Hi, I'm facing a problem with the WireGuard client. I'm trying to connect to a tunnel using the interface in OpenWrt but I don't get a handshake. I can confirm the tunnel works because it does connect in the WireGuard client on Windows. I followed several guides (this is the last one I tried: https://www.ivpn.net/setup/router/openwrt-wireguard/) but cannot make it work in OpenWrt. The router I'm using is the ER-X from Ubiquiti and the WAN connection is PPPoE. What should I do? Thanks.
Please connect to your OpenWrt device using ssh, copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
And also please show us the remote peer’s config.
This is the output of the commands from the ER-X:
ubus call system board
{
"kernel": "5.15.150",
"hostname": "NAGISA",
"system": "MediaTek MT7621 ver:1 eco:3",
"model": "Ubiquiti EdgeRouter X",
"board_name": "ubnt,edgerouter-x",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.3",
"revision": "r23809-234f1a2efa",
"target": "ramips/mt7621",
"description": "OpenWrt 23.05.3 r23809-234f1a2efa"
}
}
cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd37:0c3c:6f75::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1'
list ports 'eth2'
list ports 'eth3'
list ports 'eth4'
option igmp_snooping '1'
config device
option type '8021q'
option ifname 'eth0'
option vid '6'
option name 'eth0.6'
config device
option type '8021q'
option ifname 'eth0'
option vid '2'
option name 'eth0.2'
config interface 'wan'
option proto 'pppoe'
option device 'eth0.6'
option username 'adslppp@telefonicanetpa'
option password 'adslppp'
option ipv6 'auto'
option peerdns '0'
list dns '1.1.1.1'
list dns '1.0.0.1'
config interface 'iptv'
option proto 'static'
option device 'eth0.2'
option ipaddr '10.83.x.x'
option netmask '255.192.0.0'
option gateway '10.83.x.x'
config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'eth1'
list ports 'eth2'
list ports 'eth3'
list ports 'eth4'
config interface 'vlan20'
option proto 'static'
option device 'br-lan.20'
option ipaddr '192.168.177.1'
option netmask '255.255.255.0'
config bridge-vlan
option device 'br-lan'
option vlan '20'
list ports 'eth1:t'
list ports 'eth2:t'
list ports 'eth3:t'
list ports 'eth4:t'
config interface 'lan'
option proto 'static'
option device 'br-lan.1'
option ipaddr '192.168.77.1'
option netmask '255.255.255.0'
config interface 'wg_twentyfive'
option proto 'wireguard'
option private_key 'KJkUXkiV7pp1gUGvI7zGXHdquhe0nghUkdxxxxxxxxxx'
list dns '1.1.1.1'
list dns '1.0.0.1'
option defaultroute '0'
list addresses '192.168.225.2/32'
config wireguard_wg_twentyfive
option description 'twentyfive'
option public_key 'bvtP3goO6/Rgqesq74glHcHYYxyoO7tiWSxxxxxxxxxx'
option preshared_key 'VludBNCuuxgMVyEFBe568DzCDEuSfDS7K9xxxxxxxxxx'
list allowed_ips '0.0.0.0/0'
list allowed_ips '::/0'
option endpoint_host 'x.duckdns.org'
option endpoint_port '51820'
option persistent_keepalive '25'
cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option flow_offloading '1'
option flow_offloading_hw '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'vlan20'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'vlan20'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'WAN'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'iptv'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option mtu_fix '1'
option masq '1'
list network 'iptv'
config forwarding
option src 'lan'
option dest 'iptv'
config forwarding
option src 'iptv'
option dest 'lan'
config forwarding
option src 'vlan20'
option dest 'wan'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'http'
list proto 'tcp'
option src 'wan'
option src_dport '80'
option dest_ip '192.168.77.210'
option dest_port '80'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'https'
list proto 'tcp'
option src 'wan'
option src_dport '443'
option dest_ip '192.168.77.210'
option dest_port '443'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'qBittorrent-DSM'
option src 'wan'
option src_dport '34534'
option dest_ip '192.168.77.215'
option dest_port '34534'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'WireGuard-VPN'
list proto 'udp'
option src 'wan'
option src_dport '57775'
option dest_ip '192.168.77.222'
option dest_port '57775'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'Posteio-Mail-IMAP-I'
list proto 'tcp'
option src 'wan'
option src_dport '143'
option dest_ip '192.168.77.218'
option dest_port '143'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'Posteio-Mail-IMAP-II'
list proto 'tcp'
option src 'wan'
option src_dport '993'
option dest_ip '192.168.77.218'
option dest_port '993'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'Posteio-Mail-POP3-I'
list proto 'tcp'
option src 'wan'
option src_dport '110'
option dest_ip '192.168.77.218'
option dest_port '110'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'Posteio-Mail-POP3-II'
list proto 'tcp'
option src 'wan'
option src_dport '995'
option dest_ip '192.168.77.218'
option dest_port '995'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'Posteio-Mail-SMTP-I'
option src 'wan'
option src_dport '25'
option dest_ip '192.168.77.218'
option dest_port '25'
list proto 'tcp'
list proto 'udp'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'Posteio-Mail-SMTP-II'
list proto 'tcp'
option src 'wan'
option src_dport '587'
option dest_ip '192.168.77.218'
option dest_port '587'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'Posteio-Mail-Sieve'
list proto 'tcp'
option src 'wan'
option src_dport '4190'
option dest_ip '192.168.77.218'
option dest_port '4190'
config include 'pbr'
option fw4_compatible '1'
option type 'script'
option path '/usr/share/pbr/firewall.include'
config zone
option name 'vpn'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option mtu_fix '1'
option masq '1'
list network 'wg_twentyfive'
config forwarding
option src 'lan'
option dest 'vpn'
config forwarding
option src 'vpn'
option dest 'wan'
A couple of notes:
- The firewall rule "WireGuard-VPN" is for another WireGuard server in my network; it has nothing to do with this configuration.
