[SOLVED] Wireguard not working

Hello,
I set up Wireguard on my OpenWRT and it worked for some days, but now it does not anymore.
I rebooted my Router and I had no Internet access for an hour.

I set it up as here:

I can still connect and it shows my Wireguard connection in LuCIs Wireguard-App, but only some Bytes are transmitted.

I can also not ping any IP in my local network, when connected via Wireguarde as I could before.
I already restarted the Rotuer and the Wireguard Itnerface.

What could be the Issue here?

Thanks.

Hello,
please post here the contents of

/etc/config/network
/etc/config/firewall

as well as the output of commands

ip -4 addr
ip -4 ro
ip -4 ru
1 Like
root@OpenWrt:~# cat /etc/config/network;cat /etc/config/firewall; ip -4 addr;ip -4 ro;ip -4 ru

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda0:53cd:c74f::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option dns '9.9.9.9'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'static'
        option ipaddr '192.168.1.2'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'
        option broadcast '192.168.1.255'
        option dns '9.9.9.9'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'
        option auto '0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0 5t'

config interface 'wg0'
        option proto 'wireguard'
        option listen_port '1234'
        list addresses '192.168.10.1/24'
        option route_allowed_ips '1'
        option private_key 'xxx='

config wireguard_wg0
        option public_key 'xxx='
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option persistent_keepalive '25'
        option description 'Android Handy'

config wireguard_wg0
        option public_key 'xxx='
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option description 'Arbeit'

config wireguard_wg0
        option public_key 'xxx='
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option description 'Laptop Linux'


config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '5001'
        option dest_ip '192.168.2.101'
        option dest_port '5001'
        option name 'DSM_218p'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '5022'
        option dest_ip '192.168.2.101'
        option dest_port '22'
        option name 'SSH_218p'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '5006'
        option dest_ip '192.168.2.101'
        option dest_port '5006'
        option name 'WebDAV_218p'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'udp'
        option src_dport '1195'
        option dest_ip '192.168.2.101'
        option dest_port '1194'
        option name 'OVPN_218p'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option dest_ip '192.168.2.101'
        option name 'Nextcloud_218p'
        option dest_port '8080'
        option src_dport '80'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '5003'
        option dest_port '5001'
        option name 'DockerDSM_218p'
        option dest_ip '192.168.2.109'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '443'
        option dest_port '443'
        option name 'HTTPS_218p'
        option dest_ip '192.168.2.101'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '5002'
        option dest_ip '192.168.2.102'
        option dest_port '5001'
        option name 'DSM_218p_VM'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '6001'
        option dest_ip '192.168.2.103'
        option dest_port '5001'
        option name 'DSM_213j'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '6022'
        option dest_ip '192.168.2.103'
        option dest_port '22'
        option name 'SSH_213j'
        option enabled '0'

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option dest_ip '192.168.2.1'
        option dest_port '22'
        option name 'SSH_OpenWRT'
        option src_dport '1122'

config redirect
        option target 'DNAT'
        option src 'wan'
        option proto 'udp'
        option src_dport '1234'
        option dest_ip '192.168.2.1'
        option dest_port '1234'
        option name 'WireGuard_OpenWRT'
        option dest 'lan'

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp'
        option dest_port '2200'
        option name 'ssh-test'

config rule
        option name 'Allow-OpenVPN-Inbound'
        option target 'ACCEPT'
        option src '*'
        option proto 'udp'
        option dest_port '1194'

config rule
        option name 'Allow-OpenVPN'
        option src 'wan'
        option dest_port '1194'
        option proto 'tcp udp'
        option target 'ACCEPT'

config rule
        option src '*'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '1234'
        option name 'Allow-Wireguard-Inbound'

config zone
        option name 'wg'
        option forward 'REJECT'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option network 'wg0'
        option input 'ACCEPT'

config route
        option interface 'wg0'
        option target '192.168.10.0'
        option netmask '255.255.255.0'

