Puzzling Wireguard client problem

I have recently installed OpenWRT on a WRX36 and am setting everything up. I have installed the Wireguard server and configured it. I have created one peer for Android and one for a Windows 10 laptop with recent updates.

On Android, everything works as expected using the official Wireguard client. From a public wifi I enable WG, and I have full access to my network and the internet using the tunnel.

On Windows, using the same settings (just a different peer client), when using the official Windows client (0.5.3, the latest even if it's from 2021) I cannot browse the internet or intranet, but I can ping the intranet IP addresses. Using the Wiresock or TunnlTo clients and the exact same configuration, everything works as expected (I did say it's puzzling, didn't I :wink:). The client configuration was exported from the Luci UI, and as I said it works in the non-official clients, so I don't think there's anything wrong there. The non-official clients use Winsock, though, not the virtual LAN adapter.

One thing I noticed: when using the official client, ipconfig results in

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.99.3
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : ::
                                       0.0.0.0

so it looks like, instead of the default DNS I entered (192.168.1.1 in my case), it uses the entry from the allowed addresses.

How can I troubleshoot this? I mean, I could use the non-official clients, but I'd rather use the official one for security reasons.

Configuration follows. I tried both wglaptop and windows as clients for Windows, no difference (you can find both in network).

network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '(removed)'


config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan4:t*'

config bridge-vlan
	option device 'br-lan'
	option vlan '101'
	list ports 'lan2:u*'
	list ports 'lan4:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '102'
	list ports 'lan3:u*'
	list ports 'lan4:t'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'iot'
	option device 'br-lan.101'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

config interface 'camera'
	option device 'br-lan.102'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'vpn'
	option proto 'wireguard'
	option private_key '(removed)'
	option listen_port '51820'
	list addresses '192.168.99.1/24'

config wireguard_vpn 'wgclient'
	option public_key '(removed)'
	option preshared_key '(removed)'
	list allowed_ips '192.168.99.2/32'
	option route_allowed_ips '1'
	option private_key '(removed)'
	option description 'Android'

config wireguard_vpn 'windows'
	option description 'Windows'
	option public_key '(removed)'
	option private_key '(removed)'
	list allowed_ips '192.168.99.3/32'
	option route_allowed_ips '1'

config wireguard_vpn 'wglaptop'
	option description 'wglaptop'
	option public_key '(removed)'
	option private_key '(removed)'
	option route_allowed_ips '1'
	list allowed_ips '192.168.99.4/32'

firewall

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'vpn'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config zone
	option name 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'iot'

config zone
	option name 'camera'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'camera'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'IoT_DHCP'
	list proto 'udp'
	option src 'iot'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'IoT_DNS'
	option src 'iot'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Allow-IoT-mDNS'
	list proto 'udp'
	option src 'iot'
	option src_port '5353'
	list dest_ip '224.0.0.251'
	option dest_port '5353'
	option target 'ACCEPT'

config rule
	option name 'Camera_DHCP'
	list proto 'udp'
	option src 'camera'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'Camera_DNS'
	option src 'camera'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Allow-camera-mDNS'
	list proto 'udp'
	option src 'camera'
	option src_port '5353'
	list dest_ip '224.0.0.251'
	option dest_port '5353'
	option target 'ACCEPT'

config forwarding
	option src 'iot'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'iot'

config forwarding
	option src 'lan'
	option dest 'camera'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Wireguard'
	list proto 'udp'
	option src 'wan'
	option src_dport '51820'
	option dest_port '51820'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option serversfile '/var/run/adblock-fast/dnsmasq.servers'
	option logfacility '/tmp/log/dnsmasq.log'
	option quietdhcp '1'

config dhcp 'lan'
	option interface 'lan'
	option start '20'
	option limit '149'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'iot'
	option interface 'iot'
	option start '20'
	option limit '149'
	option leasetime '12h'
	option dhcpv4 'server'

config dhcp 'camera'
	option interface 'camera'
	option start '20'
	option limit '149'
	option leasetime '12h'
	option dhcpv4 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name 'Besder_WiFi'
	list mac '(removed)'
	option ip '192.168.20.161'
	option leasetime '12h'

Let's see the windows WG config.

Well, it's really just what the peer "generate" functionality provided, simply copied over. And those work just fine with Wiresock and TunnlTo.

wglaptop

[Interface]
PrivateKey = (removed)
Address = 192.168.99.4/32
# ListenPort not defined
DNS = 192.168.1.1

[Peer]
PublicKey = (removed)
# PresharedKey not used
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = (FQDN):51820
# PersistentKeepAlive not defined

windows

[Interface]
PrivateKey = (removed)
Address = 192.168.99.3/32
DNS = 192.168.1.1

[Peer]
PublicKey = (removed)
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = (FQDN):51820

I can guess at three possible culprits... I don't use windows, so I can't verify this.

