Can’t initiate handshake with OpenWrt WireGuard client

Hi, I'm facing a problem with the WireGuard client. I'm trying to connect to a tunnel using the WireGuard interface in OpenWrt, but I never get a handshake. I can confirm the tunnel itself works because the same profile connects in the WireGuard client on Windows. I followed several guides (this is the last one I tried: https://www.ivpn.net/setup/router/openwrt-wireguard/) but cannot make it work on OpenWrt. The router I'm using is the Ubiquiti ER-X and the WAN connection is PPPoE. What should I do? Thanks.

Try this, it worked for me:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

And also please show us the remote peer’s config.

This is the output of the commands from the ER-X:

ubus call system board

{
        "kernel": "5.15.150",
        "hostname": "NAGISA",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "Ubiquiti EdgeRouter X",
        "board_name": "ubnt,edgerouter-x",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "ramips/mt7621",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}

cat /etc/config/network

# /etc/config/network as posted (OpenWrt 23.05.3 on an EdgeRouter X, see the
# ubus output above). WAN is PPPoE on VLAN 6, IPTV on VLAN 2, and the LAN is a
# VLAN-aware bridge carrying VLAN 1 (lan) and VLAN 20 (vlan20). Values shown
# as "x" are the poster's redactions, not valid UCI values.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd37:0c3c:6f75::/48'
        option packet_steering '1'

# LAN bridge over the four switch ports; VLAN membership per port is defined
# in the bridge-vlan sections further down.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'
        list ports 'eth4'
        option igmp_snooping '1'

# 802.1Q sub-interfaces on the WAN port: VLAN 6 carries PPPoE, VLAN 2 IPTV.
config device
        option type '8021q'
        option ifname 'eth0'
        option vid '6'
        option name 'eth0.6'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '2'
        option name 'eth0.2'

# PPPoE WAN. peerdns '0' ignores the ISP-supplied resolvers in favour of the
# static list below.
# NOTE(review): the PPPoE username and password are posted in clear text even
# though the reply above asked for passwords to be redacted; strip them before
# sharing a config publicly.
config interface 'wan'
        option proto 'pppoe'
        option device 'eth0.6'
        option username 'adslppp@telefonicanetpa'
        option password 'adslppp'
        option ipv6 'auto'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'

# ISP-side IPTV network (private 10.83.0.0/10 range). The "x" octets are
# redactions; as written this section would not load.
config interface 'iptv'
        option proto 'static'
        option device 'eth0.2'
        option ipaddr '10.83.x.x'
        option netmask '255.192.0.0'
        option gateway '10.83.x.x'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'
        list ports 'eth4'

config interface 'vlan20'
        option proto 'static'
        option device 'br-lan.20'
        option ipaddr '192.168.177.1'
        option netmask '255.255.255.0'

# VLAN 20 is tagged on every LAN port; VLAN 1 (above) is untagged.
config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'eth1:t'
        list ports 'eth2:t'
        list ports 'eth3:t'
        list ports 'eth4:t'

config interface 'lan'
        option proto 'static'
        option device 'br-lan.1'
        option ipaddr '192.168.77.1'
        option netmask '255.255.255.0'

# WireGuard *client* interface. No listen_port is set, so the kernel picks an
# ephemeral one ("listening port: 43219" in the wg show output below).
# NOTE(review): the private key is only partially redacted (10 of 44 base64
# characters masked), so most of its bits are public; treat it as compromised
# and have the server issue a fresh key pair. It is also the same key as the
# Windows/phone profile (compare the [Interface] PrivateKey further down), so
# all three devices present one and the same peer identity to the server.
config interface 'wg_twentyfive'
        option proto 'wireguard'
        option private_key 'KJkUXkiV7pp1gUGvI7zGXHdquhe0nghUkdxxxxxxxxxx'
# Resolvers attached to the tunnel interface; later replies recommend removing
# them because the tunnel is not meant to be the default route.
        list dns '1.1.1.1'
        list dns '1.0.0.1'
# 'defaultroute' is not an option of proto wireguard (see mk24's reply below).
# Routing into the tunnel is controlled by route_allowed_ips, which is unset
# here, so nothing is routed into the tunnel and only persistent_keepalive
# triggers handshake attempts.
        option defaultroute '0'
        list addresses '192.168.225.2/32'

