OpenWrt Wireguard client cannot ping server or 8.8.8.8

I had set up my OpenWrt RPi3 as a travel router which connects to home (running a WireGuard server). The server runs perfectly fine, as I can connect my phone to it. However, something seems to go wrong with the Pi. It was working fine a year ago when I used it, but doesn't work now for some reason.
The keys seem to work, as it establishes a WireGuard connection. Probably something is misconfigured with the firewall? Pasting screenshots and logs below. Any help appreciated.


root@OpenWrt:~# logread -e vpn; netstat -l -n -p | grep -e "^udp\s.*\s-$"
udp        0      0 0.0.0.0:56800           0.0.0.0:*                           -
udp        0      0 :::56800                :::*                                -
root@OpenWrt:~# pgrep -f -a wg; wg show; wg showconf vpn
2207 wg-crypt-wg0
interface: wg0
  public key: <public key>
  private key: (hidden)
  listening port: 56800

peer: <key>
  endpoint: <ip address:port>
  allowed ips: 0.0.0.0/0
  latest handshake: 45 seconds ago
  transfer: 220 B received, 17.46 KiB sent
  persistent keepalive: every 25 seconds
Unable to access interface: No such device
root@OpenWrt:~# ip address show; ip route show table all
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP group default qlen 1000
    link/ether b8:27:eb:8b:91:a9 brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether b8:27:eb:de:c4:fc brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.16/24 brd 192.168.1.255 scope global wlan0
       valid_lft forever preferred_lft forever
    inet6 fe80::ba27:ebff:fede:c4fc/64 scope link
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether b8:27:eb:8b:91:a9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fe80::ba27:ebff:fe8b:91a9/64 scope link
       valid_lft forever preferred_lft forever
7: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.14.0.5/32 brd 255.255.255.255 scope global wg0
       valid_lft forever preferred_lft forever
default dev wg0 proto static scope link
<ip address> via 192.168.1.1 dev wlan0 proto static
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.16
192.168.2.0/24 dev br-lan proto kernel scope link src 192.168.2.1
local 10.14.0.5 dev wg0 table local proto kernel scope host src 10.14.0.5
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev wlan0 table local proto kernel scope link src 192.168.1.16
local 192.168.1.16 dev wlan0 table local proto kernel scope host src 192.168.1.16
broadcast 192.168.1.255 dev wlan0 table local proto kernel scope link src 192.168.1.16
broadcast 192.168.2.0 dev br-lan table local proto kernel scope link src 192.168.2.1
local 192.168.2.1 dev br-lan table local proto kernel scope host src 192.168.2.1
broadcast 192.168.2.255 dev br-lan table local proto kernel scope link src 192.168.2.1
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev wlan0 table local proto kernel metric 0 pref medium
local fe80::ba27:ebff:fe8b:91a9 dev br-lan table local proto kernel metric 0 pref medium
local fe80::ba27:ebff:fede:c4fc dev wlan0 table local proto kernel metric 0 pref medium
ff00::/8 dev br-lan table local proto kernel metric 256 pref medium
ff00::/8 dev wlan0 table local proto kernel metric 256 pref medium
ff00::/8 dev wg0 table local proto kernel metric 256 pref medium
root@OpenWrt:~# uci show network; uci show firewall; crontab -l
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ipaddr='192.168.2.1'
network.wwan=interface
network.wwan.proto='dhcp'
network.wg0=interface
network.wg0.proto='wireguard'
network.wg0.addresses='10.14.0.5/32'
network.wg0.private_key='<private key>'
network.wg0.delegate='0'
network.@wireguard_wg0[0]=wireguard_wg0
network.@wireguard_wg0[0].public_key='<public key>'
network.@wireguard_wg0[0].description='Description'
network.@wireguard_wg0[0].persistent_keepalive='25'
network.@wireguard_wg0[0].endpoint_port='<port>'
network.@wireguard_wg0[0].allowed_ips='0.0.0.0/0'
network.@wireguard_wg0[0].route_allowed_ips='1'
network.@wireguard_wg0[0].endpoint_host='<ip address>'
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].synflood_protect='1'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan wg0'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].input='ACCEPT'
firewall.@zone[1].forward='ACCEPT'
firewall.@zone[1].network='wwan'
firewall.@zone[1].masq='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[0].src='lan'
crontab: can't open 'root': No such file or directory

  • Have you tried simply generating a new key/account?
  • Does your device have updated time (i.e. can it reach the time server)?

Yes, I created new keys. But the keys are correct and not the problem. The wg0 interface sends and receives packets, which it wouldn't if the keys were wrong.
Also, if I stop the wg0 interface it can reach openwrt.org and the NTP server, and it synchronizes the time. But if I bring the wg0 interface back up, then it cannot reach 8.8.8.8 or openwrt.org, not even the internal WireGuard server IP, which is 10.14.0.1.
Something is wrong maybe with the firewall settings?

Did you remove Policy Based Routing; or change any IP Routes or IP Rules?

There are discrepancies between the screenshots and the configuration you posted.

I don't know which one is correct, but the wireguard interface should be assigned to the wan zone.

As far as I remember, no. I'm not sure exactly which setting I should look at for this.
In the firewall menu, Port Forwards, Traffic Rules, NAT Rules and Custom Rules are all empty.
In the Routes menu, Static IPv4 Routes is also empty.

Also I forgot to mention that my phone's wireguard client connects to the same server and works perfectly fine.

Yes, sorry for the confusion. I originally had the wg0 interface in the lan zone and I moved it to the wan zone afterwards (when I took the screenshots), but I still can't connect to the internet when wg0 is enabled.

Would you mind reposting the config files -- both to make sure we're now looking at the latest and also this time in a different format (to me the format below will be much more readable than the UCI dump).

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.2.1'

config interface 'wwan'
        option proto 'dhcp'

config interface 'wg0'
        option proto 'wireguard'
        list addresses '10.14.0.5/32'
        option private_key '****'
        option delegate '0'
        option auto '0'

config wireguard_wg0
        option public_key '****'
        option description 'abcd'
        option persistent_keepalive '25'
        option endpoint_port 'xxxxx'
        list allowed_ips '0.0.0.0/0'
        option route_allowed_ips '1'
        option endpoint_host '*****'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        option forward 'ACCEPT'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'lan'

config include
        option path '/etc/firewall.user'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option network 'wg0 wwan'
        option masq '1'

config forwarding
        option dest 'wan'
        option src 'lan'

What version of OpenWrt are you using?

ubus call system board

I ask because this syntax is outdated:

If you're using something recent, the bridge must be defined as a device outside the network interface definition, and "ifname" is no longer used.

and what is the output of this:

wg show

This will tell us if you're getting a handshake.

Set the IP on the wg0 interface to 10.14.0.5/24, then see if you can ping 10.14.0.1 through the tunnel. Though for forwarding to the Internet it will still work with /32: since the tunnel is point-to-point, you can throw packets into it without first resolving a "gateway" to receive them.

Try a traceroute to some numeric IP like 8.8.8.8 to see if it is reaching home or getting lost there. If using a numeric IP goes all the way to the destination (Google), then there is a DNS problem, not a routing problem.

root@OpenWrt:~# ubus call system board
{
        "kernel": "4.14.221",
        "hostname": "OpenWrt",
        "model": "Raspberry Pi 3 Model B Rev 1.2",
        "board_name": "raspberrypi,3-model-b",
        "release": {
                "distribution": "OpenWrt",
                "version": "19.07.7",
                "revision": "r11306-c4a6851c72",
                "target": "brcm2708/bcm2710",
                "description": "OpenWrt 19.07.7 r11306-c4a6851c72"
        }
}

root@OpenWrt:~# wg show
interface: wg0
  public key: ****
  private key: (hidden)
  listening port: 60958

peer: ****
  endpoint: x.x.x.x/xxx
  allowed ips: 0.0.0.0/0
  latest handshake: 28 seconds ago
  transfer: 188 B received, 52.44 KiB sent
  persistent keepalive: every 25 seconds

As far as I can tell the handshake happens normally. It's weird that I still cannot ping the server IP, though.

I changed it to /24 but didn't make any difference, and I still can't ping 10.14.0.1.
I can't ping/traceroute 8.8.8.8 either so it is not a DNS issue...

You should seriously consider upgrading your OpenWrt version, since your current installation is deprecated and unsupported (the 19.07 series went up to 19.07.10, but it has been EOL for several months). The latest is 22.03.2 (as of this writing), and it would be a good idea to upgrade so that you're running the latest, most secure, and properly supported version of OpenWrt.

Your handshake is indeed showing that you have a proper connection.

How are you running the ping tests? Are you doing it from OpenWrt itself (via an ssh session), or from a computer behind OpenWrt?

I will upgrade if it turns out that this setup is unusable for some reason, but I would rather skip the hassle since I only need it for a couple of weeks per year when I am traveling.

I am trying to ping both 10.14.0.1 and 8.8.8.8 from within an ssh session on the Pi itself.

Keep in mind that your current version does have security vulnerabilities, and it is also unsupported and EOL. You should seriously upgrade -- it's not hard and doesn't take long. We can help with best-effort, but no promises here.

Have you verified that the tunnel is working in terms of the far-side peer routing? Do you control the other peer? If you use the same config on your phone or computer (don't forget to stop the WG interface on the Pi), can you achieve the expected operation?
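As an added example (not code from this thread or from OpenWrt), a POSIX shell checker that reads `wg show` output like the dump posted above and tells the failure modes apart from the handshake age and the transfer counters. The sample is constructed from the redacted output posted earlier; the 3-minute handshake window and the 1 KiB / 4 KiB byte thresholds are assumptions.

```shell
# Constructed sample modelled on the `wg show` output posted in this thread (redacted as posted).
SAMPLE_WG_SHOW='interface: wg0
  public key: <public key>
  private key: (hidden)
  listening port: 56800

peer: <key>
  endpoint: <ip address:port>
  allowed ips: 0.0.0.0/0
  latest handshake: 45 seconds ago
  transfer: 220 B received, 17.46 KiB sent
  persistent keepalive: every 25 seconds'

# to_bytes NUMBER UNIT -> integer byte count, units as wg show prints them
to_bytes() {
  awk -v n="$1" -v u="$2" 'BEGIN { m["B"]=1; m["KiB"]=1024; m["MiB"]=1048576; m["GiB"]=1073741824
    printf "%d\n", n * m[u] }'
}

# hs_age_seconds "1 minute, 30 seconds ago" -> 90
hs_age_seconds() {
  printf '%s\n' "$1" | awk '{ m["second"]=1; m["minute"]=60; m["hour"]=3600; m["day"]=86400; s=0
    for (i=1; i<NF; i++) if ($i ~ /^[0-9]+$/) { u=$(i+1); sub(/s?,?$/, "", u); s+=$i*m[u] }
    print s }'
}

# wg_peer_verdict reads `wg show` text on stdin and prints one word:
#   NO_HANDSHAKE  no handshake: keys, endpoint or the UDP path are wrong
#   STALE         last handshake older than the 3-minute rekey window (threshold assumed)
#   ONE_WAY       fresh handshake but almost nothing received: the far side is not sending
#                 traffic back to us (its AllowedIPs, routing or NAT for our tunnel address)
#   OK            payload flowing in both directions
wg_peer_verdict() {
  hs=""; rx=0; tx=0
  while IFS= read -r line; do
    case "$line" in
      *"latest handshake:"*) hs=${line#*: } ;;
      *"transfer:"*)  # becomes: 220 B received 17.46 KiB sent
        set -- $(printf '%s\n' "$line" | sed 's/.*transfer: //; s/,//')
        rx=$(to_bytes "$1" "$2"); tx=$(to_bytes "$4" "$5") ;;
    esac
  done
  [ -n "$hs" ] || { echo NO_HANDSHAKE; return; }
  [ "$(hs_age_seconds "$hs")" -le 180 ] || { echo STALE; return; }
  # A handshake response plus keepalives is a few hundred bytes, so kilobytes sent against
  # under 1 KiB received (threshold assumed) means our packets get no replies.
  if [ "$tx" -gt 4096 ] && [ "$rx" -lt 1024 ]; then echo ONE_WAY; else echo OK; fi
}

printf '%s\n' "$SAMPLE_WG_SHOW" | wg_peer_verdict   # ONE_WAY for the counters above
```

Both dumps in this thread show the same shape (a fresh handshake with a few hundred bytes received against tens of KiB sent), which is the pattern the ONE_WAY verdict flags: the server accepts the handshake but nothing it sends back for our address arrives.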

Regarding upgrade, one additional hurdle is that I don't have a SD<->micro SD adapter handy so I can't flash a new openwrt image easily :frowning:

Yes, when I use my phone and activate WireGuard, I can log in to my router normally, and when I go to the WireGuard tab I see both the phone client and the RPi client connected.

Finally, remove these two lines from your wg0 interface config.

See if that fixes it. If not, set the wg0 network into a new firewall zone and allow forwarding to that zone from lan.

config zone
        option name 'wan'
        option output 'ACCEPT'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option network 'wwan'
        option masq '1'

config zone
        option name 'wg'
        option output 'ACCEPT'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option network 'wg0'
        option masq '1'

config forwarding
        option dest 'wg'
        option src 'lan'

Finally, is the wwan network trusted in this particular environment? Normally the wan zone is set to output = accept, input and forward = reject. If the upstream network is not trusted, your current config presents a very significant risk.

Unfortunately it didn't fix it (I rebooted after making the change).

I also made the firewall changes you suggested (although the network is entirely controlled by me), and I still cannot ping 10.14.0.1 or 8.8.8.8 :frowning:

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option forward 'ACCEPT'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'lan'

config include
        option path '/etc/firewall.user'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option network 'wg0 wwan'
        option masq '1'
        option input 'REJECT'
        option forward 'REJECT'

config forwarding
        option dest 'wan'
        option src 'lan'

What about putting wg0 into its own firewall zone?