Instagram failure to connect over Wireguard

The Instagram app (iOS) fails to send or receive data when connected to my OpenWrt router's WireGuard interface. Following the advice from this post, setting an MTU value of 1200 in the iOS WireGuard profile fixes the issue. This got me wondering whether my WireGuard interface is incorrectly configured, or whether this is just a buggy Instagram app.

What happens on the iPhone without the setting of 1200:

  • The app does not receive updates (animated spinning wheel only)
  • Eventually, the app times out and displays an idiot light message similar to "something went wrong"

Router configs:

/etc/config/network
# /etc/config/network as posted. WAN addresses and the WireGuard private key
# are redacted ('xxx'). The listing is truncated after the wg0 interface, so
# the peer sections (config wireguard_wg0) are not visible here.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# Every device below sets ipv6 '0', so the ULA prefix appears to be unused in
# this excerpt; the IPv6-only firewall rules (e.g. Allow-MLD) are inert too.
config globals 'globals'
	option ula_prefix 'fd1d:692b:58dc::/48'
	option packet_steering '2'
	option steering_flows '128'

# eth0 is the WAN port, eth1 the single LAN port (trunk to a managed switch,
# judging by the tagged-only bridge-vlan entries and the switch deny rules in
# the firewall). IPv6 is disabled on both.
config device
	option name 'eth0'
	option ipv6 '0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	option ipv6 '0'

# One 802.1q sub-interface per VLAN on top of br-lan. Each gets its own
# interface and firewall zone below, so inter-VLAN traffic is only possible
# through explicit 'config forwarding' / 'config rule' entries.
config device
	option name 'br-lan.3'
	option type '8021q'
	option ifname 'br-lan'
	option vid '3'
	option ipv6 '0'

config device
	option name 'br-lan.4'
	option type '8021q'
	option ifname 'br-lan'
	option vid '4'
	option ipv6 '0'

config device
	option name 'br-lan.5'
	option type '8021q'
	option ifname 'br-lan'
	option vid '5'
	option ipv6 '0'

config device
	option name 'br-lan.6'
	option type '8021q'
	option ifname 'br-lan'
	option vid '6'
	option ipv6 '0'

config device
	option name 'br-lan.10'
	option type '8021q'
	option ifname 'br-lan'
	option vid '10'
	option ipv6 '0'

# VLANs 3,4,5,6,10 leave eth1 tagged only ('eth1:t'); no untagged/native VLAN
# is listed, so untagged frames on eth1 are not assigned to any of these.
config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'eth1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '4'
	list ports 'eth1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '5'
	list ports 'eth1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '6'
	list ports 'eth1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'eth1:t'

# Bridge for LXC containers (pi-hole at 10.0.4.250 per the firewall redirects).
# bridge_empty '1' keeps it up with no physical ports attached.
config device
	option type 'bridge'
	option name 'lxcbr0'
	option ipv6 '0'
	option bridge_empty '1'

# Static WAN (/26). Because it is static, the 'Allow-DHCP-Renew' firewall rule
# never matches anything here.
config interface 'wan'
	option device 'eth0'
	option proto 'static'
	option ipaddr 'xxx'
	option netmask '255.255.255.192'
	option gateway 'xxx'
	option delegate '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config interface 'guest'
	option device 'br-lan.3'
	option proto 'static'
	option ipaddr '10.9.7.1'
	option netmask '255.255.255.0'
	option delegate '0'

config interface 'homeoffice'
	option device 'br-lan.4'
	option proto 'static'
	option ipaddr '10.9.6.1'
	option netmask '255.255.255.0'
	option delegate '0'

config interface 'iot'
	option device 'br-lan.5'
	option proto 'static'
	option ipaddr '10.9.5.1'
	option netmask '255.255.255.0'
	option delegate '0'

# auto '0': this VLAN interface is not brought up at boot/reload; its
# firewall zone ('vpn') exists but is idle until the interface is started.
config interface 'vpn'
	option device 'br-lan.6'
	option proto 'static'
	option ipaddr '10.9.4.1'
	option netmask '255.255.255.0'
	option delegate '0'
	option auto '0'

config interface 'lan'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '10.9.8.1'
	option netmask '255.255.255.0'
	option delegate '0'

config interface 'lxc'
	option device 'lxcbr0'
	option proto 'static'
	option ipaddr '10.0.4.1'
	option netmask '255.255.255.0'

