Hallo Marc, habe ein Problem, kannst vielleicht mir Helfen? Habe eien OpenWRT basierende LTE-Router. Wireguard kann habe ich schon als Packet installiert. Habe einen Cloud-Server auf Hetzner, der als WireguardServer (auf Debian) agieren soll mit öffentlicher IPV4-Adresse. Habe Überwachungskamera die ich an LTRE-Router anschliesse via Netzwerkkabel. Habe ganze Wireguard-Konfigurationen gemacht, auf Clodserver, meinem Windows-Laptop und auf LTE-Router. Aber auf Kamer habe ich keinen Zugriff. Auf Router habe ich Zugriff. Anders gesagt, bis Router habe ich Zugriff über den Tunnel. Das Problem liegt glaube ich an NAT, Routing, Firewall. Mein Router ist Teltonika RUT950. Danke im Voraus.

Many thanks Manos, that’s very flattering (*blush*) 😉

Many thanks for your friendly feedback!

Hi Michael, thanks for pointing this out. I've changed the script.

Thank you very much ! Yes, I get caught by that on and on as well - you really need to restart the Wireguard interface, otherwise changes are not taken into account.

Hi Sergey, many thanks !

​@@OneMarcFifty I'm also Sergey and I confirm everything my namesake said. Keep it up, Marc!

Excellent, I am happy that it could help you.

Thanks a lot!

Awesome - glad it helped ;-)

Many thanks Stefanos. I have been thinking about doing a Wireguard troubleshooting video for quite a while now. There are many videos on Wireguard, but regularly people run into issues with DNS, routing and crypto routing.

Thank you Pat, much appreciated - I am glad you liked it.

Ouch! From what you write I assume that both your Wireguard and Openvpn on the router where in the lan zone? If this is the case then I can unfortunately see no way to het back in from a distance. Also - even if your Wireguard was in a different zone and you could potentially recover the keys locally (from scrolling back in the terminal or the cache of your browser or the like) - as your router doesn’t recognize you as a peer - no chance to het back to it… Did you hit “save and apply?” - you might be lucky if you had waited for luci to time out (in which case the changes you made could have been reverted). In this case, connecting again over openvpn could work. If you refreshed your browser or the like then you’re probably locked out. Do you have ipv6? Maybe you have a slim chance to get to some host in your Lan over ipv6 if you had not locked it down completely. But from what you tell me I would assume that you are unfortunately locked out for good. Sorry….. :-(

Try an nmap to your router’s public address to see if by “chance” you left a port from the wan open. Maybe there is something that can be exploited…

But your best chance would be to have someone go to your home And put the router into recovery mode, revert the firewall change and reboot it I am afraid

Hi it is true that the solution as it is shown is not made to access the internet over the VPN but rather to access internal home resources from the internet. Having said that, if you enable zone forwarding and masquerading from the VPN zone to the WAN zone it should be possible. I haven’t tested this though...

Heya, have you tried this ? Did it work ? Please let me know. If not, I'll mock it up in my environment and provide troubleshooting steps.

@@OneMarcFifty I did this and it worked for me, thank you!

@@MrGreeneon Awesome, many thanks for letting us know !!!

OneMarcFifty I get it to work! Thank you!

Hi, I do have a video in the planning for VPN auto-routing. However, it will presumably not use an existing provider but we will rather build our own with IAC/IAAS providers such as vultr or linode on demand - not sure if I'll cover OpenVPN or Wireguard or both ;-)

Thank you

I'll give that some thought as it comes up quite often. Are you talking about mobile network / USB stick scenario or would you be abe to install something on the perimeter router (i.e. the "last" router that has a public IP address) ?

@@OneMarcFifty There are places where internet is complicated 😊 Situation: We have two ISPs, lets call them (X) and (Y). Y may lend “white” IP, NAT by default. X connected thru Y and not able to provide external addresses to customers, NAT is only option there. We do not have access to any of NATs/ISP configs. For this reason, we can’t expose home router's WAN(W) to internet directly. Even DDNS do not work properly due to double NAT. To get access to W, and therefore to home network, from internet-outside-connected client(C), as I understand, we need to have “leverage”(L) server somewhere outside, in the internet. Just like Hamaci or TeamViewer works - both clients (W and C) connecting to L, establish connection, but all traffic goes peer-to-peer. Do you know any solution to be able to use VPN like that? Or maybe you know something better to expose personal VPN server at router to internet thru multiple NATs? Thx!

