Another wireguard thread - no handshake

Hi all

I'm pulling my hair out here. I have an OpenWrt router that I'm trying to configure another instance of WireGuard on. I have one instance already running and working as expected, but cannot obtain a handshake on the new one, which is dedicated just to my personal laptop.

I know the following will be asked:

ubus call system board

{
	"kernel": "5.15.150",
	"hostname": "Home",
	"system": "ARMv8 Processor rev 4",
	"model": "Bananapi BPI-R3",
	"board_name": "bananapi,bpi-r3",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.3",
		"revision": "r23809-234f1a2efa",
		"target": "mediatek/filogic",
		"description": "OpenWrt 23.05.3 r23809-234f1a2efa"
	}
}

See below. Help/advice appreciated:

OpenWRT Router/Server:

  1. network > interface > new wg interface
  2. generate new key pair

Private Key: 123abc
Public Key: 456def

  1. listen port: 4000
  2. ip addresses 10.0.100.1/24
  3. Firewall > LAN
  4. Peers > Add Peer

Public Key: 890xyz
Allowed IPs: 10.0.100.2/32
Route Allowed IPs

  1. Save & Apply
  2. Network > Firewall > Port Forwards > Add

Protocol: UDP
Source Zone: WAN
External Port: 4000
Destination Zone: LAN/wg1
Internal IP Address: 10.0.100.1
Internal Port: 4000

  1. Save & Apply

Mac WireGuard Manager:

  1. Add New

[Interface]

PublicKey = 890xyz

PrivateKey = ghi567

Address = 10.0.100.2/32

DNS = 8.8.8.8

[Peer]

PublicKey = 456def

AllowedIPs = 0.0.0.0/0, ::/0

Endpoint = ddnsaddress.com:4000

Yields no handshake when attempting to connect remotely, but works if I adjust the client to connect when on the LAN. This is a firewall issue. I have also tried disabling the port forward and creating a traffic rule. Still no dice. Any advice?

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall
cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd72:9f17:3fab::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	list ports 'eth2'

config device
	option name 'eth2'
	option macaddr '-redacted-'

config device
	option name 'eth0'
	option macaddr '-redacted-'
	option promisc '1'
	option multicast '1'
	option multicast_router '2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.0.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth1'
	option macaddr '-redacted-'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config interface 'docker'
	option device 'docker0'
	option proto 'none'
	option auto '0'

config device
	option type 'bridge'
	option name 'docker0'

config interface 'wg0'
	option proto 'wireguard'
	option private_key '-redacted-'
	option listen_port '51820'
	option ip4table '100'
	list addresses '10.10.9.2/32'
	option mtu '1300'

config wireguard_wg0
	option description 'SiteA'
	option public_key '-redacted-'
	option endpoint_host '-redacted-'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
	option disabled '1'

config rule
	option in 'lan'
	option src '10.0.1.80/32'
	option lookup '100'

config route
	option interface 'lan'
	option target '10.0.1.80/24'
	option table '100'
	option onlink '1'

config device
	option type 'bridge'
	option name 'tap_lan'
	option promisc '1'
	option multicast '1'
	option igmp_snooping '1'
	list ports 'tap0'

config interface 'lanvpn'
	option proto 'static'
	option device 'tap_lan'
	option ipaddr '192.168.2.2'
	option netmask '255.255.255.0'

config device
	option name 'tap0'
	option multicast_router '2'
	option promisc '1'
	option multicast '1'

config wireguard_wg0
	option description '-redacted-'
	option public_key '-redacted-'
	option endpoint_host '-redacted-'
	option endpoint_port '51821'
	option persistent_keepalive '25'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'

config rule
	option in 'lan'
	option src '10.0.1.81/32'
	option lookup '100'

config route
	option interface 'lan'
	option target '10.0.1.81/24'
	option table '100'
	option onlink '1'

config route
	option interface 'lan'
	option target '10.0.1.71/24'
	option table '100'

config rule
	option in 'lan'
	option src '10.0.1.71/32'
	option lookup '100'

config interface 'wg1'
	option proto 'wireguard'
	option private_key 'kCyIMgsQyGPcj4QAPUOJtfqeNFvMGHUbEvgzIHfUYVY='
	option listen_port '4000'
	list addresses '10.0.100.1/32'

config wireguard_wg1
	option description '-redacted-'
	option public_key 'G2QxwJcp/6kPHUXnIiPNPynkmL+pt7w1248Bx204bXI='
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '10.0.100.2/32'
cat /etc/config/firewall

config defaults
	option flow_offloading '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg1'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone 'docker'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option name 'docker'
	list network 'docker'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Plex'
	option src 'wan'
	option src_dport '32400'
	option dest_ip '10.0.1.12'
	option dest_port '32400'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Radarr'
	option src 'wan'
	option src_dport '7878'
	option dest_ip '10.0.1.12'
	option dest_port '7878'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'SABnzbd'
	option src 'wan'
	option src_dport '8080'
	option dest_ip '10.0.1.12'
	option dest_port '8080'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'PlexPy'
	option src 'wan'
	option src_dport '8181'
	option dest_ip '10.0.1.12'
	option dest_port '8282'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Sonarr'
	option src 'wan'
	option src_dport '8989'
	option dest_ip '10.0.1.12'
	option dest_port '8989'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Pi VPN'
	option src 'wan'
	option src_dport '1194'
	option dest_ip '10.0.1.13'
	option dest_port '1194'

config zone
	option name 'VPN'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wg0'

config forwarding
	option src 'lan'
	option dest 'VPN'

config redirect
	option dest 'VPN'
	option target 'DNAT'
	option name 'wg'
	list proto 'udp'
	option src 'wan'
	option src_dport '51820'
	option dest_ip '10.10.9.2/32'
	option dest_port '51820'

config zone
	option name 'lanvpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option log '1'
	list network 'lanvpn'

config forwarding
	option src 'lanvpn'
	option dest 'wan'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config rule
	option name 'wg1'
	list proto 'udp'
	option src 'wan'
	option dest_port '4000'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'OpenVPN'
	list proto 'all'
	option src 'wan'
	option dest 'lanvpn'
	option target 'ACCEPT'
	option enabled '0'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Intercept-DNS'
	option src 'lan'
	option src_dport '53'
	option enabled '0'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/firewall.include'

config zone
	option name 'homeVPN'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'homeVPN'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'homeVPN'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'homeVPN'
	option family 'ipv4'
	list proto 'udp'
	option src 'wan'
	option src_dport '4000'
	option dest_ip '10.0.1.1'
	option dest_port '4000'
	option enabled '0'

wg0 is the working interface which has some IP addresses routed through it via a remote openwrt router acting as the server. wg1 is what I cannot get to work.

You created a firewall rule for port 4000, but it is disabled. option enabled should be set to '1' (or removed, I think that '1' is the default). You do not need redirect rules for services running on your router.

I did have it enabled but was switching between Traffic Rules and Port Forwarding to see if I could trigger the handshake to work. I have re-enabled it and restarted and it's still not allowing wireguard through.

Try with the 'remote' peer connected to the lan (10.0.1.0/24) network and set the endpoint address (on the remote peer) to 10.0.1.1.

I’ll give this a go when I’m next on my network. At home I can change the endpoint on the client device to 10.0.100.1:4000 and the VPN connects and handshakes. It just appears to be a firewall issue when trying to connect remotely.

Well, ideally the endpoint should be the router's address on the LAN, or its address on the WAN, not the router's address on the WireGuard interface.

That said, if it connects and handshakes, that means the WireGuard tunnel is properly keyed and such, and that the problem is probably related to other elements of your config -- namely that you have several VPN connections, routes, PBR and so on. That's going to be a bit tricky to untangle since there's so much going on.

Oh, I follow you now. I will definitely test this when I’m back.

Really, only one other VPN is running, wg0. The tap connection I don’t use anymore and neither do I use the openvpn instance that was running on the other network device. wg1 is intended to replace openvpn. I left some of these in place in the event I need to revert and not have to re-configure.

I do have some routing set up for certain devices I’m forcing to use the wg0 setup, currently only one device, but that’s it. I will do some housekeeping and remove what isn’t being used. It’s my understanding this is a port/firewall issue as I can rule out the keys being misconfigured. What elements are initially jumping out to you as the culprit? I’m 99% sure this needs to be configured as a traffic rule and not a port forward, so I will remove that as well.

If you have an outbound VPN (such as one to a commercial VPN service), you’ll need to use PBR to ensure that the inbound VPN traffic can send the return traffic (egress) via the regular WAN and not the other outbound tunnel.

Ok, on the LAN, I can set the endpoint to the owrt router to 10.0.1.1:4000 and the VPN connects and handshakes.

Still no luck with the firewall when connecting remotely. @psherman - the VPN is not a commercial one. My home owrt router is acting as the "server" and my iPhone and macbook should be able to connect so I can use devices on my LAN/route my traffic through my home.

I have the following traffic rule enabled:

Name: wg1
Protocol: UDP
Source Zone: WAN/WAN6
Source Address: --
Source Port: --
Destination zone: homeVPN(wg1)
Destination address: 10.0.1.1
Destination port: 4000
Action: accept

Firewall - Zone Settings:

Name: homeVPN
Input: Reject
Output: Accept
Intra zone forward: Reject
Masquerading: Yes
MSS clamping: Yes
Covered networks: wg1
Allow forward to destination zones: --
Allow forward from source zones: LAN

If the VPN service, i.e. Wireguard, is running on your router, you need to change the traffic rule:

Name: wg1
Protocol: UDP
Source Zone: WAN/WAN6
Source Address: --
Source Port: --
Destination zone: Device(input)
Destination address: --
Destination port: 4000
Action: accept

Traffic coming from WAN will not have an internal IP address as destination.

VPNs are IMHO slightly easier to set up if you put the wg1 network into the LAN firewall zone. Once this works, you can still separate the zones if required.
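As an added check (not code from this thread or from OpenWrt's own tooling), the following Python script parses a /etc/config/firewall dump in UCI format and reports whether UDP port 4000 from wan is accepted by an enabled input rule, flagging the two mistakes discussed above: a rule left at enabled '0', and a DNAT redirect or a rule with a destination zone, both of which match forwarded traffic rather than traffic to the router itself. The sample config is constructed to mirror the thread; 10.0.1.1 is only a stand-in address.

```python
# Constructed sample modelled on the thread (10.0.1.1 is a stand-in router address).
SAMPLE = """config rule
    option name 'wg1'
    list proto 'udp'
    option src 'wan'
    option dest_port '4000'
    option target 'ACCEPT'
    option enabled '0'
config redirect
    option name 'homeVPN'
    option target 'DNAT'
    list proto 'udp'
    option src 'wan'
    option src_dport '4000'
    option dest_ip '10.0.1.1'
"""

def parse_uci(text):
    """Parse UCI text into a list of section dicts; 'list' keys become Python lists."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            sections.append({".type": line.split()[1]})
        elif sections and line.startswith(("option ", "list ")):
            kind, key, val = line.split(None, 2)
            val = val.strip("'\"")
            if kind == "list":
                sections[-1].setdefault(key, []).append(val)
            else:
                sections[-1][key] = val
    return sections

def check_wg_port(sections, port):
    """True when an enabled wan->router rule (no 'dest' zone) ACCEPTs UDP <port>."""
    ok, findings = False, []
    for s in sections:
        p = s.get("proto", ["tcp", "udp"])  # fw4 default when proto is unset
        if s.get("src") != "wan" or not {"udp", "all"} & set(p if isinstance(p, list) else [p]):
            continue
        if s[".type"] == "redirect" and s.get("src_dport") == port:
            findings.append(f"{s.get('name')}: DNAT to {s.get('dest_ip')} is a port forward, not an input rule")
        elif s[".type"] == "rule" and s.get("dest_port") == port:
            if s.get("enabled") == "0":
                findings.append(f"{s.get('name')}: rule is disabled")
            elif "dest" in s:
                findings.append(f"{s.get('name')}: dest='{s['dest']}' matches forwarded traffic, not input")
            elif s.get("target") == "ACCEPT":
                ok = True
    return ok, findings
```

Run it against the real dump with `check_wg_port(parse_uci(open("/etc/config/firewall").read()), "4000")`; an empty findings list with `ok` True is the state the advice above describes.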