Imported Wireguard config does not send packets

I use Xiaomi Redmi Router AX6S, LuCI openwrt-23.05. I have imported .conf file from Wireguard, the conf file is definitely working. Though the connection does not: RX/TX 0/0.

On my intermediate router I cannot capture any packets to my endpoint:

tcpdump -i br0 dst en.d.poin.t -> no packets

logread -e vpn -> empty

netstat -l -n -p | grep -e "^udp\s.*\s-$" 
udp        0      0 0.0.0.0:34278           0.0.0.0:*                           -
udp        0      0 :::34278                :::*                                -

wg show
interface: MyVPN
  public key: afafafafafaf
  private key: (hidden)
  listening port: 34278

peer: afafafafafaf
  preshared key: (hidden)
  endpoint: 194.58.68.77:30827
  allowed ips: 0.0.0.0/0, ::/0

wg showconf vpn
Unable to access interface: No such device

Importing other keys to other servers also does not work. Please suggest a solution.

Did you make any network configuration changes to use the Wireguard tunnels?

Did you install the wg packages?

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

Tried too but no luck.

Also, just importing the same config works on other OpenWRT devices.

And yep, I have installed wg packages.

wg showconf MyVPN
[Interface]
ListenPort = 34278
PrivateKey = asdfasdfasdf

[Peer]
PublicKey = asdfasdfasdf
PresharedKey = asdfasdfasdf
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 19.5.6.7:30827

Let’s look at the configuration files I requested above.

1 Like
ubus call system board
{
	"kernel": "5.15.137",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "Xiaomi Redmi Router AX6S",
	"board_name": "xiaomi,redmi-router-ax6s",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "mediatek/mt7622",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
}

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'asdfsadf'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.5.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'wan'
	option macaddr 'asdfasdf'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option auto '0'
	option reqaddress 'try'
	option reqprefix 'auto'

config interface 'wwan'
	option proto 'dhcp'

config interface 'MyVPN'
	option proto 'wireguard'
	option private_key 'asdfasdf'
	list addresses '10.17.248.16/24'
	list dns '8.8.8.8'
	list dns '8.8.4.4'

config wireguard_MyVPN
	option description 'XiaomiRouter.conf'
	option public_key 'asdfasdf'
	option preshared_key 'asdfasdf'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::0/0'
	option endpoint_host '1.5.6.7'
	option endpoint_port '30827'

cat /etc/config/firewall

# some defaults skipped
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'
	list network 'MyVPN'

config zone
	option name 'MyVPNVPN'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'MyVPN'

config forwarding
	option src 'lan'
	option dest 'MyVPNVPN'

Remove the vpn from the wan zone. A network can only be in a single firewall zone.

Set input and forward rules to reject on the vpn zone.

Did it. No packets.

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'

config zone
	option name 'MyVPNVPN'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'MyVPN'

Anyway, I assumed that just importing the .conf file would work. It doesn't. What additional steps do I need to take?

In WireGuard config enable Route Allowed IPs
option route_allowed_ips '1'

Also add Persistent Keep Alive 25 in the Peer section although it should work without.

If WireGuard is disabled do you have internet access?

2 Likes

Yep!!! This worked! Ping works and I see packet flow with tcpdump on the OpenWRT and on the intermediate router.

But how come? "Route allowed IPs" belongs to routing in the subnet, though I did not see a single packet for establishing a handshake.

But for now I don't have internet connection with WG disabled. This happens because the default route disappeared.

1 Like

WireGuard is not a talkative protocol; it is silent by default.

About 'Route Allowed IPs' I would enable that by default but that is just my personal opinion.
I have seen more users struggling with this (including myself when I started using OpenWRT).

1 Like

I also have to set the default metric for the WAN interface to 1024, in LuCI or:

# Preserve default route
uci set network.wan.metric="1024"

This resolves all the problems for now. Thank you all!

Should we edit somehow https://openwrt.org/docs/guide-user/services/vpn/wireguard/extras and note this?

Default route should come back if you restart the network (service network restart).

If that is not feasible you can use the routes 128.0.0.0/1 and 0.0.0.0/1 instead of the route 0.0.0.0/0.

That part with custom metric is already linked from the VPN client page.

This option is not obvious if you are just importing a conf file and end up with a tunnel that does not work.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.