# WireGuard server. listen_port matches the 'allow-wireguard' WAN input rule.
# No 'option mtu' is visible in this excerpt, so the interface runs at the
# WireGuard default (typically 1420). Note that the zone-level mtu_fix in
# /etc/config/firewall only clamps TCP MSS; UDP flows such as QUIC/HTTP3
# depend on path-MTU discovery instead, which is consistent with the symptom
# of one app stalling until the client-side MTU is lowered.
config interface 'wg0'
	option proto 'wireguard'
	option listen_port '51820'
	list addresses '10.200.200.200/24'
	option private_key 'xxx'
...
/etc/config/firewall
# /etc/config/firewall as posted. Default policy is deny (REJECT) for traffic
# to the router and between zones; only the forwardings and rules below open
# anything. Review notes are added as comments and do not change behaviour.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# Only lan and lxc may reach the router itself unrestricted (input ACCEPT).
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'lan'

config zone
	option name 'lxc'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'lxc'

# WireGuard clients: input REJECT, so only the explicit 'wg ...' rules below
# reach the router. mtu_fix '1' clamps TCP MSS on forwarded TCP only; it has
# no effect on UDP (QUIC/HTTP3) traffic.
config zone
	option name 'wg0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wg0'
	option mtu_fix '1'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config zone
	option name 'homeoffice'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'homeoffice'

config zone
	option name 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'iot'

# 'wg1' is listed here but no such interface appears in the network config
# excerpt above (it may be in the truncated part). If it exists it is treated
# as an upstream (masq + DROP), i.e. a client/outbound tunnel; if not, the
# entry is inert. Worth confirming, as the thread asks about wg-in-wg.
config zone
	option name 'wan'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wg1'

config zone
	option name 'vpn'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	list network 'vpn'

config forwarding
	option src 'vpn'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'guest'

config forwarding
	option src 'lan'
	option dest 'homeoffice'

config forwarding
	option src 'lan'
	option dest 'iot'

config forwarding
	option src 'lan'
	option dest 'lxc'

config forwarding
	option src 'lxc'
	option dest 'wan'

# NOTE(review): this forwarding permits ALL traffic wg0 -> iot, which makes
# the port-specific 'wg camera access' rule further down redundant. If
# camera-only access from the tunnel is the intent, remove this forwarding
# and keep that rule (least privilege). There is deliberately no wg0 -> lan
# forwarding, so tunnel clients cannot reach the main LAN.
config forwarding
	option src 'wg0'
	option dest 'iot'

config forwarding
	option src 'wg0'
	option dest 'wan'

config forwarding
	option src 'guest'
	option dest 'wan'

config forwarding
	option src 'homeoffice'
	option dest 'wan'

# OpenWrt default WAN input rules. With a static WAN and IPv6 disabled on all
# devices, Allow-DHCP-Renew and Allow-MLD never match.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# Default rule that forwards ESP from WAN into lan. Nothing in the posted
# config uses IPsec; it can be removed if no lan host terminates IPsec.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

# Inbound WireGuard handshake/data to the router; port matches wg0 listen_port.
config rule 'wg'
	option name 'allow-wireguard'
	option proto 'udp'
	option target 'ACCEPT'
	option src 'wan'
	option dest_port '51820'
	option family 'ipv4'

# Keep the two managed switches off the internet (REJECT overrides the
# lan -> wan forwarding for these source addresses).
config rule
	option src 'lan'
	option target 'REJECT'
	option name 'deny wan access to managed switch'
	option dest 'wan'
	list proto 'all'
	list src_ip '10.9.8.100'

config rule
	option src 'lan'
	option target 'REJECT'
	option name 'deny wan access to managed GbE switch'
	option dest 'wan'
	list proto 'all'
	list src_ip '10.9.8.200'

# Router-input from the tunnel. WireGuard peers get static addresses, so the
# DHCP ports (67/68) are most likely never used here and could be dropped,
# leaving only 53.
config rule
	option src 'wg0'
	option target 'ACCEPT'
	option name 'wg dhcp and dns'
	list proto 'tcp'
	list proto 'udp'
	option dest_port '53 67 68'

config rule
	option src 'guest'
	option target 'ACCEPT'
	option name 'guest dhcp dns'
	list proto 'tcp'
	list proto 'udp'
	option dest_port '53 67 68'

config rule
	option src 'homeoffice'
	option target 'ACCEPT'
	option name 'homeoffice dhcp dns'
	list proto 'tcp'
	list proto 'udp'
	option dest_port '53 67 68'
	option family 'ipv4'

config rule
	option src 'vpn'
	option target 'ACCEPT'
	option name 'vpn dhcp dns'
	list proto 'tcp'
	list proto 'udp'
	option dest_port '53 67 68'

config rule
	option src 'iot'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'
	option dest_port '67 68 123'
	option name 'iot dhcp and ntpd'
	option family 'ipv4'

