Trouble handshaking IPv4 tunnel with Wireguard to bypass CGNAT

Hello everyone,

I've been using WireGuard on my Edge Router X (replacing my modem) for several months now and I'm very happy with it. Thanks again to all the contributors for this great project!

Recently my French ISP moved me behind CGNAT.

So I took a VPS from a hosting company with a dedicated public IPv4 and more than enough bandwidth (1Gbps up and down).

I've configured a WireGuard server on my VPS and I'm able to connect all my devices (phone, MacBook pro, etc.).

My long-term goal is to use this VPS as a NAT gateway and forward the traffic arriving on it to my K8S cluster at home.

I've started configuring the WireGuard client on OpenWRT (identical to the configurations for my other devices), but no handshake is happening (I have checked the private/public keys).

After several hours of debugging and consulting this forum I still haven't managed to solve the problem.

Would some kind soul be willing to help me?

Thank you very much,
Louis

(sorry for the amount of config noise due to my VLANs)

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd42:703f:24b1::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'eth2'
	list ports 'eth3'
	list ports 'eth4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	list ipaddr '192.168.10.1/24'
	option ip6assign '64'
	list ip6class 'local'
	list ip6class 'wan6'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	list dns '2606:4700:4700::1111'
	list dns '2606:4700:4700::1001'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'
	option peerdns '0'
	option vendorid '(hidden)'

config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option clientid '(hidden)'
	option vendorclass '(hidden)'
	option defaultreqopts '0'
	option reqopts '23 25 26'
	option noclientfqdn '1'
	option noacceptreconfig '1'
	option peerdns '0'

config device
	option name 'eth0'
	option macaddr '(hidden)'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '42'
	option name 'mtb'

config interface 'mtb'
	option proto 'static'
	option device 'mtb'
	option ipaddr '10.42.1.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	list ip6class 'wan6'
	list ip6class 'local'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	list dns '2606:4700:4700::1111'
	list dns '2606:4700:4700::1001'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '20'
	option name 'main'

config interface 'main'
	option proto 'static'
	option device 'main'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'
	list ip6class 'local'
	list ip6class 'wan6'
	option ip6assign '64'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	list dns '2606:4700:4700::1111'
	list dns '2606:4700:4700::1001'

config interface 'gateway'
	option proto 'wireguard'
	option private_key '(hidden)'
	list addresses '10.50.1.42/32'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config wireguard_gateway
	option description 'Gateway'
	option public_key '(hidden)'
	option endpoint_host '(hidden)'
	list allowed_ips '10.50.1.42/32'
	option route_allowed_ips '1'

/etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'mtb'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'mtb'

config forwarding
	option src 'lan'
	option dest 'mtb'

config forwarding
	option src 'mtb'
	option dest 'wan'

config zone
	option name 'main'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'main'

config forwarding
	option src 'main'
	option dest 'lan'

config forwarding
	option src 'main'
	option dest 'mtb'

config forwarding
	option src 'main'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'main'

config zone
	option name 'gateway'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'gateway'

config forwarding
	option src 'gateway'
	option dest 'mtb'

config forwarding
	option src 'mtb'
	option dest 'gateway'

config forwarding
	option src 'gateway'
	option dest 'wan'

config forwarding
	option src 'gateway'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'gateway'

config rule
	option name 'Gateway'
	list proto 'udp'
	option src 'gateway'
	option dest 'wan'
	option dest_port '51820'
	option target 'ACCEPT'

wg show (OpenWRT, client-side)

interface: gateway
  public key: (hidden)
  private key: (hidden)
  listening port: 35296

peer: (hidden)
  endpoint: 212.227.27.128:51820
  allowed ips: 10.50.1.42/32

wg show (VPS, server-side)

interface: gateway
  public key: (hidden)
  private key: (hidden)
  listening port: 51820

peer: (hidden)
  allowed ips: 10.50.1.42/32, 10.42.0.0/16

The configuration needs to be optimized, but let's focus on wireguard.

In allowed_ips you must specify the remote hosts/networks that should be routed through the WireGuard interface (and that the peer is allowed to send from); on the router you have currently listed its own tunnel address, 10.50.1.42/32, rather than anything on the VPS side.

https://techoverflow.net/2021/07/09/what-does-wireguard-allowedips-actually-do/

However, this is unlikely to cause the handshake to fail.

Run tcpdump on the VPS to check if there is two-way communication.

# Capture WireGuard traffic (UDP/51820) on every interface of the VPS, without name resolution.
tcpdump -n -i any udp port 51820

Hi pavelgl,

Thanks for the explanation of allowed_ips, so I've removed the line on the client side because I don't want to route traffic from the router to the VPS.

No packets captured on the VPS side when I launch the Wireguard interface on OpenWRT, yet it works perfectly when I connect with another device as a client.

I can therefore deduce that no packets are leaving the router towards the VPS.

Do you have any idea what could be blocking this?

PS: You mentioned potential config optimisations; if you have a moment, I'm curious to hear them.

One thing that should be optimized: third-party DNS servers only need to be configured in the wan section, not on every LAN interface.

Also, the VPN tunnel address should be a /24 so that it inherently installs a route to the VPN server and to all other VPN clients.

I thought the objective was to route all (v4) Internet traffic through the VPS so that it is not behind double NAT; in that case the allowed IPs should be 0.0.0.0/0.

If you have good IPv6 you might consider running the ISP connection as V6 only and setting up a NAT64 in the VPS to handle legacy v4 traffic.

Run tcpdump on the router to verify this.

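# Install tcpdump on the router, then capture WireGuard traffic (UDP/51820) on the
# device that carries the 'wan' logical interface.  Meant to be pasted into an
# OpenWrt shell; the steps are chained with && so that a failed install or an
# unresolved device name stops the sequence instead of running tcpdump on the
# wrong interface.
opkg update && opkg install tcpdump &&
# ifstatus prints JSON; the line of the form '"device": "eth0",' yields the L3 device name.
wan_dev=$(ifstatus wan | grep '"device"' | awk '{ print $2 }' | sed 's/[",]//g') &&
# Stop with a message when no device was found (e.g. wan is down) -- an empty
# name would otherwise make tcpdump treat 'udp' as the interface argument.
: "${wan_dev:?wan interface has no device}" &&
tcpdump -ni "$wan_dev" udp port 51820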

You can remove the DNS servers from all interfaces on which they are not directly reachable, and set them on the wan interface instead.

As far as I can see, traffic between the lan, main and mtb networks is allowed without any restriction, so you don't need so many firewall zones and forwardings: just assign all three interfaces to the lan firewall zone. Separate zones only pay off once you actually want to restrict traffic between those networks.

This rule is not needed and can be removed.

No results with netcat, so nothing happens :confused:

Thanks for the advice, I will clean up my configuration.

The aim is rather to be able to access my private network when I'm away from home and connected to the VPN.

Later, I'll set up port redirection rules on my VPS to expose HTTP from my local network, for example.

Thanks for the advice on configuration, I'll clean it up.

What's the address (whatever you have in list addresses) of the wireguard interface on the VPS?

Check with tcpdump running on VPS whether you can see any packet generated on the router using netcat:
# Send a single UDP datagram from the router to the VPS's WireGuard port, so that
# tcpdump on the VPS can confirm the router's outbound path is working.
printf '12345\n' | nc -u 212.227.27.128 51820
If that fails, try another UDP port to rule out port 51820 being filtered somewhere along the path.

This is called hub and spoke topology. The VPS is the hub and your house and each of your laptops, phones, etc. that you may use remotely is at the end of a spoke.

At each spoke, allowed IPs are all the tunnel IPs (10.50.1.0/24), and any remote LANs that you may access.
At the hub, the allowed IPs for each spoke peer are its tunnel IP as a /32, plus any LANs that exist behind that spoke.
In both places the tunnel itself (in the main configuration block) should be defined as a /24, with a unique last 8 bits for each peer.
Also, of course, if you have multiple LANs they must not overlap. To avoid routing problems when connecting a spoke through public Wi-Fi that may use common LAN subnets like 192.168.1.0/24, your home LAN should not use any common IP subnet.

Thanks, I hadn't thought of testing by hand.
When I write via netcat, I receive the packets on my VPS.
So the outgoing connection to the VPS is OK.

Thanks for this information, I didn't know it had a name.
I'll read up on it and make sure I have a state-of-the-art setup.

I'm not sure I understood your message correctly; I don't know where to apply/retrieve this 'list addresses' value.

If that is what you mean, here is the gateway interface on the VPS as shown by `ip a`.

gateway: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.50.1.1/32 scope global gateway
       valid_lft forever preferred_lft forever

From the wireguard config

On the router, change the peer's allowed IPs to 10.50.1.1/32 (the VPS's tunnel address) instead of the router's own 10.50.1.42/32, and double-check that the peer's endpoint port matches the port the VPS is listening on (51820 in your wg show output).

At least for your initial steps, it would probably be beneficial to simplify your unrelated configuration complexity to the minimum - ideally by experimenting with another OpenWrt router (can be old/ too slow for your intended purpose, as long as it's sufficient to run contemporary OpenWrt; resetting your current router to a flat hierarchy would also be an alternative, but much more invasive).


After several days (weeks...) I reset my router and cleaned up my configuration.

When I reinstalled Wireguard and put the configuration back in place, there was still no connection. I must admit that I really don't understand why.

If anyone could help me, that would be great!

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fc42:0000:0000::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'eth2'
	list ports 'eth3'
	list ports 'eth4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	list ipaddr '192.168.10.1/24'
	option ip6assign '64'
	list ip6class 'local'
	list ip6class 'wan6'
	option ip6hint '10'
	option ip6ifaceid '::1'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'
	option peerdns '0'
	option vendorid '<redacted>'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option clientid '<redacted>'
	option vendorclass '<redacted>'
	option defaultreqopts '0'
	option reqopts '23 25 26'
	option noclientfqdn '1'
	option noacceptreconfig '1'
	option peerdns '0'
	list dns '2606:4700:4700::1111'
	list dns '2606:4700:4700::1001'

config device
	option name 'eth0'
	option macaddr '<redacted>'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '42'
	option name 'mtb'

config interface 'mtb'
	option proto 'static'
	option device 'mtb'
	option ip6assign '64'
	list ip6class 'wan6'
	list ip6class 'local'
	option ip6hint '1042'
	option ip6ifaceid '::1'
	list ipaddr '10.42.1.1/16'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '20'
	option name 'main'

config wireguard_gateway
	option description 'Gateway'
	option public_key '<redacted>'
	option endpoint_host '<redacted>'
	list allowed_ips '10.50.1.1/32'
	option route_allowed_ips '1'

config interface 'mtb_gateway'
	option proto 'wireguard'
	option private_key '<redacted>'
	list addresses '10.50.1.42/32'

config wireguard_mtb_gateway
	option description 'gateway'
	option public_key '<redacted>'
	list allowed_ips '10.50.1.1/32'
	option endpoint_host '<redacted>'
	option endpoint_port '51821'

/etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'mtb'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'mtb'

config forwarding
	option src 'lan'
	option dest 'mtb'

config forwarding
	option src 'mtb'
	option dest 'wan'

config zone
	option name 'mtb_gateway'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'mtb_gateway'

config forwarding
	option src 'mtb_gateway'
	option dest 'wan'