All of these would affect the Windows WG configuration, not the OpenWrt side:

  1. It is possible the official WG app doesn't like the /32 in the interface address. Try /24.
  2. It could be the IPv6 allowed IPs that's causing the problem. Edit that so that you only have 0.0.0.0/0.
  3. The WG app doesn't properly install the 0.0.0.0/0 route into the Windows routing table (I can't say why or what to do to fix it, just that it may be the reason for the issue).

Maybe others will have some more thoughts.


I tried everything I could think of for 1 and 2; nothing works. I can't say I tried the right magic incantation, just that nothing I tried seemed to make a difference.

I'm inclined to think #3 is the cause, but I (still) don't understand enough about Windows routing to figure that one out... more reading, I guess, and more learning :grin:

One other thought: if the Windows PC itself is already on the same 192.168.99.0 subnet, you might not have proper routing.

Thanks, but no, the IP on the public wifi is different.

Can someone using the Wireguard Windows client please share the result of their "route print" here? Mine are below; can anyone spot potential problems? There seems to be a route between my Wireguard address (192.168.99.3) and 0.0.0.0. I tried looking at routes with the TunnlTo and WiresockUI clients, but they seem to work at a different layer and the tunnel doesn't show as an adapter.

On my router wifi (everything works)

C:\WINDOWS\system32>route print
===========================================================================
Interface List
 10...00 ff 8e 55 cc 39 ......TAP-Windows Adapter V9 for OpenVPN Connect
 69...........................WireSock Virtual Adapter
 49...00 15 5d 89 a5 ce ......Hyper-V Virtual Ethernet Adapter
 22...........................OpenVPN Data Channel Offload
 15...aa 64 f1 be 4b 14 ......Microsoft Wi-Fi Direct Virtual Adapter #2
  5...a8 64 f1 be 4b 14 ......Intel(R) Wi-Fi 6 AX201 160MHz
 14...a8 64 f1 be 4b 18 ......Bluetooth Device (Personal Area Network)
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.113     35
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
      169.254.0.0      255.255.0.0      192.168.1.6    192.168.1.113     36
     172.28.176.0    255.255.240.0         On-link      172.28.176.1    271
     172.28.176.1  255.255.255.255         On-link      172.28.176.1    271
   172.28.191.255  255.255.255.255         On-link      172.28.176.1    271
      192.168.1.0    255.255.255.0         On-link     192.168.1.113    291
    192.168.1.113  255.255.255.255         On-link     192.168.1.113    291
    192.168.1.255  255.255.255.255         On-link     192.168.1.113    291
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link     192.168.1.113    291
        224.0.0.0        240.0.0.0         On-link      172.28.176.1    271
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link     192.168.1.113    291
  255.255.255.255  255.255.255.255         On-link      172.28.176.1    271
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
      169.254.0.0      255.255.0.0     172.25.208.1       1
      169.254.0.0      255.255.0.0      192.168.1.6       1
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  5    291 ::/0                     fe80::4eab:f8ff:fe47:cdde
  1    331 ::1/128                  On-link
  5    291 2601:602:a000:75bf::/64  On-link
  5    291 2601:602:a000:75bf::699/128
                                    On-link
  5    291 2601:602:a000:75bf:44cd:7fff:18ed:6727/128
                                    On-link
  5    291 2601:602:a000:75bf:f5ef:a8aa:432:3468/128
                                    On-link
  5    291 fd78:3416:2b52::/48      fe80::4eab:f8ff:fe47:cdde
  5    291 fd78:3416:2b52::/64      On-link
  5    291 fd78:3416:2b52::699/128  On-link
  5    291 fd78:3416:2b52:0:44cd:7fff:18ed:6727/128
                                    On-link
  5    291 fd78:3416:2b52:0:cea0:3ca1:a02d:1d19/128
                                    On-link
  5    291 fe80::/64                On-link
 49    271 fe80::/64                On-link
 49    271 fe80::2055:8120:55cd:fddb/128
                                    On-link
  5    291 fe80::56de:6c1d:c2d:c067/128
                                    On-link
  1    331 ff00::/8                 On-link
  5    291 ff00::/8                 On-link
 49    271 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

On the public wifi, internet access works, no tunnel to my network:

