Struggling to get wireguard server to work

Hi All,

I'm struggling to get wireguard server up and running on my router. I think I've followed the guides correctly, and I'm not sure what I'm doing wrong.

I have a public IP and I have set a public dns entry in cloudflare to vpn.my.domain.com. Using nc I can check the connection

# UDP probe: with -u, nc -z reports "succeeded" whenever no ICMP port-unreachable
# comes back within the timeout, so this only shows the port is not actively
# refused - it does not show that WireGuard answered
nc -u -v -z -w2 public.ip.address 51820
Connection to public.ip.address 51820 port [udp/*] succeeded!

From my client Android device I get a continuous stream of messages that the handshake did not complete and it is retrying. I've double and triple checked the interface and peer keys on the client, and deleted/recreated several times with the QR code. I have also restarted the wireguard server interface after changes as was described in another post, although I think this is old advice from 19.07 and before. I'm sure there's just something I'm missing but I can't figure out what it is.

I'll include the relevant output that was requested in this similar previous question.

# collect board info, the network/dhcp/firewall exports, and the IPv4 address,
# route (all tables) and policy-rule state in one go
ubus call system board; \
uci export network; uci export dhcp; uci export firewall; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
Output
{
        "kernel": "5.15.162",
        "hostname": "Flint-2",
        "system": "ARMv8 Processor rev 4",
        "model": "GL.iNet GL-MT6000",
        "board_name": "glinet,gl-mt6000",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.4",
                "revision": "r24012-d8dd03c46f",
                "target": "mediatek/filogic",
                "description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
        }
}

package network
# 'uci export network' from the router. Secrets (PPPoE credentials, WireGuard
# keys) appear as placeholders here; a real export prints them in clear text,
# so scrub them before sharing.

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdfa:b90b:f824::/48'

# br-lan is a bridge whose only port is br-vlan.10, i.e. a bridge stacked on
# another bridge; the replies below drop it and attach 'lan' to br-vlan.10.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'br-vlan.10'

# all five switch ports carry the same MAC address
config device
        option name 'lan1'
        option macaddr '94:83:c4:a2:8f:d9'

config device
        option name 'lan2'
        option macaddr '94:83:c4:a2:8f:d9'

config device
        option name 'lan3'
        option macaddr '94:83:c4:a2:8f:d9'

config device
        option name 'lan4'
        option macaddr '94:83:c4:a2:8f:d9'

config device
        option name 'lan5'
        option macaddr '94:83:c4:a2:8f:d9'

# main LAN, 192.168.10.0/24, on the stacked br-lan bridge
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth1'
        option macaddr '94:83:c4:a2:8f:d7'

# PPPoE uplink on VLAN 101 of eth1; the ISP credentials are redacted
config interface 'wan'
        option device 'eth1.101'
        option proto 'pppoe'
        option username 'USERNAME'
        option password 'PASSWORD'
        option ipv6 'auto'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

# 'home' and 'lab_infra' sit on br-home / br-lab-infra, which are again
# single-port bridges over a br-vlan.<id> sub-interface (see the replies below)
config interface 'home'
        option proto 'static'
        option device 'br-home'
        option ipaddr '192.168.100.1'
        option netmask '255.255.255.0'

config interface 'lab_infra'
        option proto 'static'
        option device 'br-lab-infra'
        option ipaddr '172.16.0.1'
        option netmask '255.255.255.0'

# br-vlan: the DSA bridge over the five switch ports; per-port VLAN
# membership is defined in the bridge-vlan sections that follow
# (':t' tagged, ':u' untagged, '*' marks the port's PVID)
config device
        option type 'bridge'
        option name 'br-vlan'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'

# VLAN 10 (lan): lan5 is listed without a mode flag; the replies below make
# it explicit as 'lan5:u*'
config bridge-vlan
        option device 'br-vlan'
        option vlan '10'
        list ports 'lan1:t*'
        list ports 'lan2:t*'
        list ports 'lan3:t*'
        list ports 'lan5'

# VLAN 100 (home): tagged on the trunk ports lan1-lan3 only
config bridge-vlan
        option device 'br-vlan'
        option vlan '100'
        list ports 'lan1:t'
        list ports 'lan2:t'
        list ports 'lan3:t'

# VLAN 161 (lab_infra): tagged on lan1-lan3, untagged access port with PVID
# on lan4
config bridge-vlan
        option device 'br-vlan'
        option vlan '161'
        list ports 'lan1:t'
        list ports 'lan2:t'
        list ports 'lan3:t'
        list ports 'lan4:u*'

