No Wireguard handshake with Wireguard "client" and "server" on cellular

Mike_C · July 30, 2023, 4:12am

Hi All. I had a very happy network running for months on end without any problem. A recent power outage has resulted in me needing to rebuild my router. I did a fresh install and then configured everything manually using backup files as reference. I've been searching the forum and Reddit for any hints that may put me out of my misery, but I can't seem to find anything that works.

My original working config is as follows:

OpenWRT router with Wireguard VPN peer to Mullvad - all devices on LAN are routed through the VPN with the exception of some smart TVs that are routed via WAN with Policy Based Routing.
Wireguard "server" peer running on OpenWRT that provides remote access to my LAN and internet (with ad blocking) when I'm out on my Pixel phone.
This was all working happily until the rebuild and now nothing I do works. I can get a handshake if my phone is connected to my WiFi, on cellular, or other Wi-Fi, it won't work.

I can see packets arriving and being sent on my VPN interface on OpenWRT, but no handshake when attempting to connect via cellular network.

I have manually generated keys repeatedly and re-configured configurations. I tried using the automated config scripts too. All end up with the same result - can only handshake on my Wi-Fi. Unfortunately I don't have a networking background so all of my attempts have been trial and error without being 100% certain of the outcome of some of the commands.

Wireguard client on the Pixel is set to connect to my WAN static IP address.

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd00:ab:cd::/48'

config device
	option name 'eth2'
	option macaddr 'redacted'

config interface 'wan'
	option device 'eth2'
	option proto 'dhcp'
	option peerdns '0'
	list dns '9.9.9.9'
	list dns '149.112.112.112'
	option ipv6 '0'
	option delegate '0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'eth0'

config device
	option name 'eth1'
	option macaddr 'redacted'

config device
	option name 'eth0'
	option macaddr 'redacted'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.0.0.254'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '10.0.0.254'
	list dns '127.0.0.1'
	option ipv6 'off'
	option delegate '0'
	option force_link '0'

config interface 'WG0'
	option proto 'wireguard'
	option private_key 'redacted'
	list addresses 'redacted/32'
	list addresses 'redacted/128'

config wireguard_WG0
	option description ' au-per-wg-301 '
	option public_key 'hQXsNk/9R2We0pzP1S9J3oNErEu2CyENlwTdmDUYFhg='
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
	option endpoint_host 'au-per-wg-301.relays.mullvad.net'
	option endpoint_port '51820'
	option persistent_keepalive '25'

config interface 'vpn'
	option proto 'wireguard'
	option private_key 'redacted'
	option listen_port '991'
	list addresses '192.168.9.1/24'

config wireguard_vpn 'wgclient'
	option public_key 'redacted'
	option preshared_key 'redacted'
	option description 'Pixel'
	option persistent_keepalive '25'
	list allowed_ips '192.168.9.2/32'
	option route_allowed_ips '1'

config route
	option interface 'vpn'
	option target '192.168.9.2/32'
	option gateway '192.168.9.1'

Wireguard OpenWRT Config

interface: WG0
  public key: redacted
  private key: (hidden)
  listening port: 26162

peer: redacted
  endpoint: redacted:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 1 minute, 45 seconds ago
  transfer: 66.31 GiB received, 4.91 GiB sent
  persistent keepalive: every 25 seconds

interface: vpn
  public key: redacted
  private key: (hidden)
  listening port: 991

peer: redacted
  preshared key: (hidden)
  endpoint: redacted1951
  allowed ips: 192.168.9.2/32
  transfer: 3.61 KiB received, 2.01 MiB sent
  persistent keepalive: every 25 seconds

Wireguard Pixel Config

[Interface]
Address = 192.168.9.2/32
DNS = 10.0.0.254
PrivateKey = redacted

[Peer]
AllowedIPs = 0.0.0.0/0, 10.0.0.0/24
Endpoint = my_public_static_ip:991
PreSharedKey = redacted
PublicKey = redacted

