Can't get traffic to forward to WireGuard interface

Hi,
I'm trying to get WireGuard set up but I'm obviously missing something fairly crucial.

I've installed and set it up. The service is running OK:

root@OpenWrt:~# wg show
interface: Wireguard
  public key: xxxxxx
  private key: (hidden)
  listening port: 51820

peer: xxxxxx
  allowed ips: 10.8.0.2/32
  persistent keepalive: every 25 seconds

I have the following firewall rules set up:

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'Wireguard'

config zone
	option name 'wg'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config redirect
	option target 'DNAT'
	option name 'Wireguard'
	list proto 'udp'
	option src 'wan'
	option src_dport '51820'
	option dest 'lan'
	option dest_ip '10.0.1.1'
	option dest_port '51820'

and the following network setup:

config interface 'Wireguard'
	option proto 'wireguard'
	option private_key 'xxxxx'
	list addresses '10.8.0.1/24'
	option listen_port '51820'

config wireguard_Wireguard
	option public_key 'xxxxxxx'
	list allowed_ips '10.8.0.2/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option endpoint_port '51820'
	option description 'phone'

The problem is that I don't seem to be able to get traffic to forward into the WireGuard interface. When I attempt to connect with the client I see outbound traffic but nothing ever coming back.
I ran tcpdump against the WireGuard interface and it's not capturing anything.
I ran it against the wan interface and I can see the connection attempts hitting.

Is anyone able to point me in the right direction for this?
Thanks!

Remove this:

Delete this redirect and make it a standard traffic rule instead:

Remove the endpoint port from below.

Then restart the router and try again. If it doesn’t work, please post the complete files below:

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

Hi,
Did that and same result.

cat /etc/config/network

config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

config globals 'globals'
	option ula_prefix 'xxxxxxx::/48'

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '10.0.1.1'
	option device 'br-lan'

config device 'lan_dev'
	option name 'eth1.1'
	option macaddr 'xxxxxxxxx'

config interface 'wan'
	option proto 'dhcp'
	option device 'eth0.2'

config device 'wan_dev'
	option name 'eth0.2'
	option macaddr 'xxxxxxx'

config interface 'wan6'
	option proto 'dhcpv6'
	option device 'eth0.2'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 0t'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'

config interface 'Wireguard'
	option proto 'wireguard'
	option private_key 'xxxxxxx'
	list addresses '10.8.0.1/24'
	option listen_port '51820'

config wireguard_Wireguard
	option public_key 'xxxxxxxx'
	list allowed_ips '10.8.0.2/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option description 'phone'

cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'Wireguard'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'tcp'
	option dest_port '22'
	option name 'ALLOW-SSH-WAN'

config rule
	option src '*'
	option proto 'udp'
	option name 'Allow-Wireguard-Inbound'
	option dest_port '51820'
	option target 'ACCEPT'

config rule
	option target 'ACCEPT'
	option src 'lan'
	option dest 'wan'

Thanks

Let’s see the config from the other peer device.

Meanwhile, not the cause of the problem, but remove this unnecessary rule.

wg show is not reporting any handshakes. It is not running OK. Failure to handshake is either that the encrypted packets have no network link, or the keys do not match.


The service is not running ok. If it was running ok you should see:

peer: cTOqkuxNDZJtbA...=
  preshared key: (hidden)
  endpoint: XX.XX.XX.XX:51820
  allowed ips: 10.0.10.7/32, fd00:bbbb:10::7/128
  transfer: 2.55 MiB received, 19.71 MiB sent
  persistent keepalive: every 25 seconds

Check on eth0.2 UDP port 51820 with tcpdump that there are incoming packets, or check the firewall rule hits.

Running tcpdump against eth0.2 reports:

16:34:08.862178 IP <client-address>.19355 > <openwrt-wan-address>.51820: UDP, length 148
16:34:13.926983 IP <client-address>.19355 > <openwrt-wan-address>.51820: UDP, length 148
16:34:18.916923 IP <client-address>.19355 > <openwrt-wan-address>.51820: UDP, length 148

Doesn't capture any return traffic.

FW stats show traffic for the INPUT chain:
34 5984 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:51820 /* !fw3: Allow-Wireguard-Inbound */

FW stats for both the FORWARD and OUTPUT chains show no traffic to the WireGuard interface:
0 0 zone_lan_forward all -- Wireguard * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */

0 0 zone_lan_output all -- * Wireguard 0.0.0.0/0 0.0.0.0/0 /* !fw3 */

Do you have a public ip address?

If you look at the ipv4 upstream (on the main luci status page), does it match the results from googling “what’s my ip”?


Client is an android app with profile created by QR code that LuCI generated

Interface:

Public Key: xxxxx
Addresses: 10.8.0.2/32

Peer

Public Key: xxxxxx (matches what the wireguard status page reports)
Allowed IPs: 0.0.0.0/32
Endpoint: <OpenWRT WAN address>:51820
Persistent Keepalive: 25 Seconds

This won’t work. Needs to be 0.0.0.0/0.

Your wg interface definition must have a private key. I don’t see that in what you showed. Without it, the interface will not work at all.

Yes public ip address is correct.
Matches the ip reported and I can ssh into OpenWRT from the internet ok.

Changed to 0.0.0.0/32. Same result.

The interface does have a private key, sorry. It's not in the connection status page but is configured if you go to edit the profile.

Did you mean 0.0.0.0/0?

Does the remote peer configuration show the private and public key for the interface? (Not the peer). If so, does the public key match the public key that you have defined in the openwrt wireguard peer section?

Yes, sorry, bad quoting. It's 0.0.0.0/0.

The app Peer section only shows the public key but it matches the public key provided in the LuCI WireGuard Status page.

If the key is wrong would you still expect to see any traffic across the wireguard interface stats?

The public key in each peer section must match the public key (that is derived from the private key) from the other peer’s interface definition.

No, there would be no traffic shown. No handshake either.
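As an added example (not code from the thread or from OpenWrt), here is a small Python checker that applies the diagnostics given above to a `wg show` dump and the phone's wg-quick profile: a peer with no `latest handshake` line, a client AllowedIPs that is not 0.0.0.0/0 for the full-tunnel setup the thread describes, and a client [Peer] key that does not equal the router's interface public key. The sample inputs and all key values are constructed placeholders.

```python
import configparser
# Constructed samples (placeholder keys): a `wg show` without a handshake line and a phone profile with the thread's two mistakes.
WG_SHOW = """\
interface: Wireguard
  public key: SERVER_PUB_PLACEHOLDER=
  listening port: 51820

peer: CLIENT_PUB_PLACEHOLDER=
  allowed ips: 10.8.0.2/32
"""
CLIENT_CONF = """\
[Interface]
PrivateKey = CLIENT_PRIV_PLACEHOLDER=
Address = 10.8.0.2/32
[Peer]
PublicKey = STALE_SERVER_PUB_PLACEHOLDER=
AllowedIPs = 0.0.0.0/32
"""

def parse_wg_show(text):
    """Return (interface dict, list of peer dicts) from `wg show` output."""
    iface, peers, cur = {}, [], None
    for line in text.splitlines():
        if line.startswith("peer:"):
            cur = {"public key": line.split(":", 1)[1].strip()}
            peers.append(cur)
        elif line.startswith("interface:"):
            cur = iface
        elif line.startswith("  ") and ":" in line and cur is not None:
            k, v = line.strip().split(":", 1)
            cur[k] = v.strip()
    return iface, peers

def parse_client_conf(text):
    """wg-quick profiles are INI-like; keep key case and tolerate repeated keys."""
    cp = configparser.ConfigParser(strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def check_tunnel(wg_show_text, client_conf_text):
    """Apply the thread's checklist; an empty list means nothing obviously wrong."""
    iface, peers = parse_wg_show(wg_show_text)
    peer_cfg = parse_client_conf(client_conf_text).get("Peer", {})
    findings = []
    if not any("latest handshake" in p for p in peers):  # a working peer shows this line
        findings.append("no handshake: check keys and the UDP path to port " + iface.get("listening port", "?"))
    if peer_cfg.get("AllowedIPs") != "0.0.0.0/0":  # /32 sends nothing through the tunnel
        findings.append("client AllowedIPs is %s, expected 0.0.0.0/0" % peer_cfg.get("AllowedIPs"))
    if peer_cfg.get("PublicKey") != iface.get("public key"):  # must be the server's interface key
        findings.append("client [Peer] PublicKey does not match the server interface public key")
    return findings
```

Feed it real `wg show` output and the exported profile; a missing handshake together with a key mismatch is exactly the combination the thread ended on.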

I created a new client profile manually and made sure all the keys matched up.

Client logs just report a handshake timeout.

When testing make sure the phone is on cell data to simulate being out in the field (turn off the phone WiFi). Unless you make special arrangements to "hairpin" your public IP onto the LAN, a client connected to the home wifi LAN generally will not reach the public IP.

Ok it seems to be working now.

After I created a new client profile apparently I also needed to restart the router for it.

I guess my original profile must not have had the keys match up.

Thanks very much for your help!
