No wireguard handshake

I have wireguard installed on openwrt 21.02.1, on which I am running a server with a single peer, using these instructions (https://openwrt.org/docs/guide-user/services/vpn/wireguard/server). However my single client (android mobile on 4G) shows tx but 0 rx packets, and wg shows no indication of any handshake.

> wg show all

interface: vpn
  public key: RZYEt/Vh9AuIfg5i1A3HSoEG+eIK+yJRIjGGoTDmT14=
  private key: (hidden)
  listening port: 45356

peer: 83ZtWqyTR/TGQiMGCdL/h+xI2AxT4GQV8bu8eJSTJHU=
  allowed ips: 192.168.9.2/32

and

> wg show all latest-handshakes

vpn	83ZtWqyTR/TGQiMGCdL/h+xI2AxT4GQV8bu8eJSTJHU=	0

I know with some confidence that the inbound packets are getting through, because if I move the wireguard server to a different port then nc -l -u <wan IP> -p 45356 shows the packets arriving. tcpdump also shows the packets arriving but no responses from wireguard.

My config is:

> opkg list-installed "*wireguard*"

kmod-wireguard - 5.4.154-1
luci-app-wireguard - git-20.244.42172-21563a2
luci-proto-wireguard - git-21.243.21928-71fe35c
wireguard-tools - 1.0.20210223-2

> lsmod | grep wireguard

curve25519_neon        24576  1 wireguard
ip6_udp_tunnel         12288  1 wireguard
libblake2s             12288  1 wireguard
libchacha20poly1305    12288  1 wireguard
libcurve25519_generic   20480  2 wireguard,curve25519_neon
udp_tunnel             12288  1 wireguard
wireguard              57344  0

/etc/conf/network contains:

	option proto 'wireguard'
	option private_key '<snip>'
	option listen_port '45356'
	list addresses '192.168.9.1/24'
	option mtu '1420'

config wireguard_vpn 'wgclient'
	option public_key '83ZtWqyTR/TGQiMGCdL/h+xI2AxT4GQV8bu8eJSTJHU='
	list allowed_ips '192.168.9.2/32'
	option route_allowed_ips '1'

/etc/conf/firewall contains

config rule
	option name 'Allow Wireguard'
	list proto 'udp'
	option src 'wan'
	option dest_port '45356'
	option target 'ACCEPT'

and

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'home'
	list network 'vpn'

The openwrt box is running 4 networks (home, guest, iot and admin) of which the first three are Ethernet trunked to an identical openwrt box. Internet is via a pppoe connection. I have rebooted multiple times, rerun the entire process including the key generation and still can't see any handshake initiated.

Clearly the lack of debug info doesn't help (Wireguard debug log info?) and I've so far not built my own kernel to try and debug out of the system.

If I do try and ping the peer I get:

> ping 192.168.9.2

PING 192.168.9.2 (192.168.9.2): 56 data bytes
ping: sendto: Destination address required

Any thoughts on what I have done wrong or how I can diagnose it would be much appreciated.

Do you have a proper public IP on your PPPoE WAN? Is the OpenWrt router handling the PPPoE connection, or is there another router (or non-bridged modem) upstream?

Is your remote peer connecting through the internet, or is it local (i.e. wired or wifi on one of the LANs)?

Let's see your complete /etc/config/network and /etc/config/firewall files (redacted as necessary) as well as your remote peer's config.

Most likely it is a key misconfiguration. How did you transfer the keys to the android client?

3 Likes

By email. Would I not see an attempted handshake?

You're right, it was the keys. I regenerated the peer (android) private key on the device, updated the public key on openwrt and it worked. Thank you.

2 Likes

Thanks for the questions, but now resolved.

No, WG is not verbose and will not respond if the keys are not matching. So if there is one-way packet flow I usually suspect the keys first.

1 Like
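The two checks suggested in this thread (a latest-handshake of 0 means the server never answered, and a key that was mangled in transit is the usual cause) can be scripted. The following is an added example written for this thread, not code from the original posts or from the OpenWrt project. It assumes a POSIX shell with awk and base64 (BusyBox on OpenWrt works), and wireguard-tools (`wg`) only for the live checks; the interface name vpn and the peer line are taken from the thread, and the "now" timestamp is constructed.

```shell
#!/bin/sh
# Triage helper for a WireGuard "no handshake" symptom on an OpenWrt server.
# Added example; assumes POSIX sh, awk, base64 and (for live checks only) `wg`.

# Peers whose latest handshake is 0 (never) or older than $3 seconds.
# $1: text in `wg show all latest-handshakes` format (iface<TAB>pubkey<TAB>epoch)
# $2: current epoch seconds  $3: max age (default 180 s: rekey interval plus slack)
stale_peers() {
    printf '%s\n' "$1" | awk -v now="$2" -v max="${3:-180}" -F '\t' '
        NF == 3 && ($3 == 0 || now - $3 > max) { print $1, $2 }'
}

# A WireGuard key is 32 random bytes, base64-encoded: exactly 44 characters ending in "=".
# Keys pasted from email often pick up whitespace or lose the trailing "="; both fail here.
key_format_ok() {
    case "$1" in
        *[!A-Za-z0-9+/=]*) return 1 ;;   # whitespace or other non-base64 characters
        *=) ;;                           # must carry the single padding character
        *) return 1 ;;
    esac
    [ ${#1} -eq 44 ] || return 1
    [ "$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')" = "32" ]
}

# Derive the public key from a peer's private key ($1) and compare it with the public key
# configured on the server ($2). Returns 0 on match, 1 on mismatch, 2 if wg is unavailable.
peer_key_matches() {
    command -v wg >/dev/null 2>&1 || return 2
    [ "$(printf '%s' "$1" | wg pubkey)" = "$2" ]
}

# Live run on the router: list every peer that has not completed a handshake recently.
live_stale_peers() {
    command -v wg >/dev/null 2>&1 || { echo "wg not installed" >&2; return 2; }
    stale_peers "$(wg show all latest-handshakes)" "$(date +%s)"
}

# Constructed sample reproducing the thread's output: handshake epoch 0 = never answered.
SAMPLE="$(printf 'vpn\t83ZtWqyTR/TGQiMGCdL/h+xI2AxT4GQV8bu8eJSTJHU=\t0')"
stale_peers "$SAMPLE" 1700000000
```

On the router, `live_stale_peers` reports any peer that is still at 0 after the client has sent traffic; `key_format_ok` run against the key the client shows, and `peer_key_matches` run on the client's private key, separate a transport-mangled key (wrong length, stray whitespace) from a genuinely mismatched pair, which is the case this thread ended on.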
