[SOLVED] Cloudflare wireguard no handshake


First time setting up wireguard,

Openwrt = OpenWrt 22.03.0-rc5 r19523-bfd070e7fa
Device = Ubiquiti EdgeRouter X

Configuration =

  1. Using Cloudflare zero trust account

Warp+ client on windows is okay
Warp+ client on emulated android device is okay

  2. Using Cloudflare basic account configuration generated by wgcf script from github

Wireguard client on windows is okay

  3. Using Cloudflare zero trust account configuration extracted from android device

Warp+ client on android device is okay
Wireguard client on windows is not okay, no handshake
Wireguard client on openwrt is not okay, no handshake

Wireguard config from /etc/config/network

config interface 'cloudflare'
        option proto 'wireguard'
        option private_key 'removed'
        option peerdns '0'
        list addresses '172.16.0.2'
        list dns '1.1.1.1'

config wireguard_cloudflare
        option description 'cloudflare'
        option public_key 'bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo='
        list allowed_ips '0.0.0.0/0'
        option endpoint_host '162.159.193.1'
        option persistent_keepalive '25'
        option endpoint_port '4500'

Route Allowed IPs is disabled at the moment of typing, otherwise I get no internet from ISP.

Is this a firewall problem? I tried changing endpoint_port (2408, 1701, 500), route allowed IPs (0/1). IPv6 isn't supplied by ISP

I was gonna ask if this works...so I have no advice...

I've tried so many generation scripts that claim to work.

Also, is ZeroTrust the same product as Warp(+)?

Did you try to generate from a paid Warp+ account?

To all: it should be noted that CloudFlare notes that their product is Wireguard-based.

wgcf free account works on wireguard windows client, I assume it will work on openwrt wireguard client as well

ZeroTrust is warp teams, did not research the differences between warp+ and zerotrust, but zerotrust is higher tier service so they might be similar.

I followed these sources openwrt wireguard cloudflare and the included source in video

I will remove the links if they are against forum rules

  • Did you try the key and IP issued from that client?
  • If it works, I would use the code/links/API in that software

I understand there's a proprietary API that makes this work, people are merely "hacking" it and releasing their code - so it changes over time by CloudFlare.

Yes, I tried mixing the keys and IPs between wgcf and code extracted from android emulator.

Does not work, maybe problem in peer ip address or interface private key, however it is puzzling, why official clients connect just fine

wgcf free account tested on wireguard windows client

That config file is all you need.

  • Did you try pinging from the router command line an IP with the SRC 172.16.0.2?
  • Did you actually setup any VPN setup/routing/rules for devices/network after installing Wireguard, config, etc.?

These are the differences between zerotrust extracted config and wgcf config

As seen from the wireguard client, no RX packets, same happens on openwrt wireguard

Pinging the requested IP address from router:

 OpenWrt 22.03.0-rc5, r19523-bfd070e7fa
 -----------------------------------------------------
root@EdgeRouter-X:~# ping 162.159.193.1
PING 162.159.193.1 (162.159.193.1): 56 data bytes
64 bytes from 162.159.193.1: seq=0 ttl=248 time=5.279 ms
64 bytes from 162.159.193.1: seq=1 ttl=248 time=4.334 ms
64 bytes from 162.159.193.1: seq=2 ttl=248 time=5.484 ms
64 bytes from 162.159.193.1: seq=3 ttl=248 time=4.436 ms
64 bytes from 162.159.193.1: seq=4 ttl=248 time=4.367 ms
64 bytes from 162.159.193.1: seq=5 ttl=248 time=7.282 ms
64 bytes from 162.159.193.1: seq=6 ttl=248 time=6.022 ms
64 bytes from 162.159.193.1: seq=7 ttl=248 time=4.440 ms
64 bytes from 162.159.193.1: seq=8 ttl=248 time=7.499 ms
64 bytes from 162.159.193.1: seq=9 ttl=248 time=5.842 ms
64 bytes from 162.159.193.1: seq=10 ttl=248 time=4.354 ms
^C
--- 162.159.193.1 ping statistics ---
11 packets transmitted, 11 packets received, 0% packet loss
round-trip min/avg/max = 4.334/5.394/7.499 ms
root@EdgeRouter-X:~# ping 172.16.0.2
PING 172.16.0.2 (172.16.0.2): 56 data bytes
64 bytes from 172.16.0.2: seq=0 ttl=64 time=0.501 ms
64 bytes from 172.16.0.2: seq=1 ttl=64 time=0.331 ms
64 bytes from 172.16.0.2: seq=2 ttl=64 time=0.321 ms
64 bytes from 172.16.0.2: seq=3 ttl=64 time=0.343 ms
64 bytes from 172.16.0.2: seq=4 ttl=64 time=0.328 ms
64 bytes from 172.16.0.2: seq=5 ttl=64 time=0.351 ms
64 bytes from 172.16.0.2: seq=6 ttl=64 time=0.326 ms
64 bytes from 172.16.0.2: seq=7 ttl=64 time=0.348 ms
^C
--- 172.16.0.2 ping statistics ---
8 packets transmitted, 8 packets received, 0% packet loss
round-trip min/avg/max = 0.321/0.356/0.501 ms
root@EdgeRouter-X:~#
  • Did you actually setup any VPN setup/routing/rules for devices/network after installing Wireguard, config, etc.?

I did not do anything else that was not in the tutorial I linked before, might that be the problem?
Still don't understand why wgcf credentials work just fine, zerotrust do not.

It was indeed one more possibility that I did not try before:

editing the zerotrust configuration to use wgcf endpoint IP, now I get warp plus status.

162.159.193.1:0 to engage.cloudflareclient.com:2408

Problem solved.


If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.


Hi, I have the same problem here. Even changing the endpoint to engage.cloudflareclient.com:2408 is not working. But wireguard client on android working well with the config. But not openwrt and windows client. Any help?

In that case check the following:

Interface public key is not the same as peer public key.

Try changing the port from 2048 to the alternative ports specified in guide.

Make sure you copy full credentials, including the symbol "=" at the end.

If these do not help, log out from warp teams account using android emulator and start from beginning, new credentials will be generated.


I would try these steps:

Use wgcf, generate the free account, use the credentials on wireguard windows client to check if it connects and you have internet. If this works, continue to warp teams.

Set up warp teams, use android emulator to gather credentials, fill them in wireguard windows client, however for endpoint use wgcf endpoint. If it connects, transfer this to openwrt config.

Also, whenever making changes to openwrt wireguard config, what helped me was

  1. Restarting wireguard interface
  2. Going to services and restart network and firewall

Without these it took some time for openwrt wireguard client to process the information
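A quick check for the "no handshake" symptom discussed in this thread, added here as an example and not code from the thread: it parses the tab-separated output of `wg show <iface> latest-handshakes` (one `pubkey<TAB>epoch` line per peer, 0 meaning no handshake ever) and flags peers that never completed a handshake or whose last one is older than a threshold. The interface name `cloudflare` comes from the config above; the sample output and timestamps are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies WireGuard peers from the
# output of `wg show <iface> latest-handshakes` (busybox-compatible, no bashisms).
#
# handshake_status <now-epoch> <max-age-seconds> "<latest-handshakes output>"
# Prints one line per peer (OK / STALE / NONE) and returns 0 only if every
# peer completed a handshake within max-age. A peer stuck at 0 is the symptom
# in this thread: wrong endpoint/port, a mismatched key, or blocked UDP.
handshake_status() {
    printf '%s\n' "$3" | awk -v now="$1" -v max_age="$2" -F'\t' '
        NF < 2 || $1 == "" { next }
        $2 == 0            { print $1 " NONE  (never completed a handshake)"; bad++; next }
        now - $2 > max_age { print $1 " STALE (" now - $2 "s ago)"; bad++; next }
                           { print $1 " OK    (" now - $2 "s ago)" }
        END { exit bad > 0 }'
}

# Live check on the router: WireGuard rekeys roughly every two minutes, so
# 180 s is a conservative default when persistent_keepalive is 25.
# check_iface <iface> [max-age-seconds]
check_iface() {
    handshake_status "$(date +%s)" "${2:-180}" "$(wg show "$1" latest-handshakes)"
}

# Constructed sample: one healthy peer and one that never handshook.
SAMPLE="$(printf 'peerA_pubkey=\t1699999950\npeerB_pubkey=\t0')"

# Demo against the constructed sample (exits 1 because peerB has no handshake).
demo() {
    handshake_status 1700000000 180 "$SAMPLE"
}
```

On the router itself, `check_iface cloudflare` is the call that matters; a non-zero exit with a NONE line is the thread's failure mode, while STALE suggests the tunnel came up once and then lost its endpoint.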

Thanks a lot. I'll try to get it working