/etc/config/pbr

config pbr 'config'
	option verbosity '2'
	option strict_enforcement '1'
	option resolver_set 'none'
	option ipv6_enabled '0'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_reload_delay '1'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	option enabled '1'
	option webui_show_ignore_target '1'
	list ignored_interface 'vpn'
	list ignored_interface 'vpnserver'
	list ignored_interface 'wgserver'

config include
	option path '/usr/share/pbr/pbr.user.aws'
	option enabled '1'

config include
	option path '/usr/share/pbr/pbr.user.netflix'
	option enabled '1'

config policy
	option name 'Bypass VPN'
	option interface 'wan'
	option src_addr '10.0.0.65/27'

/etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option fullcone '1'
	option forward 'ACCEPT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'vpn'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option fullcone4 '1'
	option fullcone6 '1'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'

config rule
	option name 'Reject-IPv6'
	option family 'ipv6'
	option src 'wan'
	option dest '*'
	option target 'REJECT'
	option enabled '0'

config zone
	option name 'wgzone'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'WG0'

config forwarding
	option src 'lan'
	option dest 'wgzone'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

config nat
	option name 'dns_masq'
	list proto 'tcp'
	list proto 'udp'
	option src 'lan'
	option dest_ip '10.0.0.254'
	option dest_port '53'
	option target 'MASQUERADE'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'HASS App via WAN'
	option src 'wan'
	option src_dport '54962'
	option dest_ip '10.0.0.85'
	option dest_port '8123'

config rule
	option name 'Incoming Wireguard'
	list proto 'udp'
	option dest_port '991'
	option target 'ACCEPT'
	option src 'wan'

Thanks for any tips and / or guidance.

egc · July 30, 2023, 5:59am

As a quick test can you connect to your router when you stop the mullvad client?

Mike_C · July 30, 2023, 7:12am

Yeah. If I turn off the wg interface I can access the router.

psherman · July 30, 2023, 7:15am

You probably need to use policy based routing to ensure that egress packets for your ‘server’ use the wan instead of your commercial vpn.

Mike_C · July 30, 2023, 7:21am

Thanks mate. Added this to the PBR config:

config policy
	option name 'WG Incoming'
	option src_addr '192.168.9.2/32'
	option interface 'wan'

Saved and restarted router. No luck.

pavelgl · July 30, 2023, 7:24am

I don't think you will get it to work without changing the approach.

See:

https://github.com/openwrt/packages/issues/9538#issuecomment-1047385310

Disable the route_allowed_ips option and change the pbr policy.

config policy
	option name 'VPN excl SmartTV'
	option interface 'WG0'
	option src_addr '!10.0.0.64/27'

Add WG0 to the list of supported interfaces (just in case because of the capital letters).

Remove this, it's not necessary.

egc · July 30, 2023, 7:25am

Ok, I had the same problem running a WG client and a WG server so might be able to help

The porblem is that the WG servers traffic comes in via the WAN but as the default route is going out via the WG client (instead of the WAN) you firewall will not allow that.

So the solution (for me at least) was to make sure that traffic for the WG server goes out via the WAN.

What did not work:
It should be as simple as adding the source port of the WG server (in your case port 991) to the WAN with the PBR package:

I still have not found an explanation why that does not work, someone mentions it is something in the nftables maybe you are still using iptables and maybe it works for you

What did work for me
In the PBR GUI I added and extra user file:

I create that file in the directory with content:
ip rule add sport 52180 table pbr_wan
But in your case it should be
ip rule add sport 991 table pbr_wan

Maybe this is not the best place to add the file but it worked for me

Reboot the router and I hope it will work

Edit
To check if the rule is in operation do:
ip rule show
ip route show

Furthermore there is another method possible, Disable route allowed IPs on the WG client and make a rule in the PBR to route the clients you want via the WG client.
By not enabling route allowed IPs your default routing table (the one which is used by the server) is now going out via the WAN

Mike_C · July 30, 2023, 7:34am

Thank you egc. That did the trick. Really appreciate the quick assist on this one. Legends!

Here's a virtual beer.

system · August 9, 2023, 7:34am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.