[SOLVED] First Wireguard setup : no handshake

Hi.

I'm fairly new to OpenWrt but I've been blown away by the amount of flexibility it gives vs your usual router firmware. Congrats on all who contributes to this phenomenal project!

My goal is to setup wireguard on my router to access my home network while I'm away. My OpenWrt router (Archer C7) is connected to my modem (SageMCom) for internet access.

I have gone through the server setup as explained by the OpenWrt docs. I also followed this discussion ("Wireguard Handshake did not complete - 22.03.1") and tried to apply everything mentioned in there as well.
My problem is that the handshake never completes on my android phone using the wireguard app as seen in the logs the app provides.
.. sending handshake initiation
... Handshake did not complete after 5 seconds
repeat...

Here are my settings:

Network:


config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	list network 'lan'
	list network 'wg0'
	option forward 'ACCEPT'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding 'lan_wan'
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'MAG-DHCP+DNS LAN_Kids'
	option src 'LAN_Kids'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config rule
	option name 'MAG-DHCP+DNS IOT NoTrust'
	option src 'IOT_NoTrust'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config rule
	option name 'MAG-DHCP+DNS Guest'
	option src 'GuestZone'
	option dest_port '53 67 68'
	option target 'ACCEPT'

<some personal rules for the kids interface excluded here>

config include
	option enabled '0'
	option type 'script'
	option path '/etc/firewall.user'
	option fw4_compatible '1'

config zone
	option name 'GuestZone'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	list network 'Guest'

config zone
	option name 'LAN_Kids'
	option output 'ACCEPT'
	list network 'LAN_Kids'
	option forward 'ACCEPT'
	option input 'ACCEPT'

config zone
	option name 'IOT_NoTrust'
	option output 'ACCEPT'
	list network 'IOT_NoTrust'
	option forward 'ACCEPT'
	option input 'ACCEPT'

config forwarding
	option src 'GuestZone'
	option dest 'wan'

config forwarding
	option src 'LAN_Kids'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'LAN_Kids'

config forwarding
	option dest 'IOT_NoTrust'

config forwarding
	option src 'lan'

config forwarding
	option dest 'IOT_NoTrust'

config forwarding
	option src 'lan'

config forwarding
	option src 'lan'
	option dest 'IOT_NoTrust'

config forwarding
	option src 'IOT_NoTrust'
	option dest 'lan'

config forwarding
	option src 'IOT_NoTrust'
	option dest 'wan'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'Wireguard'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'

config forwarding
	option src 'Wireguard'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'Wireguard'


Firewall:


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fda1:9f5c:8061::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option description 'LAN'
	option ports '0t 2 3'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '6t 1'
	option vid '2'
	option description 'WAN'

config interface 'Guest'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '10.20.1.1'
	option device 'br-guest'

config interface 'IOT_NoTrust'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '10.66.1.1'

config interface 'LAN_Kids'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '10.10.1.1'
	option device 'br-lan_kids'

config device
	option name 'wlan0-1'

config device
	option name 'wlan0'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 5'
	option vid '14'
	option description 'LAN_Kids #4'

config device
	option type 'bridge'
	option name 'br-lan_kids'
	list ports 'eth1.14'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '0t 4'
	option vid '13'
	option description 'Guest #3'

config device
	option type 'bridge'
	option name 'br-guest'
	list ports 'eth1.13'

config route 'lan_to_kids'
	option target '10.10.1.0'
	option netmask '255.255.255.0'
	option gateway '10.10.1.1'
	option interface 'lan'

config route
	option interface 'lan'
	option target '10.66.1.0/24'
	option gateway '10.66.1.1'

config route 'kids_to_lan_to_kids'
	option target '192.168.1.0'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	option interface 'LAN_Kids'

config interface 'wg0'
	option proto 'wireguard'
	option private_key '***********************'
	list addresses '192.168.9.1/24'
	list addresses 'fd00:9::1/64'
	option listen_port '51820'

config wireguard_wg0 'wgclient'
	option public_key '***************************'
	option preshared_key '***************************'
	list allowed_ips '192.168.9.2/32'
	list allowed_ips 'fd00:9::2/128'
	option route_allowed_ips '1'
	option persistent_keepalive '25'


My setup on the phone looks like this:

=====================
INTERFACE:
=====================
Public Key:
'***************************'

Addresses
192.168.9.2/32

DNS Servers:
<my ISP internet ip>

=====================
PEER
=====================
Public Key
'***************************'

Pre-shared key:
Enabled

Allowed IPs
0.0.0.0/0, ::/0

Endpoint:
192.168.2.10:51820

Any help is much appreciated.

This is wrong, but won't affect the initial handshake process.

This is probably the source of your problem... this doesn't point to the correct address...
if you connect from your lan while on wifi (as a test only), you can use 192.168.1.1:51820 as the endpoint address. If you're connecting from the cellular network, you need to put the public IP or domain name that points to the wan address of your OpenWrt router.

1 Like

Thanks for the quick reply!

By "my ISP internet IP" what I really meant was my external ip address as seen with tools such as ipleak.net. Maybe you interpreted as "the IP address of my service provider"? Sorry if I wasn't clear.

I am trying with my cellular network only (wifi turned off) as a real means of testing remote access.
I did change the endpoint to be my "public IP" address in the wireguard app but I still get handshake timeouts.

Hi

maybe you are behind CGNAT or similar ...
please try this URL
https://api4.my-ip.io/ip
and compare with WAN interface of your router to be sure that you have "real" pub ip

1 Like

But that is still not what should be under the DNS server field of your phone's WG config. Again, that won't cause a problem with the handshake, though.

But the address you have here is (theoretically) the address that should be in the endpoint field.

We do need to verify that you are not behind CG-NAT... Please take a look at your OpenWrt router's upstream network address (you'll see it in the main status page of the LuCI web interface). Let us know what the first two octets are (in bold: aaa.bbb.ccc.ddd).

The info I see in LUCI Status -> Overview under the Network / IPV4 Upstream is as follows:

IPv4 Upstream

Protocol: DHCP client
Address: 192.168.2.10/24
Gateway: 192.168.2.1
DNS 1: 192.168.2.1
DNS 2: 96.1xx.xxx.xx

@NPeca75 : The address I get with https://api4.my-ip.io/ip is indeed my public address.

So I presume the 192.168 (local address) indicates the CGNAT case? (not that I have the slightest idea what that means).

Hi, you are behind NAT; in this condition WG cannot act as a server :frowning:

Is there a router ahead of your openwrt router? Do you control it? Can you configure port forwarding?

1 Like
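The diagnosis in this thread boils down to three comparisons: the router's WAN address against the address the Internet sees, the phone's endpoint against that public address, and the port the phone targets against the port wg0 listens on and the firewall opens. The script below, an added example that is not part of the thread or of OpenWrt, automates those checks on pasted UCI text. The UCI snippets, the WAN address 192.168.2.10/24 and the public address 203.0.113.45 are constructed sample values; the "cgnat" verdict uses the RFC 6598 shared range 100.64.0.0/10, which is a general rule rather than something taken from the thread.

```python
"""Classify a WireGuard 'no handshake' case: is the OpenWrt router directly on
the Internet, behind another router (double NAT), or behind carrier-grade NAT?
Added example, not OpenWrt's own code; all inputs below are constructed."""
import ipaddress
import re

# RFC 6598 shared address space: used by ISPs for carrier-grade NAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")

# Constructed UCI fragments in the shape of /etc/config/network and /etc/config/firewall.
NETWORK = """
config interface 'wg0'
    option proto 'wireguard'
    list addresses '192.168.9.1/24'
    option listen_port '51820'
"""
FIREWALL = """
config rule 'wg'
    option name 'Allow-WireGuard'
    option src 'wan'
    option dest_port '51820'
    option proto 'udp'
    option target 'ACCEPT'
"""


def uci_option(config_text, section_header, option):
    """Return the value of `option` inside the first UCI section whose header
    line equals `section_header` (e.g. "config interface 'wg0'"), else None."""
    in_section = False
    for line in config_text.splitlines():
        s = line.strip()
        if s.startswith("config "):
            in_section = (s == section_header)
        elif in_section:
            m = re.match(r"(option|list)\s+(\S+)\s+'([^']*)'", s)
            if m and m.group(2) == option:
                return m.group(3)
    return None


def classify_upstream(wan_addr, public_ip):
    """wan_addr: address on the router's WAN interface (prefix length optional).
    public_ip: what an external 'what is my IP' service reports."""
    wan = ipaddress.ip_interface(wan_addr).ip
    pub = ipaddress.ip_address(public_ip)
    if wan == pub:
        return "direct"       # the router itself holds the public address
    if wan in CGNAT:
        return "cgnat"        # ISP-side NAT: no port forward is possible
    if wan.is_private:
        return "double-nat"   # another router/modem in front; forward the port there
    return "unknown"


def diagnose(network, firewall, wan_addr, public_ip, phone_endpoint):
    """Return a list of findings explaining why the handshake may not complete."""
    findings = []
    listen_port = uci_option(network, "config interface 'wg0'", "listen_port")
    fw_port = uci_option(firewall, "config rule 'wg'", "dest_port")
    if fw_port != listen_port:
        findings.append(f"firewall opens UDP {fw_port} but wg0 listens on {listen_port}")
    ep_host, ep_port = phone_endpoint.rsplit(":", 1)
    if ep_port != listen_port:
        findings.append(f"phone endpoint port {ep_port} != listen_port {listen_port}")
    try:
        # A literal endpoint address must be the public one; a hostname is not checked here.
        if ipaddress.ip_address(ep_host) != ipaddress.ip_address(public_ip):
            findings.append(f"phone endpoint {ep_host} is not the public address {public_ip}")
    except ValueError:
        pass
    kind = classify_upstream(wan_addr, public_ip)
    if kind == "double-nat":
        findings.append(f"WAN address {wan_addr} is private: forward UDP {listen_port} "
                        f"on the upstream router to the OpenWrt WAN address")
    elif kind == "cgnat":
        findings.append(f"WAN address {wan_addr} is in 100.64.0.0/10 (CGNAT): "
                        f"inbound connections cannot reach this router")
    return findings


if __name__ == "__main__":
    for f in diagnose(NETWORK, FIREWALL, "192.168.2.10/24", "203.0.113.45",
                      "192.168.2.10:51820"):
        print("-", f)
```

With the thread's situation (private WAN address, endpoint set to that private address) the script reports two findings; once the endpoint is corrected, only the double-NAT finding remains, which is exactly the port forward on the modem that resolved the thread.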

Yes it is a SageMCom modem/router. I believe I can do port forwarding on it.
What would be the configuration for this?

Edit:
I went ahead and added a port forward on the modem (UDP, internal and external port 51820) and it passed the handshake!

I was able to connect to a LAN address using only my cellular network, so as far as I know it works.
Thank you so much for helping out, both of you!

@psherman About that DNS value in the wireguard app. What would be the appropriate value?

For the DNS server (as configured on your phone), you can set a public DNS or your own router (192.168.1.1).

Meanwhile...

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

2 Likes

There were various problems with my configuration that @psherman and @NPeca75 pointed out.
1- The endpoint value in the wireguard phone app should have been the public IP address of my internet connection.
2- My setup having a router-modem (SageMCom) between the internet and the OpenWrt router required opening the WireGuard port (51820) on the modem for the UDP messages to go through.

Thanks again for the solution guys.

1 Like

Since you mentioned that, all those static routes should be removed as they are redundant if not detrimental.

2 Likes