# single-port bridges over VLAN sub-interfaces; the replies below remove them
config device
        option name 'br-home'
        option type 'bridge'
        option macaddr '94:83:C4:A2:8F:DA'
        list ports 'br-vlan.100'

config device
        option type 'bridge'
        option name 'br-lab-infra'
        option macaddr '94:83:C4:A2:8F:DB'
        list ports 'br-vlan.161'

# WireGuard server side: UDP listen port 51820 (must match the firewall
# 'Allow-WireGuard' rule) and the router's own tunnel address 192.168.11.1/24
config interface 'wireguard'
        option proto 'wireguard'
        option private_key 'PRIVATE_KEY'
        option listen_port '51820'
        list addresses '192.168.11.1/24'

# peer 'phone_test' (the Android client)
config wireguard_wireguard
        option description 'phone_test'
        option public_key 'PUB_KEY'
        # NOTE(review): a private key in a peer section plays no part in the
        # tunnel itself; presumably it is kept so the client config/QR code can
        # be regenerated. Deleting it once the phone is provisioned keeps the
        # client's key off the router.
        option private_key 'PRIVATE_KEY'
        option preshared_key 'SHARED_KEY'
        # only this address is accepted from, and routed to, the peer
        list allowed_ips '192.168.11.30/32'
        option route_allowed_ips '1'
        # the replies below recommend removing this for a roaming client; with
        # no endpoint_host set, its effect here is unclear
        option endpoint_port '51820'

package dhcp
# 'uci export dhcp' from the router.

# dnsmasq: rebind_protection rejects upstream answers that point at private
# ranges (DNS rebinding defence); rebind_localhost is OpenWrt's default
# exemption for 127.0.0.0/8 answers. The local domain is redacted as DOMAIN.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/DOMAIN/'
        option domain 'DOMAIN'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

# lan: DHCPv4 plus DHCPv6/RA. ra_management looks like the pre-21.02 form of
# the ra_flags settings above it - presumably redundant, TODO confirm
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '30m'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ra_management '1'

# never serve DHCP towards the uplink
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# home / lab_infra pools: IPv4 only, no IPv6 options set
config dhcp 'home'
        option interface 'home'
        option start '100'
        option limit '150'
        option leasetime '1h'

config dhcp 'lab_infra'
        option interface 'lab_infra'
        option start '20'
        option limit '150'
        option leasetime '12h'

package firewall
# 'uci export firewall' from the router.

# default policy: unsolicited inbound and forwarded traffic is rejected
# unless a zone or rule below allows it
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# the 'wireguard' network is a member of the lan zone: a connected VPN peer
# gets the same access as a wired lan host - router services (input ACCEPT)
# and every forwarding granted to lan below (wan, lab, home)
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wireguard'

# wan zone: source-NAT outbound traffic and clamp MSS on the PPPoE link
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

# OpenWrt's default wan ingress rules (DHCP renew, ping, IGMP, DHCPv6, MLD,
# ICMPv6) follow
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# default IPsec pass-through rules: they admit ESP and UDP 500 from wan into
# the lan zone; the network export shows no IPsec interface, so they are
# currently unused
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# home zone: lists bridge devices as well as the network; the replies below
# drop the two 'list device' lines
config zone
        option name 'home'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list device 'br-home'
        list device 'br-home.100'
        list network 'home'

config forwarding
        option src 'home'
        option dest 'wan'

config zone
        option name 'lab'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lab_infra'

# lan, home and lab forward freely among each other and to wan; no
# segmentation is enforced between the three internal zones
config forwarding
        option src 'lab'
        option dest 'lan'

config forwarding
        option src 'lab'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'lab'

config forwarding
        option src 'home'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'home'

config forwarding
        option src 'home'
        option dest 'lab'

config forwarding
        option src 'lab'
        option dest 'home'