# The single remote peer (the server). allowed_ips 0.0.0.0/0 + ::/0 means any
# source address arriving from this peer passes cryptokey routing, which
# matters together with the vpn->wan forwarding in the firewall config below.
# NOTE(review): wg show reports initiations sent and 0 B received, i.e. the
# server never answers. One cause the thread does not check: the handshake
# initiation carries a TAI64N timestamp that the server requires to be newer
# than the last one it accepted for this public key, and this key has already
# handshaked from Windows and a phone. A router clock behind real time (e.g.
# NTP not yet synced after boot) makes the server drop the initiations
# silently -- check `date` and `logread | grep -i ntp` on the router.
config wireguard_wg_twentyfive
        option description 'twentyfive'
        option public_key 'bvtP3goO6/Rgqesq74glHcHYYxyoO7tiWSxxxxxxxxxx'
        option preshared_key 'VludBNCuuxgMVyEFBe568DzCDEuSfDS7K9xxxxxxxxxx'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
# Placeholder for the redacted DynDNS name; wg show confirms it resolved.
        option endpoint_host 'x.duckdns.org'
        option endpoint_port '51820'
# Keepalive is what produces traffic at all here (nothing is routed into the
# tunnel), hence the growing "sent" counter in wg show.
        option persistent_keepalive '25'

cat /etc/config/firewall


# /etc/config/firewall as posted (fw4 on OpenWrt 23.05.3).
# Hardware flow offloading is enabled (MT7621). Offloading only applies to
# established forwarded flows, not to the router's own WireGuard handshake
# packets, so it is unlikely to be the cause here -- but turning both
# flow_offloading options off is a cheap test given the EdgeOS history the
# poster mentions below.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'vlan20'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'vlan20'

# NOTE(review): there is no interface named 'WAN' in /etc/config/network
# (only 'wan'); the second list entry is a stale reference and can be removed.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'WAN'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# OpenWrt default IPsec pass-through rules (wan -> lan). Nothing in the posted
# config runs IPsec; if no LAN host terminates IPsec these two rules are dead
# attack surface and can be dropped.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# NOTE(review): input 'ACCEPT' on the ISP-facing IPTV network exposes the
# router's own services (SSH, LuCI, DNS) to that segment. If the IPTV setup
# only needs IGMP/multicast, prefer input 'REJECT' plus explicit allow rules.
config zone
        option name 'iptv'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        option masq '1'
        list network 'iptv'

config forwarding
        option src 'lan'
        option dest 'iptv'

config forwarding
        option src 'iptv'
        option dest 'lan'

config forwarding
        option src 'vlan20'
        option dest 'wan'

# Port forwards from WAN into the LAN. Unrelated to the client tunnel, but
# they are the poster's evidence that the ISP passes WireGuard UDP (see the
# 'WireGuard-VPN' redirect to the LAN-side server).
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'http'
        list proto 'tcp'
        option src 'wan'
        option src_dport '80'
        option dest_ip '192.168.77.210'
        option dest_port '80'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'https'
        list proto 'tcp'
        option src 'wan'
        option src_dport '443'
        option dest_ip '192.168.77.210'
        option dest_port '443'

# No proto given: fw4 applies the redirect to both tcp and udp.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'qBittorrent-DSM'
        option src 'wan'
        option src_dport '34534'
        option dest_ip '192.168.77.215'
        option dest_port '34534'

# Separate WireGuard *server* on a LAN host (the poster's note below).
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'WireGuard-VPN'
        list proto 'udp'
        option src 'wan'
        option src_dport '57775'
        option dest_ip '192.168.77.222'
        option dest_port '57775'