Hi Fernando, the video might have slight bugs here and there - if you check out the discord Server, I have posted screenshots of a working config there

fixed the problem using persistent keep alive = 25

That was quick 😉

First try to remove the optional "preshared key" - sometimes this is defined only on one side and makes handshaking impossible. Second, double check that port forwarding is working OK if there is a router in between (like your ISP's router), then try setting persistent keepalive to 25. Last but not least double check on all other values (Port number, IP address etc.) If you can't get it to work you can of course join the discord session on sunday

Omg I had that issue after running the script... turns out I had to restart the WG interface

Many thanks for sharing !!!

The public key that you need to add on your router is the one that shows up on your iphone, i.e. if you go to the wireguard client, then click on the connection you see your own public key and that of your peer. You need to put your own public key into that input line of the remote. I do not know why your interface shows up as "vpn" rather than wg0. Which version of OpenWrt are you using ? Maybe it's a bit older ? Last ressort you might just rename it... Port forwarding can be tested in various ways. First you need to make sure that you connect to the right device, meaning if you are using Dynamic DNS check with the IP address first. Then you could either open a port on a well known service such as ssh and see if you can connect. Did you configure port forwarding at all ? Second solution would be to use a tool such as wireshark or even nmap would do in order to see if the packets get a reply back. Third possibility but this is hardware and firmware dependent would be to check if you have access to any logfiles on the modem. Hope that helps ;-)

If you can‘t get it to work please join me on discord this Sunday and we can fix it together

@@OneMarcFifty Thank you for your reply. I was running an almost updated version of OpenWRT but I also flashed my router to be on the safer side. I also found the reason why my interface was being shown as VPN instead of WG0. I had used the code from openwrt.org/docs/guide-user/services/vpn/wireguard/server instead of using your GitHub code word to word. My router is behind a modem and I have forwarded 51820 on the modem (i.imgur.com/eRRPnbL.png). My IP is static for now and does not change very often therefore I am using my global IP address to use it on my iPhone. Here are my configurations that you may please look at and let me where I may be wrong. i.imgur.com/azYAtth.png i.imgur.com/0bxzCQI.png i.imgur.com/e1gLOxe.png i.imgur.com/TQKb3Lg.png i.imgur.com/93TqZ7k.png

@@OneMarcFifty I will appreciate it if you can help me fix it up, please. Share the link where I can join you.

discord.com/invite/DXnfBUG - see details in this video kzbin.info/www/bejne/jKDYdHWqZrOHoNk

Creating a VPN connection between the two will be easy (i.e. VPN to the endpoint from where you are) as the VPN network will have a different IP range. Where things will become difficult is when you want to do LAN-to-LAN routing - that might require some Layer2 tunneling (batman or the like) to put both networks on the same switch. How exactly would you want to connect them (might be easier to change the IP range for one of you though ;-) )

@@OneMarcFifty I suppose the more general question is what to do if my subnet is used somewhere on the originating network before it hits the Internet. Maybe the answer is to reduce that probability by using something less common than 192.168.1.0/24 🙂

Hi Anton, I‘ll have a look into that - a scenario that I want to address is VPN on demand. Like connect to one wifi with vpn and another one without vpn. Your suggestion adds another interesting scenario here.

You're welcome, glad you liked the vid ;-)

Hi Gary, if you want to VPN into your home then yes, you would either have a fixed IP or use Dynamic DNS

@@OneMarcFifty thanks

Hi Fredrik, none that I would be aware of w/r to Wireguard really

Hi Gürkan, I've noticed that Wireguard can be tricky to troubleshoot. I might at some point do something more in detail on this. Many thanks for your feedback!

You can use any - either your main router or google or cloud flare

Hi, that would really need a closer look into how you set up routing and forwarding. If you want then you can share your config on the discord server.

Hi John - sounds like a subject for a video on its own ;-) In order to not keep you waiting until then you may check out Thomas Haller's blog here : blogs.gnome.org/thaller/2019/03/15/wireguard-in-networkmanager/ he describes the necessary steps or some of the service providers do have good howtos as well, like ivpn: www.ivpn.net/setup/wg-linux-netman.html Let me know if this helps.

@@OneMarcFifty hello, thanks! But I need something simpler for the graphical interface. Could you make one video showing it? thanks again in advance.

I’ll think it over 😉

Hi Rene, yes you can do it that way. You would however need to add the routes manually (or using the PostUp/PostDown settings in th Wirguard Config File. Problem is that the Access point is presumably not the default gateway for the other nodes and hence you would need to add those routes by hand. Potentially you would also need to use masquerading. See lines 150-160 in this code github.com/onemarcfifty/wireguard_vps_vpn/blob/master/wireguard.sh for an example on how to set up masquerading.

Hi Tomás, well - it depends ;-) Bandwidth will be slower of course if you first go through the VPN - but in essence it depends who you trust more - your home's ISP or the 4G network ;-)

Hi Peter - yes the LuCI interface of Wireguard has changed

The package name had changed from wireguard to wireguard-tools. The script should be updated.

