I can't get my OpenWrt One router's Wireguard tunnel to connect to any external device. I've followed the documentation on this site as well as egc112's guide several times over to the best of my abilities, but still nada. Below I've attached redacted config info as per egc, but I can attach more (or redact less) if anyone can give me guidance.
Context
Hello, sorry, this FUTO wiki got me hooked on the idea of a homelab, and I tried following the guide with a bunch of different hardware and software without having a deep appreciation of the learning curve that would entail.
I'm in Japan, which requires a MAP-E configuration on OpenWrt for reasons.
My goal with WireGuard is just to be able to connect to my home network while not at home, mostly to use Immich. I don't need any other VPN services like accessing servers in other countries and what have you. The FUTO guide recommended setting up a DDNS through freedns, which I did. I'm happy to change to a different DDNS if that's recommended for configuration's sake, especially if there's a reliable free service like the one I'm using now.
The Situation
root@OpenWrt:~# ubus call system board
{
	"kernel": "6.12.47",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "OpenWrt One",
	"board_name": "openwrt,one",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "SNAPSHOT",
		"firmware_url": "https://downloads.openwrt.org/",
		"revision": "r31114-b2f814fed4",
		"target": "mediatek/filogic",
		"description": "OpenWrt SNAPSHOT r31114-b2f814fed4",
		"builddate": "1758322481"
	}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	list ipaddr '127.0.0.1/8'

config globals 'globals'
	option ula_prefix 'fd4b:1798:c21d::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	list ipaddr '192.168.1.1/24'
	option ip6assign '60'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option norelease '1'
	option sourcefilter '0'

config interface 'wan6mape'
	option proto 'map'
	option maptype 'map-e'
	option peeraddr '(redacted)'
	option ipaddr '(redacted)'
	option ip4prefixlen '15'
	option ip6prefix '(redacted)'
	option ip6prefixlen '31'
	option ealen '25'
	option psidlen '8'
	option offset '4'
	option tunlink 'wan6'
	option legacymap '1'

config interface 'wg0'
	option proto 'wireguard'
	option private_key '(redacted)'
	option listen_port '51820'
	list addresses '10.0.0.1/24'

config wireguard_wg0
	option public_key 'V(redacted)='
	option private_key '(redacted)'
	option description 'nothing'
	option route_allowed_ips '1'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	list allowed_ips '10.0.0.2/32'

config wireguard_wg0
	option public_key 'Q(redacted)='
	option private_key '(redacted)'
	option description 'laptop'
	option route_allowed_ips '1'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	list allowed_ips '10.0.0.3/32'
root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi'
	option band '2g'
	option channel '6'
	option htmode 'HE40'
	option num_global_macaddr '7'
	option country 'JP'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid '(redacted)'
	option encryption 'psk2'
	option key '(redacted)'
	option wpa_disable_eapol_key_retries '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi+1'
	option band '5g'
	option channel '48'
	option htmode 'HE160'
	option num_global_macaddr '7'
	option country 'JP'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid '(redacted)'
	option encryption 'sae'
	option key '(redacted)'
	option ocv '0'
	option wpa_disable_eapol_key_retries '1'
root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg0'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'
	option masq6 '1'
	list masq_src '(should be redacted?)'
	list network 'wan'
	list network 'wan6'
	list network 'wan6mape'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'wgserver'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'wgserver'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'wgserver'

config zone
	option name 'WireguardVPN'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'WireguardVPN'
	option dest 'lan'

config forwarding
	option src 'WireguardVPN'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'WireguardVPN'

config rule
	option src 'wan'
	option name 'WireGuard-incoming'
	list proto 'udp'
	option dest_port '51820'
	option target 'ACCEPT'
root@OpenWrt:~# wg show
interface: wg0
  public key: G(redacted)=
  private key: (hidden)
  listening port: 51820

peer: V(redacted)=
  allowed ips: 10.0.0.2/32
  persistent keepalive: every 25 seconds

peer: Q(redacted)=
  allowed ips: 10.0.0.3/32
  persistent keepalive: every 25 seconds
I'm not concretely familiar* with MAP-E, but as far as I understand, MAP-E is also a form of CGNAT. That means to the outside world you're on a shared IPv4 address, so you generally can't accept incoming IPv4 connections.
*) my line with Asahi-net is IPoE and, lucky for me, also PPPoE -- I get to choose between all the worst options
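The shared-address point above has a concrete consequence for an inbound WireGuard port. Under MAP-E (RFC 7597) every subscriber behind one public IPv4 address is handed a port-set ID (PSID), and the border relay only forwards TCP/UDP ports whose bit pattern encodes that PSID, so a fixed listen port such as 51820 is reachable only if it happens to fall inside the subscriber's slice. The script below is an added example, not code from this thread, from egc112's guide or from OpenWrt. It takes psidlen 8, offset 4, ealen 25 and ip4prefixlen 15 from the poster's wan6mape section and works out the resulting port set; the PSID values it feeds in are invented, because the real one is derived from the redacted delegated IPv6 prefix.

```python
"""MAP-E port-set arithmetic (RFC 7597, section 5.1).

Added example, not part of the original thread or of OpenWrt. psid_len=8,
offset=4, ealen=25 and ip4prefixlen=15 are the values in the poster's
'wan6mape' section; every PSID value used here is made up, because the
real PSID comes from the redacted delegated IPv6 prefix.
"""

PORT_BITS = 16


def psid_len_from_ea(ealen: int, ip4prefixlen: int) -> int:
    """Derive the PSID length from the EA-bit length and the rule's IPv4 prefix.

    The EA bits carry the IPv4 suffix (32 - ip4prefixlen bits) followed by
    the PSID, so whatever is left over is the PSID.
    """
    suffix_bits = 32 - ip4prefixlen
    if ealen < suffix_bits:
        raise ValueError("ealen is too short to carry the IPv4 suffix")
    return ealen - suffix_bits


def sharing_ratio(psid_len: int) -> int:
    """Number of subscribers sharing one public IPv4 address."""
    return 1 << psid_len


def port_set(psid: int, psid_len: int, offset: int) -> list:
    """Return the contiguous port ranges one PSID may use.

    A port is laid out as [A: offset bits][PSID: psid_len bits][M: remaining
    bits]. Every value of A except 0 is allowed (A == 0 would hand out the
    system ports 0..2^(16-offset)-1, which MAP excludes), so the subscriber
    gets 2^offset - 1 blocks of 2^M ports each.
    """
    m_bits = PORT_BITS - offset - psid_len
    if m_bits < 0:
        raise ValueError("offset + psid_len must not exceed 16 bits")
    if not 0 <= psid < (1 << psid_len):
        raise ValueError("psid does not fit in psid_len bits")
    first_a = 1 if offset > 0 else 0
    ranges = []
    for a in range(first_a, 1 << offset):
        base = (a << (PORT_BITS - offset)) | (psid << m_bits)
        ranges.append(range(base, base + (1 << m_bits)))
    return ranges


def psid_for_port(port: int, psid_len: int, offset: int) -> int:
    """Extract the PSID bits from a port number (the inverse of port_set)."""
    m_bits = PORT_BITS - offset - psid_len
    return (port >> m_bits) & ((1 << psid_len) - 1)


def port_allowed(port: int, psid: int, psid_len: int, offset: int) -> bool:
    """True if this subscriber may receive traffic on `port` through the BR."""
    if not 0 <= port < (1 << PORT_BITS):
        return False
    a = port >> (PORT_BITS - offset)
    if offset > 0 and a == 0:
        return False  # the excluded system-port block
    return psid_for_port(port, psid_len, offset) == psid


if __name__ == "__main__":
    PSID_LEN, OFFSET = 8, 4  # from the poster's config
    # consistency check: ealen/ip4prefixlen must agree with psidlen
    assert psid_len_from_ea(25, 15) == PSID_LEN
    print("subscribers per IPv4 address:", sharing_ratio(PSID_LEN))
    for psid in (5, 166):  # made-up PSIDs
        ranges = port_set(psid, PSID_LEN, OFFSET)
        total = sum(len(r) for r in ranges)
        print(f"PSID {psid}: {len(ranges)} blocks, {total} ports, "
              f"last block {ranges[-1].start}-{ranges[-1].stop - 1}, "
              f"51820 usable: {port_allowed(51820, psid, PSID_LEN, OFFSET)}")
    print("PSID that owns 51820:", psid_for_port(51820, PSID_LEN, OFFSET))
```

With these parameters one IPv4 address is shared 256 ways and each subscriber gets 15 blocks of 16 ports (240 ports in total), and UDP 51820 belongs to exactly one PSID (166). Even when the router's rule accepts the port, the border relay silently drops anything addressed to a port outside the subscriber's set, so a self-hosted listener behind MAP-E would at minimum have to use a `listen_port` taken from its own set, with the clients' `endpoint_port` changed to match.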
(Here's a spoonful of the WireGuard log, just in case it's useful.)
2025-09-29 19:51:28.689923: [NET] peer(pubkey) - Sending handshake initiation
2025-09-29 19:51:28.691443: [NET] peer(pubkey) - Failed to send handshake initiation: write udp4 0.0.0.0:51820->(hostIP):51820: sendto: no route to host
2025-09-29 19:51:28.925357: [NET] peer(pubkey) - Failed to send data packet: write udp4 0.0.0.0:51820->(hostIP):51820: sendto: no route to host
2025-09-29 19:51:29.535638: [NET] peer(pubkey) - Failed to send data packet: write udp4 0.0.0.0:51820->(hostIP):51820: sendto: no route to host
2025-09-29 19:51:29.926787: [NET] peer(pubkey) - Failed to send data packet: write udp4 0.0.0.0:51820->(hostIP):51820: sendto: no route to host
2025-09-29 19:51:30.036898: [NET] peer(pubkey) - Failed to send data packet: write udp4 0.0.0.0:51820->(hostIP):51820: sendto: no route to host
2025-09-29 19:51:30.527025: [NET] peer(pubkey) - Failed to send data packet: write udp4 0.0.0.0:51820->(hostIP):51820: sendto: no route to host
2025-09-29 19:51:30.533082: [NET] peer(pubkey) - Failed to send data packet: write udp4 0.0.0.0:51820->(hostIP):51820: sendto: no route to host
2025-09-29 19:51:30.842030: [NET] peer(pubkey) - Failed to send data packet: write udp4 0.0.0.0:51820->(hostIP):51820: sendto: no route to host
2025-09-29 19:51:30.927412: [NET] peer(pubkey) - Failed to send data packet: write udp4 0.0.0.0:51820->(hostIP):51820: sendto: no route to host
2025-09-29 19:51:31.074891: [NET] peer(pubkey) - Failed to send data packet: write udp4 0.0.0.0:51820->(hostIP):51820: sendto: no route to host
2025-09-29 19:51:31.342491: [NET] peer(pubkey) - Failed to send data packet: write udp4 0.0.0.0:51820->(hostIP):51820: sendto: no route to host
2025-09-29 19:51:31.515065: [NET] peer(pubkey) - Failed to send data packet: write udp4 0.0.0.0:51820->(hostIP):51820: sendto: no route to host
2025-09-29 19:51:31.534524: [NET] peer(pubkey) - Failed to send data packet: write udp4 0.0.0.0:51820->(hostIP):51820: sendto: no route to host
2025-09-29 19:51:31.558518: [NET] peer(pubkey) - Failed to send data packet: write udp4 0.0.0.0:51820->(hostIP):51820: sendto: no route to host
2025-09-29 19:51:31.617061: [NET] peer(pubkey) - Failed to send data packet: write udp4 0.0.0.0:51820->(hostIP):51820: sendto: no route to host
2025-09-29 19:51:31.929250: [NET] peer(pubkey) - Failed to send data packet: write udp4 0.0.0.0:51820->(hostIP):51820: sendto: no route to host
2025-09-29 19:51:32.492749: [NET] peer(pubkey) - Failed to send data packet: write udp4 0.0.0.0:51820->(hostIP):51820: sendto: no route to host
2025-09-29 19:51:32.515057: [NET] peer(pubkey) - Failed to send data packet: write udp4 0.0.0.0:51820->(hostIP):51820: sendto: no route to host
2025-09-29 19:51:32.535215: [NET] peer(pubkey) - Failed to send data packet: write udp4 0.0.0.0:51820->(hostIP):51820: sendto: no route to host
2025-09-29 19:51:32.618478: [NET] peer(pubkey) - Failed to send data packet: write udp4 0.0.0.0:51820->(hostIP):51820: sendto: no route to host
2025-09-29 19:51:32.673426: [NET] peer(pubkey) - Failed to send data packet: write udp4 0.0.0.0:51820->(hostIP):51820: sendto: no route to host
2025-09-29 19:51:32.842831: [NET] peer(pubkey) - Retrying handshake because we stopped hearing back after 15 seconds
2025-09-29 19:51:32.843288: [NET] peer(pubkey) - Failed to send data packet: write udp4 0.0.0.0:51820->(hostIP):51820: sendto: no route to host
2025-09-29 19:51:32.928964: [NET] peer(pubkey) - Failed to send data packet: write udp4 0.0.0.0:51820->(hostIP):51820: sendto: no route to host
2025-09-29 19:51:32.969483: [NET] peer(pubkey) - Failed to send data packet: write udp4 0.0.0.0:51820->(hostIP):51820: sendto: no route to host
2025-09-29 19:51:33.094756: [NET] peer(pubkey) - Failed to send data packet: write udp4 0.0.0.0:51820->(hostIP):51820: sendto: no route to host
2025-09-29 19:51:33.141920: [NET] peer(pubkey) - Failed to send data packet: write udp4 0.0.0.0:51820->(hostIP):51820: sendto: no route to host
2025-09-29 19:51:33.516899: [NET] peer(pubkey) - Failed to send data packet: write udp4 0.0.0.0:51820->(hostIP):51820: sendto: no route to host
2025-09-29 19:51:33.535780: [NET] peer(pubkey) - Failed to send data packet: write udp4 0.0.0.0:51820->(hostIP):51820: sendto: no route to host
2025-09-29 19:51:33.541713: [NET] peer(pubkey) - Failed to send data packet: write udp4 0.0.0.0:51820->(hostIP):51820: sendto: no route to host
2025-09-29 19:51:33.619834: [NET] peer(pubkey) - Failed to send data packet: write udp4 0.0.0.0:51820->(hostIP):51820: sendto: no route to host
2025-09-29 19:51:33.834071: [NET] peer(pubkey) - Handshake did not complete after 5 seconds, retrying (try 2)
Ahh, I may have read something about this somewhere over the last few weeks, probably around 2am.
But thank you for the hint! Have you passed on WireGuard then for that reason? If you use a VPN to connect to your home router, would you mind pointing me that way?
I didn't have to. With IPoE I would be in the same boat as you, but since I can still use PPPoE (and out here in the Kansai suburbs it is just as fast as the IPv4-in-IPv6 options) I can still do it the way you tried to. That's why I can't help you with the (existing, but significantly more complicated) methods to work around the CGNAT problem.
Sorry!
Takimata-san, can I ask a followup question? I played around the last few weeks, ended up landing on Tailscale. It seems perfect for my use-case (and so far it works!), but I'm wondering if there was any reason people didn't bring it up in this thread specifically. Do you happen to know if there's anything I should be aware of security-wise, using Tailscale with IPoE or MAP-E?
If you have a public IPv4 or IPv6 address setting up your own WireGuard server is simple and does not involve a commercial third party so that is usually preferred.
If you are behind CGNAT, so do not have a public IPv4 address, and do not have a public IPv6 address (check with: ifstatus wan6) or using IPv6 is not applicable, then you have to involve a commercial third party to get a public IP address.
This can be a VPN provider which supports port forwarding (e.g. ProtonVPN), or you can rent a Virtual Private Server (I have an Oracle VPS which can be had for free, see at the bottom of this guide), or use things like Netbird, Zerotier, Cloudflared, Tailscale or ngrok, and there are more. I have set up Netbird on several OpenWrt, Windows and Linux clients and it works well; see my notes about setting up Netbird on OpenWrt.
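The decision in the reply above (public address: self-hosted WireGuard; otherwise a relay or overlay) can be made from the `ifstatus` output it mentions. The script below is an added example, not part of this thread, egc112's guide or OpenWrt. It parses two JSON documents constructed to look like `ifstatus wan` and `ifstatus wan6` output (only the keys it reads are included) and classifies every address it finds; the addresses are made up, with 100.64.0.0/10 standing in for an ISP CGNAT address and the 203.0.113.0/24 and 2001:db8::/32 documentation ranges standing in for real public ones. Special-purpose ranges are matched explicitly rather than through `is_private`/`is_global`, because the standard library's treatment of 100.64.0.0/10 has varied across Python versions.

```python
"""Decide from OpenWrt `ifstatus` output whether the WAN side has a public
address that a self-hosted WireGuard endpoint could listen on.

Added example, not from the thread, egc112's guide or OpenWrt. The sample
JSON documents are constructed to resemble `ifstatus wan` / `ifstatus wan6`
output and the addresses in them are made up.
"""
import ipaddress
import json

# Ranges that cannot terminate an inbound tunnel from the Internet, checked
# explicitly because is_private/is_global treat 100.64.0.0/10 differently
# depending on the Python version.
_SPECIAL = [
    ("cgnat", ipaddress.ip_network("100.64.0.0/10")),  # RFC 6598 shared address space
    ("private", ipaddress.ip_network("10.0.0.0/8")),
    ("private", ipaddress.ip_network("172.16.0.0/12")),
    ("private", ipaddress.ip_network("192.168.0.0/16")),
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
    ("link-local", ipaddress.ip_network("169.254.0.0/16")),
    ("ula", ipaddress.ip_network("fc00::/7")),  # fd.. prefixes such as the router's ULA
    ("link-local", ipaddress.ip_network("fe80::/10")),
    ("loopback", ipaddress.ip_network("::1/128")),
]


def classify(address: str) -> str:
    """Label an address as 'public' or as one of the non-routable classes above."""
    ip = ipaddress.ip_address(address)
    for label, net in _SPECIAL:
        if ip.version == net.version and ip in net:
            return label
    return "public"


def addresses_from_ifstatus(status: dict) -> list:
    """Pull every address and delegated prefix out of an ifstatus document."""
    found = []
    for key in ("ipv4-address", "ipv6-address", "ipv6-prefix"):
        for entry in status.get(key, []):
            found.append(entry["address"])
    return found


def reachability_plan(wan_status: dict, wan6_status: dict) -> dict:
    """Summarise what kind of endpoint the WAN side can offer."""
    v4 = [classify(a) for a in addresses_from_ifstatus(wan_status)]
    v6 = [classify(a) for a in addresses_from_ifstatus(wan6_status)]
    public_v4 = "public" in v4
    public_v6 = "public" in v6
    if public_v4:
        advice = "self-hosted WireGuard on the router, reachable over IPv4"
    elif public_v6:
        advice = "self-hosted WireGuard is possible, but only for clients that also have IPv6"
    else:
        advice = "no public address: use a relay or overlay (VPS, Netbird, Tailscale, ...)"
    return {"ipv4": v4, "ipv6": v6, "public_ipv4": public_v4,
            "public_ipv6": public_v6, "advice": advice}


# Constructed samples shaped like `ifstatus wan` and `ifstatus wan6` output.
SAMPLE_WAN = json.loads("""
{ "up": true, "proto": "dhcp",
  "ipv4-address": [ { "address": "100.64.12.34", "mask": 22 } ],
  "ipv6-address": [] }
""")
SAMPLE_WAN6 = json.loads("""
{ "up": true, "proto": "dhcpv6",
  "ipv6-address": [],
  "ipv6-prefix": [ { "address": "2001:db8:1234::", "mask": 56 } ] }
""")
SAMPLE_WAN6_DOWN = json.loads('{ "up": false, "proto": "dhcpv6" }')


if __name__ == "__main__":
    for label, wan6 in (("IPoE with prefix", SAMPLE_WAN6), ("IPv6 down", SAMPLE_WAN6_DOWN)):
        plan = reachability_plan(SAMPLE_WAN, wan6)
        print(f"{label}: ipv4={plan['ipv4']} ipv6={plan['ipv6']} -> {plan['advice']}")
```

In the poster's situation the IPv4 side comes up as `cgnat`, so only the IPv6 branch can make a self-hosted endpoint work, and then only for clients that are themselves on IPv6 networks; everything else lands on the relay/overlay advice from the reply.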
Thank you! A few weeks ago I spent two or three nights working through your WireGuard guide, but in the end I realized Japan's IPoE system was CG-NAT. I didn't notice the Netbird note at the time, but this seems perfect for me.
I'm going to give it a try now--apologies if I trip over my shoelaces and come back asking for help.