No Wireguard Handshake -- Double Router - Configs included

I think you may have missed a step when following my wireguard guide for HH5a?

Having said that, it would not prevent handshaking though.

Remove the above entry.

You perhaps forgot to forward LAN to your WGZONE

It should look like this: [screenshot of the zone forwarding settings]

reference:
5-Wireguard client for HH5a.pdf
https://www.dropbox.com/sh/c8cqmpc6cacs5n8/AAA2f8htk1uMitBckDW8Jq88a?dl=0

Fresh install of the newest OpenWrt as per our conversation. Here are the updated configs; there is internet until I set up WireGuard again, and then no handshake.

# /etc/config/firewall
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

config zone
        option name 'VPN_ZONE'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'WG0'

config forwarding
        option src 'lan'
        option dest 'VPN_ZONE'

# /etc/config/network
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdbe:dd7c:501a::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.2.1'
        list dns '193.138.218.74'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '3 4 0'

config interface 'WG0'
        option proto 'wireguard'
        option private_key 'redacted'
        list addresses '10.68.164.94/32'
        option listen_port '51820'
        option force_link '1'

config wireguard_WG0
        option public_key 'redacted'
        list allowed_ips '0.0.0.0/0'
        option route_allowed_ips '1'
        option endpoint_host '193.27.13.130'
        option endpoint_port '51820'
        option persistent_keepalive '25'

Your config seems to look in order, except for:

Did you tick the 'Route Allowed IPs' check box in the Peers section? [screenshot of the 'Route Allowed IPs' check box]

Unfortunately, handshaking will still occur with success, but there will be no internet access from connected devices if the check box is not ticked.

Remove the listen port from this section. This is only relevant for inbound connections (yours is outbound).


Done, and no fix unfortunately.

At the advice of bill, I also connected the box to my phone's hotspot, got internet, and then still couldn't handshake WireGuard.

More interestingly, I have internet with Mullvad's WireGuard DNS settings on my LAN interface, until my WireGuard interface is turned back on.

If I'm not mistaken, you are able to connect to Mullvad via Wireguard with your phone, correct?

Can you try/confirm the following tests with your phone:

  • Connect while your phone is on cellular
  • Connect while your phone is on wifi behind the Nighthawk router (ISP modem > Nighthawk > phone)
  • Connect while your phone is on wifi behind the OpenWrt router (ISP modem > Nighthawk > OpenWrt > Phone) [OpenWrt router will not have WG active, of course].

FWIW, I think your OpenWrt router is actually using the DNS servers (ISP or Netgear router?) known to the WAN interface while the WireGuard interface is disabled, i.e. it is ignoring the Mullvad DNS servers specified in the LAN interface.


I have done all of these, and can confirm I can successfully connect on my phone on all 3 tests, cellular, Nighthawk wifi, and from my openwrt wifi.

Use your phone's info and double/triple/quadruple check that you have everything correctly entered into OpenWrt. Make sure that the keys in particular are correct (public vs private) with no typos and that the IP addresses and ports are right (export/copy and paste from the phone if you can).

Remove the force link option from the interface definition. And try again.

Gave this a go and it did not handshake.

This makes no sense to me. If all the info is exactly as it is on your phone, it should connect.

Are you still on 20.02.0-RC3? If so, maybe it is worth upgrading to the official stable release.

Oh... another thing: check the time on your OpenWrt box. If the clock is wrong, handshakes won't work.

Finally, ssh into the router and post the output of wg show (redact the keys, of course)
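The checklist in the post above (clock, keys, wg show, ping from the router), pulled together as an added example script. This is not from the thread or from OpenWrt; it assumes the interface is called WG0 and the endpoint is 193.27.13.130 as in the posted config, the first embedded sample is the wg show output posted further down, and the keys used in it are made up for testing.

```shell
#!/bin/sh
# Added example, not part of the thread or of OpenWrt: a checklist script for
# the "initiations sent, nothing received" situation.  POSIX sh only, so it
# also runs under BusyBox ash on the router.  Interface name WG0 and the
# endpoint come from the posted config; test keys are constructed, not real.

# 1. Key format.  A WireGuard key is 32 bytes in base64: 43 base64 characters
#    plus a single '=' pad.  256 bits leave 2 zero padding bits, so the 43rd
#    character can only be one of A E I M Q U Y c g k o s w 0 4 8.  Failing
#    this means the key was mangled when copied (truncated, extra char, '==').
#    Passing does NOT prove it is the right key for this peer.
wg_key_valid() {
    key=$1
    [ "${#key}" -eq 44 ] || return 1
    case $key in
        *[!A-Za-z0-9+/=]*) return 1 ;;   # non-base64 character
        *=) ;;                           # must end in '='
        *) return 1 ;;
    esac
    body=${key%=}
    case $body in *=) return 1 ;; esac   # '==' would mean 31 bytes, not 32
    last=${body#"${body%?}"}             # 43rd character
    case $last in
        [AEIMQUYcgkosw048]) return 0 ;;
        *) return 1 ;;
    esac
}

# 2. Clock.  The initiation carries a TAI64N timestamp and the responder drops
#    any initiation whose timestamp is not newer than the last one it accepted
#    from that public key, so a router whose clock went backwards (no RTC, NTP
#    not yet synced) never gets a reply.  $1 is the oldest epoch you accept.
clock_sane() {
    [ "$(date +%s)" -gt "$1" ]
}

# 3. Verdict from `wg show <iface>` read on stdin (BusyBox awk is enough).
#    wg prints "latest handshake:" only after one has completed, so its
#    absence together with "0 B received" means our initiations leave the box
#    and nothing ever comes back.
wg_verdict() {
    awk '
        /latest handshake:/ { hs = 1 }
        /^ *transfer:/      { rx = $2 + 0; tx = $5 + 0 }  # "transfer: 0 B received, 888 B sent"
        END {
            if (hs)           print "OK: handshake completed"
            else if (tx == 0) print "FAIL: nothing sent; interface down or no route to the endpoint"
            else if (rx == 0) print "FAIL: initiations sent, no reply; check WAN reachability of the endpoint, the clock, and that the server holds THIS router public key"
            else              print "WARN: bytes received but no handshake recorded; re-check after the next keepalive"
        }'
}

verdict_of() {
    printf '%s\n' "$1" | wg_verdict
}

# Samples for offline use: the first is the wg show output posted in the thread.
SAMPLE_NO_HANDSHAKE='interface: WG0
  public key: redacted
  private key: (hidden)
  listening port: 36769

peer: redacted
  endpoint: 193.27.13.130:51820
  allowed ips: 0.0.0.0/0
  transfer: 0 B received, 888 B sent
  persistent keepalive: every 25 seconds'

SAMPLE_OK='interface: WG0
  public key: redacted
  listening port: 36769

peer: redacted
  endpoint: 193.27.13.130:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 12 seconds ago
  transfer: 1.21 MiB received, 324.52 KiB sent
  persistent keepalive: every 25 seconds'

# 4. Live mode, run on the router:  sh wgcheck.sh live WG0 193.27.13.130
if [ "${1:-}" = "live" ]; then
    ifname=$2; host=$3
    printf 'clock: '; date
    printf 'private key format: '; wg_key_valid "$(uci -q get "network.${ifname}.private_key")" && echo ok || echo BAD
    printf 'peer public key format: '; wg_key_valid "$(uci -q get "network.@wireguard_${ifname}[0].public_key")" && echo ok || echo BAD
    echo "route to endpoint (must leave via the WAN, not via $ifname):"; ip route get "$host"
    echo "reachability:"; ping -c 3 -W 2 "$host" || echo "ping failed (ICMP may be filtered, not conclusive on its own)"
    echo "status:"; wg show "$ifname" | wg_verdict
else
    verdict_of "$SAMPLE_NO_HANDSHAKE"
    verdict_of "$SAMPLE_OK"
fi
```

Copy it to the router and run it with the live arguments; without arguments it only scores the two embedded samples. The key check only catches copy/paste damage: a well-formed key that belongs to the wrong peer (or a private key pasted where the peer's public key belongs) still fails silently, which is why the transfer counters in wg show are the thing to read.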

Sherman,

I upgraded to the latest 21.02.0 yesterday in a desperate attempt to make things work.

My time is accurate and even if I resync it, no handshake occurs. No matter which way I slice this, this shit should work. I even forwarded a config to bill and he was able to connect successfully.

interface: WG0
  public key: redacted
  private key: (hidden)
  listening port: 36769

peer: redacted
  endpoint: 193.27.13.130:51820
  allowed ips: 0.0.0.0/0
  transfer: 0 B received, 888 B sent
  persistent keepalive: every 25 seconds

I'm out of ideas. It should work. I can confirm that WG is working in general on 20.02.0 -- I'm using it on my VPN endpoint (inbound) as well as my travel router (that connects to my endpoint at home). My configuration is effectively the same as yours...

config interface 'wg_Home'
	option proto 'wireguard'
	option private_key 'REDACTED'
	list addresses '10.91.1.3/32'
	option auto '0'

config wireguard_wg_Home
	option public_key 'REDACTED'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
	option endpoint_host 'REDACTED'
	option endpoint_port '8444'
	option persistent_keepalive '25'
	option description 'REDACTED'

Is it possible mullvad specifically hates my Router?

Or that my router has something fucked in the hardware?

No, and no... at least as far as I can tell. There really isn't any hardware specific concerns around the way that the protocol works, and I don't believe that it sends hardware or OS level identification to the remote peer (although I could be wrong).

You said that the OpenWrt WAN port is connected to the LAN of your Nighthawk, and that your modem is in bridge mode, so the WG connection should be able to go out the WAN.

Have you tried pinging 193.27.13.130 from the router?

I have the exact same issue. I have tried a lot of things but none of them worked.

I am just following this thread to find a solution! I can do some testing too.

Thanks all !

@mtsplt Quoting what you posted a month ago:

I have no connection, no handshake, no packet with it. I use Wireguard as a client and my VPN provider is Mullvad and my router is a Linksys WRT3200ACM.

So I tried to roll back to 19.07.4 but it doesn't work.

FYI, earlier today I provided @Sniffles with a Keepsolid WireGuard config to try on his GL-iNet B1300 (IPQ4028 SoC, AC1200) running 21.02.0. Sadly, he reported it was unsuccessful. Hopefully, he will provide a more detailed update later today.

I have a Linksys EA6350v3 with the slightly older IPQ4018 SoC (AC1200), and both my Keepsolid and Sniffles' Mullvad WireGuard configs work fine for me with 21.02.0.

This issue is very bizarre.

Indeed, I could make any config work on PC or mobile phone but that same config would not handshake on my device.

I've initiated a return because I've now reset and put in a new config a few dozen times. I guess I will take a look at the hardware section to determine the best hardware to buy. Bill has suggested buying his Linksys mentioned above on the used market for $20-30.

Did you at any point try connecting the OpenWRT device to the Netgear router by using LAN ports on each side? Just to rule out the firewall being an issue?

I actually did try connecting lan to lan just out of desperation. It gave me the same result. I was not aware doing so would rule out firewall issues so I also had the OpenWRT device in the DMZ of the upstream router.