Hi,
I'm trying to get WireGuard set up but I'm obviously missing something fairly crucial.
I've installed and set it up. The service is running OK:
root@OpenWrt:~# wg show
interface: Wireguard
public key: xxxxxx
private key: (hidden)
listening port: 51820
peer: xxxxxx
allowed ips: 10.8.0.2/32
persistent keepalive: every 25 seconds
I have the following firewall rules set up:
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'Wireguard'
config zone
option name 'wg'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config redirect
option target 'DNAT'
option name 'Wireguard'
list proto 'udp'
option src 'wan'
option src_dport '51820'
option dest 'lan'
option dest_ip '10.0.1.1'
option dest_port '51820'
and the following network setup:
config interface 'Wireguard'
option proto 'wireguard'
option private_key 'xxxxx'
list addresses '10.8.0.1/24'
option listen_port '51820'
config wireguard_Wireguard
option public_key 'xxxxxxx'
list allowed_ips '10.8.0.2/32'
option route_allowed_ips '1'
option persistent_keepalive '25'
option endpoint_port '51820'
option description 'phone'
The problem is that I don't seem to be able to get traffic to forward into the Wireguard interface. When I attempt to connect with the client I see outbound traffic but nothing ever coming back.
I ran tcpdump against the WireGuard interface and it's not capturing anything.
I ran it against the WAN interface and I can see the connection attempts hitting.
Is anyone able to point me in the right direction for this?
Thanks!
Remove this:
Delete this redirect and make it a standard traffic rule instead:
Remove the endpoint port from below.
Then restart the router and try again. If it doesn’t work, please post the complete files below:
Please copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
cat /etc/config/network
cat /etc/config/firewall
Hi,
Did that, same result.
cat /etc/config/network
config interface 'loopback'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
option device 'lo'
config globals 'globals'
option ula_prefix 'xxxxxxx::/48'
config interface 'lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '10.0.1.1'
option device 'br-lan'
config device 'lan_dev'
option name 'eth1.1'
option macaddr 'xxxxxxxxx'
config interface 'wan'
option proto 'dhcp'
option device 'eth0.2'
config device 'wan_dev'
option name 'eth0.2'
option macaddr 'xxxxxxx'
config interface 'wan6'
option proto 'dhcpv6'
option device 'eth0.2'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 6t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '5 0t'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1.1'
config interface 'Wireguard'
option proto 'wireguard'
option private_key 'xxxxxxx'
list addresses '10.8.0.1/24'
option listen_port '51820'
config wireguard_Wireguard
option public_key 'xxxxxxxx'
list allowed_ips '10.8.0.2/32'
option route_allowed_ips '1'
option persistent_keepalive '25'
option description 'phone'
cat /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option synflood_protect '1'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'Wireguard'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config rule
option target 'ACCEPT'
option src 'wan'
option proto 'tcp'
option dest_port '22'
option name 'ALLOW-SSH-WAN'
config rule
option src '*'
option proto 'udp'
option name 'Allow-Wireguard-Inbound'
option dest_port '51820'
option target 'ACCEPT'
config rule
option target 'ACCEPT'
option src 'lan'
option dest 'wan'
Thanks
Let’s see the config from the other peer device.
Meanwhile, not the cause of the problem, but remove this unnecessary rule.
mk24, February 24, 2023, 4:08pm
wg show is not reporting any handshakes. It is not running OK. Failure to handshake is either that the encrypted packets have no network link, or the keys do not match.
trendy, February 24, 2023, 4:09pm
The service is not running OK. If it were running OK you would see:
peer: cTOqkuxNDZJtbA...=
preshared key: (hidden)
endpoint: XX.XX.XX.XX:51820
allowed ips: 10.0.10.7/32, fd00:bbbb:10::7/128
transfer: 2.55 MiB received, 19.71 MiB sent
persistent keepalive: every 25 seconds
Check on eth0.2 UDP port 51820 with tcpdump that there are incoming packets, or check the firewall rule hits.
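The two replies above boil down to one check: a peer block in `wg show` without a `latest handshake` line has never completed a handshake, whatever the firewall counters say. The following parser is an added example (not code from the thread or from OpenWrt) that applies that check to `wg show` output; the sample text is constructed, with placeholder keys, to mirror the poster's output (first peer) and trendy's healthy-peer output (second peer). The 180-second staleness threshold is WireGuard's REJECT_AFTER_TIME; with a 25-second keepalive, a handshake older than that means the tunnel has died since.

```python
import re

# Added example: classify peers from `wg show` text. Not part of the original thread.
# Keys below are placeholders, not real WireGuard keys.
PHONE_KEY = "PhOnEpUbKeYpLaCeHoLdEr0000000000000000000000="
LAPTOP_KEY = "LaPtOpPuBkEyPlAcEhOlDeR000000000000000000000="

# Constructed sample: peer 1 mirrors the thread (no endpoint, no handshake,
# no transfer); peer 2 is a peer that has handshaken and moved traffic.
SAMPLE_WG_SHOW = f"""\
interface: Wireguard
  public key: RoUtErPuBkEyPlAcEhOlDeR000000000000000000000=
  private key: (hidden)
  listening port: 51820

peer: {PHONE_KEY}
  allowed ips: 10.8.0.2/32
  persistent keepalive: every 25 seconds

peer: {LAPTOP_KEY}
  endpoint: 203.0.113.7:51820
  allowed ips: 10.8.0.3/32
  latest handshake: 1 minute, 12 seconds ago
  transfer: 2.55 MiB received, 19.71 MiB sent
  persistent keepalive: every 25 seconds
"""

_UNIT_SECONDS = {"day": 86400, "hour": 3600, "minute": 60, "second": 1}


def handshake_age_seconds(text: str) -> int:
    """Turn wg's human age ('1 minute, 12 seconds ago') into seconds; 'Now' -> 0."""
    return sum(int(n) * _UNIT_SECONDS[u]
               for n, u in re.findall(r"(\d+) (day|hour|minute|second)s?", text))


def parse_wg_show(text: str) -> dict:
    """Return {peer_public_key: {field: value}} for every peer block in `wg show` output."""
    peers, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(": ")
        if key == "interface":
            current = None                      # interface block, not a peer
        elif key == "peer":
            current = peers.setdefault(value, {})
        elif current is not None and sep:
            current[key] = value
    return peers


def diagnose(text: str, stale_after: int = 180) -> dict:
    """Map each peer to 'ok', 'stale' or 'no-handshake'.

    wg only prints 'latest handshake', 'endpoint' and 'transfer' once they are
    non-zero, so their absence is itself the signal: no handshake line means no
    authenticated exchange ever happened (no path, or keys do not match).
    """
    out = {}
    for pub, fields in parse_wg_show(text).items():
        if "latest handshake" not in fields:
            out[pub] = "no-handshake"
        elif handshake_age_seconds(fields["latest handshake"]) > stale_after:
            out[pub] = "stale"
        else:
            out[pub] = "ok"
    return out


if __name__ == "__main__":
    for peer, state in diagnose(SAMPLE_WG_SHOW).items():
        print(f"{peer[:12]}... {state}")
```

On a router you would feed it `wg show` directly, e.g. `wg show | python3 wgcheck.py` after changing the `__main__` block to read `sys.stdin`; a `no-handshake` peer is the cue to move on to tcpdump on the WAN interface and to the key cross-check, not to the forwarding rules.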
Running tcpdump against eth0.2 reports:
16:34:08.862178 IP <client-address>.19355 > <openwrt-wan-address>.51820: UDP, length 148
16:34:13.926983 IP <client-address>.19355 > <openwrt-wan-address>.51820: UDP, length 148
16:34:18.916923 IP <client-address>.19355 > <openwrt-wan-address>.51820: UDP, length 148
Doesn't capture any return traffic.
FW stats show traffic for the INPUT chain:
34 5984 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:51820 /* !fw3: Allow-Wireguard-Inbound */
FW stats for both the FORWARD and OUTPUT chains show no traffic to the WireGuard interface:
0 0 zone_lan_forward all -- Wireguard * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_lan_output all -- * Wireguard 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Do you have a public ip address?
If you look at the ipv4 upstream (on the main luci status page), does it match the results from googling “what’s my ip”?
The client is an Android app with a profile created from the QR code that LuCI generated.
Interface:
Public Key: xxxxx
Addresses: 10.8.0.2/32
Peer:
Public Key: xxxxxx (matches what the wireguard status page reports)
Allowed IPs: 0.0.0.0/32
Endpoint: <OpenWRT WAN address>:51820
Persistent Keepalive: 25 Seconds
ninjasftw: "Allowed IPs: 0.0.0.0/32"
This won’t work. Needs to be 0.0.0.0/0.
Your wg interface definition must have a private key. I don’t see that in what you showed. Without it, the interface will not work at all.
Yes, the public IP address is correct.
It matches the IP reported and I can SSH into OpenWrt from the internet OK.
Changed to 0.0.0.0/32. Same result.
The interface does have a private key, sorry. It's not on the connection status page but it is configured if you go to edit the profile.
Did you mean 0.0.0.0/0?
Does the remote peer configuration show the private and public key for the interface? (Not the peer). If so, does the public key match the public key that you have defined in the openwrt wireguard peer section?
Yes, sorry, bad quoting; it's 0.0.0.0/0.
The app's Peer section only shows the public key, but it matches the public key shown on the LuCI WireGuard Status page.
If the key were wrong, would you still expect to see any traffic in the WireGuard interface stats?
The public key in each peer section must match the public key (that is derived from the private key) from the other peer’s interface definition.
No, there would be no traffic shown. No handshake either.
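The rule stated above (each peer section's public key must equal the key derived from the other side's private key) can be verified offline without the `wg` binary, which matters when one side is a phone profile you can only read off a screen. The following is an added example, not code from the thread or from WireGuard/OpenWrt: a pure-Python X25519 (the RFC 7748 Montgomery ladder, which is what `wg pubkey` computes) plus a cross-check over both sides' keys. The keys are the RFC 7748 section 6.1 test vectors used as stand-in WireGuard keys (Alice as the router, Bob as the client); the config dicts are constructed for the example.

```python
import base64

# Added example: derive WireGuard public keys (X25519, RFC 7748) and cross-check
# a router/client pair. Not part of the original thread. Not constant-time;
# fine for checking configs, not for a production crypto library.
_P = 2**255 - 19
_A24 = 121665
_BASEPOINT = b"\x09" + b"\x00" * 31      # u = 9, little-endian


def _x25519(scalar: bytes, u_bytes: bytes) -> bytes:
    """RFC 7748 X25519: clamp the scalar, run the ladder, return the 32-byte u-coordinate."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    k = int.from_bytes(k, "little")
    u = bytearray(u_bytes)
    u[31] &= 127                          # ignore the unused top bit
    x1 = int.from_bytes(u, "little") % _P

    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % _P, (x2 - z2) % _P
        aa, bb = a * a % _P, b * b % _P
        e = (aa - bb) % _P
        c, d = (x3 + z3) % _P, (x3 - z3) % _P
        da, cb = d * a % _P, c * b % _P
        x3 = (da + cb) * (da + cb) % _P
        z3 = x1 * ((da - cb) * (da - cb) % _P) % _P
        x2 = aa * bb % _P
        z2 = e * (aa + _A24 * e) % _P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, _P - 2, _P) % _P).to_bytes(32, "little")


def wg_pubkey(private_key_b64: str) -> str:
    """Equivalent of `wg pubkey`: base64 private key in, base64 public key out."""
    priv = base64.b64decode(private_key_b64)
    if len(priv) != 32:
        raise ValueError("WireGuard keys are exactly 32 bytes")
    return base64.b64encode(_x25519(priv, _BASEPOINT)).decode()


def pubkey_hex(private_key_b64: str) -> str:
    """Hex form of the derived public key, handy for comparing against test vectors."""
    return base64.b64decode(wg_pubkey(private_key_b64)).hex()


def check_key_pairing(router: dict, client: dict) -> list:
    """Each side's peer public key must be derived from the *other* side's private key.

    router = {"private_key": ..., "peer_public_key": ...}   (OpenWrt interface + phone peer)
    client = {"private_key": ..., "peer_public_key": ...}   (phone interface + OpenWrt peer)
    Returns a list of mismatch descriptions; empty means the pair is consistent.
    """
    problems = []
    if router["peer_public_key"] != wg_pubkey(client["private_key"]):
        problems.append("router peer public_key does not match the client's private key")
    if client["peer_public_key"] != wg_pubkey(router["private_key"]):
        problems.append("client peer public key does not match the router's private key")
    return problems


def _b64(hexstr: str) -> str:
    return base64.b64encode(bytes.fromhex(hexstr)).decode()


# Stand-in keys: RFC 7748 section 6.1 vectors (Alice = router, Bob = client).
ROUTER_PRIVATE = _b64("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
CLIENT_PRIVATE = _b64("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")


def demo():
    """Consistent pair, then the thread's failure mode: client holds the wrong router key."""
    router = {"private_key": ROUTER_PRIVATE, "peer_public_key": wg_pubkey(CLIENT_PRIVATE)}
    client = {"private_key": CLIENT_PRIVATE, "peer_public_key": wg_pubkey(ROUTER_PRIVATE)}
    good = check_key_pairing(router, client)
    client_bad = dict(client, peer_public_key=wg_pubkey(CLIENT_PRIVATE))
    bad = check_key_pairing(router, client_bad)
    return good, bad


if __name__ == "__main__":
    print(demo())
```

To use it against a real setup, paste the `option private_key` from `/etc/config/network` and the client's private key into the two dicts; a non-empty result explains a peer that never handshakes even though the router's INPUT counters show the UDP packets arriving.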
I created a new client profile manually and made sure all the keys matched up.
The client logs just report a handshake timeout.
mk24, February 24, 2023, 5:29pm
When testing, make sure the phone is on cell data to simulate being out in the field (turn off the phone's Wi-Fi). Unless you make special arrangements to "hairpin" your public IP onto the LAN, a client connected to the home Wi-Fi LAN generally will not reach the public IP.
OK, it seems to be working now.
After I created a new client profile, apparently I also needed to restart the router for it.
I guess my original profile must not have had the keys match up.
Thanks very much for your help!
system, March 6, 2023, 5:34pm
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.