[Solved] OpenWRT 21.02.3 WireGuard handshake won't finish properly

Hi,
I'm using OpenWRT 21.02.3 r16554 on a Xiaomi Mi Router 4A Gigabit Edition with wireguard-tools version 1.0.20210223-2.

My intention is to use it as an access point, routing all traffic through my WireGuard VPN tunnel in the Netherlands.

My problem now is that I seem to have a misconfiguration or some other kind of routing problem.

I installed a fresh Debian 11 instance with WireGuard (which I have done before in the past).
I can connect to this WireGuard server with my MacBook, my Windows computer and my Android phone, and the tunnel handshake works and gets completed.
I can browse the internet through that tunnel without any issues.

But if I put the settings into OpenWrt, I get TX data but absolutely no RX data, so the handshake fails to work. On the WireGuard server in the Linux VM, I see that the server is receiving data from the OpenWrt client and is also sending handshake information and trying to establish a connection.
But it seems OpenWrt won't receive the RX data.

So far so good, and understandable if there is a routing problem or a misconfiguration.
But now I tested it with my anonymizer VPN credentials from mullvad.net - I only exchanged the private key, the public key, the list addresses and the endpoint_host/port, all other information stayed the same! - and with those credentials it worked just fine!

But if I switch back to my own WireGuard server (which is working with the same credentials on Windows, macOS, Android etc.), OpenWrt again does not receive any RX data.

Please help me :smiley:

Configs:

Configuration with my own WireGuard server (not working, but working with the same credentials on other devices):

root@OpenWrt:~# cat /etc/config/network 

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd66:de80:850e::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '8.8.8.8'
	list dns '8.8.4.4'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'wg0'
	option proto 'wireguard'
	option peerdns '0'
	list dns '8.8.8.8'
	list dns '8.8.4.4'
	option private_key 'KMhWxxxxxxxxxxxxxxxxxxxxxxxx1xNL9HE8='
	list addresses '10.252.1.2/32'

config wireguard_wg0
	option description 'senku'
	list allowed_ips '0.0.0.0/0'
	option endpoint_port '51820'
	option persistent_keepalive '15'
	option route_allowed_ips '1'
	option public_key 'a2VxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxABEI='
	option endpoint_host '104.xxx.xxx.160'

Configuration with my Mullvad WireGuard credentials (working):

root@OpenWrt:/etc/config# cat network 

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd66:de80:850e::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '8.8.8.8'
	list dns '8.8.4.4'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'wg0'
	option proto 'wireguard'
	option peerdns '0'
	list dns '8.8.8.8'
	list dns '8.8.4.4'
	option private_key 'iGzquxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx4FFo='
	list addresses '10.65.0.35/32'

config wireguard_wg0
	option description 'mullvad'
	list allowed_ips '0.0.0.0/0'
	option endpoint_port '51820'
	option persistent_keepalive '15'
	option route_allowed_ips '1'
	option public_key '08lMxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxWCrVg='
	option endpoint_host '92.xxx.xxx.165'

Firewall Configuration:

root@OpenWrt:/etc/config# cat /etc/config/firewall 

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config zone
	option name 'vpn'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list network 'wg0'
	option input 'REJECT'

config forwarding
	option src 'lan'
	option dest 'vpn'

Is the OpenWrt device acting as the 'server' peer or 'client' peer in this situation?
Let's see the configuration from the other side.

The OpenWRT device should act as the client.

Configuration of the WireGuard instance on Debian 11:

nade@senku:/etc/wireguard# cat wg0.conf

[Interface]
Address = 10.252.1.0/24
ListenPort = 51820
PrivateKey = qNxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx69nc=
MTU = 1450
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# ID:           ccxxxxxxxxxxxxxxxxxx70
# Name:         xiaomi
# Created at:   2022-08-28 13:47:28.923813175 +0000 UTC
# Update at:    2022-08-28 13:47:28.923813175 +0000 UTC
[Peer]
PublicKey = Nzjj6RxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxHg/7Gk=
PresharedKey = lUbuxxxxxxxxxxxxxxxxxxxxxxxxxxxWqM=
AllowedIPs = 10.252.1.2/32

This address is wrong. It should be 10.252.1.1/24.

You have a preshared key on the Debian side, but you don't have the PSK on the OpenWrt side, so it makes sense that the handshake doesn't happen.

Thanks!
OpenWRT said the preshared key is only optional, that's why I thought it is and didn't set it up.

Although I also tested it with the preshared key without success earlier.

I now changed "Address = 10.252.1.0/24" to "Address = 10.252.1.1/24"
and set up the preshared key, and got a successful handshake!

So it's working fine now!
Thanks!

Also, I still do not understand why the connection worked fine on my Windows machine, Mac and Android phone with the old "Address = 10.252.1.0/24" setting.

Regards

Windows may be more tolerant of an incorrect address. With a /24, the .0 address refers to the network, and it is invalid as a host address. OpenWrt probably wasn't happy getting packets from this (invalid) address.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.


The PSK is optional in general, but if it is present on one peer, it must also be on the other. Otherwise you will not get a handshake.

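The two mismatches the replies above point at (a preshared key configured on only one peer, and a server Address that is the network address of its /24) can be caught by comparing both sides' configs before touching routing or firewall rules. This is an added example, not code from the thread: the parsers cover only the key/value shapes shown in this thread, the sample configs are constructed with placeholder keys, and the peer matching assumes one peer on each side.

```python
import ipaddress

# Constructed samples mirroring the thread's server side and OpenWrt peer (placeholder keys).
SERVER_CONF = """[Interface]
Address = 10.252.1.0/24
[Peer]
PublicKey = CLIENT_PUBKEY_PLACEHOLDER=
PresharedKey = PSK_PLACEHOLDER=
AllowedIPs = 10.252.1.2/32
"""
CLIENT_UCI = """config interface 'wg0'
config wireguard_wg0
    option public_key 'SERVER_PUBKEY_PLACEHOLDER='
"""

def parse_wg_quick(text):
    """Parse a wg-quick file into {'Interface': {...}, 'Peer': [{...}]}; '#' comments are dropped."""
    conf = {"Interface": {}, "Peer": []}
    sect = conf["Interface"]  # keys before the first [Peer] belong to [Interface]
    for line in (l.split("#", 1)[0].strip() for l in text.splitlines()):
        if line == "[Peer]":
            conf["Peer"].append(sect := {})
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            sect[key] = value
    return conf

def parse_uci_peers(text):
    """Collect every 'config wireguard_*' section of a UCI network file as {key: [values]}."""
    peers, cur = [], None
    for raw in text.splitlines():
        parts = raw.split(None, 2)
        if len(parts) >= 2 and parts[0] == "config":
            cur = {} if parts[1].startswith("wireguard_") else None
            peers += [] if cur is None else [cur]
        elif len(parts) == 3 and cur is not None and parts[0] in ("option", "list"):
            cur.setdefault(parts[1], []).append(parts[2].strip().strip("'"))
    return peers

def check_pair(server_text, uci_text):
    """Return the config mismatches to rule out before suspecting routing or the firewall."""
    findings = []
    srv, peers = parse_wg_quick(server_text), parse_uci_peers(uci_text)
    iface = ipaddress.ip_interface(srv["Interface"]["Address"])
    # The .0 host of a /24 (any prefix shorter than /31) is the network address, not a host.
    if iface.network.num_addresses > 2 and iface.ip == iface.network.network_address:
        findings.append(f"server Address {iface} is the network address, not a host address")
    for sp, cp in zip(srv["Peer"], peers):  # assumes one peer per side, as in the thread
        if ("PresharedKey" in sp) != ("preshared_key" in cp):
            findings.append("preshared key present on only one peer, so the handshake cannot complete")
    return findings
```

Calling check_pair(SERVER_CONF, CLIENT_UCI) reports both problems from this thread; with the server Address changed to 10.252.1.1/24 and option preshared_key added on the OpenWrt peer it reports nothing.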

Got it! Thanks :slight_smile:

Also thanks for the pretty fast help and solution!
