.1.1/24'

config wireguard_wg1
    option public_key 'Gqg46OZy/9ZSto/jK5Hq+l0qFA7nW+cbB/ImRXITaRU='
    option description 'Laptop'
    option preshared_key 'REDACTED'
    option route_allowed_ips '1'
    list allowed_ips '10.14.0.3/32'
    list allowed_ips '192.168.1.1/24'
    option endpoint_port '5678'

Note: only wg0 is tested anywhere; wg1 is probably in la la land.

Now here is the interesting part. I got the iPhone tunnel up and was trying different IP configurations to establish local LAN communications, and when I had no success and the brain matter turned to mush, I put it aside. Had some other network failures to deal with yesterday and about noon I came back to it and found, right out of the box, the iPhone tunnel had collapsed again. No handshake today. It was fine when I quit late the other day. The only thing that transpired was just TIME. I made no changes to the iPhone tunnel prior to shutting it down; now it's dead again.

I am running out of time for this trip up and I just can't believe this is that difficult. I have only been able to find 3 tutorials on WireGuard: the one on the Turris website, one by a poster that took the Turris post and made more sense of it (but both Turris's and the second one, requiring lots of editing of system files, weren't for me), and a third by a poster that took the second poster's process and ported it to a GUI-only setup, which I really liked and which initially worked.
Where do I find really good how-to docs on WireGuard? The website is not really helpful in that it assumes you already know all about WireGuard and their offerings are just a refresher.
Thanks .IK

It looks like you have wrong address spaces in the interfaces and they are clashing.

An example of config interface 'wg':

config interface 'wg0'
    option proto 'wireguard'
    option private_key 'REDACTED'
    option listen_port '1234'
    list addresses '10.14.0.1/30'

config interface 'wg1'
    option proto 'wireguard'
    option listen_port '51821'
    option private_key 'REDACTED'
    list addresses '10.14.1.1/30'

i.e., minus IP addresses.

This is true for IPv4, in IPv6 it’s a bit different.

Also, you will need this firewall setup:

1 Like
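To make the "clashing address spaces" diagnosis above checkable rather than eyeballed, here is a small static checker added to this thread (it is not part of the original posts, not Turris OS tooling, and not the WireGuard project's code). It parses the address-bearing lines of an OpenWrt-style /etc/config/network, computes the on-link prefix each interface claims, and reports every pair of interfaces whose prefixes overlap. The two embedded configs are constructed from the thread: the first reproduces the prefixes in the config as posted (keys and unrelated options left out), the second applies the /30 suggestion from the reply above.

```python
"""Static overlap check for interface prefixes in an OpenWrt UCI network config.

Constructed example for this thread; parses only 'config interface' sections
with ipaddr/netmask or 'list addresses' entries.
"""
import ipaddress
import re
from itertools import combinations

# Constructed sample: prefixes as posted in the thread (keys and other options elided).
POSTED_UCI = """
config interface 'lan'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'

config interface 'guest_turris'
    option proto 'static'
    option ipaddr '10.111.222.1'
    option netmask '255.255.255.0'

config interface 'wg0'
    option proto 'wireguard'
    list addresses '10.14.0.1/24'
    list addresses '192.168.1.1/24'

config interface 'wg1'
    option proto 'wireguard'
    list addresses '10.14.0.10'
    list addresses '198.162.1.1/24'
"""

# Constructed sample: same LAN, wg0/wg1 carrying only a small tunnel prefix each.
FIXED_UCI = """
config interface 'lan'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'

config interface 'wg0'
    option proto 'wireguard'
    list addresses '10.14.0.1/30'

config interface 'wg1'
    option proto 'wireguard'
    list addresses '10.14.1.1/30'
"""

SECTION_RE = re.compile(r"config\s+interface\s+'([^']+)'")
ENTRY_RE = re.compile(r"(option|list)\s+(\S+)\s+'([^']*)'")


def parse_uci_interfaces(text):
    """Return {iface_name: [(key, value), ...]} for each 'config interface' section."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group(2), m.group(3)))
    return sections


def interface_networks(sections):
    """Map iface -> list of the IPv4 networks it sits on.

    ipaddr + netmask (static proto) and each 'list addresses' entry both count;
    an address without a prefix length is a single host (/32).
    """
    nets = {}
    for name, entries in sections.items():
        scalar = {k: v for k, v in entries if k != "addresses"}
        found = []
        if "ipaddr" in scalar:
            mask = scalar.get("netmask", "255.255.255.255")
            found.append(ipaddress.ip_interface(f"{scalar['ipaddr']}/{mask}").network)
        for k, v in entries:
            if k == "addresses":
                found.append(ipaddress.ip_interface(v).network)
        nets[name] = found
    return nets


def find_clashes(nets):
    """Sorted (iface_a, net_a, iface_b, net_b) for every overlapping pair on different interfaces."""
    flat = [(iface, net) for iface, ns in nets.items() for net in ns]
    clashes = []
    for (a, na), (b, nb) in combinations(flat, 2):
        if a != b and na.overlaps(nb):
            clashes.append((a, str(na), b, str(nb)))
    return sorted(clashes)


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_UCI), ("fixed", FIXED_UCI)):
        found = find_clashes(interface_networks(parse_uci_interfaces(cfg)))
        print(f"{label}: {len(found)} clash(es)")
        for a, na, b, nb in found:
            print(f"  {a} {na}  <->  {b} {nb}")
```

Run on the posted config it reports two clashes (the LAN /24 duplicated on wg0, and wg1's host address inside wg0's /24); on the /30 layout it reports none. Checking the file this way before reloading the network is cheaper than finding the breakage from a remote site.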

Thanks FB

I was afraid of clashes. I am not sure just how all the values I put into the little spaces really interact with each other. Very very unclear on this subject. All the instructions I have just say put this in here and that in there, with no real explanation on any of them, what they do and how they interact. Is there any kind of guide that explains any/all of this? Do these clashes exist even if the wg tunnels are not up at the same time? Do clashes exist even if the tunnels are not up at all?

I noticed you changed "list addresses" to 10.14.1.1/30. My question now is the WireGuard docs say /30 and /31 are invalid in WireGuard. Is that not the case anymore? That is why I used /32, to keep the subnet as small as possible and be legal.

On the zones I was instructed to go to Firewall/Port Forwards and I created wg0 and wg1 and assigned them to the LAN zone there. Is that essentially what you did in your screenshot of doing it on Firewall/Zones?
This is a shot of Firewall/Port Forwards and how I did it. I have seen this done in many posts of other posters showing screenshots and wondered what it was all about until I saw the GUI version of the WG installation. Is your way and my way the same thing? Which is better?

(screenshot: LuCI Firewall/Port Forwards)

I have four devices on my LAN that will not respond unless they see that the communicating devices are on the same subnet, 192.168.1.XXX. That is one of the reasons I used 192.168.1.1/24 on the wg1 interface; the second reason was another poster could not get internet access unless he used that, which was one of my problems until I did the same thing, solving my problem.
So with 192.168.1.1/24 being assigned to wg1, what would be valid for wg0?

Thanks in advance IDK

1 Like

Well a great big THANKS!!! ARE IN ORDER!!!
I am on WIREGUARD. Writing this on it right now. Thanks for finally getting through to me on proper addressing and avoiding clashes. Final test at a remote site in a few hours just to make sure that my success is not a DNS leak through my hotspot. Disregard anything above this point now, but I still have one problem.
I still have 4 devices that won't communicate. They are funny in that they won't respond unless the IP address communicating with them is on the same subnet, 192.168.1.???. So if I hit a web browser and type in 192.168.1.120, does the device see that address over WireGuard?
If I hit a DOS box and enter address + commands (direct command of device mode), does the device see the 192.168.1.120 IP address over WireGuard? If so they should respond, but they don't.
Does anyone have any thoughts on this??? This is the last hurdle I have and these 4 devices are the most important devices on the network next to having remote LuCI/Foris access, which I now have.
I am leaving this site in a few hours so I will not be able to play with the devices in question and try solutions until I get back up here again. So if you have any ideas chime in and let me know and I will try them later.

THANKS!!! again for all the help, and I knew it simply could not be that hard. Just did not have enough documentation, had some bad documentation, and not enough understanding of WireGuard to get through it.

Idaho Kid

2 Likes

Hi
Back at the site and WireGuard worked fine, so closing this out and will create another post on the other problem I mentioned to keep it simple and fresh. Don't need the clutter of the WireGuard problems muddling up this new topic.

Thanks again to all of those who contributed to the WireGuard problem.

1 Like