C:\WINDOWS\system32>route print
===========================================================================
Interface List
 10...00 ff 8e 55 cc 39 ......TAP-Windows Adapter V9 for OpenVPN Connect
 69...........................WireSock Virtual Adapter
 49...00 15 5d cc 6a 12 ......Hyper-V Virtual Ethernet Adapter
 22...........................OpenVPN Data Channel Offload
 15...aa 64 f1 be 4b 14 ......Microsoft Wi-Fi Direct Virtual Adapter #2
  5...a8 64 f1 be 4b 14 ......Intel(R) Wi-Fi 6 AX201 160MHz
 14...a8 64 f1 be 4b 18 ......Bluetooth Device (Personal Area Network)
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      172.20.20.1     172.20.20.20     50
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
      172.20.20.0    255.255.255.0         On-link      172.20.20.20    306
     172.20.20.20  255.255.255.255         On-link      172.20.20.20    306
    172.20.20.255  255.255.255.255         On-link      172.20.20.20    306
     172.28.176.0    255.255.240.0         On-link      172.28.176.1    271
     172.28.176.1  255.255.255.255         On-link      172.28.176.1    271
   172.28.191.255  255.255.255.255         On-link      172.28.176.1    271
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link      172.20.20.20    306
        224.0.0.0        240.0.0.0         On-link      172.28.176.1    271
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link      172.20.20.20    306
  255.255.255.255  255.255.255.255         On-link      172.28.176.1    271
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
      169.254.0.0      255.255.0.0     172.25.208.1       1
      169.254.0.0      255.255.0.0      192.168.1.6       1
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  5    306 ::/0                     fe80::ff:fe02:202
  1    331 ::1/128                  On-link
  5    306 2601:602:8702:c105:599d:cc93:f699:ba36/128
                                    On-link
  5    306 2601:602:8702:c105:787b:b041:4607:be8a/128
                                    On-link
  5    306 fe80::/64                On-link
 49    271 fe80::/64                On-link
  5    306 fe80::56de:6c1d:c2d:c067/128
                                    On-link
 49    271 fe80::9c4c:e9d2:1eed:e255/128
                                    On-link
  1    331 ff00::/8                 On-link
  5    306 ff00::/8                 On-link
 49    271 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

On the public WiFi, after connecting with the Wireguard client:

C:\WINDOWS\system32>route print
===========================================================================
Interface List
 72...........................WireGuard Tunnel
 10...00 ff 8e 55 cc 39 ......TAP-Windows Adapter V9 for OpenVPN Connect
 69...........................WireSock Virtual Adapter
 49...00 15 5d cc 6a 12 ......Hyper-V Virtual Ethernet Adapter
 22...........................OpenVPN Data Channel Offload
 15...aa 64 f1 be 4b 14 ......Microsoft Wi-Fi Direct Virtual Adapter #2
  5...a8 64 f1 be 4b 14 ......Intel(R) Wi-Fi 6 AX201 160MHz
 14...a8 64 f1 be 4b 18 ......Bluetooth Device (Personal Area Network)
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      172.20.20.1     172.20.20.20     50
          0.0.0.0          0.0.0.0         On-link      192.168.99.3      0
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
      172.20.20.0    255.255.255.0         On-link      172.20.20.20    306
     172.20.20.20  255.255.255.255         On-link      172.20.20.20    306
    172.20.20.255  255.255.255.255         On-link      172.20.20.20    306
     172.28.176.0    255.255.240.0         On-link      172.28.176.1    271
     172.28.176.1  255.255.255.255         On-link      172.28.176.1    271
   172.28.191.255  255.255.255.255         On-link      172.28.176.1    271
     192.168.99.3  255.255.255.255         On-link      192.168.99.3    256
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link      172.20.20.20    306
        224.0.0.0        240.0.0.0         On-link      172.28.176.1    271
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link      172.20.20.20    306
  255.255.255.255  255.255.255.255         On-link      172.28.176.1    271
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
      169.254.0.0      255.255.0.0     172.25.208.1       1
      169.254.0.0      255.255.0.0      192.168.1.6       1
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  5    306 ::/0                     fe80::ff:fe02:202
 72      0 ::/0                     On-link
  1    331 ::1/128                  On-link
  5    306 2601:602:8702:c105:599d:cc93:f699:ba36/128
                                    On-link
  5    306 2601:602:8702:c105:787b:b041:4607:be8a/128
                                    On-link
  5    306 fe80::/64                On-link
 49    271 fe80::/64                On-link
  5    306 fe80::56de:6c1d:c2d:c067/128
                                    On-link
 49    271 fe80::9c4c:e9d2:1eed:e255/128
                                    On-link
  1    331 ff00::/8                 On-link
  5    306 ff00::/8                 On-link
 49    271 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

Solved: it was an MTU problem. The key was finding an article that mentioned being able to ping internal addresses but not connect to them; the suggestion was to lower the MTU (the reason being that an ICMP echo packet is small enough to fit under the path MTU even when the larger packets sent by the browser do not, so pings go through without problems while connections stall).

I added MTU = 1392 to the [Interface] section for the peer (*.conf file), and it all magically started to work. Actually I tried 1280 first, then used a binary-search approach to find the highest value still working. 1392 works, 1394 doesn't.

I wonder why Android and the Winsock approach are happy with the standard MTU, but as long as it works, I'm happy.

