VPN handshake but no connection?

Hey guys.

I'm trying to set up a dumb AP with VPN capabilities on my RPI4. I use an external router (or, during travel, it will be an ethernet cable from the wall in a hotel). The LAN interface is set up with a gateway to my router's IP - internet works fine over SSH. LAN is on 192.168.1.1

I made a second static address bridge interface for VPN users on 192.168.99.1 with force link enabled and a firewall zone called "vpnusers" for this iface. DHCP is enabled with options - 6,10.64.0.1 as this is the internal wireguard DNS server provided by mullvad.

Another interface, WGINTERFACE, private key set, IP address set to the wireguard interface, force link and a single peer. Allowed IPs set to 0.0.0.0/0. Firewall zone called "vpntunnel".

Wireless attached to the static interface.

wg show shows a handshake. No logread errors - but no connection when I'm connected.

root@rpi-dca632f961 /26# wg show
interface: WGINTERFACE
  public key: yxMlV2AC2W+ObT1Xf+GK/s9tP3qee8uaR/r+09H1tlI=
  private key: (hidden)
  listening port: 47603

peer: uaBPua4Tnbluy51WbNOahHx77RGJFGRr/MAqWFILJhI=
  endpoint: 81.92.206.2:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 1 minute, 56 seconds ago
  transfer: 1.84 KiB received, 2.13 KiB sent
root@rpi-dca632f961 /26# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd75:fddf:4d3d::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.254'
        list dns '192.168.1.254'

config interface 'vpniface'
        option proto 'static'
        option type 'bridge'
        option ipaddr '192.168.99.1'
        option ifname 'eth0'

config interface 'WGINTERFACE'
        option proto 'wireguard'
        option private_key 'hidden'
        list addresses '10.71.240.227/32'
        option force_link '1'

config wireguard_WGINTERFACE
        option description 'mullvad gb29'
        option public_key 'uaBPua4Tnbluy51WbNOahHx77RGJFGRr/MAqWFILJhI='
        list allowed_ips '0.0.0.0/0'
        option route_allowed_ips '1'
        option endpoint_host 'gb29-wireguard.mullvad.net'
        option endpoint_port '51820'

config zone
        option name 'vpnusers'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'vpniface'

config zone
        option name 'vpntunnel'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option network 'WGINTERFACE'
        option mtu_fix '1'

config forwarding
        option src 'vpnusers'
        option dest 'vpntunnel'

config forwarding
        option src 'lan'
        option dest 'wan'

I finally fixed it! The netmask was set on the static address interface to /32. I changed it to /24 and it worked.

Why was this the case?

Because the subnet mask is used in routing (i.e. "where do I send this?") calculations.

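As an added illustration (not code from the thread or from OpenWrt), a longest-prefix-match walk over a routing table modelled on this config shows why a /32 on the VPN-user bridge sends replies for clients the wrong way. The interface names and the single default route via the WireGuard interface are assumptions; the real box also has the lan gateway competing for the default, but that is not what broke here.

```python
import ipaddress

# Constructed routing table modelled on the thread's config: the lan bridge,
# the VPN-user bridge with the prefix length under test, and the 0.0.0.0/0
# route that route_allowed_ips installs for the WireGuard peer.
# (Assumed device names; not a dump from the poster's router.)
def routing_table(vpn_prefix_len):
    vpn_net = ipaddress.ip_network(f"192.168.99.1/{vpn_prefix_len}", strict=False)
    return [
        (ipaddress.ip_network("192.168.1.0/24"), "br-lan"),
        (vpn_net, "br-vpniface"),
        (ipaddress.ip_network("0.0.0.0/0"), "WGINTERFACE"),
    ]

def lookup(table, dst):
    """Longest-prefix match, as the kernel FIB does: the most specific
    route containing dst wins; the /0 tunnel route is the fallback."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, dev in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1]

def reply_interface(client_ip, vpn_prefix_len):
    """Where the router would send a reply (or a DHCP offer) back to a
    wireless client that got an address from the 192.168.99.x pool."""
    return lookup(routing_table(vpn_prefix_len), client_ip)

if __name__ == "__main__":
    for plen in (32, 24):
        # 192.168.99.50 is a constructed client address from the DHCP pool.
        print(f"/{plen}: reply to 192.168.99.50 goes out", reply_interface("192.168.99.50", plen))
```

With /32 only 192.168.99.1 itself is "on link", so every client reply falls through to the tunnel route and never reaches the wireless bridge, even though the WireGuard handshake is fine; with /24 the bridge wins the match.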