config forwarding
        option src 'wg'
        option dest 'wan'

config forwarding
        option src 'wg'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'wg'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan
       valid_lft forever preferred_lft forever
7: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1
    inet 192.168.10.1/24 brd 192.168.10.255 scope global wg0
       valid_lft forever preferred_lft forever
9: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.2/24 brd 192.168.1.255 scope global eth0.2
       valid_lft forever preferred_lft forever
default via 192.168.1.1 dev eth0.2 proto static
192.168.1.0/24 dev eth0.2 proto kernel scope link src 192.168.1.2
192.168.2.0/24 dev br-lan proto kernel scope link src 192.168.2.1
192.168.10.0/24 dev wg0 proto kernel scope link src 192.168.10.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
config redirect
        option target 'DNAT'
        option src 'wan'
        option proto 'udp'
        option src_dport '1234'
        option dest_ip '192.168.2.1'
        option dest_port '1234'
        option name 'WireGuard_OpenWRT'
        option dest 'lan'

This is not needed, you have a rule to accept udp/1234 on WAN interface.

config zone
        option name 'wg'
        option masq '1'
        option mtu_fix '1'

Remove masq and mtu.

It still doesn't work, when I change that :confused:

Can you ping the wg interface of openwrt?
Can you run a tcpdump on openwrt to verify that packets come and go from the wg?

No, I can not ping the IP of my Wireguard Interface when connected.

I got tcpdump running now, but it cpatured 0 packages.
When im connected via my Smartphone the wg interface says 0 bytes received in ifconfig.

Not being able to ping at least the WG interface IP is serious. I was under the impression from your first post that you can connect, but it looks like not even that is working. Did you run the tcpdump command correctly? tcpdump -i wg0 -v -n
Have you checked that your ISP modem is forwarding correctly the traffic to the Openwrt?
tcpdump -i eth0.2 -v -n udp port 1234

tcpdump -i wg0 -v -n
gives me 0 captured packages.

But the Port seems to be open:

