Problem with wireguard peer handshake

I have been having issues with getting wireguard configured correctly on my Luci 19.07 installation.
I have a wireguard server set up on a raspberry pi. I can connect without issues from android or windows. After some time I was able to get it to connect but then I had issues with firewall connections / settings. I finally ended up with lan -> wg0 and getting all traffic routed through wireguard, which is not what I actually wanted. So, I reset the firewall back to lan->wan.

I was looking at vpn-bypass and added that, but then I noticed that the wireguard interface was not connected. I have been trying without success to get that to reconnect. I used the same credentials to create another connection on my laptop and it connects fine.

I haven't found much in the way of help debugging.



I've tried assigning in the firewall to zone both unspecified and the wan but neither makes a difference.
I don't remember making any changes to the firewall rules for the wan zone at all.

My first goal is to get openwrt to connect to the peer. If I can keep this stable, then I can look at trying to route the specific subnets through the vpn.

What OS is on RPi?

Have you opened a port for wireguard in the firewall?

The raspberry 'server' is running debian buster

Thanks, I hadn't. I did set up a udp port in the interface definition and I have added that to the firewall under the 'traffic rules' tab. That doesn't seem to have made any difference though.

Make sure you have added client's public key to the peer section on the server side and vice versa.

What are log messages on RPi, and OpenWRT-router, specific for WireGuard?

I really can't find anything in them. At least the logfiles I can find. Seems very bizarre.

# logread -e wg
Sun Sep 20 21:42:21 2020 daemon.notice netifd: Interface 'wg0' is setting up now
Sun Sep 20 21:42:21 2020 daemon.notice netifd: Interface 'wg0' is now up
Sun Sep 20 21:42:21 2020 daemon.notice netifd: Network device 'wg0' link is up
root@OpenWrt:/etc/config#

:~# journalctl -u wg-quick@wg0.service
-- Logs begin at Thu 2020-09-17 06:12:06 BST, end at Mon 2020-09-21 02:39:34 BST
Sep 17 06:12:19 water.tpon.com systemd[1]: Starting WireGuard via wg-quick(8) fo
Sep 17 06:12:20 water.tpon.com wg-quick[588]: [#] ip link add wg0 type wireguard
Sep 17 06:12:20 water.tpon.com wg-quick[588]: [#] wg setconf wg0 /dev/fd/63
Sep 17 06:12:20 water.tpon.com wg-quick[588]: [#] ip -4 address add 192.168.5.1/
Sep 17 06:12:20 water.tpon.com wg-quick[588]: [#] ip link set mtu 1420 up dev wg
Sep 17 06:12:20 water.tpon.com wg-quick[588]: [#] iptables -A FORWARD -i wg0 -j
Sep 17 06:12:20 water.tpon.com systemd[1]: Started WireGuard via wg-quick(8) for

Can you ping IP of another peer?

I can only repeat that, for WireGuard, PBR rules can't use port numbers due to the UDP protocol.

The linked method does not involve port numbers or protocols.

I deleted the interface and started again from scratch, pretty much using https://danrl.com/blog/2017/luci-proto-wireguard/ as the template. I'm now able to handshake; however, I can't pass any network traffic.
I've tried assigning the wireguard interface to a new firewall zone. I've tried with and without the route allowed IPs checked off. I've tried with the lan forwarding to the wireguard zone.
If I connect my windows client to the server with the same configuration it works as expected, so it leads me to believe it's something with the firewall on the openwrt side. Is traffic getting out but not back (e.g. when I try to ping or do an nslookup)?

# Server
tcpdump -n -i any udp port 56914

# Client
ifup wg0; sleep 10; wg show

# Server
wg show

Thanks, not too familiar (yet) with tcpdump, but here's the output.
Replaced 71.25.56.158.56913 > 192.168.0.253.56914 with x.x.x.158.56913 > x.x.x.253.56914 to save space.

# tcpdump -n -i any udp port 56914
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
03:45:22.433350 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 148
03:45:22.437787 IP x.x.x.253.56914 > x.x.x.158.56913: UDP, length 92
03:45:22.570874 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 32
03:45:22.571652 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 592
03:45:22.571927 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:22.778881 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 816
03:45:22.833575 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:22.905574 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 592
03:45:23.334540 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 592
03:45:23.377239 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 816
03:45:23.437630 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:23.476014 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:23.509575 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:23.761006 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:23.960825 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:23.999120 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:24.194778 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 592
03:45:24.210203 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:24.437073 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:24.573896 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:24.578779 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 816
03:45:24.618830 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:24.663685 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 144
03:45:24.668196 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 144
03:45:24.668321 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 144
03:45:24.933155 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:24.933473 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:24.957886 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:24.958001 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:24.964660 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 144
03:45:24.966762 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 144
03:45:24.966986 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 144
03:45:25.063381 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:25.162388 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 640
03:45:25.393453 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:25.429467 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:25.463361 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 640
03:45:25.564140 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 144
03:45:25.566360 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 144
03:45:25.568955 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 144
03:45:25.586624 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:25.838232 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 672
03:45:25.955024 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 592
03:45:25.957024 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:25.959345 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:25.959415 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:25.959438 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:25.961662 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:25.961720 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:25.963996 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:25.964068 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:25.966060 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:25.966125 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:26.062869 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 640
03:45:26.085206 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:26.293995 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:26.386145 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:26.397293 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:26.440035 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:26.469197 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 480
03:45:26.475869 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:26.509558 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:26.520721 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:26.572402 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:26.747644 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:26.761083 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:26.763533 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 144
03:45:26.767713 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 144
03:45:26.770107 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 144
03:45:26.956454 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:26.977149 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 816
03:45:26.985703 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:27.039580 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:27.194545 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:27.219194 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:27.264276 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 608
03:45:27.434910 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:27.724413 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:27.836891 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:27.839036 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:27.839121 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:27.841262 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:27.841332 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:27.904179 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:27.958066 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:27.960390 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:27.960511 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:27.960541 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:27.962628 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:27.962718 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:27.964967 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:27.965048 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:27.965075 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:27.965096 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:27.967054 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:27.967129 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:27.969341 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:27.969440 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:27.969463 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:27.971721 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:27.971801 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:27.971839 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:27.973784 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:27.973873 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:28.005115 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:28.088435 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 656
03:45:28.099668 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:28.133107 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:28.133203 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:28.148898 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:28.196024 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:28.301648 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:28.353320 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:28.380137 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:28.387172 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 656
03:45:28.400458 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:28.465697 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 608
03:45:28.553646 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:28.573969 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:28.895102 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:28.984829 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:28.989350 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 656
03:45:29.011827 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 160
03:45:29.061246 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 384
03:45:29.101444 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:29.133209 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:29.153397 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 496
03:45:29.164404 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 144
03:45:29.166659 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 144
03:45:29.171099 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 144
03:45:29.285579 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:29.303670 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:29.312933 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 224
03:45:29.355340 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:29.364351 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 176
03:45:29.368772 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:29.395902 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 592
03:45:29.409253 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:29.505783 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:29.505867 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:29.505888 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:29.620169 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:29.665353 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 640
03:45:29.714667 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:29.833873 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 672
03:45:29.885284 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:29.912279 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 224
03:45:29.948106 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 144
03:45:29.966172 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 176
03:45:29.970857 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:29.995399 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:30.029066 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:30.101074 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:30.170533 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 256
03:45:30.175131 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:30.184164 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 144
03:45:30.190776 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 656
03:45:30.248933 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:30.303137 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:30.376948 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:30.424280 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 144
03:45:30.453329 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:30.478349 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 480
03:45:30.511741 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:30.514102 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:30.514184 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:30.516337 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:30.516416 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:30.516437 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:30.518468 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:30.520869 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:30.520935 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:30.520954 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:30.523160 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:30.538830 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:30.541405 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:30.541470 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:30.541490 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:30.541511 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:30.543424 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:30.543491 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:30.545530 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:30.545602 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:30.545625 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:30.572457 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:30.590844 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:30.601636 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:30.790324 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:30.815046 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:30.823958 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:30.839710 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:30.893555 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 144
03:45:30.990169 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:30.996892 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:31.086694 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:31.102609 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:31.111548 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 256
03:45:31.133914 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:31.167587 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 176
03:45:31.192304 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:31.302268 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:31.306844 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 176
03:45:31.327072 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:31.358552 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:31.374112 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:31.392209 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:31.549308 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:31.549387 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:31.549407 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:31.551567 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:31.551633 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:31.553838 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:31.553901 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:31.553991 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:31.556013 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:31.556078 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:31.592013 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:31.778606 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 816
03:45:31.793978 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:31.843494 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 144
03:45:31.953565 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:31.960277 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:31.960344 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:31.962696 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:31.962758 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:31.962779 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:31.964928 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:31.964990 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:31.967140 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:31.967221 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:31.967242 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:31.969263 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:31.969321 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:31.971605 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:31.971668 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:31.971705 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:31.973732 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:31.973788 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:31.973807 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:31.973857 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:31.975972 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:31.993904 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:31.998633 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:32.014221 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 160
03:45:32.065901 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 640
03:45:32.103961 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:32.104392 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 1452
03:45:32.160288 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 496
03:45:32.195970 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:32.301531 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:32.312937 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 256
03:45:32.328598 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:32.373386 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:32.400361 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:32.404925 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:32.449770 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:32.490099 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:32.521777 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:32.573204 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:32.591444 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 656
03:45:32.595812 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:32.636546 IP x.x.x.253.56914 > x.x.x.158.56913: UDP, length 32
03:45:32.654219 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:32.703957 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 1452
03:45:32.775635 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:32.797918 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:32.824858 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:32.836002 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:32.838305 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:32.838371 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:32.838391 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:32.840645 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:32.840729 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:32.910073 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:32.997613 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:32.997687 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:33.078519 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:33.103325 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:33.134748 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:33.172893 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:33.199808 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:33.303190 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:33.316645 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 144
03:45:33.399579 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:33.487300 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:33.514167 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 256
03:45:33.541050 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:33.541124 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:33.541148 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:33.543789 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:33.543859 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:33.545664 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:33.545719 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:33.545739 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:33.545761 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:33.547886 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:33.547949 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:33.548105 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:33.550175 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:33.550267 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:33.550305 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:33.552416 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:33.552505 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:33.552527 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:33.554639 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:33.554714 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:33.565914 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 176
03:45:33.599556 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:33.617508 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 144
03:45:33.709566 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:33.763491 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 144
03:45:33.799769 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:33.813023 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:33.830996 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 672
03:45:33.835416 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:33.905678 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 1452
03:45:33.963827 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 192
03:45:33.968169 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 192
03:45:33.970393 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 192
03:45:33.997298 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:34.001696 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:34.105024 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:34.201615 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:34.219639 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 144
03:45:34.273523 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:34.302628 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:34.334450 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 688
03:45:34.334520 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:34.367886 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:34.403791 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:34.565393 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:34.572186 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:34.574385 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:34.603604 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:34.796897 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:34.803565 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:34.823709 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:34.837072 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:34.837255 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 688
03:45:34.998798 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:35.003274 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:35.104416 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:35.135961 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:35.182968 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:35.183059 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:35.205341 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:35.277265 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:35.304239 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:35.416594 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:35.434776 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 144
03:45:35.659054 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:35.715084 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:35.782567 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:35.782645 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:35.834407 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 688
03:45:35.836435 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:35.915138 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 256
03:45:35.962223 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:35.962305 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:35.962326 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:35.962350 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:35.964296 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:35.986902 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:35.989216 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:35.989281 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:35.989302 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:35.989364 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:35.998115 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:36.105853 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:36.173299 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 384
03:45:36.173372 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 448
03:45:36.173461 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 496
03:45:36.195887 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 592
03:45:36.303613 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:36.306505 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 1452
03:45:36.355154 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:36.364188 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:36.573030 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:36.658370 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:36.824470 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:36.838093 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:36.867316 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 640
03:45:36.909942 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:36.981757 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:36.983914 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:36.986407 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:36.986513 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:36.986535 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:36.986557 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:36.988576 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:36.999652 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:37.105272 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:37.208653 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 384
03:45:37.228779 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:37.280395 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:37.302814 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:37.390654 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 656
03:45:37.523450 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 144
03:45:37.540894 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:37.543280 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:37.543355 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:37.543376 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:37.543400 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:37.545429 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:37.545496 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:37.545514 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:37.547669 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:37.547740 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:37.547763 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:37.550072 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:37.550146 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:37.550166 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:37.550188 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:37.552154 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:37.552223 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:37.552242 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:37.554374 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:37.554443 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 96
03:45:37.819479 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 144
03:45:37.837497 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 688
03:45:37.837614 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:37.841987 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:37.842062 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:37.842084 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:37.842106 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:37.844069 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112
03:45:37.999037 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:38.230360 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:38.288636 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 128
03:45:38.361707 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:38.367361 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 176
^C
431 packets captured
433 packets received by filter
0 packets dropped by kernel
root@water:~#

On openwrt:

~# ifup wg0; sleep 10; wg show
interface: wg0
  public key: 8morE+veh6pcJtFK9nm9vmY1m2fe6C5yO9AIfgaWcBE=
  private key: (hidden)
  listening port: 56913

peer: mmNRuIE4vfIORe/8u/2xuaUAAJAXIwsJXdzoBpPG5U8=
  endpoint: 82.123.137.3:56914
  allowed ips: 0.0.0.0/0, ::/0, 192.168.0.0/16
  latest handshake: 10 seconds ago
  transfer: 92 B received, 41.29 KiB sent
  persistent keepalive: every 25 seconds
root@OpenWrt:~# wg show
interface: wg0
  public key: 8morE+veh6pcJtFK9nm9vmY1m2fe6C5yO9AIfgaWcBE=
  private key: (hidden)
  listening port: 56913

peer: mmNRuIE4vfIORe/8u/2xuaUAAJAXIwsJXdzoBpPG5U8=
  endpoint: 82.123.137.3:56914
  allowed ips: 0.0.0.0/0, ::/0, 192.168.0.0/16
  latest handshake: 13 seconds ago
  transfer: 124 B received, 58.09 KiB sent
  persistent keepalive: every 25 seconds
root@OpenWrt:~#
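An added example, not part of the original posts: a shell helper that tallies tcpdump lines like the ones above by direction and by WireGuard message size, to check whether data returns from the server. The function names `wg_capture_summary` and `wg_flow_verdict` are hypothetical, the sample capture is partly constructed, and the two ends are assumed to use different UDP ports, as they do here.

```shell
#!/bin/sh
# Added example (not from the thread): summarise a WireGuard capture per direction.
# Input lines look like the tcpdump output above:
#   HH:MM:SS.usec IP SRC.SPORT > DST.DPORT: UDP, length N
# Only the UDP payload length is visible, so the message type is inferred from
# the fixed sizes of the WireGuard protocol messages:
#   148 handshake initiation, 92 handshake response, 64 cookie reply
#   (a data message carrying 32 bytes is also 64), 32 keepalive, larger = data.

# wg_capture_summary PORT   (hypothetical helper name)
#   PORT  = UDP port the server end listens on (assumed to differ from the client's)
#   stdin = tcpdump lines; stdout = "<direction> <kind> <count>", sorted
wg_capture_summary() {
    awk -v port="$1" '
    function kind(n) {
        if (n == 148) return "handshake-init"
        if (n == 92)  return "handshake-resp"
        if (n == 64)  return "cookie-or-data"
        if (n == 32)  return "keepalive"
        if (n > 32)   return "data"
        return "not-wireguard"
    }
    $2 == "IP" && $4 == ">" && $6 == "UDP," && $7 == "length" {
        src = $3
        dst = $5; sub(/:$/, "", dst)
        sport = src; sub(/^.*\./, "", sport)   # text after the last dot is the port
        dport = dst; sub(/^.*\./, "", dport)
        if (dport == port)      dir = "to-server"
        else if (sport == port) dir = "from-server"
        else next                               # unrelated UDP traffic
        count[dir " " kind($8 + 0)]++
    }
    END { for (k in count) print k, count[k] }' | LC_ALL=C sort
}

# wg_flow_verdict PORT   (hypothetical helper name)
#   Prints two-way, one-way or no-data for the capture on stdin.
#   Ambiguous 64-byte packets are not counted as data.
wg_flow_verdict() {
    wg_capture_summary "$1" | awk '
    $2 == "data" && $1 == "to-server"   { out  = $3 }
    $2 == "data" && $1 == "from-server" { back = $3 }
    END {
        if (out > 0 && back > 0)      print "two-way"
        else if (out > 0 || back > 0) print "one-way"
        else                          print "no-data"
    }'
}

# Sample input: the first three lines are constructed for illustration,
# the last three are copied from the capture in the post above.
SAMPLE_CAPTURE='03:45:30.000001 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 148
03:45:30.050002 IP x.x.x.253.56914 > x.x.x.158.56913: UDP, length 92
03:45:30.060003 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 32
03:45:36.303613 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 80
03:45:36.306505 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 1452
03:45:36.355154 IP x.x.x.158.56913 > x.x.x.253.56914: UDP, length 112'

printf '%s\n' "$SAMPLE_CAPTURE" | wg_capture_summary 56914
printf '%s\n' "$SAMPLE_CAPTURE" | wg_flow_verdict 56914
```

A completed handshake followed by data in one direction only points at routing, allowed IPs or forwarding on the far side rather than at keys or the UDP port.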

Sorry if this has already been mentioned. This doesn't appear to be your problem, but it may be someone else's.

WireGuard checks that your system time is within a certain range, I am guessing, so you may need to make sure that your router has an updated time.

There is a "Time Synchronization" tab in the 'System' section that you might want to take a look at, and you may need static routes if your regular gateway isn't OpenWrt and doesn't have the option of running the time server.


The handshake looks normal.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

uci export network; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \

wireguard zone is not allowed to forward towards lan or wan, so you cannot do much. The tunnel looks established alright.


Thanks Krazeh. I did trim some port forward entries that were repetitive, for clarity, but otherwise I think I got all the redactions.

root@OpenWrt:~# uci export network; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> iptables-save -c; \
> ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
>
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd32:b814:7069::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '10.192.168.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device 'lan_dev'
        option name 'eth0.1'
        option macaddr 'ff:ff:ff:00:00:00'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'
        option metric '100'
        list dns '1.1.1.1'
        list dns '8.8.8.8'
        option peerdns '0'

config device 'wan_dev'
        option name 'eth0.2'
        option macaddr 'ff:ff:ff:ff:ff:ff'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'
        option reqprefix 'auto'
        option reqaddress 'try'
        option metric '100'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6t'

config route
        option interface 'lan'
        option target '10.192.169.0'
        option netmask '255.255.255.0'
        option gateway '10.192.168.197'

config route
        option interface 'lan'
        option target '10.192.170.0'
        option netmask '255.255.255.0'
        option gateway '10.192.168.197'

config route
        option netmask '255.255.255.0'
        option interface 'lan'
        option gateway '10.192.168.197'
        option target '10.192.171.0'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx='
        option auto '0'
        option listen_port '56913'
        list addresses ''

config wireguard_wg0
        option description 'Water'
        option persistent_keepalive '25'
        option endpoint_host 'water.tpon.com'
        option endpoint_port '56914'
        option public_key 'asNRuIE4vfIORe/8u/2xuaUAAJAXIwsJXdzoBpPG5U8='
        option route_allowed_ips '1'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        list allowed_ips '192.168.5.8/16'

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '443'
        option dest_ip '10.192.168.197'
        option dest_port '443'
        option name 'https'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '22'
        option dest_ip '10.192.168.197'
        option dest_port '22'
        option name 'ssh'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '4080'
        option dest_ip '10.192.168.20'
        option dest_port '4080'
        option name 'tivo-1'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '4413'
        option dest_ip '10.192.168.20'
        option dest_port '413'
        option name 'tivo-2'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '4443'
        option dest_ip '10.192.168.20'
        option dest_port '443'
        option name 'tivo-3'

config redirect
        option src 'wan'
        option name 'wireguard'
        option target 'DNAT'
        option dest 'lan'
        option dest_ip '10.192.168.197'
        option proto 'tcp udp'
        option dest_port '56914'
        option src_dport '56914'

config rule
        option dest_port '55955'
        option src 'wan'
        option name 'wireguard 55955'
        option target 'ACCEPT'
        list proto 'udp'

config rule
        option dest_port '56914'
        option src 'wan'
        option name 'wiregaurd water 56914'
        option target 'ACCEPT'
        list proto 'udp'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '56913'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option input 'ACCEPT'
        option forward 'REJECT'
        option name 'wireguard'
        option output 'ACCEPT'
        option masq '1'
        option network 'wg0'

config forwarding
        option dest 'wan'
        option src 'lan'

config forwarding
        option dest 'wan'
        option src 'wireguard'

config forwarding
        option dest 'wireguard'
        option src 'lan'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# Generated by iptables-save v1.8.3 on Mon Sep 28 09:50:38 2020
*nat
:PREROUTING ACCEPT [149259:18525990]
:INPUT ACCEPT [30955:2240493]
:OUTPUT ACCEPT [20059:1393992]
:POSTROUTING ACCEPT [21952:1275268]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
:zone_wireguard_postrouting - [0:0]
:zone_wireguard_prerouting - [0:0]
[171794:19811166] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[145564:18292883] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[26230:1518283] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i wg0 -m comment --comment "!fw3" -j zone_wireguard_prerouting
[129594:10046011] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[22572:1307628] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[103412:8478243] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[3604:259702] -A POSTROUTING -o wg0 -m comment --comment "!fw3" -j zone_wireguard_postrouting
[22572:1307628] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 10.192.168.0/24 -d 10.192.168.197/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: http (reflection)" -j SNAT --to-source 10.192.168.1
[619:32378] -A zone_lan_postrouting -s 10.192.168.0/24 -d 10.192.168.197/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: https (reflection)" -j SNAT --to-source 10.192.168.1
[0:0] -A zone_lan_postrouting -s 10.192.168.0/24 -d 10.192.168.197/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: ssh (reflection)" -j SNAT --to-source 10.192.168.1
[0:0] -A zone_lan_postrouting -s 10.192.168.0/24 -d 10.192.168.20/32 -p tcp -m tcp --dport 4080 -m comment --comment "!fw3: tivo-1 (reflection)" -j SNAT --to-source 10.192.168.1
[0:0] -A zone_lan_postrouting -s 10.192.168.0/24 -d 10.192.168.20/32 -p udp -m udp --dport 4080 -m comment --comment "!fw3: tivo-1 (reflection)" -j SNAT --to-source 10.192.168.1
[0:0] -A zone_lan_postrouting -s 10.192.168.0/24 -d 10.192.168.20/32 -p tcp -m tcp --dport 413 -m comment --comment "!fw3: tivo-2 (reflection)" -j SNAT --to-source 10.192.168.1
[0:0] -A zone_lan_postrouting -s 10.192.168.0/24 -d 10.192.168.20/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: tivo-3 (reflection)" -j SNAT --to-source 10.192.168.1
[0:0] -A zone_lan_postrouting -s 10.192.168.0/24 -d 10.192.168.197/32 -p tcp -m tcp --dport 56914 -m comment --comment "!fw3: wireguard (reflection)" -j SNAT --to-source 10.192.168.1
[0:0] -A zone_lan_postrouting -s 10.192.168.0/24 -d 10.192.168.197/32 -p udp -m udp --dport 56914 -m comment --comment "!fw3: wireguard (reflection)" -j SNAT --to-source 10.192.168.1
[145564:18292883] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[619:32378] -A zone_lan_prerouting -s 10.192.168.0/24 -d xx.xxx.56.158/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: https (reflection)" -j DNAT --to-destination 10.192.168.197:443
[0:0] -A zone_lan_prerouting -s 10.192.168.0/24 -d xx.xxx.56.158/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: ssh (reflection)" -j DNAT --to-destination 10.192.168.197:22
[0:0] -A zone_lan_prerouting -s 10.192.168.0/24 -d xx.xxx.56.158/32 -p tcp -m tcp --dport 4080 -m comment --comment "!fw3: tivo-1 (reflection)" -j DNAT --to-destination 10.192.168.20:4080
[0:0] -A zone_lan_prerouting -s 10.192.168.0/24 -d xx.xxx.56.158/32 -p udp -m udp --dport 4080 -m comment --comment "!fw3: tivo-1 (reflection)" -j DNAT --to-destination 10.192.168.20:4080
[0:0] -A zone_lan_prerouting -s 10.192.168.0/24 -d xx.xxx.56.158/32 -p tcp -m tcp --dport 4413 -m comment --comment "!fw3: tivo-2 (reflection)" -j DNAT --to-destination 10.192.168.20:413
[0:0] -A zone_lan_prerouting -s 10.192.168.0/24 -d xx.xxx.56.158/32 -p tcp -m tcp --dport 4443 -m comment --comment "!fw3: tivo-3 (reflection)" -j DNAT --to-destination 10.192.168.20:443
[0:0] -A zone_lan_prerouting -s 10.192.168.0/24 -d xx.xxx.56.158/32 -p tcp -m tcp --dport 56914 -m comment --comment "!fw3: wireguard (reflection)" -j DNAT --to-destination 10.192.168.197:56914
[0:0] -A zone_lan_prerouting -s 10.192.168.0/24 -d xx.xxx.56.158/32 -p udp -m udp --dport 56914 -m comment --comment "!fw3: wireguard (reflection)" -j DNAT --to-destination 10.192.168.197:56914
[103412:8478243] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[103412:8478243] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[26230:1518283] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[3320:140243] -A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: https" -j DNAT --to-destination 10.192.168.197:443
[5051:301524] -A zone_wan_prerouting -p tcp -m tcp --dport 22 -m comment --comment "!fw3: ssh" -j DNAT --to-destination 10.192.168.197:22
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 4080 -m comment --comment "!fw3: tivo-1" -j DNAT --to-destination 10.192.168.20:4080
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 4080 -m comment --comment "!fw3: tivo-1" -j DNAT --to-destination 10.192.168.20:4080
[1:40] -A zone_wan_prerouting -p tcp -m tcp --dport 4413 -m comment --comment "!fw3: tivo-2" -j DNAT --to-destination 10.192.168.20:413
[4:200] -A zone_wan_prerouting -p tcp -m tcp --dport 4443 -m comment --comment "!fw3: tivo-3" -j DNAT --to-destination 10.192.168.20:443
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 56914 -m comment --comment "!fw3: wireguard" -j DNAT --to-destination 10.192.168.197:56914
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 56914 -m comment --comment "!fw3: wireguard" -j DNAT --to-destination 10.192.168.197:56914
[3604:259702] -A zone_wireguard_postrouting -m comment --comment "!fw3" -j MASQUERADE
COMMIT
# Completed on Mon Sep 28 09:50:38 2020
# Generated by iptables-save v1.8.3 on Mon Sep 28 09:50:38 2020
*mangle
:PREROUTING ACCEPT [6058765:4546450709]
:INPUT ACCEPT [101113:8752055]
:FORWARD ACCEPT [5926549:4528870266]
:OUTPUT ACCEPT [220359:23966757]
:POSTROUTING ACCEPT [6142535:4552526557]
[58131:3174940] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[63092:3513312] -A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Mon Sep 28 09:50:38 2020
# Generated by iptables-save v1.8.3 on Mon Sep 28 09:50:38 2020
*filter
:INPUT ACCEPT [85:3100]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
:zone_wireguard_dest_ACCEPT - [0:0]
:zone_wireguard_dest_REJECT - [0:0]
:zone_wireguard_forward - [0:0]
:zone_wireguard_input - [0:0]
:zone_wireguard_output - [0:0]
:zone_wireguard_src_ACCEPT - [0:0]
[606:58390] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[100509:8693745] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[52397:5056585] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[3551:152760] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[40603:3215402] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[7509:421758] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i wg0 -m comment --comment "!fw3" -j zone_wireguard_input
[5926550:4528870318] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[5786248:4511932617] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[117602:15627687] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[22700:1310014] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i wg0 -m comment --comment "!fw3" -j zone_wireguard_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[606:58390] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[217883:23766784] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[138732:18367081] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[65:20200] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[24265:1671723] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[54821:3707780] -A OUTPUT -o wg0 -m comment --comment "!fw3" -j zone_wireguard_output
[6584:343811] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[227:36551] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[3551:152760] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[65:20200] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[117602:15627687] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[117602:15627687] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[6037:570962] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wireguard forwarding policy" -j zone_wireguard_dest_ACCEPT
[634:33118] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[40603:3215402] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[40603:3215402] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[65:20200] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[65:20200] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[40518:3212302] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[1950:144356] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[133880:16584092] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[22700:1310014] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[22700:1310014] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[7509:421758] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[392:30380] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[306:11016] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 55955 -m comment --comment "!fw3: wireguard 55955" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 56914 -m comment --comment "!fw3: wiregaurd water 56914" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 56913 -m comment --comment "!fw3: Allow-WireGuard" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[6811:380362] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[24265:1671723] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[24265:1671723] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[6811:380362] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
[549:23295] -A zone_wireguard_dest_ACCEPT -o wg0 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[59675:4222329] -A zone_wireguard_dest_ACCEPT -o wg0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wireguard_dest_REJECT -o wg0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wireguard_forward -m comment --comment "!fw3: Zone wireguard to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wireguard_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wireguard_forward -m comment --comment "!fw3" -j zone_wireguard_dest_REJECT
[0:0] -A zone_wireguard_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wireguard_input -m comment --comment "!fw3" -j zone_wireguard_src_ACCEPT
[54821:3707780] -A zone_wireguard_output -m comment --comment "!fw3" -j zone_wireguard_dest_ACCEPT
[0:0] -A zone_wireguard_src_ACCEPT -i wg0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
COMMIT
# Completed on Mon Sep 28 09:50:38 2020
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 10.192.168.1/24 brd 10.192.168.255 scope global br-lan
       valid_lft forever preferred_lft forever
7: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet xx.xxx.56.158/24 brd xx.xxx.56.255 scope global eth0.2
       valid_lft forever preferred_lft forever
default via xx.xxx.56.1 dev eth0.2  src xx.xxx.56.158  metric 100
10.192.168.0/24 dev br-lan scope link  src 10.192.168.1
10.192.169.0/24 via 10.192.168.197 dev br-lan
10.192.170.0/24 via 10.192.168.197 dev br-lan
10.192.171.0/24 via 10.192.168.197 dev br-lan
xx.xxx.56.0/24 dev eth0.2 scope link  metric 100
xx.xx.137.3 via xx.xxx.56.1 dev eth0.2  metric 100
xx.xx.240.187 via xx.xxx.56.1 dev eth0.2  metric 100
broadcast 10.192.168.0 dev br-lan table local scope link  src 10.192.168.1
local 10.192.168.1 dev br-lan table local scope host  src 10.192.168.1
broadcast 10.192.168.255 dev br-lan table local scope link  src 10.192.168.1
broadcast xx.xxx.56.0 dev eth0.2 table local scope link  src xx.xxx.56.158
local xx.xxx.56.158 dev eth0.2 table local scope host  src xx.xxx.56.158
broadcast xx.xxx.56.255 dev eth0.2 table local scope link  src xx.xxx.56.158
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
root@OpenWrt:~#