Suddenly WG Server isn't connecting anymore

I am just trying my WG Server connection, which has been up and running so far, from my Android phone.
The interface is up and running on my Cudy WR3000s. I am using the peer config without a change, but I am getting the message “Handshake did not complete” in the WireGuard log.

Two changes I have applied:

  1. Changed my ISP from PPPoE to DHCP client, which means I am now using a 5G mobile network
  2. Updated to 24.10.5

Is this maybe something impacting my setup or the WG Server functionality?

The whole setup was provided by egc; the related topic is this one.

Do you mean that the router (wg_server) is now using 5G mobile internet?

If so, chances are you do not have a public IPv4 address.

See the first section of:
WireGuard Server Setup Guide

Another possibility... If you're in Russia, Boris, then there is a chance that you were blocked on purpose by Roskomnadzor.

Yes, LTE is almost always CGNAT on IPv4, since there are many more customers than IP addresses. CGNAT does not allow an incoming connection to be made.

It might work to use IPv6 if the remote phone is also connected to a network that provides IPv6.

I assume that unfortunately you are right. The IPv4 address starts with 100., a CGNAT address, right?

The IPv4 data within OpenWrt is:
Protocol: DHCP client
Address: 100.121.152.5/29
Gateway: 100.121.152.6

and the same address I can find in the Zyxel 5G router, which is set to IP Passthrough.
I do have DDNS up and running, but how could I use that in this case?
Presumably I need to access the DDNS server address in WireGuard on my phone, or how?
And for the DDNS setup in OpenWrt, a new entry pointing to wgserver in "advanced"?

I didn’t use DDNS for wgserver so far, just for WAN, and for this purpose it is still working.

You cannot use it, as a CGNAT address is not publicly available.

If you are lucky, your provider distributes an IPv6 address which you can use.

In your guide you are stating to use DDNS or Netbird. Is it not possible with DDNS?

And yes, I see that I do have an IPv6 provided, visible both for the Zyxel router as well as in OpenWrt. Slightly different for both: the first 4 or 5 sections are similar, then different, when I compare the IPv6 addresses in both routers, but I don’t know how the IPv6 logic is working.

Can I use these if this isn’t CGNAT? These addresses start like: 2a01:599:c42:ed83:
This is Deutsche Telekom as provider.

You can try the IPv6 address: put it in your phone as endpoint. An IPv6 address needs brackets around it.

Make sure the firewall rule to allow the WG server port is not restricted to IPv4.

If you followed the server setup guide, which also sets up IPv6, you should be good.

Of course a simple test from your phone is to ping the IPv6 address.
Make sure the phone is on cellular.
On my Android phone I have an app called Fing.

DDNS works with dynamic IP addresses, not with CGNAT.

Those are public IP addresses, you can use them.

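The two checks the replies above describe, whether the WAN address is CGNAT (100.64.0.0/10) or a reachable public address, and how the IPv6 endpoint has to be written with brackets, as an added example that is not from the thread or from the setup guide; the `::1` host part of the IPv6 address and port 51820 are constructed.

```python
"""Decide which WAN address a remote WireGuard peer can actually reach and
build the Endpoint= value for the phone.  Added example, not from the thread;
the ::1 host part of the IPv6 address and the port 51820 are constructed."""
import ipaddress
from typing import Optional

# RFC 6598 shared address space: what carriers hand out behind CGNAT
CGNAT_V4 = ipaddress.ip_network("100.64.0.0/10")


def bare(addr: str):
    """Accept '100.121.152.5/29' or '100.121.152.5' and return just the address."""
    return ipaddress.ip_interface(addr).ip


def is_cgnat(addr: str) -> bool:
    """True if the IPv4 address is inside 100.64.0.0/10 (no inbound connections)."""
    ip = bare(addr)
    return ip.version == 4 and ip in CGNAT_V4


def is_reachable(addr: str) -> bool:
    """True if a host on the internet could open a connection to this address."""
    ip = bare(addr)
    return not is_cgnat(addr) and ip.is_global


def endpoint(addr: str, port: int) -> str:
    """Format a WireGuard Endpoint=; an IPv6 literal must be bracketed."""
    ip = bare(addr)
    return f"[{ip}]:{port}" if ip.version == 6 else f"{ip}:{port}"


def choose_endpoint(wan4: str, wan6: Optional[str], port: int) -> Optional[str]:
    """Prefer a public IPv4 WAN; otherwise fall back to a global IPv6 (wan6)
    address; None means neither is reachable and the server cannot be contacted."""
    if is_reachable(wan4):
        return endpoint(wan4, port)
    if wan6 and is_reachable(wan6):
        return endpoint(wan6, port)
    return None


if __name__ == "__main__":
    # Values quoted in the thread: CGNAT WAN plus a Telekom IPv6 prefix
    print(choose_endpoint("100.121.152.5/29", "2a01:599:c42:ed83::1", 51820))
```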
When I check the wgserver settings I see completely different IPv4 and IPv6 addresses there; I assume this is still from the old setup. Do I need to change that completely?
I see there an IPv4 172… and also an IPv6 that is completely different; don’t ask me where I got these from..

When I try to ping the IPv6 address, which one should I use? I see two IPv6 addresses on the OpenWrt status page, one shorter and one longer.
And how do I use these in the wgserver setup? How do I push the setup to use IPv6, because I see that today the peer is using the IPv4 172.? When I enter the IPv6 there, which format should I use, also with the /32 at the end, or how is this working with IPv6?

Yes that is a normal setup for a wg server.

You do not normally need to change anything on the wg server.

The only difference is the endpoint on your phone where you use the ipv6 address of wan6.

Of course your phone on cellular must be able to use IPv6.
So check on your phone if it has an IPv6 address on cellular.

How do I use the IPv6 address as endpoint on my Android phone? In the imported tunnel I can see the IPv4 which is currently used as allowed IP in the wgserver and also there in the peer settings.
Does that mean I would need to change wgserver to the WAN6 IPv6 and also change the tunnel in the WireGuard app? I also see there the router IPv4 DNS; does that need to be changed as well?

WAN6 shows me two IPv6 addresses; which one? The first is the shorter one.

I am surprised to see my DDNS server address as endpoint in the peer in the tunnel on the phone.
No idea why that is used there; is this maybe set up in the wgserver setup on OpenWrt? Need to check where this is coming from. Just checked, can’t see any relation within the wgserver setup. Strange.

Using DDNS you need to configure the phone peer to connect to the name that the home server registers with DDNS. The DNS entry should be only a v6 address (AAAA record) as v4 is not usable here.

Everything inside the tunnel remains the same configuration. v4 and / or v6 can be sent inside a Wireguard tunnel that is connected by v6.

What v6 DNS address should be used here, the v6 from the DDNS server or the wan6?
What does AAAA mean, the first 4 keys from the IPv6 address?
And this would mean I need to set the allowed IPs within the wgserver setup to that related v6 address, right?

The server registers its WAN address into DDNS. A DNS lookup of the name needs to return the WAN IP, all 128 bits.

The only other change on the server is to make sure the firewall is open for the Wireguard listen_port on v6. If you did not specify family v4 it will be.

Allowed_ips are inside the tunnel and do not change though the transport method outside the tunnel changes.