root@OpenWrt:~# tcpdump -i eth0.2 -v -n udp port 1234
tcpdump: listening on eth0.2, link-type EN10MB (Ethernet), capture size 262144 bytes
14:36:44.657144 IP (tos 0x0, ttl 52, id 12297, offset 0, flags [none], proto UDP (17), length 176)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 148
14:36:44.679432 IP (tos 0x88, ttl 64, id 40845, offset 0, flags [none], proto UDP (17), length 120)
    192.168.1.2.1234 > 78.94.46.90.58285: UDP, length 92
14:36:44.724480 IP (tos 0x0, ttl 52, id 12300, offset 0, flags [none], proto UDP (17), length 172)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 144
14:36:44.855467 IP (tos 0x0, ttl 52, id 12305, offset 0, flags [none], proto UDP (17), length 124)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 96
14:36:44.866744 IP (tos 0x0, ttl 52, id 12307, offset 0, flags [none], proto UDP (17), length 124)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 96
14:36:44.914750 IP (tos 0x0, ttl 52, id 12309, offset 0, flags [none], proto UDP (17), length 124)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 96
14:36:44.924972 IP (tos 0x0, ttl 52, id 12315, offset 0, flags [none], proto UDP (17), length 172)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 144
14:36:44.945000 IP (tos 0x0, ttl 52, id 12317, offset 0, flags [none], proto UDP (17), length 124)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 96
14:36:44.950197 IP (tos 0x0, ttl 52, id 12318, offset 0, flags [none], proto UDP (17), length 124)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 96
14:36:44.950448 IP (tos 0x0, ttl 52, id 12319, offset 0, flags [none], proto UDP (17), length 124)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 96
14:36:44.950544 IP (tos 0x0, ttl 52, id 12320, offset 0, flags [none], proto UDP (17), length 124)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 96
14:36:44.950594 IP (tos 0x0, ttl 52, id 12321, offset 0, flags [none], proto UDP (17), length 124)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 96
14:36:44.950639 IP (tos 0x0, ttl 52, id 12322, offset 0, flags [none], proto UDP (17), length 124)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 96
14:36:44.950685 IP (tos 0x0, ttl 52, id 12323, offset 0, flags [none], proto UDP (17), length 124)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 96
14:36:45.055484 IP (tos 0x0, ttl 52, id 12342, offset 0, flags [none], proto UDP (17), length 124)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 96
14:36:45.075477 IP (tos 0x0, ttl 52, id 12348, offset 0, flags [none], proto UDP (17), length 140)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 112
14:36:45.099999 IP (tos 0x0, ttl 52, id 12353, offset 0, flags [none], proto UDP (17), length 268)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 240
14:36:45.214979 IP (tos 0x0, ttl 52, id 12366, offset 0, flags [none], proto UDP (17), length 172)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 144
14:36:45.298770 IP (tos 0x0, ttl 52, id 12383, offset 0, flags [none], proto UDP (17), length 124)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 96
14:36:45.434016 IP (tos 0x0, ttl 52, id 12413, offset 0, flags [none], proto UDP (17), length 124)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 96
14:36:45.758479 IP (tos 0x0, ttl 52, id 12463, offset 0, flags [none], proto UDP (17), length 172)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 144
14:36:45.795984 IP (tos 0x0, ttl 52, id 12464, offset 0, flags [none], proto UDP (17), length 124)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 96
14:36:46.103258 IP (tos 0x0, ttl 52, id 12505, offset 0, flags [none], proto UDP (17), length 124)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 96
14:36:46.103448 IP (tos 0x0, ttl 52, id 12506, offset 0, flags [none], proto UDP (17), length 124)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 96
14:36:46.103515 IP (tos 0x0, ttl 52, id 12507, offset 0, flags [none], proto UDP (17), length 268)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 240
14:36:46.103565 IP (tos 0x0, ttl 52, id 12508, offset 0, flags [none], proto UDP (17), length 124)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 96
14:36:46.770013 IP (tos 0x0, ttl 52, id 12554, offset 0, flags [none], proto UDP (17), length 124)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 96
14:36:46.770199 IP (tos 0x0, ttl 52, id 12555, offset 0, flags [none], proto UDP (17), length 124)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 96
14:36:46.774499 IP (tos 0x0, ttl 52, id 12556, offset 0, flags [none], proto UDP (17), length 124)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 96
14:36:46.801759 IP (tos 0x0, ttl 52, id 12563, offset 0, flags [none], proto UDP (17), length 124)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 96
14:36:46.813536 IP (tos 0x0, ttl 52, id 12564, offset 0, flags [none], proto UDP (17), length 172)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 144
14:36:46.864784 IP (tos 0x0, ttl 52, id 12577, offset 0, flags [none], proto UDP (17), length 124)
    78.94.46.90.58285 > 192.168.1.2.1234: UDP, length 96
14:36:55.164112 IP (tos 0x0, ttl 64, id 41344, offset 0, flags [none], proto UDP (17), length 60)
    192.168.1.2.1234 > 78.94.46.90.58285: UDP, length 32

It seems open but you should be able to see packets in the capture of wg0 interface. I am not sure why is this happening.
One more thing I noticed, remove the static route for 192.168.10.0/24. You have the wg0 interface in that network so the route exists as directly connected (proto kernel).
Are you pinging an IP or a hostname? Make sure it is an IP v4 so to rule out IPv6.
Last but not least post the firewall configuration in case there is something missing

iptables -L -vn
iptables -t nat -L -vn
iptables -t mangle -L -vn

I tried pinging the wireguard interfaces IP and the routers IP, both don't work for some reason.
Before the reboot it has worked.

