Internet over Wireguard not working - but local addresses work

Internet traffic over Wireguard is very unstable, often to the point of not being able to load some lightweight websites. Sometimes it works, but very briefly.

It used to work reliably before, but that ended around the time I did a sysupgrade and reset and reconfigured from scratch. I've already double-checked the configuration and found nothing wrong, so I need your help with this.

Here's how I configured it.

Router configuration

/etc/config/network

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'REDACTED'
	option listen_port '55820'
	list addresses '192.168.2.1/32'
	list addresses 'fd9d:238c:b159:1::/64'
	option mtu '1300'

config wireguard_wg0 'helium'
	option public_key 'REDACTED'
	option route_allowed_ips '1'
	list allowed_ips '192.168.2.4/32'
	list allowed_ips 'fd9d:238c:b159:4::/64'

config wireguard_wg0 'lithium'
	option public_key 'REDACTED'
	option route_allowed_ips '1'
	list allowed_ips '192.168.2.3/32'
	list allowed_ips 'fd9d:238c:b159:3::/64'

config wireguard_wg0 'copper'
	option public_key 'REDACTED'
	option route_allowed_ips '1'
	list allowed_ips '192.168.2.2/32'
	list allowed_ips 'fd9d:238c:b159:2::/64'

I had to use a smaller MTU to accommodate udp2raw (for obfuscation), but I'm not using it yet.

/etc/config/firewall (only showing what was changed from defaults)

config zone 'lan'
	option name 'lan'
	list network 'lan'
+	list network 'wg0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config rule 'Allow_WireGuard'
	option name 'Allow_WireGuard'
	option src 'wan'
	option proto 'udp'
	option dest_port '55820'
	option target 'ACCEPT'

Client configuration (Android phone)

Interface

  • Addresses: 192.168.2.3/32, fd9d:238c:b159:3::/64
  • Listen Port: 55820
  • DNS Servers: 8.8.8.8, 8.8.4.4, 2001:4860:4860::8888, 2001:4860:4860::8844
  • MTU: 1300

Peer

  • Endpoint: <public_ipv4>:55820
  • Allowed IPs: 0.0.0.0/0, ::/0

System info

TP-Link Archer C6 v3
OpenWrt 23.05.3


Make the interface address a /24:

Please describe the "unreliable" symptoms you are experiencing as well as what you have done in terms of testing and troubleshooting.

Changed the interface address to 192.168.2.1/24, followed by a service network restart. The problem persists. But why /24? It's one interface, the router, address 192.168.2.1. It should be a specific address, not a subnet, as far as I know.

The client (Android phone), when connected to Wireguard, is able to talk to local addresses (from allowed IPs: 192.168.1.0/24 and IPv6 ULAs) without issues. Connecting to devices in my home LAN through Wireguard is working perfectly.

What isn't working is internet traffic through Wireguard. Webpages don't load. I said it's "unreliable", because that's what it seemed to be. Sometimes pages would load only once -- maybe it was browser cache. Today I have been unable to load any webpage through Wireguard, so it's probably best to say that it doesn't work at all.

The interface address typically has a subnet that is inclusive of the peer addresses. Much like the interface address of your lan. It is a singular IP address with a subnet size that includes the other hosts that will exist on the network.

You could try removing the IPv6 elements from your phone's config -- see if it works when it is just IPv4.


I removed the IPv6 Google DNS servers (only 2001:4860:4860::8888 and 2001:4860:4860::8844), and that fixed it. Thanks for the help.

It's strange, though. I never had a problem with these DNS servers until now.

But they're not really needed, as I don't have a stable IPv6 prefix to allocate for WireGuard peers. For now, I'm limited to using ULAs and link-local addresses here.

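As an added example (not from the thread, and not OpenWrt's own code), here is a small Python lint over the UCI fragments posted above. It flags the two points the replies converge on: peer allowed_ips that fall outside the wg0 address prefix (the /24 advice), and global IPv6 resolvers handed to a client whose tunnel only carries a ULA. With ::/0 in the phone's AllowedIPs, queries to 2001:4860:4860::8888 are pushed into the tunnel, and a router that has no IPv6 prefix to forward them on (as the last post says) has nowhere to send them, which is the likely reason removing those servers fixed it. It also checks the IPv6 minimum MTU and that the firewall opens the listen port from wan. The parser only understands the `config`/`option`/`list` lines shown here; the sample input is the posted config with keys left REDACTED.

```python
import ipaddress
import re

# Constructed sample input: the router's /etc/config/network and firewall
# fragments from the post above (keys left REDACTED as posted).
UCI_NETWORK = """
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'REDACTED'
	option listen_port '55820'
	list addresses '192.168.2.1/32'
	list addresses 'fd9d:238c:b159:1::/64'
	option mtu '1300'

config wireguard_wg0 'helium'
	option public_key 'REDACTED'
	option route_allowed_ips '1'
	list allowed_ips '192.168.2.4/32'
	list allowed_ips 'fd9d:238c:b159:4::/64'

config wireguard_wg0 'lithium'
	option public_key 'REDACTED'
	option route_allowed_ips '1'
	list allowed_ips '192.168.2.3/32'
	list allowed_ips 'fd9d:238c:b159:3::/64'
"""

UCI_FIREWALL = """
config rule 'Allow_WireGuard'
	option name 'Allow_WireGuard'
	option src 'wan'
	option proto 'udp'
	option dest_port '55820'
	option target 'ACCEPT'
"""

# DNS servers configured on the phone in the post.
CLIENT_DNS = ["8.8.8.8", "8.8.4.4", "2001:4860:4860::8888", "2001:4860:4860::8844"]


def parse_uci(text):
    """Minimal UCI parser: returns a list of {type, name, opts}; option and list values are kept as lists."""
    sections = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^config\s+(\S+)(?:\s+'([^']*)')?$", line)
        if m:
            cur = {"type": m.group(1), "name": m.group(2), "opts": {}}
            sections.append(cur)
            continue
        m = re.match(r"^(?:option|list)\s+(\S+)\s+'([^']*)'$", line)
        if m and cur is not None:
            cur["opts"].setdefault(m.group(1), []).append(m.group(2))
    return sections


def lint_wireguard(network, firewall, client_dns, iface="wg0"):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    findings = []
    wg = next(s for s in network if s["type"] == "interface" and s["name"] == iface)
    addrs = [ipaddress.ip_interface(a) for a in wg["opts"].get("addresses", [])]
    peers = [s for s in network if s["type"] == f"wireguard_{iface}"]

    # 1. The interface prefix should cover the peers' tunnel addresses (the /24 advice).
    for peer in peers:
        for aip in peer["opts"].get("allowed_ips", []):
            net = ipaddress.ip_network(aip, strict=False)
            if not any(a.version == net.version and net.subnet_of(a.network) for a in addrs):
                findings.append(f"peer {peer['name']}: allowed_ips {aip} not inside any {iface} address prefix")

    # 2. Only ULA IPv6 on the tunnel, but the client is told to use global IPv6 resolvers
    #    (with ::/0 in AllowedIPs those queries enter a tunnel the router cannot forward on).
    v6 = [a for a in addrs if a.version == 6]
    if v6 and all(a.ip.is_private for a in v6):
        for d in client_dns:
            dip = ipaddress.ip_address(d)
            if dip.version == 6 and dip.is_global:
                findings.append(f"client DNS {d} is global IPv6 but {iface} has only ULA addresses")

    # 3. MTU sanity: IPv6 requires a link MTU of at least 1280.
    mtu = int(wg["opts"].get("mtu", ["1420"])[0])
    if mtu < 1280:
        findings.append(f"{iface} mtu {mtu} is below the IPv6 minimum of 1280")

    # 4. The listen port must be accepted from wan in the firewall.
    port = wg["opts"].get("listen_port", [None])[0]
    opened = any(
        r["type"] == "rule"
        and "wan" in r["opts"].get("src", [])
        and "udp" in r["opts"].get("proto", [])
        and port in r["opts"].get("dest_port", [])
        and "ACCEPT" in r["opts"].get("target", [])
        for r in firewall
    )
    if not opened:
        findings.append(f"no firewall rule accepting udp/{port} from wan")
    return findings


if __name__ == "__main__":
    for f in lint_wireguard(parse_uci(UCI_NETWORK), parse_uci(UCI_FIREWALL), CLIENT_DNS):
        print("-", f)
```

Run it as-is and it reports the /32 interface address not covering either peer, the per-peer /64s not falling inside the router's fd9d:238c:b159:1::/64, and both Google IPv6 resolvers; change the address to 192.168.2.1/24 and drop the IPv6 resolvers, as the thread did, and the IPv4 and DNS findings disappear.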
