Cannot make wireguard to work on Linksys WRT3200acm

Hello,

i've been struggling to setup wireguard as a server on this router. This router sits behind a speedport (ISP) router and i've connected it to the "Internet" port. No matter what i do, i cannot get a handshake to work with my iphone. i've checked if i am sitting behind a CG-NAT but that doesn't seem the case.

I suspect something is off with the firewall. Really appreciating your support

Below is my config file:

{
	"kernel": "5.10.146",
	"hostname": "OpenWrt",
	"system": "ARMv7 Processor rev 1 (v7l)",
	"model": "Linksys WRT3200ACM",
	"board_name": "linksys,wrt3200acm",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.2",
		"revision": "r19803-9a599fee93",
		"target": "mvebu/cortexa9",
		"description": "OpenWrt 22.03.2 r19803-9a599fee93"
	}
}
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fc00::/7'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.8.1'

config device
	option name 'wan'
	option macaddr '62:38:e0:c1:ea:c0'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'VPNGR'
	option proto 'wireguard'
	option private_key XXXX
	option listen_port '51820'
	list addresses '192.168.9.1/24'

config wireguard_VPNGR
	option preshared_key XXXX
	option public_key XXXX
	option private_key XXXX
	option persistent_keepalive '25'
	option description 'iphone'
	list allowed_ips '192.168.9.18/32'
	option route_allowed_ips '1'

package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'VPNGR'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

head: /etc/firewall.user: No such file or directory
# Generated by iptables-save v1.8.7 on Mon Nov 21 09:01:24 2022
*mangle
:PREROUTING ACCEPT [173683:109393859]
:INPUT ACCEPT [6297:898094]
:FORWARD ACCEPT [166436:108218445]
:OUTPUT ACCEPT [8448:2474559]
:POSTROUTING ACCEPT [172622:110233145]
COMMIT
# Completed on Mon Nov 21 09:01:24 2022
# Generated by iptables-save v1.8.7 on Mon Nov 21 09:01:24 2022
*filter
:INPUT ACCEPT [6066:881278]
:FORWARD ACCEPT [164174:107758586]
:OUTPUT ACCEPT [8448:2474559]
COMMIT
# Completed on Mon Nov 21 09:01:24 2022
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.3/24 brd 192.168.1.255 scope global wan
       valid_lft forever preferred_lft forever
11: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.8.1/24 brd 192.168.8.255 scope global br-lan
       valid_lft forever preferred_lft forever
12: VPNGR: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 192.168.9.1/24 brd 192.168.9.255 scope global VPNGR
       valid_lft forever preferred_lft forever
default via 192.168.1.1 dev wan proto static src 192.168.1.3 
192.168.1.0/24 dev wan proto kernel scope link src 192.168.1.3 
192.168.8.0/24 dev br-lan proto kernel scope link src 192.168.8.1 
192.168.9.0/24 dev VPNGR proto kernel scope link src 192.168.9.1 
192.168.9.18 dev VPNGR proto static scope link 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.1.0 dev wan table local proto kernel scope link src 192.168.1.3 
local 192.168.1.3 dev wan table local proto kernel scope host src 192.168.1.3 
broadcast 192.168.1.255 dev wan table local proto kernel scope link src 192.168.1.3 
broadcast 192.168.8.0 dev br-lan table local proto kernel scope link src 192.168.8.1 
local 192.168.8.1 dev br-lan table local proto kernel scope host src 192.168.8.1 
broadcast 192.168.8.255 dev br-lan table local proto kernel scope link src 192.168.8.1 
broadcast 192.168.9.0 dev VPNGR table local proto kernel scope link src 192.168.9.1 
local 192.168.9.1 dev VPNGR table local proto kernel scope host src 192.168.9.1 
broadcast 192.168.9.255 dev VPNGR table local proto kernel scope link src 192.168.9.1 
0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default

Just to ask the obvious, but did you configure a port forwarding on the speedport to your router?

You do not have a firewall rule to accept traffic from the wan on UDP 51820.

How did you do the key exchange? Did you use the QR code method?
Let's see your iPhone's config, too.

Correct, used QR codes

The culprit has to be the speedport because i just set up a GL Flint router (has a super easy gui wireguard setup) and it's not working either.

could it be the port forwarding or something else? how can i troubleshoot that?

i used to have an openvpn working fine, but decided to switch due to performance issues.

this is the configuration on the iphone:

IMG_016066CB7CBC-11290×2796 94.2 KB

So it could be a few things...

First, prove that the WG connection works... set the endpoint to 192.168.8.1:51820 and try to connect while you are connected to the wifi from your WRT3200acm. If it handshakes successfully, your WG tunnel functions.

Then, make sure that you have a rule to accept wireguard from the wan -- I didn't see this in your previous config (unless I missed it). It will look like this:

config rule
	option name 'Allow-Wireguard-Inbound'
	list proto 'udp'
	option target 'ACCEPT'
	option src 'wan'
	option dest_port '51820'

Then, make sure that UDP 51820 is forwarded on your speed port to the WRT3200acm (192.168.1.3). Finally, set your endpoint host back to your public IP and use cellular to try to connect. If it doesn't handshake, you've either got CG-NAT or you have an issue with your speed port.

Thanks, i checked with the ISP, they confirmed i am not behind a CG-NAT and that no ISP firewall/filter is in place (disabled).

i will have to pause this troubleshooting until i am back to the country. I will revert.