Routing issues from OpenWRT and Wireguard

I've been receiving these error messages about SYN_ATK failures. I'm able to send data but I cannot receive it. I've reset my whole system from scratch over the past few days thinking it was a bug with Proxmox or my router, but neither of those fixed the issue.

I ran this command on my vps/vpn (conntrack -L):

SYN_SENT src=10.0.4.246 dst=172.16.1.225 sport=45778 dport=80 [UNREPLIED] src=172.16.1.225 dst=10.0.4.246 sport=80 dport=45778 mark=0 use=1

SYN_SENT src=<my IP address> dst=<wireguard IP address> sport=60572 dport=443 [UNREPLIED] src=10.0.4.246 dst=<my IP address> sport=443 dport=60572 mark=0 use=1

SYN_SENT src=<my IP address> dst=<wireguard IP address> sport=63762 dport=25565 [UNREPLIED] src=172.16.1.225 dst=<my IP address> sport=25565 dport=63762 mark=0 use=1

Wireguard IPTable Rules:

PreUp = sysctl -w net.ipv4.conf.all.forwarding=1
PostUp = iptables -A INPUT -p udp --dport 51821 -j ACCEPT
PostUp = iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostUp = iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostUp = iptables -A FORWARD -i ens3 -o wg0 -j ACCEPT
PostUp = iptables -A FORWARD -i wg0 -o ens3 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostUp = iptables -t nat -A PREROUTING -i ens3 -p tcp --dport 80 -j DNAT --to-destination 10.0.4.246:80
PostUp = iptables -t nat -A PREROUTING -i ens3 -p tcp --dport 443 -j DNAT --to-destination 10.0.4.246:443
PostUp = iptables -t nat -A PREROUTING -i ens3 -p tcp --dport 25565 -j DNAT --to-destination 172.16.1.225:25565
PostUp = iptables -A FORWARD -m conntrack --ctstate DNAT -j ACCEPT

PostDown = iptables -D INPUT -p udp --dport 51821 -j ACCEPT
PostDown = iptables -D INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -D FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -D FORWARD -i ens3 -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o ens3 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -t nat -D PREROUTING -i ens3 -p tcp --dport 80 -j DNAT --to-destination 10.0.4.246:80
PostDown = iptables -t nat -D PREROUTING -i ens3 -p tcp --dport 443 -j DNAT --to-destination 10.0.4.246:443
PostDown = iptables -t nat -D PREROUTING -i ens3 -p tcp --dport 25565 -j DNAT --to-destination 172.16.1.225:25565
PostDown = iptables -D FORWARD -m conntrack --ctstate DNAT -j ACCEPT

I'm not sure what I'm missing. I have all the correct ports port-forwarded and I receive pings on my vps/vpn:

/etc/wireguard# nc -zv 172.16.1.225 25565
Connection to 172.16.1.225 25565 port [tcp/*] succeeded!

/etc/wireguard# nc -zv 172.16.1.225 80
Connection to 172.16.1.225 80 port [tcp/http] succeeded!

/etc/wireguard# nc -zv 172.16.1.225 443
Connection to 172.16.1.225 443 port [tcp/https] succeeded!

At this point, I'm thinking it's an OpenWrt routing issue somewhere in my router, but I'm unsure. Hopefully I can receive some tips on how I can fix this.

Router Pictures:
Thank you!
This just recently broke after a few restarts and I've been very confused about why this happened.

Where are these from?

And instead of screenshots from your router, please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall
ip ro
ip ru

Let's also see the output of the following:

ubus call system board

Wireguard IPTable Rules:

These rules are sitting on my VPN/VPS. I have my WireGuard VPN set up to push all internal IP addresses to my VPS, and then it's supposed to port forward them externally using those rules. I'm wondering if my VPS blocked me for some reason; I doubt it though.

/etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd19:893c:9ae4::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '172.16.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ip4table '1'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'

config device
        option name 'eth0'

config interface 'vpnlan'
        option device 'br-lan-vpn'
        option proto 'static'
        list ipaddr '10.0.4.1/24'
        option ip4table '2'

config device
        option type 'bridge'
        option name 'br-lan-vpn'
        option bridge_empty '1'
        list ports 'eth4'
        list ports 'wg1'

config interface 'wg1'
        option proto 'wireguard'
        option ip4table '3'
        option private_key '<OMIT>'
        list addresses '10.10.20.0/24'

config wireguard_wg1
        option description 'Pull'
        option endpoint_host '<wireguard IP address>'
        option endpoint_port '51821'
        option persistent_keepalive '25'
        option route_allowed_ips '1'
        option public_key '<OMIT>'
        option private_key '<OMIT>'
        option preshared_key '<OMIT>'
        list allowed_ips '0.0.0.0/0'

config rule 'vpnlan_wg1'
        option in 'vpnlan'
        option lookup '3'
        option priority '30000'

config route
        option interface 'wg1'
        option target '0.0.0.0/0'

/etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option src 'wan'
        option src_dport '25565'
        option dest_port '25565'
        option dest_ip '172.16.1.225'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option src 'wan'
        option src_dport '443'
        option dest_ip '172.16.1.196'
        option dest_port '443'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option src 'wan'
        option src_dport '80'
        option dest_ip '172.16.1.196'
        option dest_port '80'

config zone
        option name 'vpnlan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'vpnlan'
        list network 'wg1'

config forwarding 'vpnlan_lan'
        option src 'vpnlan'
        option dest 'lan'

config forwarding
        option src 'lan'

config forwarding
        option src 'lan'
        option dest 'vpnlan'

ip ru

root@OpenWrt:~# ip ru
0:      from all lookup local
10000:  from 10.0.4.1 lookup 2
10000:  from 10.10.20.0 lookup 3
10000:  from 172.16.1.1 lookup 1
20000:  from all to 10.0.4.1/24 lookup 2
20000:  from all to 10.10.20.0/24 lookup 3
20000:  from all to 172.16.1.1/24 lookup 1
30000:  from all iif br-lan-vpn lookup 3
32766:  from all lookup main
32767:  from all lookup default
90008:  from all iif lo lookup 1
90009:  from all iif lo lookup 2
90011:  from all iif lo lookup 3

root@OpenWrt:~# ubus call system board
{
        "kernel": "5.10.176",
        "hostname": "OpenWrt",
        "system": "AMD Ryzen 7 5825U with Radeon Graphics",
        "model": "QEMU Standard PC (i440FX + PIIX, 1996)",
        "board_name": "qemu-standard-pc-i440fx-piix-1996",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.5",
                "revision": "r20134-5f15225c1e",
                "target": "x86/64",
                "description": "OpenWrt 22.03.5 r20134-5f15225c1e"
        }
}

[Interface]
Address = 10.10.20.1/24
ListenPort = 51821
PrivateKey = <OMIT>

PreUp = sysctl -w net.ipv4.conf.all.forwarding=1
PostUp = iptables -A INPUT -p udp --dport 51821 -j ACCEPT
PostUp = iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostUp = iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostUp = iptables -A FORWARD -i ens3 -o wg0 -j ACCEPT
PostUp = iptables -A FORWARD -i wg0 -o ens3 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostUp = iptables -t nat -A PREROUTING -i ens3 -p tcp --dport 80 -j DNAT --to-destination 10.0.4.246:80
PostUp = iptables -t nat -A PREROUTING -i ens3 -p tcp --dport 443 -j DNAT --to-destination 10.0.4.246:443
PostUp = iptables -t nat -A PREROUTING -i ens3 -p tcp --dport 25565 -j DNAT --to-destination 172.16.1.225:25565
PostUp = iptables -A FORWARD -m conntrack --ctstate DNAT -j ACCEPT

PostDown = iptables -D INPUT -p udp --dport 51821 -j ACCEPT
PostDown = iptables -D INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -D FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -D FORWARD -i ens3 -o wg0 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o ens3 -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -t nat -D PREROUTING -i ens3 -p tcp --dport 80 -j DNAT --to-destination 10.0.4.246:80
PostDown = iptables -t nat -D PREROUTING -i ens3 -p tcp --dport 443 -j DNAT --to-destination 10.0.4.246:443
PostDown = iptables -t nat -D PREROUTING -i ens3 -p tcp --dport 25565 -j DNAT --to-destination 172.16.1.225:25565
PostDown = iptables -D FORWARD -m conntrack --ctstate DNAT -j ACCEPT

### Client vpnlan
[Peer]
PublicKey = <OMIT>
PresharedKey = <OMIT>
AllowedIPs = 10.0.4.0/24,10.10.20.0/24,172.16.1.0/24

### Client phone
[Peer]
PublicKey = <OMIT>
PresharedKey = <OMIT>
AllowedIPs = 10.10.20.2/32

VPS with Wireguard Ping Test:

root@racknerd-40ea50:/etc/wireguard# ping 172.16.1.1
PING 172.16.1.1 (172.16.1.1) 56(84) bytes of data.
64 bytes from 172.16.1.1: icmp_seq=1 ttl=64 time=15.1 ms
64 bytes from 172.16.1.1: icmp_seq=2 ttl=64 time=15.5 ms
^Z
[2]+  Stopped                 ping 172.16.1.1
root@racknerd-40ea50:/etc/wireguard# ping 10.0.4.1
PING 10.0.4.1 (10.0.4.1) 56(84) bytes of data.
64 bytes from 10.0.4.1: icmp_seq=1 ttl=64 time=14.9 ms
64 bytes from 10.0.4.1: icmp_seq=2 ttl=64 time=15.4 ms
^Z
[3]+  Stopped                 ping 10.0.4.1
root@racknerd-40ea50:/etc/wireguard# ping 172.16.1.225
PING 172.16.1.225 (172.16.1.225) 56(84) bytes of data.
64 bytes from 172.16.1.225: icmp_seq=1 ttl=63 time=17.3 ms
64 bytes from 172.16.1.225: icmp_seq=2 ttl=63 time=15.5 ms
^Z
[4]+  Stopped                 ping 172.16.1.225
root@racknerd-40ea50:/etc/wireguard#

This setup used to work but it does not anymore. I just get the UNREPLIED response from above. Very frustrating.

Would trying a different VPS provider potentially fix the issue?

Solution:

PostUp = iptables -t nat -A POSTROUTING -o wg0 -p tcp --dport 443 -d 10.0.4.246 -j SNAT --to-source 10.10.20.1
PostUp = iptables -t nat -A POSTROUTING -o wg0 -p tcp --dport 25565 -d 172.16.1.225 -j SNAT --to-source 10.10.20.1

PostDown = iptables -t nat -D POSTROUTING -o wg0 -p tcp --dport 443 -d 10.0.4.246 -j SNAT --to-source 10.10.20.1
PostDown = iptables -t nat -D POSTROUTING -o wg0 -p tcp --dport 25565 -d 172.16.1.225 -j SNAT --to-source 10.10.20.1
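The conntrack entries in the first post and the SNAT rules in the solution are two halves of the same picture: a `[UNREPLIED]` entry whose reply tuple's source is not the address the client dialled is a DNAT'd flow for which the hub never saw a SYN-ACK, and pairing the DNAT with an SNAT to the tunnel address is the usual way to make the forwarded host's replies come back through the tunnel instead of its own default gateway. The script below is an added example, not part of the thread: it parses `conntrack -L` lines (with or without the `tcp 6 <timeout>` prefix that the raw command prints), classifies each flow, and, for DNAT'd unreplied flows, prints the SNAT rule in the same shape as the solution post. The sample lines are constructed; the public addresses in them are RFC 5737 documentation placeholders, and the tunnel interface and address (`wg0`, `10.10.20.1`) are taken from the thread.

```python
"""Classify `conntrack -L` entries to spot port-forwarded flows whose replies
never return through the WireGuard hub, and suggest the matching SNAT rule.

Added example (not from the thread). Sample input is constructed to mirror
the thread's output; 203.0.113.10 / 198.51.100.5 are documentation addresses.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample. The first two lines carry the "tcp 6 <timeout>" prefix a
# raw `conntrack -L` prints; the third omits it, as the lines in the thread do.
SAMPLE = """\
tcp      6 119 SYN_SENT src=10.0.4.246 dst=172.16.1.225 sport=45778 dport=80 [UNREPLIED] src=172.16.1.225 dst=10.0.4.246 sport=80 dport=45778 mark=0 use=1
tcp      6 118 SYN_SENT src=203.0.113.10 dst=198.51.100.5 sport=60572 dport=443 [UNREPLIED] src=10.0.4.246 dst=203.0.113.10 sport=443 dport=60572 mark=0 use=1
ESTABLISHED src=203.0.113.10 dst=198.51.100.5 sport=50000 dport=25565 src=172.16.1.225 dst=203.0.113.10 sport=25565 dport=50000 [ASSURED] mark=0 use=1
"""

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")
HEAD_RE = re.compile(r"^(?:(?P<proto>[a-z]+)\s+\d+\s+\d+\s+)?(?P<state>[A-Z_]+)\s+src=")


@dataclass
class Flow:
    proto: str
    state: str
    orig: tuple      # (src, dst, sport, dport) as the client sent it
    reply: tuple     # (src, dst, sport, dport) conntrack expects on the way back
    unreplied: bool  # True when the entry carries [UNREPLIED]


def parse_conntrack(text: str) -> list:
    """Parse the TCP/UDP entries of `conntrack -L` output into Flow objects."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        head = HEAD_RE.match(line)
        tuples = TUPLE_RE.findall(line)
        if head is None or len(tuples) != 2:
            continue  # blank line or an entry type (e.g. ICMP) we do not read
        orig = (tuples[0][0], tuples[0][1], int(tuples[0][2]), int(tuples[0][3]))
        reply = (tuples[1][0], tuples[1][1], int(tuples[1][2]), int(tuples[1][3]))
        # Lines without the proto prefix are assumed to be TCP, as in the thread.
        flows.append(Flow(head["proto"] or "tcp", head["state"], orig, reply,
                          "[UNREPLIED]" in line))
    return flows


def classify(flow: Flow) -> str:
    """'replied', 'unreplied' (target silent/filtered) or 'dnat-unreplied'."""
    if not flow.unreplied:
        return "replied"
    # After DNAT, conntrack expects the reply *from* the internal host, so the
    # reply tuple's source differs from the destination the client dialled.
    dnatted = flow.reply[0] != flow.orig[1]
    return "dnat-unreplied" if dnatted else "unreplied"


def snat_fix(flow: Flow, tun_if: str, tun_addr: str) -> Optional[str]:
    """Return the POSTROUTING SNAT rule that pins replies to the tunnel, or None."""
    if classify(flow) != "dnat-unreplied":
        return None
    host, port = flow.reply[0], flow.reply[2]  # post-DNAT destination host:port
    return (f"iptables -t nat -A POSTROUTING -o {tun_if} -p {flow.proto} "
            f"--dport {port} -d {host} -j SNAT --to-source {tun_addr}")


def report(text: str, tun_if: str, tun_addr: str) -> list:
    """(Flow, verdict, suggested rule or None) for every parsed entry."""
    return [(f, classify(f), snat_fix(f, tun_if, tun_addr)) for f in parse_conntrack(text)]


if __name__ == "__main__":
    for flow, verdict, fix in report(SAMPLE, "wg0", "10.10.20.1"):
        print(f"{flow.state:<12} {flow.orig[0]}:{flow.orig[2]} -> "
              f"{flow.orig[1]}:{flow.orig[3]}  [{verdict}]")
        if fix:
            print("   suggested:", fix)
```

Run it against `conntrack -L | grep UNREPLIED` on the hub: entries classified `dnat-unreplied` are the ones where the forwarded host's answer is leaving by another path, and the printed rule (plus its `-D` counterpart in `PostDown`) is the shape the solution post uses; entries that are merely `unreplied` point at the target itself not answering rather than at routing.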