heres the iptables rules:

root@OpenWrt:~# iptables -L -vn
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   35  2585 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
 9685  841K input_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom input rule chain */
 9176  800K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
  142  5884 syn_flood  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 /* !fw3 */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194 /* !fw3: Allow-OpenVPN-Inbound */
    1   176 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1234 /* !fw3: Allow-Wireguard-Inbound */
  366 33841 zone_lan_input  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
  142  7176 zone_wan_input  all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wg_input  all  --  wg0    *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
18846 9011K forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom forwarding rule chain */
18300 8942K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
  498 65686 zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
   48  2820 zone_wan_forward  all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wg_forward  all  --  wg0    *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   35  2585 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0            /* !fw3 */
 9571 2198K output_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom output rule chain */
 9326 2179K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */
   54  6174 zone_lan_output  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
  191 13554 zone_wan_output  all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wg_output  all  --  *      wg0     0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain forwarding_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_wg_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_wg_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_wg_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain reject (4 references)
 pkts bytes target     prot opt in     out     source               destination         
  137  5584 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */ reject-with tcp-reset
    5  1592 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */ reject-with icmp-port-unreachable

Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  142  5884 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_dest_ACCEPT (3 references)
 pkts bytes target     prot opt in     out     source               destination         
   54  6174 ACCEPT     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  498 65686 forwarding_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan forwarding rule chain */
  498 65686 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Zone lan to wan forwarding policy */
    0     0 zone_wg_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Zone lan to wg forwarding policy */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  366 33841 input_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan input rule chain */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port redirections */
  366 33841 zone_lan_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   54  6174 output_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan output rule chain */
   54  6174 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_lan_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  366 33841 ACCEPT     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            ctstate NEW,UNTRACKED /* !fw3 */

Chain zone_wan_dest_ACCEPT (3 references)
 pkts bytes target     prot opt in     out     source               destination         
    9   592 DROP       all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            ctstate INVALID /* !fw3: Prevent NAT leakage */
  680 78648 ACCEPT     all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_dest_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   48  2820 forwarding_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan forwarding rule chain */
   48  2820 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_wan_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  142  7176 input_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan input rule chain */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68 /* !fw3: Allow-DHCP-Renew */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* !fw3: Allow-Ping */
    0     0 ACCEPT     2    --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Allow-IGMP */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2200 /* !fw3: ssh-test */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194 /* !fw3: Allow-OpenVPN */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194 /* !fw3: Allow-OpenVPN */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port redirections */
  142  7176 zone_wan_src_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  191 13554 output_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan output rule chain */
  191 13554 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_src_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  142  7176 reject     all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wg_dest_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      wg0     0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wg_dest_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     all  --  *      wg0     0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wg_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 forwarding_wg_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wg forwarding rule chain */
    0     0 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Zone wg to wan forwarding policy */
    0     0 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Zone wg to lan forwarding policy */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port forwards */
    0     0 zone_wg_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wg_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 input_wg_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wg input rule chain */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* !fw3: Accept port redirections */
    0     0 zone_wg_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wg_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 output_wg_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wg output rule chain */
    0     0 zone_wg_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wg_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  wg0    *       0.0.0.0/0            0.0.0.0/0            ctstate NEW,UNTRACKED /* !fw3 */
root@OpenWrt:~# iptables -t nat -L -vn
Chain PREROUTING (policy ACCEPT 536 packets, 39444 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  585 42440 prerouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom prerouting rule chain */
  394 32268 zone_lan_prerouting  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
  191 10172 zone_wan_prerouting  all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wg_prerouting  all  --  wg0    *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain INPUT (policy ACCEPT 237 packets, 21379 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 186 packets, 14970 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 86 packets, 7183 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  514 32395 postrouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom postrouting rule chain */
   71  6443 zone_lan_postrouting  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
  428 25212 zone_wan_postrouting  all  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
    0     0 zone_wg_postrouting  all  --  *      wg0     0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain postrouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain postrouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain postrouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain postrouting_wg_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain prerouting_wg_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain zone_lan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   71  6443 postrouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan postrouting rule chain */
    0     0 SNAT       tcp  --  *      *       192.168.2.0/24       192.168.2.101        tcp dpt:5001 /* !fw3: DSM_218p (reflection) */ to:192.168.2.1
    0     0 SNAT       udp  --  *      *       192.168.2.0/24       192.168.2.101        udp dpt:1194 /* !fw3: OVPN_218p (reflection) */ to:192.168.2.1
    0     0 SNAT       tcp  --  *      *       192.168.2.0/24       192.168.2.101        tcp dpt:8080 /* !fw3: Nextcloud_218p (reflection) */ to:192.168.2.1
    0     0 SNAT       tcp  --  *      *       192.168.2.0/24       192.168.2.101        tcp dpt:443 /* !fw3: HTTPS_218p (reflection) */ to:192.168.2.1
    0     0 SNAT       tcp  --  *      *       192.168.2.0/24       192.168.2.102        tcp dpt:5001 /* !fw3: DSM_218p_VM (reflection) */ to:192.168.2.1
    0     0 SNAT       tcp  --  *      *       192.168.2.0/24       192.168.2.1          tcp dpt:22 /* !fw3: SSH_OpenWRT (reflection) */ to:192.168.2.1
    0     0 SNAT       udp  --  *      *       192.168.2.0/24       192.168.2.1          udp dpt:1234 /* !fw3: WireGuard_OpenWRT (reflection) */ to:192.168.2.1