# Mail server exposure. NOTE(review): 143 and 110 are the plaintext-capable
# IMAP/POP3 ports; make sure the server enforces STARTTLS on them, or expose
# only 993/995.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Posteio-Mail-IMAP-I'
        list proto 'tcp'
        option src 'wan'
        option src_dport '143'
        option dest_ip '192.168.77.218'
        option dest_port '143'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Posteio-Mail-IMAP-II'
        list proto 'tcp'
        option src 'wan'
        option src_dport '993'
        option dest_ip '192.168.77.218'
        option dest_port '993'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Posteio-Mail-POP3-I'
        list proto 'tcp'
        option src 'wan'
        option src_dport '110'
        option dest_ip '192.168.77.218'
        option dest_port '110'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Posteio-Mail-POP3-II'
        list proto 'tcp'
        option src 'wan'
        option src_dport '995'
        option dest_ip '192.168.77.218'
        option dest_port '995'

# SMTP is TCP-only; the udp entry on port 25 is unnecessary and can be removed.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Posteio-Mail-SMTP-I'
        option src 'wan'
        option src_dport '25'
        option dest_ip '192.168.77.218'
        option dest_port '25'
        list proto 'tcp'
        list proto 'udp'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Posteio-Mail-SMTP-II'
        list proto 'tcp'
        option src 'wan'
        option src_dport '587'
        option dest_ip '192.168.77.218'
        option dest_port '587'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Posteio-Mail-Sieve'
        list proto 'tcp'
        option src 'wan'
        option src_dport '4190'
        option dest_ip '192.168.77.218'
        option dest_port '4190'

# Policy-based routing (pbr) is installed and hooks into fw4 here. Its own
# config was never posted in this thread; pbr installs ip rules / routing
# tables that can steer traffic -- including the router's own packets -- into
# the wg interface, so `cat /etc/config/pbr` and `ip rule; ip route show
# table all` are worth asking for before concluding the router is at fault.
config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/firewall.include'

# Zone for the client tunnel. masq '1' NATs LAN traffic to the tunnel address.
config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        option masq '1'
        list network 'wg_twentyfive'

config forwarding
        option src 'lan'
        option dest 'vpn'

# NOTE(review): vpn -> wan forwarding lets traffic arriving *from* the remote
# server leave through this router's WAN (masqueraded), i.e. it turns this
# router into an exit node for the server side. Because the peer's allowed_ips
# is 0.0.0.0/0 and ::/0, any source address the server sends is accepted. For
# a pure client setup this forwarding is not needed and should be removed
# unless that is the intent.
config forwarding
        option src 'vpn'
        option dest 'wan'

A couple notes:

  • The firewall redirect "WireGuard-VPN" is for another WireGuard server in my network and has nothing to do with this configuration.
  • I don't have the option "Use default gateway" checked in the WireGuard interface because I plan to use policy-based routing.

This is the peer configuration file generated by the WireGuard server (which is another OpenWrt router, an ASUS TUF Gaming AX4200, also on a PPPoE connection). The server configuration is known to work, since the Windows WireGuard client handshakes and connects with it without any problem; if you want to see anything from that router, tell me:

# Client profile issued by the server (another OpenWrt router). It is the same
# key pair as the router's wg_twentyfive interface above, so the server sees
# the router, the Windows client and the phone as a single peer and each
# successful handshake moves that peer's endpoint to the most recent device.
[Interface]
PrivateKey = KJkUXkiV7pp1gUGvI7zGXHdquhe0nghUkdxxxxxxxxxx
# Single /32 tunnel address; the server's tunnel address is not stated here
# (the thread assumes 192.168.225.1).
Address = 192.168.225.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = bvtP3goO6/Rgqesq74glHcHYYxyoO7tiWSxxxxxxxxxx
PresharedKey = VludBNCuuxgMVyEFBe568DzCDEuSfDS7K9xxxxxxxxxx
# Full-tunnel profile: every destination is sent to the server.
AllowedIPs = 0.0.0.0/0, ::/0
# DynDNS name (redacted); wg show on the router confirms it resolved.
Endpoint = x.duckdns.org:51820

Hi, thanks for the answer, but that guide is for creating a WireGuard server; in my case I'm trying to connect to a WireGuard server from my router (i.e. the router is the WireGuard client).

Every peer that is connected to the same server at the same time must have its own key pair. The server identifies a peer by its public key and routes traffic to it accordingly; if two devices use the same key, each successful handshake moves that peer's endpoint to whichever device handshaked last, so only one of them actually receives traffic.