Hi Henning, first off many thanks for your feedback. Now - I have learnt that there are a couple of challenges with videos about tech. The first challenge is that regardless of the technical level you aim at, you will always fly too high or too low for roughly 80% of the potential audience - that's just a matter of life and statistical spread I assume. So with regards to your questions - yes, it is true that I don't explain the UCI commands etc. Please keep in mind that the main goal of the video is to show how to install wireguard. Another challenge when using script commands to do stuff is that you might find different environments when the script runs. Now I could either add a lot of if...then statements into the script or rather just bluntly say to rename zones into default values. Or - in other words - tell people what the zone is supposed to be. Of course rather than renaming the zone to lan and then set network.lan.x to something I could have used a variable and then set network.$variable to something.. correct. But please keep in mind that my goal is not to sell and document a software here but rather make a video that could be of interest for an as-large-as-possible audience. Now there is another double-cutting sword here. I could of course make the video longer and then just go into details on everything. But this would make the video quite lengthy and looking at the statistics people are more likely to watch a ten minutes video than watch a 30 minutes video... With regards to the allowed IPS, it mainly depends on how you want to set up your interface, i.e. do you want to allow the whole network range or just one device. Mainly the question is how many Wireguard devices will you have connecting to the interface. If it is only one and only one, then set IP/32. If you might add more, then define a larger network. Woaaahh !!!! Long reply! Now _I_ will shut up - hey if you want to discuss or chat be my guest on discord ;-)

Had that too - it only works in 22.03 if the private key is present as well

@@OneMarcFifty Thanks for fast response. The only place I see any sign of QR codes is under Interfaces » WG0 » Edit peer. Not under /cgi-bin/luci/admin/status/wireguard like you showed in your video. Is this the same thing? Is this the new place for it now?

Yes, correct.

@@OneMarcFifty Thanks, I got this working on my Mac and Android devices but for some reason it doesn't work on iOS. I tried both the QR code and import methods and neither works on either my iPhone or iCloud. Maybe the iOS app is bugged.

Hi Arion, did you forward the port from the outside to the OpenWrt ? Did you add an allow on the Firewall in OpenWrt ?

There's a couple of things that typically can go wrong here - first, you always need to restart the wireguard interface on the openwrt router when you make changes. Second, untick the "default gateway" box on the Wireguard interface because otherwise it will mess up the routes on the server. Third, add the Wireguard Interface to the right firewall zone, e.g. LAN or a separate VPN zone that you allow to forward to WAN.

I'm currently building a web-service bastion host for the family with an IPv6 Wireguard backbone - might pick that up for a video ;-)

Thanks for pointing this out.

Have a look at avahi-daemon. It does what you need. You can run it in reflector mode or create your own services files.

@@OneMarcFifty Got it working! Actually it was a bit rough. Main issue was with AllowedIPs not having mDNS IPs, Point to Point enabled in Avahi and (I think it doesn't have any effect) "multicast on" on Wireguard device. Well, had to apply some filtering, Sonos reflection worked, but left it just for printers, remote ADB (for a TV), HomeKit working outside of second home without having an AppleTV, etc. So good!

Hi David, tut mir leid dass es in Deiner Konfiguration nicht klappt. Schau mal auf dem Discord Server nach, dort habe ich vor längerer Zeit mal eine funktionierende Konfiguration geposted.

Hi Marcos, I believe you have asked that question on the discord server as well, so please let me relay the answer here. I thought that this would be more or less by design as the VPN would typically be used to get into the LAN from the WAN. However, someone else mentioned that you could set the allowed IPs to something outside your LAN and that would fix it - curious to read from you if this works.

Marcos, me arriesgo a que hables español, que así lo puedo explicar más fácil: abajo de todo en las opciones del iPhone tenés Bajo Demanda. Podes configurar ahí que se active la VPN siempre que no estés conectado a tu wifi.

Hi Will, basically you just add additional peers and scan the QR code on them. Just make sure you don't overlap the networks of the AllowedIPs.

Hi Arion, I am not sure about that. I haven't used DD-WRT at least for a decade... sorry.... But there is an article on the DD-WRT Wiki here : wiki.dd-wrt.com/wiki/index.php/Wireguard

@@OneMarcFifty Thank and let me try to converse DD-wrt to Open-wrt firstly and then try from this video, thanks.

Let me know how it goes!

Hey, you’d need to double check on everything then - do you have port 51820 udp forwarded to your router? Firewall open? All keys ok? Maybe jump on the discord server and share some screenshots?

@@OneMarcFifty Thanks again, double checked my config. i've decided to use copy and paste via SSH not the openwrt LUCI. it's working now. Regards

Hi Arion, I think I’ll make a separate episode on Wireguard at some point.