Chain zone_lan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  394 32268 prerouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan prerouting rule chain */
    0     0 DNAT       tcp  --  *      *       192.168.2.0/24       192.168.1.2          tcp dpt:5001 /* !fw3: DSM_218p (reflection) */ to:192.168.2.101:5001
    0     0 DNAT       udp  --  *      *       192.168.2.0/24       192.168.1.2          udp dpt:1195 /* !fw3: OVPN_218p (reflection) */ to:192.168.2.101:1194
    0     0 DNAT       tcp  --  *      *       192.168.2.0/24       192.168.1.2          tcp dpt:80 /* !fw3: Nextcloud_218p (reflection) */ to:192.168.2.101:8080
    0     0 DNAT       tcp  --  *      *       192.168.2.0/24       192.168.1.2          tcp dpt:443 /* !fw3: HTTPS_218p (reflection) */ to:192.168.2.101:443
    0     0 DNAT       tcp  --  *      *       192.168.2.0/24       192.168.1.2          tcp dpt:5002 /* !fw3: DSM_218p_VM (reflection) */ to:192.168.2.102:5001
    0     0 DNAT       tcp  --  *      *       192.168.2.0/24       192.168.1.2          tcp dpt:1122 /* !fw3: SSH_OpenWRT (reflection) */ to:192.168.2.1:22
    0     0 DNAT       udp  --  *      *       192.168.2.0/24       192.168.1.2          udp dpt:1234 /* !fw3: WireGuard_OpenWRT (reflection) */ to:192.168.2.1:1234

Chain zone_wan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  428 25212 postrouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan postrouting rule chain */
  428 25212 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  191 10172 prerouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan prerouting rule chain */
   38  2280 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5001 /* !fw3: DSM_218p */ to:192.168.2.101:5001
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1195 /* !fw3: OVPN_218p */ to:192.168.2.101:1194
    2    80 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* !fw3: Nextcloud_218p */ to:192.168.2.101:8080
    8   460 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 /* !fw3: HTTPS_218p */ to:192.168.2.101:443
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5002 /* !fw3: DSM_218p_VM */ to:192.168.2.102:5001
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1122 /* !fw3: SSH_OpenWRT */ to:192.168.2.1:22
    1   176 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1234 /* !fw3: WireGuard_OpenWRT */ to:192.168.2.1:1234

Chain zone_wg_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 postrouting_wg_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wg postrouting rule chain */

