[Solved] Wireguard not opening websites

Hi all

It's been a while I'm trying to switch to wireguard from openvpn.
I'm using wireguard on Android and Windows with my private server and everything works perfectly well.

However, using openwrt 18 (and before that on Lede 17 snapshot) on Raspberry pi, I've noticed that once I connect to wireguard certain websites (such as Twitter and Deezer) open extreeeemly slowly, and 90% of the time fail to load at all.

I tried every option on DNS, but it seems my issues are not related to that. Pings to these servers have very high packet losses as well.

Please note: switching protocol to openvpn on very same server, dns and network config solves the issues immediately

Also, If I connect with wireguard on my Android or Windows directly (again using very same wireguard server and config) everything works smoothly

I really just can't figure out what I'm exactly doing wrong. (or maybe it's just a bug on wireguard module?)

Any help will be highly appreciated

Thanks

Where are you experiencing the issue, then???

What do you mean by the phrase "connecting directly?"

I'm trying to say that my wireguard server or config work fine when connecting from other devices.

The problem occurs when I connect to wireguard on openwrt. (I tried both luci wireguard proto web interface and also manual "wg" through ssh. Both result to the same issue)

  • What is that "same issue???
  • Are you saying that the OpenWrt device is the server, or that it's just another client in this setup?
  • If it is a client, where is the server?
  • Please show the commands and/or /etc/config/network file in your OpenWrt

Well you obviously haven't read the issue description at all.

Server: some private centos server having openvpn and wireguard servers installed on.
Openwrt, Android or Windows: clients having wireguard and openvpn clients installed on them for tunneling to server
Problem: Only (and only) when connecting openwrt to server with wireguard (openwrt is wireguard client) some websites don't load correctly and connections to them seem unstable. I can confirm that server is ok is since I don't see the problem when connecting to server by other means or devices

Openwrt wireguard config:

config interface 'Wireguard'
	option dns '8.8.8.8'
	option metric '1'
	option proto 'wireguard'
	list addresses '10.3.0.231'
	option delegate '0'
	option private_key 'some key'
	option mtu '1420'
	option auto '1'

config wireguard_Wireguard
	option public_key 'some other key'
	option route_allowed_ips '1'
	option endpoint_port '11235'
	option persistent_keepalive '25'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host 'myhost.dns.name'

Have you created a firewall zone for this connection?

Yes: I've created a zone called VPN and put both openvpn and wireguard in the same zone.

If I enable openvpn it correctly routes all the traffic through the tunnel.
If I enable wireguard, it also correctly routes all the traffic for "most websites", but for only "some" (twitter.com, deezer.com, etc) websites fail to load completely (or even at all). For the websites that don't have this problem, traffic routes through wireguard tunnel smoothly

/etc/config/firewall:
(notes: Cable: connection to internet - Wifi: Internal Lan - VPN: openvpn (VPN) and wireguard)

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option name 'Wifi'
        option network 'Wifi'

config zone
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option name 'Cable'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option network 'Cable'

config rule
        option name 'Allow-DHCP-Renew'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'
        option src 'Cable'

config rule
        option name 'Allow-Ping'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
        option src 'Cable'

config rule
        option name 'Allow-IGMP'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'
        option src 'Cable'

config rule
        option name 'Allow-DHCPv6'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'
        option src 'Cable'

config rule
        option name 'Allow-MLD'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'
        option src 'Cable'

config rule
        option name 'Allow-ICMPv6-Input'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option src 'Cable'

config rule
        option name 'Allow-ICMPv6-Forward'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option src 'Cable'

config rule
        option name 'Allow-IPSec-ESP'
        option proto 'esp'
        option target 'ACCEPT'
        option dest 'Wifi'
        option src 'Cable'

config rule
        option name 'Allow-ISAKMP'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option dest 'Wifi'
        option src 'Cable'

config include
        option path '/etc/firewall.user'

config forwarding
        option dest 'Cable'
        option src 'Wifi'

config forwarding
        option dest 'Wifi'
        option src 'Cable'

config zone
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option name 'VPN'
        option masq '1'
        option network 'VPN Wireguard Ws Wireguardd'

config forwarding
        option dest 'Cable'
        option src 'VPN'

config forwarding
        option dest 'Wifi'
        option src 'VPN'

config forwarding
        option dest 'VPN'
        option src 'Wifi'

config include 'shadowsocks_libev'
        option type 'script'
        option path '/usr/share/shadowsocks-libev/firewall.include'
        option reload '1'

config zone
        option name 'root'
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option network ' '

this is my setup:

solved by enabling MSS clamping in firewall

2 Likes

If you're using Wireguard, then you should ask the VPN provider.


I did read; but glad you got it working on your own, though.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.