# No 'proto' given, so fw4 applies its default of 'tcp udp'. Redundant while
# the wg0 -> iot forwarding above is present (see note there).
config rule
	option src 'wg0'
	option dest 'iot'
	option dest_port '80 554 9000'
	option target 'ACCEPT'
	option name 'wg camera access'

# DNS from the container network to the router (udp only; no tcp/53).
config rule
	list proto 'udp'
	option src 'lxc'
	option dest_port '53'
	option target 'ACCEPT'
	option name 'pi-hole-dns lxc to input'

config rule
	list proto 'udp'
	option src 'guest'
	option dest 'lxc'
	option dest_port '53'
	option target 'ACCEPT'
	option name 'pi-hole-dns guest to lxc'

# Name is misleading: src is wg0 (not guest) and dest is lxc. Suggest
# renaming to 'pi-hole-dns wg0 to lxc' so log lines are not misread.
config rule
	list proto 'udp'
	option src 'wg0'
	option dest 'lxc'
	option dest_port '53'
	option target 'ACCEPT'
	option name 'pi-hole-dns guest to wg'

# mDNS to the router itself (no dest), limited to three guest hosts;
# presumably feeds an avahi reflector on the router -- confirm.
config rule
	option dest_port '5353'
	option target 'ACCEPT'
	option src 'guest'
	list proto 'udp'
	option name 'multicast dns for appletv, works with avahi'
	list src_ip '10.9.7.180'
	list src_ip '10.9.7.181'
	list src_ip '10.9.7.182'

# dest '*' = any zone; effectively homeoffice -> lan host 10.9.8.250 on IPP.
config rule
	option name 'printer from work zone'
	option src 'homeoffice'
	option dest '*'
	list dest_ip '10.9.8.250'
	option dest_port '631'
	option target 'ACCEPT'

# Force plain DNS (port 53) from lan and guest to the pi-hole container.
# No equivalent redirect exists for wg0, homeoffice, iot or vpn, so clients
# there can still use any resolver they like; both redirects share the same
# name, which only matters for readability of rule listings.
config redirect
	option target 'DNAT'
	option name 'Intercept-DNS'
	option src 'lan'
	option src_dport '53'
	option dest_ip '10.0.4.250'
	option dest 'lxc'
	option dest_port '53'

config redirect
	option target 'DNAT'
	option name 'Intercept-DNS'
	option src 'guest'
	option src_dport '53'
	option dest 'lxc'
	option dest_ip '10.0.4.250'
	option dest_port '53'

# External scripts run on every firewall reload; they can add rules that do
# not appear in this file, so review them alongside it.
config include
	option enabled '1'
	option type 'script'
	option path '/etc/snort/snort-table.sh'
	option fw4_compatible '1'

# Unnamed host-to-host allow guest -> lan (all ports, default proto tcp udp).
# Giving it an 'option name' would make it easier to audit and to find in logs.
config rule
	option src 'guest'
	list src_ip '10.9.7.200'
	option dest 'lan'
	list dest_ip '10.9.8.108'
	option target 'ACCEPT'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/firewall.include'

Are you encapsulating one wg into another?

No, pretty standard setup.

mtu fix works on 24.10+ y/n ?¿

Yes, snapshot


Your config is very generic by all means.
Try disabling snort for a test, though it is unlikely to change anything; nfqueue is fairly independent of the traffic path.

Tried without snort running/no diff. I am OK with the config modification. Just seems odd to need it.

Another try, leave config as you had and try to bisect around ethtool -k/-K offloads.

The conntrack timeout for `meta l4proto udp ct status replied` (UDP flows that have seen a reply) is too short for typical HTTP/3 needs.
At least raising it prevents YouTube and Google Maps from freezing.

net.netfilter.nf_conntrack_udp_timeout = 300

Side effect: the conntrack table fills up considerably with NTP and DNS entries.

Hope it helps (in less than 2 years time)

I'll give it a try in a few days. Vacay now.