WireGuard server: no handshake

Hi there,
I am trying to configure a WireGuard server.

After trying hard, I still do not get any handshake between the two ends.
I have checked all my keys 3-4 times and still don't understand.

This is my /etc/config/ network configuration:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd2d:bb6b:de13::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'wan'
        option macaddr '16:91:82:2d:67:43'

config interface 'wan'
        option device 'wan'
        option proto 'static'
        option ipaddr '147.253.135.222'
        option netmask '255.255.255.252'
        option gateway '147.253.135.221'
        option type 'bridge'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'

config interface 'Guest'
        option proto 'static'
        list dns '4.2.2.2'
        list dns '8.8.8.8'
        option device 'wlan1'
        list ipaddr '192.168.2.1/24'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'SERVER-Private Key'
        option listen_port '51820'
        list addresses '192.168.1.30/24'

config wireguard_wg0 'wgclient'
        option description 'julien'\''s iphone'
        list allowed_ips '192.168.1.31/32'
        option public_key 'IphonePrivateKEY'
        option route_allowed_ips '1'

And my firewall configuration (/etc/firewall as pasted):


config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg0'
        option masq '1'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding 'lan_wan'
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Guest DNS'
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Guest DHCP'
        list proto 'udp'
        option src 'guest'
        option target 'ACCEPT'
        option dest_port '67-68'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config zone
        option name 'guest'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'
        list network 'Guest'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

config forwarding
        option src 'guest'
        option dest 'wan'

The logs on the server show no activity, and the log on the iPhone is:

2021-11-22 10:19:24.775157: [APP] App version: 1.0.15 (26)
2021-11-22 14:53:49.968930: [APP] startActivation: Entering (tunnel: office)
2021-11-22 14:53:49.977124: [APP] startActivation: Starting tunnel
2021-11-22 14:53:49.978334: [APP] startActivation: Success
2021-11-22 14:53:50.007026: [APP] Tunnel 'office' connection status changed to 'connecting'
2021-11-22 14:53:50.764729: [NET] App version: 1.0.15 (26)
2021-11-22 14:53:50.765116: [NET] Starting tunnel from the app
2021-11-22 14:53:51.386452: [NET] DNS64: mapped MYIPFIXE to itself.
2021-11-22 14:53:51.387416: [NET] Attaching to interface
2021-11-22 14:53:51.388365: [NET] Routine: decryption worker 5 - started
2021-11-22 14:53:51.388390: [NET] Routine: handshake worker 3 - started
2021-11-22 14:53:51.388473: [NET] UAPI: Updating private key
2021-11-22 14:53:51.388504: [NET] Routine: decryption worker 6 - started
2021-11-22 14:53:51.388507: [NET] Routine: encryption worker 4 - started
2021-11-22 14:53:51.388556: [NET] Routine: handshake worker 5 - started
2021-11-22 14:53:51.388595: [NET] Routine: encryption worker 1 - started
2021-11-22 14:53:51.388593: [NET] Routine: encryption worker 2 - started
2021-11-22 14:53:51.388610: [NET] Routine: decryption worker 2 - started
2021-11-22 14:53:51.388613: [NET] Routine: handshake worker 1 - started
2021-11-22 14:53:51.388629: [NET] Routine: encryption worker 6 - started
2021-11-22 14:53:51.388637: [NET] Routine: event worker - started
2021-11-22 14:53:51.388696: [NET] Routine: handshake worker 2 - started
2021-11-22 14:53:51.388692: [NET] Routine: decryption worker 1 - started
2021-11-22 14:53:51.388716: [NET] Routine: handshake worker 6 - started
2021-11-22 14:53:51.388810: [NET] Routine: TUN reader - started
2021-11-22 14:53:51.388810: [NET] Routine: encryption worker 3 - started
2021-11-22 14:53:51.388812: [NET] Routine: decryption worker 4 - started
2021-11-22 14:53:51.388835: [NET] Routine: handshake worker 4 - started
2021-11-22 14:53:51.388835: [NET] Routine: decryption worker 3 - started
2021-11-22 14:53:51.388878: [NET] Routine: encryption worker 5 - started
2021-11-22 14:53:51.389274: [NET] UAPI: Removing all peers
2021-11-22 14:53:51.389635: [NET] peer(//3o…lzkw) - UAPI: Created
2021-11-22 14:53:51.390134: [NET] peer(//3o…lzkw) - UAPI: Updating endpoint
2021-11-22 14:53:51.390323: [NET] peer(//3o…lzkw) - UAPI: Updating persistent keepalive interval
2021-11-22 14:53:51.390368: [NET] peer(//3o…lzkw) - UAPI: Removing all allowedips
2021-11-22 14:53:51.390533: [NET] peer(//3o…lzkw) - UAPI: Adding allowedip
2021-11-22 14:53:51.390638: [NET] peer(//3o…lzkw) - UAPI: Adding allowedip
2021-11-22 14:53:51.391105: [NET] UDP bind has been updated
2021-11-22 14:53:51.391152: [NET] peer(//3o…lzkw) - Starting
2021-11-22 14:53:51.391220: [NET] Routine: receive incoming v6 - started
2021-11-22 14:53:51.391221: [NET] Routine: receive incoming v4 - started
2021-11-22 14:53:51.391509: [NET] peer(//3o…lzkw) - Sending keepalive packet
2021-11-22 14:53:51.391509: [NET] peer(//3o…lzkw) - Routine: sequential sender - started
2021-11-22 14:53:51.391595: [NET] peer(//3o…lzkw) - Sending handshake initiation
2021-11-22 14:53:51.391798: [NET] peer(//3o…lzkw) - Routine: sequential receiver - started
2021-11-22 14:53:51.392497: [NET] Interface state was Down, requested Up, now Up
2021-11-22 14:53:51.392551: [NET] Device started
2021-11-22 14:53:51.392759: [NET] Tunnel interface is utun2
2021-11-22 14:53:51.393616: [NET] Network change detected with satisfied route and interface order [en0, pdp_ip0]
2021-11-22 14:53:51.393865: [NET] DNS64: mapped MYFIXEIP to itself.
2021-11-22 14:53:51.393928: [NET] peer(//3o…lzkw) - UAPI: Updating endpoint
2021-11-22 14:53:51.394218: [NET] Routine: receive incoming v4 - stopped
2021-11-22 14:53:51.394269: [NET] Network change detected with satisfied route and interface order [en0, utun2, pdp_ip0]
2021-11-22 14:53:51.394273: [NET] Routine: receive incoming v6 - stopped
2021-11-22 14:53:51.394603: [APP] Tunnel 'office' connection status changed to 'connected'
2021-11-22 14:53:51.394614: [NET] UDP bind has been updated
2021-11-22 14:53:51.394637: [NET] Routine: receive incoming v4 - started
2021-11-22 14:53:51.394654: [NET] Routine: receive incoming v6 - started
2021-11-22 14:53:51.394783: [NET] DNS64: mapped MYFIXEIP to itself.
2021-11-22 14:53:51.395007: [NET] peer(//3o…lzkw) - UAPI: Updating endpoint
2021-11-22 14:53:51.395140: [NET] Routine: receive incoming v4 - stopped
2021-11-22 14:53:51.395164: [NET] Routine: receive incoming v6 - stopped
2021-11-22 14:53:51.395332: [NET] UDP bind has been updated
2021-11-22 14:53:51.395452: [NET] Routine: receive incoming v4 - started
2021-11-22 14:53:51.395492: [NET] Routine: receive incoming v6 - started
2021-11-22 14:53:51.851426: [NET] Network change detected with satisfied route and interface order [utun2, en0, pdp_ip0]
2021-11-22 14:53:51.851910: [NET] DNS64: mapped MYFIXEIP to itself.
2021-11-22 14:53:51.852075: [NET] peer(//3o…lzkw) - UAPI: Updating endpoint
2021-11-22 14:53:51.852406: [NET] Routine: receive incoming v4 - stopped
2021-11-22 14:53:51.852461: [NET] Routine: receive incoming v6 - stopped
2021-11-22 14:53:51.852783: [NET] UDP bind has been updated
2021-11-22 14:53:51.852824: [NET] Routine: receive incoming v4 - started
2021-11-22 14:53:51.852851: [NET] Routine: receive incoming v6 - started
2021-11-22 14:53:54.978388: [APP] Status update notification timeout for tunnel 'office'. Tunnel status is now 'connected'.
2021-11-22 14:53:56.666966: [NET] peer(//3o…lzkw) - Handshake did not complete after 5 seconds, retrying (try 2)
2021-11-22 14:53:56.667320: [NET] peer(//3o…lzkw) - Sending handshake initiation
2021-11-22 14:54:01.836556: [NET] peer(//3o…lzkw) - Handshake did not complete after 5 seconds, retrying (try 2)
2021-11-22 14:54:01.836860: [NET] peer(//3o…lzkw) - Sending handshake initiation
2021-11-22 14:54:07.125656: [NET] peer(//3o…lzkw) - Handshake did not complete after 5 seconds, retrying (try 2)
2021-11-22 14:54:07.125950: [NET] peer(//3o…lzkw) - Sending handshake initiation
2021-11-22 14:54:12.309232: [NET] peer(//3o…lzkw) - Handshake did not complete after 5 seconds, retrying (try 2)
2021-11-22 14:54:12.309405: [NET] peer(//3o…lzkw) - Sending handshake initiation
2021-11-22 14:54:17.566826: [NET] peer(//3o…lzkw) - Handshake did not complete after 5 seconds, retrying (try 2)
2021-11-22 14:54:17.567124: [NET] peer(//3o…lzkw) - Sending handshake initiation
2021-11-22 14:54:22.899017: [NET] peer(//3o…lzkw) - Handshake did not complete after 5 seconds, retrying (try 2)
2021-11-22 14:54:22.899335: [NET] peer(//3o…lzkw) - Sending handshake initiation
2021-11-22 14:54:27.981697: [NET] peer(//3o…lzkw) - Handshake did not complete after 5 seconds, retrying (try 2)
2021-11-22 14:54:27.982010: [NET] peer(//3o…lzkw) - Sending handshake initiation
2021-11-22 14:54:28.796246: [APP] startDeactivation: Tunnel: office
2021-11-22 14:54:28.805015: [APP] Tunnel 'office' connection status changed to 'disconnecting'
2021-11-22 14:54:29.069185: [NET] Network change detected with unsatisfied route and interface order [utun2, en0, pdp_ip0]
2021-11-22 14:54:29.069472: [NET] Connectivity offline, pausing backend.
2021-11-22 14:54:29.070129: [NET] Device closing
2021-11-22 14:54:29.070344: [NET] Routine: TUN reader - stopped
2021-11-22 14:54:29.070517: [NET] Routine: event worker - stopped
2021-11-22 14:54:29.070741: [NET] Routine: receive incoming v4 - stopped
2021-11-22 14:54:29.070824: [NET] Routine: receive incoming v6 - stopped
2021-11-22 14:54:29.071404: [NET] peer(//3o…lzkw) - Stopping
2021-11-22 14:54:29.071557: [NET] peer(//3o…lzkw) - Routine: sequential sender - stopped
2021-11-22 14:54:29.071589: [NET] peer(//3o…lzkw) - Routine: sequential receiver - stopped