Chain zone_wg_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 prerouting_wg_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wg prerouting rule chain */
root@OpenWrt:~# iptables -t mangle -L -vn
Chain PREROUTING (policy ACCEPT 29896 packets, 10M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 9963 packets, 862K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 19919 packets, 9576K bytes)
 pkts bytes target     prot opt in     out     source               destination         
  163  9652 TCPMSS     tcp  --  *      eth0.2  0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 /* !fw3: Zone wan MTU fixing */ TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT 9809 packets, 2256K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 29774 packets, 12M bytes)
 pkts bytes target     prot opt in     out     source               destination         
root@OpenWrt:~#

The wg input has zero hits. Means nothing arrived to the wg0 interface.

I told you that the port forward of WG is not needed, because you have a rule to accept the traffic inbound, but it is still there and it has a hit.

    0     0 DNAT       tcp  --  *      *       192.168.2.0/24       192.168.1.2          tcp dpt:1122 /* !fw3: SSH_OpenWRT (reflection) */ to:192.168.2.1:22
    0     0 DNAT       udp  --  *      *       192.168.2.0/24       192.168.1.2          udp dpt:1234 /* !fw3: WireGuard_OpenWRT (reflection) */ to:192.168.2.1:1234:
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1122 /* !fw3: SSH_OpenWRT */ to:192.168.2.1:22
    1   176 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1234 /* !fw3: WireGuard_OpenWRT */ to:192.168.2.1:1234 

If you don't do what we ask here, we cannot help you, because we have faith that you do what is asked and we rule out a potential cause of the problems, while it is still there.

1 Like

sorry, I guess I forgot to remove the port forward.

But it's still not working now that ive removed it and restarted the firewall..

  • Do the far-end peer connections have keep-alives?
  • Are you certain that the network on the far end permits connections initiated on 1234/udp (i.e. commercial or hotel network)?

Yes, I jsut connected with my mobile Phone via LTE and I can see it as being connected in my Wireguard Interface on Luci:

Endpoint: X.X.X.X:2372
Allowed IPs:
• (none)
Persistent Keepalive: 25s
Latest Handshake: Thu, 14 Feb 2019 17:56:43 GMT (18s ago)
Data Received: 2 KiB
Data Transmitted: 2 KiB

I tried connecting via mobile phone and from work.
There should be no blocked ports for udp 1234 from those networks, as it has already worked two weeks ago from those devices.

Is it normal, that it says allowed IPs none here?

:open_mouth:

This is likely why you have no traffic - you have no allowed IPs specified for use on the tunnel.

That isn't normal.

But I have set
::/0
and
0.0.0.0/0
set as allowed IPs for the Peers in the Luci Interface for the Wireguard interface.
I guess I will have to edit the config directly.
Which file or command is that again?

Instead of 0.0.0.0/0

For IPv4, try:

  • 0.0.0.0/1
    and
  • 128.0.0.0/1

You didn't set that route on multiple peers, did you???
Such a route would be invalid (without a metric likely).

See: https://www.wireguard.com/#cryptokey-routing

It's in /etc/config.network - the same file you posted above.

Okay, and I have to set those IPs to the IPs my Peers will get (192.168.10.2/32, 192.168.10.3/32 and 192.168.10.4/32)on the wireguard interface or should I just use 0.0.0.0/1, 0.0.0.0/2, 0.0.0.0/3 ?

Or can I use the whole subnet for all like 192.168.10.1/24 ?

Like is that to allow the internal IPs of each Peer or is it to configure the Public IPs my Peer can conenct from?

Currently 0.0.0.0/0 is set for all peers for some reason.

Yes, I honestly think you should only use:

  • the subnet if you're routing to a network, or
  • an individual IP for a single peer (/32 in IPv4 and /128 in IPv6)

Only use 0.0.0.0/0 for a peer that's actually a VPN provider for your Internet connection.

That (/2 and /3) is invalid for your purposes. If you are not familiar with subnets, see this guide:

1 Like