Can OpenWrt properly resolve your server's name x.duckdns.org ?

Yes, I know; I'm not keeping the Windows client connected. I only used it to verify that the config file works.

Yes, it resolves to the correct IP. I can see it under "Status > WireGuard", but it doesn't do the handshake.

Can you confirm that the intent of this interface is to be used as a server (i.e. listening for inbound connections)?

Hi, no, the intent is to use it as a client: to connect to a WireGuard server and route the LAN hosts' internet traffic through that connection.

Ok....

What is the output of wg show?


option defaultroute is not applicable to a wireguard interface (route_allowed_ips together with a /0 allowed_ip is what triggers installation of the default route, if you want it). I don't know whether it breaks anything, but you really should take that line out. Other than that the configuration looks correct.

I think persistent_keepalive will cause an immediate handshake attempt even though nothing has been routed into the tunnel; otherwise WireGuard will not handshake until a packet is submitted to the tunnel. If you define the tunnel IP as 192.168.225.2/24 (assuming the server end is 192.168.225.1), you can then try to ping the server's tunnel IP through the tunnel.

interface: wg_twentyfive
  public key: P7UvbuqQxXIKrMqHzwgI9NSMLVnT4jZbYXxxxxxxxxxx
  private key: (hidden)
  listening port: 43219

peer: bvtP3goO6/Rgqesq74glHcHYYxyoO7tiWSxxxxxxxxxx
  preshared key: (hidden)
  endpoint: 83.34.x.x:51820
  allowed ips: 0.0.0.0/0, ::/0
  transfer: 0 B received, 1.30 KiB sent
  persistent keepalive: every 25 seconds

Aside from what @mk24 mentioned (specifically, remove the default route line), I'm not seeing anything that would prevent the handshake.

I would recommend removing these lines:

Then restart the WireGuard interface and see whether that fixes the issue.

How do I take it out? I did everything with the GUI.

I tried with "Use default gateway" to send all the traffic through the VPN and I lost internet access in all the LAN

This should be checked.

In the same section (Network > Interfaces > [edit Wireguard interface] > Advanced settings), you'll see the DNS servers which should also be removed.

That is expected if the tunnel doesn't come up or if you don't have the firewall configuration to allow egress via the tunnel. Make sure that the laptop's WG interface has been disabled before starting/restarting your router's WG interface.

Once you've made the changes and restarted the interface, let's see the output of wg show again.

I removed the corresponding lines from /etc/config/network and still nothing; the wg show output is the same as before. I don't know what is happening. I also remember that the WireGuard package in EdgeOS had problems with offloading; I don't know whether this affects OpenWrt (the firewall config I posted has flow_offloading and flow_offloading_hw enabled).

Let's see the latest network config file as well as wg show

Also, please double check that your laptop's wg interface is indeed disabled.

interface: wg0
  public key: P7UvbuqQxXIKrMqHzwgI9NSMLVnT4jZbYXxxxxxxxxxx
  private key: (hidden)
  listening port: 41584

peer: bvtP3goO6/Rgqesq74glHcHYYxyoO7tiWSxxxxxxxxxx
  preshared key: (hidden)
  endpoint: 83.34.x.x:51820
  allowed ips: 0.0.0.0/0, ::/0
  transfer: 0 B received, 12.29 KiB sent
  persistent keepalive: every 25 seconds

  • I changed the interface name (wg_twentyfive → wg0) to rule out the name being the problem.

Yes, it's disabled. But a curious thing happens now: on the PC in the LAN the handshake no longer works (I don't know whether that is related to the same profile being configured in the router), while on my phone on a 4G network the same profile worked. So there is no doubt that the profile works.

Is it at all possible that your ISP blocks wireguard and/or that the remote WG endpoint is not allowing connections from your IP?

No, my ISP doesn't block WireGuard, since I have a server in my network (the redirect I pointed out before) and I can connect to it from outside without any problem. I don't think the remote endpoint is blocking my IP, since the profile works on the PC when the interface on the router is disabled (same public IP). I'm out of ideas.

Just to point it out: I tried other WireGuard tunnels I have from different locations that do work on my computer, and none of them works on the router, so the problem is in the router itself.