I’d just test it ;-)

@@OneMarcFifty Always test in IT :p I will try and if I don't forget, report back here my findings.

Hi, what exactly is the problem when adding others or printing QR codes ?

Hi Tomás it should work with V21, as I am not using any specifics such as VLAN etc. I haven't tested it though ;-(

Hi Volker, Du kannst die automatische Übersetzung für Untertitel aktivieren - vielleicht hilft das ;-) Ich muss demnächst mal die ganzen Skripte, die ich in Videos verlinkt hatte prüfen - da sind sicher ein paar Versions-Themen drin.

Hi Nick, in order to deactivate Wireguard you need to deactivate the wg0 interface, either in luci or in ssh with ifconfig wg0 down. If you want to get rid of it completely, just uninstall the wireguard software

OneMarcFifty I turn off the wg interface in the graphical shell, but then the Internet disappears.

Then probably you have ticked the box “set default gateway”? Untick it. In order to repair, up and down your wan interface - that should restore default routes

Hang on, which device are we talking about ? The openWrt router?

Hi Jordan, this is the IPv6 address of the wireguard interface. If you are not using IPv6 you can remove it but you would also need to remove the line that assigns it via uci: uci add_list network.${WG_IF}.addresses="${WG_ADDR6}" and later uci add_list network.wgclient.allowed_ips="${WG_ADDR6%/*}/${WG_ADDR6#*/}" - alternatively you can of course change it as wanted/needed.

First try to remove the optional "preshared key" - sometimes this is defined only on one side and makes handshaking impossible. Second, double check that port forwarding is working OK if there is a router in between. Then try setting persistent keepalive to 25. Last but not least double check on all other values (Port number, IP address etc.) If you can't get it to work you can of course join the discord session on sunday. Port forwarding needs to be done on your ISPs router only if you are coming from the outside i.e. the internet. Usually ayou can do that on your own.

@@OneMarcFifty I have read this in other comment and by setting persistent keep alive I can establish a handshake. Hurray! But the connection is very slow and the live view doesn't load up. After researching possibly I'm in double nat and that slow things down, perhaps??? Sadly I can't do anything with the ISP router. It is totally blocked for cofing.

In essence you would just need to add more peers on the wireguard interface.

Great point, many thanks for the comment - however, this is more relevant in a scenario where you use _outbound_ VPN (i.e. you want to cover traffic by using a public IP VPN) as opposed to the here suggested scenario which is _inbound_ VPN (i.e. connect to your home environment in a secure manner from the internet).

First off, I am sorry that the script didn't work for you - it's true that a script can never check for all eventualities. But you're raising an important point here - folks, if you run scripts or stuff, please make sure that either you feel comfortable reverting your stuff back if things go belly-up or - like the commenter - you have a backup. If you need help, please check in my discord server at any time.

Hi, when you say that the connection can not be established - diubke check on all parameters and also keep in mind that Wireguard runs in kernel space, i.e. restart your network after each change. I am using it for a longer time now and never had any issues with reliability really

Hi Yousif. Please keep in mind that the documentation you link to is about connecting your router as a client to a commercial outbound vpn. My video is about connecting a client to your router at home.

@@OneMarcFifty Hi Marc. Yes, I noticed. I am now following to connect my Android phone to my router but despite the VPN shows connected there's no Internet and no LAN access. Can you speficy more on the IP 192.168.0.170 in 5:25 as I can't determine what mine shall be.

192.168.0.170 is the ip of my router. I have ran all the tests in an internal network. So in your case - if you want to connect to your home router you would need to specify the public IP of your home environment there ore - alternatively - as this IP might change periodically you could use a dyndns service and let's say connect to yourhome.dyndns.org or whatever you called your home ip to be.

@@OneMarcFifty Thanks for the feedback. This video took my two days vacation already. In one time I manage to get it working. Then I read that there's some issue called Double-NAT where like in my case the OpenWRT router is behind the ISP 4G modem (with SIM card hence I can not remove it or replace it). I following some documentation in OpenWRT to remove the WAN and add it the LAN VLAN and make the Netgear/OpenWRT as Dump AP. Since then the 4G router provide the DNS and DHCP but for unknown reason I couln't make the Wireguard to connect ever again. Did I messed up very bad or I can still get it working without the WAN port in the OpenWRT? I reentered your script command again one by one except for the WAN and IP6 lines.

Hi Yousif, sorry to hear that you spent your whole vacation with this 😟 - the script is in fact not made for NATted environments - I would need to make some adjustments to the scripts for this. Now - turning the router into a dumb access point is possible but I would not recommend it - it just removes a layer of security. Have you been able to open a port on your 4G modem? In a nutshell I’d say it would be best ro revert to WAN/LAN and I shall add a fix to the scripts.