Help with secondary Wireguard peer connecting

BillyBlaze · February 11, 2020, 7:22pm

Hello,

I am struggling to get a peer connected to wireguard and I cannot work out why.
I have wireguard installed on Openwrt 19.07.1 and I followed this guide to get a working setup with another peer. http://chrisbuchan.co.uk/uncategorized/wireguard-setup-openwrt/

My problem peer. (Wireguard for iOS 0.0.20200127 / iOS 13.3.1) produces this error message in wireguard log "Handshake did not complete after 5 seconds, retrying (try x)"
The working peer (almost identical setup except on iOS 13.3) can connect to the vpn perfectly fine where I can access resources on my LAN externally.

I have double and triple checked my keys / key pairs and I am sure they match they match for the problem peer so I think my problem lies with the IP addresses I have chosen or my lack of understanding of the /32 netmask.
(I have also uninstalled the wireguard app and regenerated new key pairs too)

In Openwrt's Wireguard Interfaces section. The IP is set to 10.200.200.1/24
The working peer is set to Allowed IPs > 10.200.200.2/32
The problem peer is set to Allowed IPs > 10.200.200.3/32 (also tried 10.200.201.2/32)

Any help, very much appreciated.

Thanks.

psherman · February 11, 2020, 9:43pm

Did you restart your wireguard interface on the openwrt side after you added the new peer?

BillyBlaze · February 11, 2020, 10:09pm

Yes. Router has also been rebooted.

psherman · February 11, 2020, 11:54pm

Please post your entire /etc/config/network file (but redact your keys). Also, please post the remote peer wg configurations (again with redacted keys)

Are you testing both of your remote peers using the same method (i.e. cellular connection, external network, etc.)?

I know you said you have verified the keys multiple times, but make sure that the exchanged keys are the public ones, and that the public and private keys are in the right places.

BillyBlaze · February 12, 2020, 5:47pm

System is a Linksys EA6350v3 in case below it looks strange.
/etc/config/network - omitted MACs and VPN keys below

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'x/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option stp '1'
	option ipaddr '192.168.64.254'

config device 'lan_dev'
	option name 'eth0'
	option macaddr 'x'

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'
	option peerdns '0'

config device 'wan_dev'
	option name 'eth1'
	option macaddr 'x'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0'

config wireguard_wg0
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option public_key 'x'
	option description 'iPhone SE'
	list allowed_ips '10.200.200.2/32'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'x'
	option listen_port '51820'
	list addresses '10.200.200.1/24'

config wireguard_wg0
	option public_key 'x'
	option description 'iPhone'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	list allowed_ips '10.200.200.3/32'

Problem Remote Peer: (sorry exporting the zip was painful ..)

INTERFACE
Name: Home
Publix key: x
Addresses 10.200.200.3/32
DNS servers 192.168.64.254
PEER
Public key: x
Endpoint: My WAN IP:51820
Allowed IPs 0.0.0.0/0
On demand: Off

Both peers are being tested the same, WiFi disabled and cellular 4G Enabled

Public and private keys are definitely the correct way round

psherman · February 12, 2020, 5:59pm

Everything looks good there. What is the output of wg show on the OpenWrt router?

Just to confirm, the current status is that one device will connect, but the other will not? The output of wg show should show a timestamp for the last handshake for each of the remote peers -- try connecting from each peer and see if anything changes.

BillyBlaze · February 12, 2020, 6:06pm

"Current state is that one device will connect but the other will not?" < Correct

wg show


interface: wg0
  public key: x
  private key: (hidden)
  listening port: 51820

peer: x
  endpoint: 192.168.64.139:64572
  allowed ips: 10.200.200.2/32
  latest handshake: 19 hours, 53 minutes, 2 seconds ago
  transfer: 889.90 KiB received, 10.91 MiB sent
  persistent keepalive: every 25 seconds

peer: x
  allowed ips: 10.200.200.3/32
  persistent keepalive: every 25 seconds

psherman · February 12, 2020, 6:43pm

Looks like this one is being tested from inside your network. And the last handshake was 19 hours ago -- is that right? is it still working? If you test the other phone from inside, does it still fail to connect?