# inbound WireGuard. src_port additionally requires the client's *source*
# port to be 51820; a client whose source port differs (typical behind NAT
# or with a random client port) then falls through to the wan zone's input
# REJECT before any handshake. The replies below remove src_port.
config rule
        option name 'Allow-WireGuard'
        list proto 'udp'
        option src 'wan'
        option src_port '51820'
        option dest_port '51820'
        option target 'ACCEPT'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
11: br-home: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.100.1/24 brd 192.168.100.255 scope global br-home
       valid_lft forever preferred_lft forever
14: br-lab-infra: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 172.16.0.1/24 brd 172.16.0.255 scope global br-lab-infra
       valid_lft forever preferred_lft forever
16: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.10.1/24 brd 192.168.10.255 scope global br-lan
       valid_lft forever preferred_lft forever
21: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN qlen 3
    inet PUBLIC.IP peer PUBLIC.IP/32 scope global pppoe-wan
       valid_lft forever preferred_lft forever
339: wireguard: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
    inet 192.168.11.1/24 brd 192.168.11.255 scope global wireguard
       valid_lft forever preferred_lft forever
default via PUBLIC.IP dev pppoe-wan
PUBLIC.IP dev pppoe-wan scope link  src PUBLIC.IP
172.16.0.0/24 dev br-lab-infra scope link  src 172.16.0.1
192.168.10.0/24 dev br-lan scope link  src 192.168.10.1
192.168.11.0/24 dev wireguard scope link  src 192.168.11.1
192.168.11.30 dev wireguard scope link
192.168.100.0/24 dev br-home scope link  src 192.168.100.1
local PUBLIC.IP dev pppoe-wan table local scope host  src PUBLIC.IP
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
local 172.16.0.1 dev br-lab-infra table local scope host  src 172.16.0.1
broadcast 172.16.0.255 dev br-lab-infra table local scope link  src 172.16.0.1
local 192.168.10.1 dev br-lan table local scope host  src 192.168.10.1
broadcast 192.168.10.255 dev br-lan table local scope link  src 192.168.10.1
local 192.168.11.1 dev wireguard table local scope host  src 192.168.11.1
broadcast 192.168.11.255 dev wireguard table local scope link  src 192.168.11.1
local 192.168.100.1 dev br-home table local scope host  src 192.168.100.1
broadcast 192.168.100.255 dev br-home table local scope link  src 192.168.100.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

Remove list addresses '192.168.11.1/24'.

Remove option endpoint_port '51820'.


I disagree with this...
leave the address in place.

There are problems with the bridges... it might be easiest to redo this entirely, but if you want to keep the existing DSA structures, things need to be adjusted as follows.

Delete this:

Edit the lan to use br-vlan.10:

# 'lan' attached directly to the VLAN 10 sub-interface of br-vlan instead of
# the intermediate br-lan bridge
config interface 'lan'
        option device 'br-vlan.10'
        option proto 'static'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

Then delete these:

And edit the home and lab_infra networks to use br-vlan.100 and br-vlan.161, respectively:

# 'home' and 'lab_infra' attached directly to their br-vlan sub-interfaces;
# the intermediate br-home / br-lab-infra bridges are no longer needed
config interface 'home'
        option proto 'static'
        option device 'br-vlan.100'
        option ipaddr '192.168.100.1'
        option netmask '255.255.255.0'

config interface 'lab_infra'
        option proto 'static'
        option device 'br-vlan.161'
        option ipaddr '172.16.0.1'
        option netmask '255.255.255.0'

Explicitly set port lan5 to be untagged and PVID in vlan 10 by adding :u*

# lan5:u* = untagged member of VLAN 10 and that port's PVID, so untagged
# frames entering lan5 are placed in VLAN 10
config bridge-vlan
        option device 'br-vlan'
        option vlan '10'
        list ports 'lan1:t*'
        list ports 'lan2:t*'
        list ports 'lan3:t*'
        list ports 'lan5:u*'

Remove the two device lines below:

Edit your firewall rule for allowing wireguard so that it looks like this (remove the src_port):

# match on destination port only; the client's source port is not fixed, so
# there is no src_port
config rule
        option name 'Allow-WireGuard'
        list proto 'udp'
        option src 'wan'
        option dest_port '51820'
        option target 'ACCEPT'

After all these changes have been made (in addition to the endpoint port removal that @_bernd suggested), restart your router and test again. If that doesn't work, post the updated network and firewall files and we'll double check those and do some other troubleshooting.


You are totally right. Of course the router needs an address on its wg interface too. It was just too late.


Thank you both so much for your help! It worked. Specifically, I did this:

  • Remove option endpoint_port '51820' from config wireguard_wireguard and update the client to match
  • Remove device br-lan
  • Set interface lan to use br-vlan.10
  • Remove device br-home and br-lab-infra
  • Set interfaces home and lab_infra to use the respective br-vlan.xxx
  • Remove the device lines from the home firewall zone
  • Remove the src_port '51820' from the firewall rule Allow-WireGuard

I'm trying to work back on the guides I followed when setting up my vlans so I can give feedback, but it was a little while ago I was doing that setup. I think it might have come from this bit of the docs. Does that look correct or should I submit an edit to that page?
