Can't get Wireguard client working on Raspberry Pi - no traffic over tunnel

This is my 2nd learning project with OpenWrt. It should be a straightforward process to install & configure a Wireguard client with Luci. I've done it before on an Asus router.

To my embarrassment I could not get it working on a Raspberry Pi.

The reason I want to have a wireguard client on a Pi 4B is beefier compute power. I noticed that the Asus AC51U router is laggier than a wireguard client app on an Nvidia Shield for streaming.

The Pi is connected to a USB LAN port [eth1 - WAN] to the main internet router.
And the built in LAN port [eth0 - LAN] to my PC.
WAN interface is a simple dhcp client.
LAN interface has its own subnet [192.168.1.1] and dhcp server

Above is all standard stuff and I have an internet connection on my PC from the Pi.

The scary part comes next.
The first time I created a Wireguard VPN interface for the WG client and assigned it to the firewall zones, it worked flawlessly. The tunnel is created. And ipleak.net shows my destination IP.

However after reboot or deleting and creating the WG interface, something strange happens.
I have internet connection, the WG client interface has connection with the server, however the traffic does not flow over the tunnel. Only the keepalive pings flow over the tunnel. I've performed a reset and redone the same steps to create wan and wg interface to no avail.

Any help is appreciated.

Here below some details.

Interfaces:

Firewall zones:

Wireguard client config:

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'xxx'
        list addresses '10.6.0.4/24'
        option peerdns '0'
        list dns '10.6.0.1'

config wireguard_wg0
        option public_key 'xxx'
        option preshared_key 'xxx'
        list allowed_ips '0.0.0.0/0'
        option endpoint_host 'xxx'
        option endpoint_port '51820'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

I am not an expert but why have you assigned the wg0 interface to the WAN zone? In my use case, granting access to remote devices when away from home, I have my wg0 assigned to my guest zone (could be LAN as well).

EDIT: I also see differences in your config vs mine. For reference:

config interface 'wg0'
  option proto 'wireguard'
  option listen_port '51888'
  list addresses '10.1.1.200/24'
  option private_key 'xxx'

config wireguard_wg0
  option description 'me'
  list allowed_ips '10.1.1.201/32'
  option route_allowed_ips '1'
  option public_key 'xxx'
  option preshared_key 'xxx'

And in /etc/config/firewall

config rule 'wg'
  option name 'allow-wireguard'
  option proto 'udp'
  option target 'ACCEPT'
  option src 'wan'
  option dest_port '51888'

config zone
  option name 'guest'
  option input 'REJECT'
  option output 'ACCEPT'
  option forward 'REJECT'
  list network 'guest'
  list network 'wg0'

I think your wg config is a server accepting incoming requests (rule 'wg'). Mine is a client initiating outgoing requests.

I reflashed a clean sd card with OpenWrt and redid the steps again. I also used a protonvpn config file [with a static IP peer] which I imported into Luci. After every save & apply a reboot or a network restart. And the PC's only connection is to the Pi and not any wifi connection to internet.

Same result: wg vpn interface is up, but no traffic. The firewall zones are configured as above. Both wan/vpn zones have masquerading & MSS clamping enabled.

I tried to figure out what the differences are between the Pi and the Asus config [which works]:

  • on the Pi wan had to be created manually, due to the USB LAN port. The wan interface works
  • on the Asus the clients come thru Wifi and on the Pi thru LAN
  • both have same version 23.03.2

Let's see your config files:

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

Well surprise surprise, it's working now.
I compared the settings of Pi with Asus and 2 things make it work I think:

  1. always do a reboot if doing vpn changes. A network restart does not seem to work all the time
  2. I removed in the Pi MSS clamping for zone 'vpn'

Here are the requested files. I removed the sensitive parts:

root@OpenWrt_Wireguard:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd33:5112:a704::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.1'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth1'

config interface 'protonvpn'
        option proto 'wireguard'
        option private_key ''
        list addresses '10.2.0.2/32'
        option peerdns '0'
        list dns '10.2.0.1'
        option auto '0'

config wireguard_protonvpn
        option public_key ''
        list allowed_ips '0.0.0.0/0'
        option endpoint_host ''
        option endpoint_port '51820'
        option description 'Protonvpn'
        option route_allowed_ips '1'

config interface 'zmeer_vpn'
        option proto 'wireguard'
        option private_key ''
        list addresses '10.6.0.6/24'
        option peerdns '0'
        list dns '10.6.0.1'

config wireguard_zmeer_vpn
        option public_key ''
        option preshared_key ''
        option endpoint_host ''
        option endpoint_port '51820'
        option description 'pkk-openwrt user'
        list allowed_ips '0.0.0.0/0'
        option route_allowed_ips '1'
root@OpenWrt_Wireguard:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'vpn'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'
        option masq '1'
        list network 'zmeer_vpn'

config forwarding
        option src 'lan'
        option dest 'vpn'

This interface does not appear to be assigned to a firewall zone. Otherwise everything looks fine.
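The check made in the reply above (is every WireGuard interface held by a firewall zone, with masquerading and a forwarding from lan?) can be scripted. This is an added example, not code from the thread or from OpenWrt; it assumes single-quoted UCI values as in the posted files, and the embedded sample is a constructed cut-down of the configs posted above.

```python
# Added example: flag a WireGuard interface that no firewall zone holds (the
# protonvpn case above), a holding zone without masquerading, and a missing
# 'lan' -> zone forwarding. Assumes single-quoted UCI values, as in the posts.
import re
_SECTION = re.compile(r"^config\s+(\S+)(?:\s+'([^']*)')?$")
_OPTION = re.compile(r"^(?:option|list)\s+(\S+)\s+'([^']*)'$")

def parse_uci(text):
    """Return [(type, name, {key: [values]})]; 'list' keys accumulate."""
    sections = []
    for line in (l.strip() for l in text.splitlines()):
        if m := _SECTION.match(line):
            sections.append((m.group(1), m.group(2), {}))
        elif (m := _OPTION.match(line)) and sections:
            sections[-1][2].setdefault(m.group(1), []).append(m.group(2))
    return sections

def check_wireguard(network_cfg, firewall_cfg):
    """List findings per WireGuard interface; an empty list means all checks pass."""
    net, fw = parse_uci(network_cfg), parse_uci(firewall_cfg)
    wg = [n for t, n, o in net if t == "interface" and o.get("proto") == ["wireguard"]]
    zones = [(o.get("name", [""])[0], o) for t, _, o in fw if t == "zone"]
    fwd = {(o.get("src", [""])[0], o.get("dest", [""])[0]) for t, _, o in fw if t == "forwarding"}
    findings = []
    for iface in wg:
        holders = [(z, o) for z, o in zones if iface in o.get("network", [])]
        if not holders:
            findings.append(f"{iface}: not assigned to any firewall zone")
        for z, o in holders:
            if o.get("masq") != ["1"]:
                findings.append(f"{iface}: zone '{z}' has no masquerading (masq)")
            if ("lan", z) not in fwd:
                findings.append(f"{iface}: no forwarding from 'lan' to zone '{z}'")
    return findings

# Constructed sample, cut down from the two config files posted above.
NETWORK = """config interface 'protonvpn'
        option proto 'wireguard'
        option auto '0'
config interface 'zmeer_vpn'
        option proto 'wireguard'
        list addresses '10.6.0.6/24'
"""
FIREWALL = """config zone
        option name 'vpn'
        option masq '1'
        list network 'zmeer_vpn'
config forwarding
        option src 'lan'
        option dest 'vpn'
"""
if __name__ == "__main__":
    print("\n".join(check_wireguard(NETWORK, FIREWALL)) or "no findings")
```

On a router, pass the contents of /etc/config/network and /etc/config/firewall (read with open()) instead of the sample strings.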

yeah, protonvpn was used for testing, and later disabled.

Lessons learned. To make the wireguard client interface work, I had to consider the following. Both on ordinary Asus router and Pi:

  1. don't rely on interface stop/start to get a proper connection. If you do want to use it, adhere to the following: first stop the vpn interface. Then restart wan. Check if you have a proper internet connection. Then restart the vpn interface

In my experience better do a reboot. The best is to switch off and on the device. It seems that a service restart of wan or network does not do the proper order of interface starts

  2. if your vpn client is configured with PersistentKeepalive other than 0, note that if the vpn server/peer is rebooted, you will lose the vpn connection, so a restart/reboot of router is necessary.

Better to keep this setting to 0, where a connection is initiated on an on-demand basis.