Let me know what I am doing wrong.

Your WireGuard network is on the same subnet as the main LAN. Change one of them and test again.

Also, turn off masquerading on your lan zone.


Hi, thanks psherman,

It works now: I have the handshake and it is connecting, but it is super and it didn't connect to the network — for example to my OpenWrt LuCI GUI, or even to the internet...

I noticed that the endpoint IP seems weird (outside of the IP subnet...).

Any clue?

That is the apparent IP address of your phone (possibly on the cellular network).

Let’s see the configuration from wg on your phone.


So now my LAN access is working,

but I still have no connection to the internet through the VPN.

Hope it helps....

Try removing the ipv6 part of the allowed ips on the iPhone configuration.

Edit: I also do not see a DNS server specified in your phone configuration. Try using 8.8.8.8.


Thanks, putting in a DNS server gave me all the access.

Now I can try to set up my multiple-peer installation.

Thanks a lot @psherman

PS: if somebody has an explanation (or a link) of why the VPN tunnel has to be outside my LAN subnet, it is something that I don't understand.

This is because WireGuard is a routed protocol. In order for a router to function, it must have at least 2 unique networks between which traffic is routed. The reason that all networks on a router must be unique is because there cannot be any ambiguity as to which network is the source and/or destination. In your original config, wg0 had the address 192.168.1.30/24 while the lan interface was 192.168.1.1/24, so the router could not tell whether a 192.168.1.x destination belonged to the bridge or to the tunnel. Imagine if someone told you to go to John's house to pick up a package and then to deliver the package to John. Without last names or other context, you'd be unable to determine the source/destination of the package.


Hi, thanks for your explanation. I didn't realize that WireGuard was a routed protocol.
Now it is all clear.

Thanks a lot for your help!
