I have a WireGuard server; it is private (not from the companies that offer this service).
The problem is that when I create the connection following this tutorial, it works perfectly. But when I restart the router, it does not reconnect.
The tutorial is:
https://www.ivpn.net/setup/router/openwrt-wireguard/
The connection is (I changed some data):
[Interface]
PrivateKey = wNa/P3Amdv4Aadalk440a66d5zjWod1VHdJ8uq4HY=
Address = 10.2.0.80/24
DNS = 192.168.92.1
[Peer]
PublicKey = ixrWCSy1Poddcxwe90waalskdjaAAB7WnqXNFfiQGjg=
PresharedKey = ckaiXOYJiVuJ7+++94aisAAERE449J3lB5Jht18w=
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 0
Endpoint = vpn.vpnprivatedomain.com:3344
My hypothesis is that the VPN is unable to recognize the "Endpoint" domain because the firewall is prohibiting it from connecting.
Thanks.
brada4
September 12, 2024, 10:25pm
You are welcome to replace keys in your infrastructure and never ever post them in a public forum.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
I suspect that this is not the reason.
More than likely, the problem is related to time. In order for VPNs to function, the time must be correct. It is likely that the clock on the local device is not sync'd with NTP after the restart at the time that WG starts. The result is that WG cannot connect and there is no route to the NTP servers via the regular wan. It becomes a chicken or egg.
The solution is to hold WG back until NTP has sync'd. This is discussed in a bunch of threads... here's one:
OpenWRT forums RIP, not sure where to post a feature request/bug for the next LEDE / Wireguard release.
Most of our consumer/entry LEDE routers do not have a battery keeping date/time. The current NTP client method in LEDE is prohibitive of correct and reliable wireguard working.
Since Wireguard is highly dependent on correct date/time, please make sure:
The NTP client is redesigned to load at the very beginning of LEDE bootup, before all else.
The NTP client is redesigned to not bug as desc…
root@OpenWrt:~# ubus call system board
{
	"kernel": "5.15.150",
	"hostname": "OpenWrt",
	"system": "Qualcomm Atheros QCA956X ver 1 rev 0",
	"model": "TP-Link Archer C7 v5",
	"board_name": "tplink,archer-c7-v5",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.3",
		"revision": "r23xxx-23xxxa2efa",
		"target": "ath79/generic",
		"description": "OpenWrt 23.05.3 r23xxx9-23xxxefa"
	}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fxxx:cxxf:aaxx::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth0.2'
	option macaddr 'xx:af:xx:xx:ea:xc'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

config interface 'ivpnXX'
	option proto 'wireguard'
	option private_key 'wNa/P3Amxxxxxxx5w66d5zjxxxxxxx4HY='
	list addresses '10.x.0.xx/24'
	list dns '192.168.97.1'
	option mtu '1412'

config wireguard_ivpnXX
	option description 'Imported peer configuration'
	option public_key 'ixrWCSyxxxxxxxcxB7WnqX7xxxxxxiQGjg='
	option preshared_key 'ckaiXOxxxxxxDjGmv9QU9+mxxxxxxxx18w='
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
	option endpoint_host 'vpn.xxxxxxxx.com'
	option endpoint_port '3478'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'ivpn_fw'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'ivpnXX'

config forwarding
	option src 'lan'
	option dest 'ivpn_fw'
brada4
September 13, 2024, 4:46am
Please change compromised keys. And attribute AI edit changes.
As mentioned already, the time on your client might be too inaccurate when WG is started. Either set up the actual time earlier on your router (with custom patches, which I prefer to do) OR defer the start of Wireguard. There might be another problem, though: DNS not up soon enough. Which is an unpleasant consequence of the non-deterministic starts of services after boot, being in parallel, NOT sequential. Quite often a PITA, I have to note.
For verification, replace
vpn.vpnprivatedomain.com:3344
with
real.ip.ofvpnprivatedomain.com:3344
In the very worst case, i.e. when using a mobile connection only, this might also fail, because the network is not up soon enough.
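Both replies above (the NTP chicken-and-egg explanation and the "defer start of Wireguard" suggestion) point at the same fix, and the script below is an added example, not from the thread or the linked tutorial, showing how OpenWrt's sysntpd hotplug hook can bring the tunnel up only on the first `stratum` (clock synced) event after boot. Assumed: the script lives under `/etc/hotplug.d/ntp/`, the interface is the posted `ivpnXX` with `option auto '0'` set so netifd does not start it at boot, and the stamp file path is made up for this example.

```shell
#!/bin/sh
# Assumed install path: /etc/hotplug.d/ntp/50-wg-after-ntp (example, not from the thread).
# sysntpd runs every script in /etc/hotplug.d/ntp/ with ACTION set to one of
# "stratum" (clock now synced), "periodic", "step" or "unsync".

WG_IFACE="${WG_IFACE:-ivpnXX}"             # UCI interface name from the posted network config
STAMP="/var/run/wg-after-ntp.${WG_IFACE}"  # tmpfs, so it disappears on every reboot

# Decide whether this hotplug event should start the tunnel.
#   $1 = hotplug ACTION, $2 = stamp file path
# Returns 0 (start it) only for the first "stratum" event since boot; every
# later event returns 1 so the tunnel is not bounced on each successful NTP poll.
wg_start_needed() {
    action="$1"
    stamp="$2"
    [ "$action" = "stratum" ] || return 1   # time not trusted yet (or sync was lost)
    [ -e "$stamp" ] && return 1             # already brought up since boot
    return 0
}

# Hotplug entry point: only acts when sysntpd invokes us with ACTION set.
if [ -n "$ACTION" ] && wg_start_needed "$ACTION" "$STAMP"; then
    touch "$STAMP"
    logger -t wg-after-ntp "clock synced (ACTION=$ACTION), starting $WG_IFACE"
    ifup "$WG_IFACE"
fi
```

With `option auto '0'` on the interface, a reboot leaves the tunnel down until ntpd reports a stratum, at which point `ifup` starts it once with a correct clock; `logread | grep wg-after-ntp` shows when that happened.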
brada4
September 13, 2024, 12:37pm
Ones in your initial post.
Have you tried them? I changed the data. Thanks for the concern, but I never uploaded the real data.