Hey,

I have read a lot, but I am running into serious trouble figuring out or troubleshooting what I am doing wrong.

What I am trying to achieve:

I have a Router (running OpenWrt) at Home, which is connected to a Modem that has Internet Access. On that Router, I want to establish a WireGuard VPN Connection to my WireGuard Server on my Linux Ubuntu VPS and route all traffic through the VPN connection.

What I did:

  1. Installed WireGuard on my Linux Ubuntu VPS

  2. Generated a private and public Key, saved them into /etc/wireguard/private.key & public.key

  3. Created a wg0.conf File which is as follows:

[Interface]
Address = 10.8.0.1/24
SaveConfig = true
PostUp = ufw route allow in on wg0 out on ens3
PostUp = iptables -t nat -I POSTROUTING -o ens3 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on ens3
PreDown = iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
ListenPort = 51820
PrivateKey = </etc/wireguard/private.key from WireGuardServer Value>

  4. Created & started the WireGuard service using systemctl (systemctl start wg-quick@wg0.service)

Status:

 wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
 Loaded: loaded (/lib/systemd/system/wg-quick@.service; enabled; vendor preset: enabled)
 Active: active (exited) since Fri 2024-02-09 13:00:42 UTC; 57s ago
   Docs: man:wg-quick(8)
         man:wg(8)
         https://www.wireguard.com/
         https://www.wireguard.com/quickstart/
         https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
         https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
Process: 27029 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=0/SUCCESS)
Main PID: 27029 (code=exited, status=0/SUCCESS)
     CPU: 277ms

Feb 09 13:00:41 ubuntu systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
Feb 09 13:00:41 ubuntu wg-quick[27029]: [#] ip link add wg0 type wireguard
Feb 09 13:00:41 ubuntu wg-quick[27029]: [#] wg setconf wg0 /dev/fd/63
Feb 09 13:00:41 ubuntu wg-quick[27029]: [#] ip -4 address add 10.8.0.1/24 dev wg0
Feb 09 13:00:41 ubuntu wg-quick[27029]: [#] ip link set mtu 1420 up dev wg0
Feb 09 13:00:42 ubuntu wg-quick[27029]: [#] ufw route allow in on wg0 out on ens3
Feb 09 13:00:42 ubuntu wg-quick[27059]: Rule added
Feb 09 13:00:42 ubuntu wg-quick[27059]: Rule added (v6)
Feb 09 13:00:42 ubuntu wg-quick[27029]: [#] iptables -t nat -I POSTROUTING -o ens3 -j MASQUERA>
Feb 09 13:00:42 ubuntu systemd[1]: Finished WireGuard via wg-quick(8) for wg0.

My Network interface on that VPS is called "eth3".

Now, when I come to my OpenWrt Router, here is where I am getting confused. Here is what I did:

  1. Installed wireguard-tools, kmod-wireguard, luci-app-wireguard, luci-i18n-wireguard-en, luci-proto-wireguard packages on the Router

  2. Created a WireGuard Interface

  3. Generated a Private/Public Key Pair for the Interface

  4. Added 10.8.0.2/24 as IP address

  5. Under "Peers" created a new Peer (if I understand correctly, I should enter the Information of my VPS (which is running the WireGuard VPN Server) because that's the peer?)

  6. Entered the Public Key of my WireGuard VPN Server under "Public Key"

  7. Entered 10.8.0.0/24 under "Allowed IPs"

  8. Entered the result of "ip route list table main default" of my WireGuard Server as the "Endpoint Host" (which is different from the Public IP of my VPS. My public VPS's IP is XXX.XX.209.79, while it outputs XXX.XX.208.1 in the ip route list table main default command for my ens3 network interface)

  9. Entered the Port, that it is in wg0.conf of the WireGuard Server (51820) into "Endpoint Port"

  10. Set Persistent Keep Alive to 25

  11. Ticked "Route Allowed IPs" (apparently creates routes for Allowed IPs for this peer)

Firewall:

  1. Created a FW Zone called "vpnblu1", with following settings:

Input: reject
Output: accept
Forward: reject
Masquerading: true
MSS clamping: true
Covered Networks: <the interface I earlier created>
Allow forward to destination zones: NULL
Allow forward from source zones: lan
  2. Edited my lan -> wan Forwarding:

Changed from

Allow forward to destination zones: wan
Allow forward from source zones: NULL

to

Allow forward to destination zones: vpnblu1, wan

Allow forward from source zones: wan

WireGuard Server:

  1. Edited wg0.conf, by adding following lines to the bottom:

[Peer]
PublicKey = <publicKey of the OpenWrt Interface>
AllowedIPs = 10.8.0.2/32

Now, whenever I try to connect to anything, it is not using the WireGuard VPN, but just normally routes through my original IP. Why does this happen and what am I doing wrong? I don't even know what exactly to troubleshoot.

  1. The WireGuard Server apparently runs, but how can I check if I can actually reach it from the outside?

  2. How can I know if my Firewall Zones are configured properly?

  3. How can I know, if my VPN Interface is setup correctly?

  4. How can I know, if I forgot something in the wg0.conf? Some other people had more Rows under the "Peer" section, for example the "Endpoint" Key. What value should I enter here (on the WireGuard Server side), the Public IP of my internet connection?

Thanks for any help in advance
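An added diagnostic for questions 1 and 3 above, not part of the original post: the definitive sign that a peer can reach the server is a recent handshake in the output of `wg show wg0 dump` on the VPS, so this script classifies each peer by handshake age. The function names (check_peers, peer_status) and the 180 s staleness threshold are my choices, and the dump it parses is a constructed sample so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original post). Reads the output of
# `wg show wg0 dump` on stdin and classifies each peer by handshake age.
# Real use on the VPS:  wg show wg0 dump | check_peers "$(date +%s)"

# check_peers NOW  -> one line per peer: <pubkey-prefix> <status> <endpoint> <allowed-ips>
#   NEVER: latest_handshake is 0, the peer has never completed a handshake
#          (what a wrong Endpoint/port or blocked UDP 51820 looks like server-side)
#   STALE: last handshake older than 180 s (WireGuard rekeys about every 2 min)
#   OK:    handshake within the last 180 s, the tunnel is up for this peer
check_peers() {
    awk -v now="$1" -F '\t' '
        NR == 1 { next }                  # first line describes the interface itself
        NF >= 8 {
            hs = $5 + 0
            if (hs == 0)             st = "NEVER"
            else if (now - hs > 180) st = "STALE"
            else                     st = "OK"
            printf "%s %s %s %s\n", substr($1, 1, 8), st, $3, $4
        }'
}

# peer_status NOW PUBKEY_PREFIX  -> just the status word for one peer
peer_status() {
    check_peers "$1" | awk -v p="$2" '$1 == p { print $2 }'
}

# Constructed sample standing in for real `wg show wg0 dump` output
# (tab-separated; the keys are placeholders, not real WireGuard keys).
SAMPLE_NOW=1707483642
SAMPLE_DUMP="$(
printf '%s\t%s\t%s\t%s\n' SERVERPRIVKEY SERVERPUBKEY 51820 off
printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' PEERONEPUBKEY '(none)' 203.0.113.5:41234 10.8.0.2/32 1707483612 1024 2048 25
printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' PEERTWOPUBKEY '(none)' '(none)' 10.8.0.3/32 0 0 0 off
printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' PEERTHREEPUBKEY '(none)' 198.51.100.9:51820 10.8.0.4/32 1707483000 512 512 25
)"

# sample_report -> the classified report for the constructed sample
sample_report() {
    printf '%s\n' "$SAMPLE_DUMP" | check_peers "$SAMPLE_NOW"
}

sample_report
```

A peer that shows NEVER while the client reports it is sending keepalives points at the endpoint address/port or at UDP 51820 being filtered before the server, not at routing or firewall zones on the router.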