Can't connect to wireguard server from peer

I previously set up wireguard on an openwrt router but as a "client" connecting to a "server", i.e. router was behind firewall with no port opened, server had a public ip address, and this worked fine.
I decided to try and do this the other way round with the router as server having a public ip address and the client being behind a firewall.
I set it up in exactly the same way with the addition of a port forward on the router from wan 51820 to lan 51820. No other networking settings have been changed. I set them both up using luci but here's the configuration:

Server (router) config:

interface:
ip addresses: 10.8.0.1/24
listen port: 51820
zone: lan/wg0

peer:
allowed ips: 10.8.0.2/32
route allowed ips: yes
endpoint: <not set>

Client config:

[Interface]
Address = 10.8.0.2/24
PrivateKey = <redacted>

[Peer]
PublicKey = <redacted>
AllowedIPs = 10.8.0.0/24
Endpoint = <router url>:51820
PersistentKeepalive = 25

Client shows:

endpoint: <router ip>:51820
allowed ips: 10.8.0.0/24
transfer: 0 B received, 197.43 KiB sent
persistent keepalive: every 25 seconds

Server shows peer as:

Endpoint: <client ip>:49088
Allowed IPs:
  • 10.8.0.2/32
Persistent Keepalive: 25s
Latest Handshake: Never
Data Received: 215 KiB
Data Transmitted: 236 KiB

So they are sort of seeing each other but not completing a handshake and obviously I can't ping or ssh.
I know I'm missing something because when I previously set up the public "server", I had to add some iptables rules and it didn't work until I'd done this. But I'm not entirely sure how to do this on openwrt or in luci.

What's your port forward rule?

If the wireguard server is running on the router itself (not on another machine on the LAN), you would open the port, not forward it.

config rule
    option name 'Allow-Wireguard'
    option src 'wan'
    option dest_port '51820'
    option proto 'udp'
    option target 'ACCEPT'

Also the wan interface must have a true public IP (no carrier NAT) and the ISP has to allow incoming connections.


I tried adding the following traffic rule but it still isn't working:

Try connecting from outside, then check:

iptables-save -c | grep -e 51820
[0:0] -A zone_wan_input -p udp -m udp --sport 51820 -m comment --comment "!fw3: wg" -j ACCEPT

It should be --dport 51820


[0:0] -A zone_wan_input -p udp -m udp --dport 51820 -m comment --comment "!fw3: wg" -j ACCEPT

Still not working unfortunately. Tailscale is working so I might just use that.
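Added here as an example, not code posted by anyone in the thread: a small checker for the two mistakes discussed above when WireGuard runs on the router itself. It parses UCI text from /etc/config/firewall to tell a `config redirect` (a DNAT port forward to a LAN host) apart from a `config rule` that ACCEPTs UDP on the listen port from the wan zone with no dest zone (an input rule), and it reads fw3-rendered `iptables-save -c` lines to confirm the rule matches `--dport`, not `--sport`. All sample config and rule text inside the block is constructed for the example; it does not touch a live router.

```python
"""Added example (not code from the thread): two checks for the mistakes that
come up above when WireGuard runs on the router itself.
  1. UCI level: /etc/config/firewall needs a `config rule` that ACCEPTs UDP
     on the listen port from the wan zone with no dest zone (an input rule),
     not a `config redirect` (a DNAT port forward to a LAN host).
  2. netfilter level: the rule fw3 renders into `iptables-save -c` must match
     --dport <port>, not --sport <port>.
All sample text below is constructed for this example."""
import re

WG_PORT = 51820

# Constructed: what LuCI's "Port Forwards" page writes (wrong shape here).
PORT_FORWARD_UCI = """
config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'wg-forward'
	list proto 'udp'
	option src 'wan'
	option src_dport '51820'
	option dest_ip '192.168.1.1'
	option dest_port '51820'
"""

# Constructed: the "Traffic Rules" entry recommended in the thread.
INPUT_RULE_UCI = """
config rule
	option name 'wg'
	list proto 'udp'
	option src 'wan'
	option target 'ACCEPT'
	option dest_port '51820'
"""

# Constructed: iptables-save -c lines in the form fw3 renders them.
IPT_SPORT = '[0:0] -A zone_wan_input -p udp -m udp --sport 51820 -m comment --comment "!fw3: wg" -j ACCEPT'
IPT_DPORT = '[0:0] -A zone_wan_input -p udp -m udp --dport 51820 -m comment --comment "!fw3: wg" -j ACCEPT'

RULE_RE = re.compile(r'-A zone_wan_input .*-p udp .*--(?P<kind>[sd]port) (?P<port>\d+).*-j ACCEPT')


def parse_uci(text):
    """Parse UCI text into [(section_type, {key: [values]})]. `option` and
    `list` values are both stored as lists so callers treat them alike."""
    sections = []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 2)
        if not parts or parts[0].startswith('#'):
            continue
        if parts[0] == 'config' and len(parts) >= 2:
            sections.append((parts[1], {}))
        elif parts[0] in ('option', 'list') and len(parts) == 3 and sections:
            sections[-1][1].setdefault(parts[1], []).append(parts[2].strip('\'"'))
    return sections


def values(opts, key, default=()):
    """Flatten a UCI value, splitting space-separated entries like '51820 51821'."""
    out = []
    for v in opts.get(key, list(default)):
        out.extend(v.split())
    return out


def check_uci(text, port=WG_PORT):
    """Return {'input_rule': bool, 'port_forward': bool} for `port`."""
    port = str(port)
    findings = {'input_rule': False, 'port_forward': False}
    for kind, opts in parse_uci(text):
        if kind == 'redirect' and port in values(opts, 'src_dport'):
            findings['port_forward'] = True
        if (kind == 'rule'
                and 'wan' in values(opts, 'src')
                and 'udp' in values(opts, 'proto', ('tcp', 'udp'))  # fw3 default: tcp udp
                and port in values(opts, 'dest_port')
                and 'ACCEPT' in values(opts, 'target')
                and not values(opts, 'dest')):  # a dest zone would make it a forward rule
            findings['input_rule'] = True
    return findings


def check_iptables(save_output, port=WG_PORT):
    """Return 'dport' or 'sport' for the first wan-input UDP ACCEPT rule on
    `port` in iptables-save output, or None if fw3 rendered no such rule."""
    for line in save_output.splitlines():
        m = RULE_RE.search(line)
        if m and int(m.group('port')) == port:
            return m.group('kind')
    return None


if __name__ == '__main__':
    print('port forward only:', check_uci(PORT_FORWARD_UCI))
    print('input rule:       ', check_uci(INPUT_RULE_UCI))
    print('rendered rules:   ', check_iptables(IPT_SPORT), check_iptables(IPT_DPORT))
```

On a real router you would feed it `cat /etc/config/firewall` and `iptables-save -c` (fw3 builds, which is what the `!fw3:` comments above indicate); an fw4/nftables build renders rules through `nft list ruleset` instead and needs a different second check. A leftover `config redirect` for the port does not by itself break the input rule, but the thread's advice to disable it first is sound: it keeps the DNAT from quietly sending the handshakes to a LAN host that is not listening.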

Did you disable the port forwarding rule first?

Yes I did...

Is your OpenWrt wireguard "server" directly connected to the internet, or is it behind another router/firewall?

What is the IP address on your OpenWrt WAN? (just post the bold part: aaa.bbb.ccc.ddd)

It's directly connected as far as I know with normal broadband: 80.44.
A port scan to that address shows 22, 80, 443 etc as open and I can ssh in. For some reason 51820 is completely closed.

Yes, this is good -- this is a normal publicly routable IP.

This is by design -- even when everything is working, wireguard will never respond to a port scan. Wireguard uses UDP which doesn't need to send ack packets (TCP does), partially for this reason. Beyond that, Wireguard only responds when it receives traffic that is cryptographically correct (i.e. the appropriate public and private keys match), otherwise the traffic is simply ignored and nothing is sent back.

Let's take a look at your latest config files in their complete form (aside from private details that should be redacted):

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

and also please provide your 'client' side peer config.
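Added as an illustration of the point made above about port scans; this is not code from the thread. WireGuard's responder checks, before it does any public-key work, that the 16-byte mac1 field of a 148-byte handshake initiation equals a keyed BLAKE2s MAC over the preceding 116 bytes, keyed with BLAKE2s("mac1----" || its own static public key). A packet that fails this check is dropped with no reply, which is why the listener looks "closed" to a scanner. The mac1 construction is the real one from the WireGuard whitepaper; the keys and the 108-byte message body are constructed stand-ins (no Noise handshake is performed), so the example shows only this first gate.

```python
"""Added example, not from the thread: why a WireGuard listener looks "closed"
to a port scanner. Before doing any public-key work, the responder checks that
msg.mac1 == MAC(HASH("mac1----" || responder_static_public_key), msg[:116]) on
every 148-byte handshake initiation and silently drops anything that fails.
The mac1 construction below (BLAKE2s, as in the WireGuard whitepaper's cookie
MAC section) is the real one; the keys and the 108-byte message body are
constructed stand-ins and no Noise handshake is performed."""
import hashlib
import hmac
import struct

LABEL_MAC1 = b'mac1----'
MSG_INITIATION = 1
INITIATION_LEN = 148   # 1+3+4 header, 32 ephemeral, 48 static, 28 timestamp, 16 mac1, 16 mac2
MAC1_OFFSET = 116      # mac1 covers every byte before itself

# Constructed test keys (real ones are Curve25519 points; any 32 bytes work here).
ROUTER_PUB = bytes(range(32))
OTHER_PUB = bytes(range(32, 64))
# Constructed body: ephemeral || AEAD(static) || AEAD(timestamp) would go here.
BODY = b'\x5a' * (32 + 48 + 28)


def hash32(data):
    """HASH(): unkeyed BLAKE2s, 32-byte output."""
    return hashlib.blake2s(data, digest_size=32).digest()


def mac16(key, data):
    """MAC(): keyed BLAKE2s, 16-byte output."""
    return hashlib.blake2s(data, digest_size=16, key=key).digest()


def mac1_key(responder_public_key):
    """The mac1 key is derived from the responder's own static public key, so
    a sender must already know that key to produce a mac1 it will accept."""
    return hash32(LABEL_MAC1 + responder_public_key)


def build_initiation(responder_public_key, sender_index, body=BODY):
    """Assemble a 148-byte initiation with a valid mac1 and a zero mac2
    (mac2 is only non-zero when answering a cookie reply under load)."""
    if len(body) != 32 + 48 + 28:
        raise ValueError('body must be ephemeral || static || timestamp')
    alpha = struct.pack('<BxxxI', MSG_INITIATION, sender_index) + body
    mac1 = mac16(mac1_key(responder_public_key), alpha)
    return alpha + mac1 + bytes(16)


def responder_accepts(datagram, my_public_key):
    """The responder's first gate: right length, right type, valid mac1.
    True means the packet goes on to handshake processing; False means it
    is discarded with no reply of any kind (hence "closed" to a scanner)."""
    if len(datagram) != INITIATION_LEN or datagram[0] != MSG_INITIATION:
        return False
    expected = mac16(mac1_key(my_public_key), datagram[:MAC1_OFFSET])
    return hmac.compare_digest(expected, datagram[MAC1_OFFSET:MAC1_OFFSET + 16])


if __name__ == '__main__':
    good = build_initiation(ROUTER_PUB, 0x1234)
    print('initiation for the router  :', responder_accepts(good, ROUTER_PUB))
    print('same packet, other peer key:', responder_accepts(good, OTHER_PUB))
    print('148 bytes of zero-mac probe:', responder_accepts(bytes([1]) + bytes(147), ROUTER_PUB))
    print('short scanner probe        :', responder_accepts(b'\x00' * 64, ROUTER_PUB))
```

Passing this gate is not the same as being a configured peer: a real responder then decrypts the initiator's static key and looks it up, and an unknown static is dropped just as silently. The practical consequence for the thread is that a closed-looking UDP port proves nothing either way; only the handshake counters and the logging step further down tell you whether packets are arriving.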

Thanks for taking the time to look into this, here's the config:

/etc/config/network

config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

config globals 'globals'
	option ula_prefix 'fd6c:433b:15fb::/48'

config atm-bridge 'atm'
	option vpi '1'
	option vci '32'
	option encaps 'llc'
	option payload 'bridged'
	option nameprefix 'dsl'

config dsl 'dsl'
	option annex 'a'
	option tone 'av'
	option ds_snr_offset '0'

config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option device 'br-lan'

config device 'lan_eth0_1_dev'
	option name 'eth0.1'
	option macaddr 'redacted'

config interface 'wan'
	option proto 'pppoe'
	option ipv6 '1'
	option device 'dsl0.101'
	option username 'redacted'
	option password 'redacted'

config device 'wan_dsl0_dev'
	option name 'dsl0'
	option macaddr 'redacted'

config interface 'wan6'
	option proto 'dhcpv6'
	option device '@wan'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 6t'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'redacted'
	list addresses '10.8.0.1/24'
	option listen_port '51820'

config wireguard_wg0
	option description 'thinkpad'
	option public_key 'THINkJ15gTeTLeOfaYoasfzk5727GZiZacF3E2/rBwk='
	list allowed_ips '10.8.0.2/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

/etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg0'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule
	option name 'wg'
	list proto 'udp'
	option src 'wan'
	option target 'ACCEPT'
	option dest_port '51820'

client /etc/wireguard/wg0.conf

[Interface]
Address = 10.8.0.2/24
PrivateKey = redacted

[Peer]
PublicKey = roUT/M0fw2GH5+pZkVl1VHByyvezmfrpBBRLmNmQdng=
AllowedIPs = 10.8.0.0/24
Endpoint = 80.44.redacted.redacted:51820
PersistentKeepalive = 25

Your ‘client’ is only going to use the tunnel for the 10.8.0.0/24 network. If you want to be able to reach devices on the ‘server’ LAN, the allowed ips on the ‘client’ side should be 192.168.1.0/24. If your intent is to send all traffic through the tunnel, that allowed ips field should be 0.0.0.0/0.


That still doesn't work. I don't want to reach devices on the server LAN, or route any traffic, I just want to be able to reach the openwrt router itself.

Run the following commands and check for activity from the client side.

iptables -I INPUT 1 -m udp -p udp --dport 51820 -m limit --limit 5/sec -j LOG --log-prefix "wg_input "
logread -e wg_input -f

Press ctrl+c to exit when you're finished and restart the firewall to stop the logging.
If there is no activity, call your ISP.
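Added as an example of reading what the LOG rule above produces; it is not code from the thread. Each matching packet shows up in `logread` as a kernel line carrying the `wg_input ` prefix followed by netfilter's key=value fields, and the second `LEN=` on the line is the UDP length, so a WireGuard handshake initiation (148 bytes of payload) appears as `LEN=156`. The function below counts packets per source address on the listen port and how many of them are initiation-sized, which separates "the client's handshakes are arriving and the fault is in keys or config" from "nothing reaches the router at all". The log lines, addresses and timestamps in the block are constructed for the example, not captured output.

```python
"""Added example, not from the thread: summarise the logread lines produced
by the `-j LOG --log-prefix "wg_input "` rule. A line carries netfilter's
key=value fields; LEN= appears twice (IP total length, then UDP length), and
a handshake initiation is 148 bytes of UDP payload, i.e. UDP LEN=156.
The sample log below is constructed for this example."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Tue Mar  7 21:10:01 2023 kern.warn kernel: [ 1234.567890] wg_input IN=pppoe-wan OUT= MAC= SRC=203.0.113.5 DST=198.51.100.2 LEN=176 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=49088 DPT=51820 LEN=156
Tue Mar  7 21:10:06 2023 kern.warn kernel: [ 1239.123456] wg_input IN=pppoe-wan OUT= MAC= SRC=203.0.113.5 DST=198.51.100.2 LEN=176 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=49088 DPT=51820 LEN=156
Tue Mar  7 21:10:30 2023 kern.warn kernel: [ 1263.000000] wg_input IN=pppoe-wan OUT= MAC= SRC=192.0.2.77 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=UDP SPT=40000 DPT=51820 LEN=40
Tue Mar  7 21:10:31 2023 daemon.info dnsmasq[1234]: started, version 2.86 cachesize 150
"""

KV_RE = re.compile(r'(\w+)=(\S*)')
WG_INITIATION_UDP_LEN = 8 + 148   # UDP header + handshake initiation message


def parse_log_line(line, prefix='wg_input '):
    """Return the netfilter fields of one logread line carrying `prefix`,
    with the two LEN= values split out as ip_len and udp_len, or None."""
    idx = line.find(prefix)
    if idx < 0:
        return None
    fields, lens = {}, []
    for key, value in KV_RE.findall(line[idx + len(prefix):]):
        if key == 'LEN':
            lens.append(int(value))
        else:
            fields[key] = value
    fields['ip_len'] = lens[0] if lens else None
    fields['udp_len'] = lens[1] if len(lens) > 1 else None
    return fields


def summarize(log_text, port=51820, prefix='wg_input '):
    """Per source address: how many UDP packets hit `port`, and how many of
    them have exactly the size of a WireGuard handshake initiation."""
    per_src = defaultdict(lambda: {'packets': 0, 'initiation_sized': 0})
    for line in log_text.splitlines():
        f = parse_log_line(line, prefix)
        if not f or f.get('PROTO') != 'UDP' or f.get('DPT') != str(port):
            continue
        entry = per_src[f['SRC']]
        entry['packets'] += 1
        if f['udp_len'] == WG_INITIATION_UDP_LEN:
            entry['initiation_sized'] += 1
    return dict(per_src)


if __name__ == '__main__':
    # On the router: logread -e wg_input | python3 thisfile.py  (reads stdin)
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for src, counts in sorted(summarize(text).items()):
        print(f"{src:15} packets={counts['packets']} initiation_sized={counts['initiation_sized']}")
```

If the client's public address shows up with initiation-sized packets, the path and the firewall are fine and the remaining suspects are the key pair, the peer entry, or the listen port on the wg0 interface; if it never appears while a retry is in progress, the packets are being dropped upstream of the router, which is the "call your ISP" case above. Remember to delete the LOG rule afterwards (restarting the firewall does it), since it is an unbounded log source on a public port even with the rate limit.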