Issue with Wireguard

anon31899521 · August 5, 2021, 4:09pm

Hi everyone,

So I'm here to ask some help about Wireguard. I have no connection, no handshake, no packet with it. I use Wireguard as a client and my VPN provider is Mullvad and my router is a Linksys WRT3200ACM.

I looking for some tips on the internet and I found this : https://bugs.openwrt.org/index.php?do=details&task_id=3653 So I tried to roll back to 19.07.4 but it doesn't work.

When I do a tcpdump, I have only one packet to the server but I never received the answer.

For the installation guide I use this one : https://mullvad.net/it/help/running-wireguard-router/ I have done all the steps a lot of time but it doesn't work.

Thanks for your help !

iplaywithtoys · August 5, 2021, 4:56pm

What are the contents of the relevant configuration files? Note: be sure to redact any sensitive information such as private keys and credentials.

anon31899521 · August 5, 2021, 5:38pm

Hi ! Here is the /etc/network file :

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'REDACTED'
        option force_link '1'
        list addresses '10.0.0.0/32'

config wireguard_wg0
        option public_key 'REDACTED'
        option description 'wireguard_wg0'
        option persistent_keepalive '25'
        list allowed_ips '0.0.0.0/0'
        option route_allowed_ips '1'
        option endpoint_host 'Endpoint Server'
        option endpoint_port '51820'

The /etc/firewall file :

config zone
        option network 'wg0'
        option name 'WGZONE'
        option mtu_fix '1'
        option input 'REJECT'
        option forward 'REJECT'
        option masq '1'
        option output 'ACCEPT'

config forwarding
        option dest 'WGZONE'
        option src 'lan'

Thanks for your help !

krazeh · August 5, 2021, 5:55pm

You probably need to open the port in your firewall. Try adding:

config rule
        option name 'WG'
        option family 'ipv4'
        list proto 'udp'
        option src 'wan'
        option dest_port '51820'
        option target 'ACCEPT'

anon31899521 · August 5, 2021, 6:16pm

Thank you for your comment but it doesn't work. I think the root cause is not the firewall :

I tried accept source any destination any with UDP no response from the remote server
I tried accept source any destination any for UDP/TCP no response from the remote server
I tried to sert the same port (51820) for the client with your rules : no working.

The tcpdump result :

20:09:01.752727 IP 192.168.1.42.60833 > 193.0.0.0.51820: UDP, length 148
20:09:07.512726 IP 192.168.1.42.60833 > 193.0.0.0.51820: UDP, length 148
20:09:13.272723 IP 192.168.1.42.60833 > 193.0.0.0.51820: UDP, length 148
20:09:19.032728 IP 192.168.1.42.60833 > 193.0.0.0.51820: UDP, length 148
20:09:24.053175 IP 192.168.1.42.60833 > 193.0.0.0.51820: UDP, length 148
20:09:29.272722 IP 192.168.1.42.60833 > 193.0.0.0.51820: UDP, length 148

So I don't think is the firewall

iplaywithtoys · August 5, 2021, 6:24pm

Are you absolutely sure that's correct? That instruction tells the router to configure its own WireGuard interface with the IP address 10.0.0.0. Normally 10.0.0.0 is usually a subnet address, not an interface address. The boolean logic and binary arithmetic behind IP addressing and subnetting mean that 10.0.0.0 can be an IP address, but it's extremely unusual for it to be used that way.

I'm not a Mullvad customer, so I'm not familiar with its documentation, but that particular directive looks very unusual to me.

anon31899521 · August 5, 2021, 7:02pm

The 10.0.0.0/32 is just to mask the real IP. Of course the real one is a standard IP address. Sorry about that !