- I don't have the option "Use default gateway" checked in the WireGuard interface as I plan to use Policy Routing.
This is the peer configuration file from the WireGuard server (which is another OpenWrt router, an ASUS TUF Gaming AX4200, also on a PPPoE connection). The configuration is working, since the Windows WireGuard client does the handshake and connects without any problem; if you want me to show you anything from this router, tell me:
[Interface]
PrivateKey = KJkUXkiV7pp1gUGvI7zGXHdquhe0nghUkdxxxxxxxxxx
Address = 192.168.225.2/32
DNS = 1.1.1.1
[Peer]
PublicKey = bvtP3goO6/Rgqesq74glHcHYYxyoO7tiWSxxxxxxxxxx
PresharedKey = VludBNCuuxgMVyEFBe568DzCDEuSfDS7K9xxxxxxxxxx
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = x.duckdns.org:51820
Hi, thanks for the answer, but this is for creating a WireGuard server; in my case I'm trying to connect to a WireGuard server from my router (WireGuard client).
Every peer that is simultaneously connected to the same server must have a unique Private Key. The key pair is how the service identifies peers to route traffic to them.
Can OpenWrt properly resolve your server's name x.duckdns.org?
Yes, I know, I’m not keeping the windows client connected. I only used it to verify that the config file worked.
Yes, it resolves to the correct IP. I can see it in "Status > WireGuard", but it doesn't do the handshake.
Can you confirm that the intent of this interface is to be used as a server (i.e. listening for inbound connections)?
Hi, no, the intent is to use it as a client: to connect to a WireGuard server and route the LAN hosts' internet traffic through that connection.
Ok....
What is the output of wg show?
option defaultroute is not applicable to a wireguard interface (route_allowed_ips together with a /0 allowed_ip triggers the default route installation, if you want it). I don't know whether it will break anything, but you really should take that line out. Other than that the configuration looks correct.
I think that persistent_keepalive will cause an immediate handshake even though nothing has been routed into the tunnel. Otherwise WireGuard will not handshake until a packet has been submitted into the tunnel. If you define the tunnel IP as 192.168.225.2/24 (assuming the server end is 192.168.225.1), then you can try to ping the server's tunnel IP through the tunnel.
interface: wg_twentyfive
public key: P7UvbuqQxXIKrMqHzwgI9NSMLVnT4jZbYXxxxxxxxxxx
private key: (hidden)
listening port: 43219
peer: bvtP3goO6/Rgqesq74glHcHYYxyoO7tiWSxxxxxxxxxx
preshared key: (hidden)
endpoint: 83.34.x.x:51820
allowed ips: 0.0.0.0/0, ::/0
transfer: 0 B received, 1.30 KiB sent
persistent keepalive: every 25 seconds
Aside from what @mk24 mentioned (specifically, remove the default route line), I'm not seeing anything that would prevent the handshake.
I would recommend removing these lines:
Then restart the WireGuard interface and see if that fixes the issue.
How do I take it out? I did everything with the GUI.
I tried with "Use default gateway" to send all the traffic through the VPN and I lost internet access in all the LAN
This should be checked.
In the same section (Network > Interfaces > [edit WireGuard interface] > Advanced settings), you'll see the DNS servers, which should also be removed.
That is expected if the tunnel doesn't come up, or if you don't have the firewall configuration to allow egress via the tunnel. Make sure the laptop's WG interface has been disabled before starting/restarting your router's WG interface.
Once you've made the changes and restarted the interface, let's see the output of wg show again.
I removed the corresponding lines in /etc/config/network and still nothing. The wg show command returns the same as before. I don't know what is happening. Also, I remember that the WireGuard package in EdgeOS had problems with offloading; I don't know if this affects OpenWrt.
Let's see the latest network config file as well as wg show.
Also, please double check that your laptop's wg interface is indeed disabled.
interface: wg0
public key: P7UvbuqQxXIKrMqHzwgI9NSMLVnT4jZbYXxxxxxxxxxx
private key: (hidden)
listening port: 41584
peer: bvtP3goO6/Rgqesq74glHcHYYxyoO7tiWSxxxxxxxxxx
preshared key: (hidden)
endpoint: 83.34.x.x:51820
allowed ips: 0.0.0.0/0, ::/0
transfer: 0 B received, 12.29 KiB sent
persistent keepalive: every 25 seconds
- I changed the interface name to rule out that it was the problem.
Yes, it's disabled. But a curious thing happens now: on the PC in the LAN the handshake no longer works (I don't know whether that is related to the tunnel being configured in the router), but on my phone on a 4G network I tried the same profile and it worked. So there is no doubt that the profile works.
Is it at all possible that your ISP blocks wireguard and/or that the remote WG endpoint is not allowing connections from your IP?
No, my ISP doesn't block WireGuard, since I have a server in my network (the rule I pointed out before) and I can connect from outside without any problem. I don't think the remote endpoint is blocking my IP, since it works on the PC when the interface in the router is disabled (same public IP). I'm out of ideas.
Just to point it out, I tried other WireGuard tunnels that I have from different locations that do work on my computer, but none of them works in the router, so it's a problem in the router itself.