BillyBlaze · February 12, 2020, 6:46pm

Yes sorry about that, tested from outside of network just now on both; Handshake doesn't complete on one :s

But you are saying the IPs and netmasks look correct to you ?

interface: wg0
  public key: x
  private key: (hidden)
  listening port: 51820

peer: x
  endpoint: WAN IP:25092
  allowed ips: 10.200.200.2/32
  latest handshake: 45 seconds ago
  transfer: 899.75 KiB received, 10.97 MiB sent
  persistent keepalive: every 25 seconds

peer: x
  allowed ips: 10.200.200.3/32
  persistent keepalive: every 25 seconds

psherman · February 12, 2020, 6:50pm

Yes, looks good to me.

Are both iPhones running the same version of iOS? Are they both using the same cellular carrier? Both up to date on the WireGuard app?

I hate to suggest this (since you said you have done this multiple times), but maybe it is worth generating new keys for the iPhone that isn't working. Double check that the details between the two iPhones are the same except for the iPhone's private and public keys (but the public key for the OpenWrt end should be the same), and then copy the public key from the iPhone > OpenWrt.

lleachii · February 12, 2020, 7:06pm

I would make a route for 10.200.200.0/24 on the WG; but the route allowed IPs setting should work too.
Do you have INPUT 51820/udp opened on your OpenWrt firewall?

BillyBlaze · February 12, 2020, 8:55pm

@psherman iPhones are on different versions of iOS by a minor version.
Working Peer iOS 13.3
Problem Peer iOS 13.3.1 (This phone has been wiped very recently and had the wireguard app reinstalled two to rule that out)
They are both using the same cellular carrier and both running the same version of the wireguard app.
Perhaps you are correct and I need to do the keys again, could I have got them wrong after two attempts?!
I made sure the public key of Openwrt end is the same and the config is the same, I have them side by side in front of me and each looks to check out. Each iPhone peer has its own generated key pair*

@lleachii I added a route and then checked in the gui - Routes which looks like this for Active IPv4 Routes;

wg0
10.200.200.0/24
wg0
10.200.200.2
wg0
10.200.200.3

output from cat /etc/config/firewall

config rule
	option src '*'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '51820'
	option name 'Allow-Wireguard-Inbound'

psherman · February 12, 2020, 9:04pm

If I could change one thing about WG from the user side, it would be to have private and public keys distinguishable by some human-readable difference in the string. For example, maybe the private key would end in "+=" and the public key ending in "-=" or whatever. I seem to recall making mistakes as I copied/pasted keys between the two devices.

I don't think that adding the route should be necessary (I don't have any routes added for my configuration), but it theoretically won't be a problem, either. Fundamentally, though, if you are unable to connect from just one device (but all is working from the other), I think that is more likely a key issue than anything else.

BillyBlaze · February 12, 2020, 9:07pm

Ok, I'll give it a test, maybe a tomorrow job for now.

Thanks

BillyBlaze · February 12, 2020, 10:14pm

My setup is now working! I removed the static route. Deleted the problem peer from the wireguard interface. Rebooted Router. Deleted VPN from Wireguard app. Created for scratch, the difference was this time I called the Interface "Home 2" on the problem iphone instead of "Home" (which is the same as working peer). Generated the keypairs as normal and this time, I did everything on the phone so I could be sure of the copy / paste process. Rebooted router again. Both peers can now connect externally!

*I even checked the keys for about the 12th time and they definitely matched before I went through this.

Thanks for the input. I guess it was a key problem, either that or don't name the interface as "Home" on one phone and "Home" on another!

Much appreciated

system · February 22, 2020, 10:14pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.