Another wireguard setup without RX packets

Hi, I am struggling to get Wireguard working on a single port router TP-LINK WA730RE with OpenWrt 18.06.9. I get no RX packets. I have read many other similar posts but am still unable to fix it.

I have a home network 192.168.1.0/24 which connects to the internet via another router.

The WA730RE connects to this network via the single port eth0. Devices connect to WA730RE via wifi, which has its own subnet 192.168.10.0/24.

Before configuring wireguard I successfully prepared this recommended setup from another post: https://forum.openwrt.org/t/help-setup-openwrt-vpn-with-single-port-tl-wr802n/140416/35

My configuration:

/etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd43:xxxx:xxxx::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option proto 'dhcp'
	option ifname 'eth0'
	option peerdns '0'
	option dns '10.255.255.2'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'xxxx'
	list addresses '100.x.x.x/32'
	option listen_port '45005'

config wireguard_wg0
	option description 'wg peer'
	option public_key 'xxxx'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
	option route_allowed_ips '1'
	option endpoint_port '65142'
	option endpoint_host '212.x.x.x'
	option persistent_keepalive '25'
/etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option name 'vpn'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'wg0'
	option input 'REJECT'
	option masq '1'

config forwarding
	option dest 'vpn'
	option src 'lan'

config forwarding
	option dest 'wan'
	option src 'lan'

Thanks in advance if anyone is able to spot what I am missing/did wrong.

You shouldn't need that for the vpn firewall zone. However, your issue is probably either incorrect keys or a missing firewall rule to allow traffic in.

What is the output of

ubus call system board

This appears to be a connection to a commercial service. You do need to masquerade into the tunnel since they will not have routes back to your LANs configured on their end.

Run wg show on the CLI to see if there has been a handshake. If not, check that the server is reachable (most will respond to pings) and that the keys are correct. This is an outgoing connection so no firewall changes should be needed to get the handshake.

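The reply above gives the diagnostic order: look for a handshake first, then check reachability and keys. The helper below is an added example for this thread, not OpenWrt or wireguard-tools code. It classifies the plain text that `wg show <iface>` prints, so "bytes sent, 0 B received" is distinguished from "handshake completed" without reading the stanza by eye; the two sample outputs are constructed (one mirrors the thread's TX-only output, one shows what a working tunnel prints), and the final `wg show wg0` call only runs where `wg` exists.

```shell
#!/bin/sh
# Added example (not part of OpenWrt or wireguard-tools): classify a WireGuard
# interface's state from the text `wg show <iface>` prints.

# Reads `wg show` output on stdin and prints one word:
#   NO_PEER       no "peer:" stanza at all, so the peer section never got applied
#   NO_HANDSHAKE  peer present but no "latest handshake:" line; packets may go
#                 out, nothing comes back (wrong key, wrong/missing preshared key,
#                 or the endpoint is unreachable)
#   HANDSHAKE_OK  a "latest handshake:" line exists, the far side answered
# wireguard-tools only prints "latest handshake" once a handshake has completed.
wg_state() {
    awk '
        /^peer:/            { peer = 1 }
        /latest handshake:/ { hs = 1 }
        END {
            if (!peer)   print "NO_PEER"
            else if (hs) print "HANDSHAKE_OK"
            else         print "NO_HANDSHAKE"
        }'
}

# Prints the received amount from the "transfer:" line, e.g. "0 B" or "1.20 MiB".
wg_rx() {
    awk '/transfer:/ { print $2 " " $3; found = 1 }
         END { if (!found) print "0 B" }'
}

# Maps the state to the next check suggested in this thread.
wg_advice() {
    case "$1" in
        NO_PEER)      echo "peer section missing: check the wireguard_wg0 section in /etc/config/network" ;;
        NO_HANDSHAKE) echo "no handshake: ping the endpoint, then re-check the keys (including any preshared key)" ;;
        HANDSHAKE_OK) echo "handshake done: if traffic still fails, look at routes and firewall forwarding" ;;
        *)            echo "unknown state"; return 1 ;;
    esac
}

# Constructed sample mirroring the TX-only output posted in the thread (keys redacted).
SAMPLE_NO_RX='interface: wg0
  public key: xxxx
  private key: (hidden)
  listening port: 45005

peer: xxxx
  endpoint: 212.x.x.x:65142
  allowed ips: 0.0.0.0/0, ::/0
  transfer: 0 B received, 14.45 KiB sent
  persistent keepalive: every 25 seconds'

# Constructed sample of a working tunnel: note the extra "latest handshake" line.
SAMPLE_OK='interface: wg0
  public key: xxxx
  private key: (hidden)
  listening port: 45005

peer: xxxx
  endpoint: 212.x.x.x:65142
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 12 seconds ago
  transfer: 1.20 MiB received, 96.31 KiB sent
  persistent keepalive: every 25 seconds'

# Stand-alone demonstration on the constructed samples.
for sample in "$SAMPLE_NO_RX" "$SAMPLE_OK"; do
    state=$(printf '%s\n' "$sample" | wg_state)
    echo "$state (rx $(printf '%s\n' "$sample" | wg_rx)): $(wg_advice "$state")"
done

# On the router itself, run against the live interface when wg is installed.
if command -v wg >/dev/null 2>&1; then
    state=$(wg show wg0 2>/dev/null | wg_state)
    wg_advice "$state"
fi
```

On the router, `wg show wg0 latest-handshakes` gives the same information as a per-peer epoch timestamp (0 means no handshake has ever completed), which is easier to compare in a script than the human-readable stanza.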

OK thanks, I'll remove it.

root@OpenWrt:~# ubus call system board
{
        "kernel": "4.9.243",
        "hostname": "OpenWrt",
        "system": "Atheros AR7240 rev 2",
        "model": "TP-Link TL-WA730RE v1",
        "board_name": "tl-wa901nd",
        "release": {
                "distribution": "OpenWrt",
                "version": "18.06.9",
                "revision": "r8077-7cbbab7246",
                "target": "ar71xx\/tiny",
                "description": "OpenWrt 18.06.9 r8077-7cbbab7246"
        }
}

Yes that's right, it is trying to connect to Windscribe.

wg show: TX OK, no RX:

root@OpenWrt:~# wg show
interface: wg0
  public key: xxxx
  private key: (hidden)
  listening port: 45005

peer: xxxx
  endpoint: 212.x.x.x:65142
  allowed ips: 0.0.0.0/0, ::/0
  transfer: 0 B received, 14.45 KiB sent
  persistent keepalive: every 25 seconds

and a ping to the server seems to come back OK:

PING 212.x.x.x (212.x.x.x): 56 data bytes
64 bytes from 212.x.x.x: seq=0 ttl=55 time=38.704 ms
64 bytes from 212.x.x.x: seq=1 ttl=55 time=35.623 ms
64 bytes from 212.x.x.x: seq=2 ttl=55 time=35.634 ms
64 bytes from 212.x.x.x: seq=3 ttl=55 time=35.530 ms
64 bytes from 212.x.x.x: seq=4 ttl=55 time=35.474 ms

--- 212.x.x.x ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 35.474/36.193/38.704 ms

To verify the keys were OK I used the same keys on my phone connected via wifi directly on the home network 192.168.1.0/24 with a Wireguard app and it connects OK (i.e. without using the OpenWrt router).

I don't think that Wireguard has changed since OpenWrt 18 but that is a very old version that should not be used any more, especially when security is important.

Wireguard uses a client's public key (related to the private key) to identify and route traffic to it. You cannot have two clients with the same private key connected to a server at the same time. Every client should have its own key.

Agree 100%, it is an old router so stuck on 18 on this one (just trying to use it for a side project and it is temporary and not critical). Yes about the keys, will only use this key on the openwrt router, just did a temporary test on phone to confirm they worked.

Thanks everyone, found the issue. I just realised that on the old OpenWrt 18 the optional preshared key field must be added manually to the page. Once I did that, provided the value and rebooted, the RX packets started to flow in.

Many thanks
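The fix in the post above was a missing preshared key; a wrong or absent PSK makes the server drop the handshake silently, which is exactly the "sent but 0 B received" picture from `wg show`. The snippet below is an added example, not OpenWrt's own code: it checks that a pasted key string has the shape WireGuard expects before it goes into UCI, and wraps the `uci` commands that set `preshared_key` on the peer section from the CLI (the same field the LuCI page on 18.06 hides until added). `set_wg_psk` only reaches `uci` when run on the router; the all-zero key used for the format check is a constructed example value, not a real key.

```shell
#!/bin/sh
# Added example for this thread (not OpenWrt's own code): validate a WireGuard
# key string, then set it as the peer's preshared key through UCI.

# Any WireGuard key (private, public or preshared) is 32 bytes encoded as
# base64: 44 characters, 43 of data and one "=" pad. With 32 bytes the last
# data character carries two zero padding bits, so in canonical base64 it can
# only be one of A E I M Q U Y c g k o s w 0 4 8. Anything else is a paste error
# and would fail the handshake silently (TX only, 0 B received).
# Returns 0 when KEY has that shape, 1 otherwise.
wg_key_format_ok() {
    key=$1
    [ "${#key}" -eq 44 ] || return 1
    printf '%s\n' "$key" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# Sets preshared_key on the first wireguard_wg0 peer section and restarts wg0.
# Refuses malformed input before touching the config. Only meaningful on the
# router itself (uci/ifup are OpenWrt tools); elsewhere the uci call fails.
set_wg_psk() {
    if ! wg_key_format_ok "$1"; then
        echo "refusing: not a 44-character base64 WireGuard key" >&2
        return 1
    fi
    uci set network.@wireguard_wg0[0].preshared_key="$1" &&
    uci commit network &&
    ifup wg0
}

# Constructed example value: the all-zero key, used only to show the format
# check passing. Never use it as a real PSK.
EXAMPLE_ZERO_KEY='AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='

# Stand-alone demonstration of the format check.
for k in "$EXAMPLE_ZERO_KEY" 'xxxx' 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB='; do
    if wg_key_format_ok "$k"; then
        echo "ok:       $k"
    else
        echo "rejected: $k"
    fi
done
```

After `set_wg_psk`, `wg show wg0` should start printing a `latest handshake` line and the received counter should move; the configured value can be confirmed with `uci get network.@wireguard_wg0[0].preshared_key`.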
