Wireguard configuration for road warrior peers doesn't handshake

Hello there!

I'm currently trying to deploy Wireguard for my mobile devices using the first script detailed in this article of the wiki while running OpenWrt SNAPSHOT r18086-cb18b62206 from wulfy23's custom Raspberry Pi 4 build of OpenWRT, version 3.5.139-21 (kernel Linux OpenWRT-RPi 5.10.79 #0 SMP Sun Nov 14 13:29:47 2021 aarch64 GNU/Linux), and so far it seems deployment was a success, but handshake and actual usage remain a point of conflict.

I am able to probe using netcat the assigned port for the connection from a LAN device and my designated DDNS domain, and I'm able to successfully receive activity on the router's end using tcpdump:

Router's side

tcpdump -ni br-lan port 51820
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes
02:09:41.987360 IP 192.168.1.252.58492 > 192.168.1.1.51820: UDP, length 1
02:09:41.987364 IP 192.168.1.252.58492 > 192.168.1.1.51820: UDP, length 1

Client's side

netcat -uvz wire.domain.me 51820

But still, even after exporting my configuration from the created folder /etc/wireguard/networks/lan/peers/1_lan_ToastyPenTen/1_lan_ToastyPenTen.conf using qrencode like so:

qrencode -t ANSIUTF8 < /etc/wireguard/networks/lan/peers/1_lan_ToastyPenTen/1_lan_ToastyPenTen.conf

I am unable to initiate a handshake from my Android device from outside the LAN.

I'll attach my firewall config, the output of the script and the peer configurations just to be sure:

/etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg_lan'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan_6'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config zone
        option name 'vpnzone'
        option input 'REJECT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'vpn_usa'
        list network 'vpn_uk'
        list network 'vpn_spa'

config forwarding
        option src 'lan'
        option dest 'vpnzone'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'
        option reload '1'

config zone 'docker'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option name 'docker'
        list network 'docker'

config rule
        option name 'AllowNGINXPMAdmin'
        option src_port '81'
        option dest 'lan'
        option dest_port '81'
        option target 'ACCEPT'
        option src 'lan'
        list dest_ip '172.18.0.2'

config redirect
        option target 'DNAT'
        option name 'RProxy'
        option src 'wan'
        option src_dport '80'
        option dest 'lan'
        option dest_port '80'
        option dest_ip '172.18.0.2'

config redirect
        option target 'DNAT'
        option name 'RProxy-SSL'
        option src 'wan'
        option src_dport '443'
        option dest 'lan'
        option dest_port '443'
        option dest_ip '172.18.0.2'

config redirect 'adblock_docker53'
        option name 'Adblock DNS (docker, 53)'
        option src 'docker'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'

config redirect 'adblock_docker853'
        option name 'Adblock DNS (docker, 853)'
        option src 'docker'
        option proto 'tcp udp'
        option src_dport '853'
        option dest_port '853'
        option target 'DNAT'

config redirect 'adblock_docker5353'
        option name 'Adblock DNS (docker, 5353)'
        option src 'docker'
        option proto 'tcp udp'
        option src_dport '5353'
        option dest_port '5353'
        option target 'DNAT'

config redirect 'adblock_lan53'
        option name 'Adblock DNS (lan, 53)'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'

config redirect 'adblock_lan853'
        option name 'Adblock DNS (lan, 853)'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '853'
        option dest_port '853'
        option target 'DNAT'

config redirect 'adblock_lan5353'
        option name 'Adblock DNS (lan, 5353)'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '5353'
        option dest_port '5353'
        option target 'DNAT'

config redirect 'adblock_wan53'
        option name 'Adblock DNS (wan, 53)'
        option src 'wan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'

config redirect 'adblock_wan853'
        option name 'Adblock DNS (wan, 853)'
        option src 'wan'
        option proto 'tcp udp'
        option src_dport '853'
        option dest_port '853'
        option target 'DNAT'

config redirect 'adblock_wan5353'
        option name 'Adblock DNS (wan, 5353)'
        option src 'wan'
        option proto 'tcp udp'
        option src_dport '5353'
        option dest_port '5353'
        option target 'DNAT'

config redirect
        option target 'DNAT'
        option name 'RProxy-Admin'
        option src 'lan'
        option src_dport '81'
        option dest 'lan'
        option dest_port '81'
        option dest_ip '172.18.0.2'

config rule
        option name 'RClone-GUI'
        option src 'lan'
        option src_port '5572'
        option dest 'lan'
        option dest_port '5572'
        option target 'ACCEPT'
        list dest_ip '192.168.1.1'
        list dest_ip 'fd04:52a5:a38a::1'

config rule
        option name 'HomeAssistant'
        option src 'lan'
        option src_port '8123'
        option dest 'lan'
        option dest_port '8123'
        option target 'ACCEPT'
        list dest_ip '192.168.1.1'
        list dest_ip 'fd04:52a5:a38a::1'

config rule
        option name 'Allow-NFS-RPC'
        option src 'lan'
        option proto 'tcp udp'
        option dest_port '111'
        option target 'ACCEPT'

config rule
        option name 'Allow-NFS'
        option src 'lan'
        option proto 'tcp udp'
        option dest_port '2049'
        option target 'ACCEPT'

config rule
        option name 'Allow-NFS-Lock'
        option src 'lan'
        option proto 'tcp udp'
        option dest_port '32777:32780'
        option target 'ACCEPT'

config rule
        option name 'Tautulli'
        option src 'lan'
        option src_port '8181'
        option dest 'lan'
        list dest_ip '172.18.0.5'
        option dest_port '8181'
        option target 'ACCEPT'

config rule
        option name 'PiHole-Admin'
        option src_port '82'
        option dest 'lan'
        option dest_port '82'
        option target 'ACCEPT'
        option src 'lan'
        list dest_ip '192.168.1.1'
        list dest_ip 'fd04:52a5:a38a::1'

config nat
        option name 'PiHole-DNAT'
        list proto 'tcp'
        list proto 'udp'
        list proto 'icmp'
        option src 'lan'
        option dest_ip '192.168.0.2'
        option dest_port '80'
        option target 'SNAT'
        option snat_ip '192.168.1.1'
        option snat_port '82'

config rule
        option name 'Transmission-GUI'
        option src 'lan'
        option dest 'lan'
        option target 'ACCEPT'
        list dest_ip '192.168.1.1'
        list dest_ip 'fd04:52a5:a38a::1'
        option src_port '9091'
        option dest_port '9091'

config redirect 'adblock_vpnzone53'
        option name 'Adblock DNS (vpnzone, 53)'
        option src 'vpnzone'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'

config redirect 'adblock_vpnzone853'
        option name 'Adblock DNS (vpnzone, 853)'
        option src 'vpnzone'
        option proto 'tcp udp'
        option src_dport '853'
        option dest_port '853'
        option target 'DNAT'

config redirect 'adblock_vpnzone5353'
        option name 'Adblock DNS (vpnzone, 5353)'
        option src 'vpnzone'
        option proto 'tcp udp'
        option src_dport '5353'
        option dest_port '5353'
        option target 'DNAT'

config rule
        option name 'NGINXPM-DB'
        option src 'lan'
        list src_ip '172.18.0.2'
        option src_port '3306'
        option dest 'lan'
        list dest_ip '172.18.0.3'
        option dest_port '3306'
        option target 'ACCEPT'

config rule
        option name 'Adguard-Admin'
        option src 'wan'
        option src_port '82'
        option dest 'lan'
        option dest_port '82'
        option target 'ACCEPT'
        list dest_ip '172.18.0.6'
        list dest_ip '2001:3984:3989::6'

config redirect
        option target 'DNAT'
        option src 'wan'
        option src_dport '51820'
        option dest 'lan'
        option dest_port '51820'
        option name 'Wireguard'
        option dest_ip '192.168.1.1'

config rule 'wg'
        option src 'wan'
        option dest_port '51820'
        option target 'ACCEPT'
        option name 'Allow-WireGuard-lan'
        list proto 'tcp'
        list proto 'udp'

config defaults
        option input 'REJECT'
        option output 'REJECT'
        option forward 'REJECT'

Peer Configuration

Address = 10.0.5.2/32
PrivateKey = REDACTED # Peer's private key
DNS = 10.0.5.1

[Peer]
PublicKey = REDACTED # Server's public key
PresharedKey = REDACTED # Peer's pre-shared key
PersistentKeepalive = 25
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = wire.domain.me:51820

Script's output

======================================
|     Automated WireGuard Script     |
|        Named Peers with IDs        |
======================================
Defining variables... Done
Creating directories and pre-defining permissions on those directories... Done
Removing pre-existing WireGuard interface... Done
Generating WireGuard server keys for 'lan' network... Done
Rename firewall.@zone[0] to lan and firewall.@zone[1] to wan... Done
Creating WireGuard interface for 'lan' network... Done
Adding firewall rule for 'lan' network... Done
Removing pre-existing peers... Done

======================================
|     Automated WireGuard Script     |
|        Named Peers with IDs        |
======================================
Defining variables... Done
Creating directories and pre-defining permissions on those directories... Done
Removing pre-existing WireGuard interface... Done
Generating WireGuard server keys for 'lan' network... Done
Rename firewall.@zone[0] to lan and firewall.@zone[1] to wan... Done
Creating WireGuard interface for 'lan' network... Done
Adding firewall rule for 'lan' network... Done
Removing pre-existing peers... Done


Creating directory for peer '1_lan_ToastyPenTen'... Done
Generating peer keys for '1_lan_ToastyPenTen'... Done
Generating peer PSK for '1_lan_ToastyPenTen'... Done
Adding '1_lan_ToastyPenTen' to WireGuard server... Done
Creating config for '1_lan_ToastyPenTen'... Done

Creating directory for peer '2_lan_ToastyUFO'... Done
Generating peer keys for '2_lan_ToastyUFO'... Done
Generating peer PSK for '2_lan_ToastyUFO'... Done
Adding '2_lan_ToastyUFO' to WireGuard server... Done
Creating config for '2_lan_ToastyUFO'... Done

Creating directory for peer '3_lan_MotoOneLiz'... Done
Generating peer keys for '3_lan_MotoOneLiz'... Done
Generating peer PSK for '3_lan_MotoOneLiz'... Done
Adding '3_lan_MotoOneLiz' to WireGuard server... Done
Creating config for '3_lan_MotoOneLiz'... Done

Creating directory for peer '4_lan_LizPC'... Done
Generating peer keys for '4_lan_LizPC'... Done
Generating peer PSK for '4_lan_LizPC'... Done
Adding '4_lan_LizPC' to WireGuard server... Done
Creating config for '4_lan_LizPC'... Done

Creating directory for peer '5_lan_MotoOneCelia'... Done
Generating peer keys for '5_lan_MotoOneCelia'... Done
Generating peer PSK for '5_lan_MotoOneCelia'... Done
Adding '5_lan_MotoOneCelia' to WireGuard server... Done
Creating config for '5_lan_MotoOneCelia'... Done

Commiting changes... uci: Parse error (invalid character in name field) at line 38, byte 36
Done

Restarting WireGuard interface... Done

Restarting firewall... Done

So I'd like to ask for help in how to fix this (If I missed anything just say the word and I'll add it).
Thanks in advance!

Do you have a vpn tunnel already running on that router that is sending all of your traffic through another vpn (like a commercial vpn service or similar)? If so, that is likely the reason you cannot get a handshake.

If not, are you positive you have a public ip address on the wan of your openwrt router?


I do have three VPNs running in the background for VPN-PBR, though they are not the default gateway for any traffic in the network. Both the DDNS address and my public IP return the same result when using dig, so I'm pretty sure I'm getting a public IP from my ISP that returns the same result when I try to connect to it instead.

Remove the redirect rule. If it still doesn't work, start tcpdump on the wan port.


these are also worth paying attention to...

you could add set -x next time you run that script or run

ucivalidate.sh

to try to pin down where the syntax glitch is... could be totally unrelated...


Just to clarify -- when you said "my public IP" -- were you getting this from the IPv4 Upstream (i.e. WAN) interface of the OpenWrt router?

Let's see your complete network and firewall files as they stand now (/etc/config/network, /etc/config/firewall).

Unrelated to your main issue, you have a bunch of stuff that is unnecessary, wrong, or ineffective in your firewall. Just a few examples:

The above does nothing since it is attempting to operate on the same network (unless you are using bridge firewall, but bridge firewall only works when the OpenWrt bridge has direct access to filter access -- if there is a switch between the two devices (including the one built-into the router), this won't work).

And then this one:

has zero effect since your lan zone already allows input to the router. (assuming 192.168.1.1 is the router's IP)

There are many other things I'd fix on this firewall, but that is unrelated to wireguard functionality.

Rule removed, but checking either eth0 or pppoe_wan then probing with netcat produces no results. Attempting to probe while checking br-lan as before produces same results.
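
The captures discussed above can be read by packet size. This is an added example, not code from the thread; it relies on WireGuard's fixed message sizes (a handshake initiation is 148 bytes of UDP payload, a response 92) and on WireGuard staying silent towards packets it cannot authenticate, which is why a one-byte netcat probe never gets an answer. The 203.0.113.x and 198.51.100.x addresses are constructed sample values.

```python
import re
from collections import Counter

WG_PORT = 51820  # listen_port used throughout the thread

# WireGuard handshake sizes as tcpdump reports them (UDP payload length).
SIZES = {148: "handshake-initiation", 92: "handshake-response"}

LINE_RE = re.compile(
    r"IP6? (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"UDP, length (?P<length>\d+)"
)


def classify(length):
    """Name a packet by size alone; tcpdump's summary line shows no payload."""
    if length in SIZES:
        return SIZES[length]
    if length == 32:
        return "keepalive"
    if length > 32 and (length - 32) % 16 == 0:
        # 16-byte header + payload padded to 16 + 16-byte tag.
        # A 64-byte cookie reply also lands here; size cannot tell them apart.
        return "data-or-cookie"
    return "not-wireguard"


def diagnose(capture, port=WG_PORT):
    """Return (verdict, counts) for tcpdump summary lines from one interface."""
    counts = Counter()
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        if int(m["dport"]) == port:
            direction = "in"
        elif int(m["sport"]) == port:
            direction = "out"
        else:
            continue
        counts[direction, classify(int(m["length"]))] += 1
    if not counts["in", "handshake-initiation"]:
        # Nothing of handshake size reached this interface: look upstream
        # (endpoint name or address, NAT, the interface being captured).
        verdict = "no-initiation-seen"
    elif not counts["out", "handshake-response"]:
        # The packet arrives but nothing answers: the router does not know
        # the peer's public key, or the firewall drops it after the capture point.
        verdict = "initiation-unanswered"
    else:
        verdict = "handshake-exchanged"
    return verdict, counts


# The two lines from the first post: a netcat probe, one byte each.
NETCAT_PROBE = """\
02:09:41.987360 IP 192.168.1.252.58492 > 192.168.1.1.51820: UDP, length 1
02:09:41.987364 IP 192.168.1.252.58492 > 192.168.1.1.51820: UDP, length 1
"""

# Constructed WAN-side capture: the phone retries, the router stays silent.
UNANSWERED = """\
10:00:00.000000 IP 203.0.113.7.40000 > 198.51.100.10.51820: UDP, length 148
10:00:05.100000 IP 203.0.113.7.40000 > 198.51.100.10.51820: UDP, length 148
"""

# Constructed capture of a tunnel that comes up.
WORKING = """\
10:00:00.000000 IP 203.0.113.7.40000 > 198.51.100.10.51820: UDP, length 148
10:00:00.020000 IP 198.51.100.10.51820 > 203.0.113.7.40000: UDP, length 92
10:00:00.050000 IP 203.0.113.7.40000 > 198.51.100.10.51820: UDP, length 32
10:00:00.300000 IP 198.51.100.10.51820 > 203.0.113.7.40000: UDP, length 128
"""

if __name__ == "__main__":
    for name, capture in [("netcat probe", NETCAT_PROBE),
                          ("unanswered", UNANSWERED),
                          ("working", WORKING)]:
        verdict, counts = diagnose(capture)
        print(f"{name}: {verdict} {dict(counts)}")
```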

Turns out it was an issue with nut_server's configuration, for some reason if these lines are present on the config file:

	config override 'override_battery_charge_low' 20
	config override 'override_battery_charge_warning' 40

ucivalidate.sh returns
/etc/config/nut_server: uci: Parse error (too many arguments) at line 38, byte 50
Removing them leads to a clean output, though I'm not sure where I missed the correct syntax given the wiki's line reads exactly as mine.

So it turned out unrelated, but still an odd sight.

Glad to see you, btw. :blush:

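
The parse error above comes down to argument counts: a UCI `config` line takes a type and an optional name, and an `option` or `list` line takes a name and a value, so a third token is rejected. The checker below is an added example, not libuci or ucivalidate.sh; it models only those rules plus the name character set, and its messages are worded after the ones quoted in the thread. Sample lines 3 and 4 are the ones from the post, the rest are constructed.

```python
import re
import shlex

# Section and option names: letters, digits and underscore only.
NAME_OK = re.compile(r"[A-Za-z0-9_]+\Z")


def check_uci(text):
    """Return [(line_no, message)] for lines this simplified UCI grammar rejects."""
    problems = []
    for no, line in enumerate(text.splitlines(), 1):
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:
            problems.append((no, "unterminated quote"))
            continue
        if not tokens or tokens[0] == "package":
            continue  # blank line, comment, or package declaration
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            # config <type> [<name>]
            name = args[1] if len(args) > 1 else None
        elif keyword in ("option", "list"):
            # option <name> <value>
            name = args[0] if args else None
        else:
            problems.append((no, "unknown keyword"))
            continue
        if not args:
            problems.append((no, "insufficient arguments"))
        elif len(args) > 2:
            problems.append((no, "too many arguments"))
        elif name is not None and not NAME_OK.match(name):
            problems.append((no, "invalid character in name field"))
    return problems


SAMPLE = """\
config driver 'ups_a'
\toption port 'auto'
config override 'override_battery_charge_low' 20
config override 'override_battery_charge_warning' 40
config rule 'wg-lan'
"""

if __name__ == "__main__":
    for no, message in check_uci(SAMPLE):
        print(f"line {no}: {message}")
```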

Yes, that's right.

Sure

/etc/config/network

config interface 'vpn_usa'
        option proto 'none'
        option device 'ovpnc0'

config interface 'vpn_uk'
        option proto 'none'
        option device 'ovpnc1'

config interface 'vpn_spa'
        option proto 'none'
        option device 'ovpnc2'

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd04:52a5:a38a::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'docker'
        option device 'docker0'
        option proto 'none'
        option auto '0'

config device
        option type 'bridge'
        option name 'docker0'

config interface 'wan'
        option proto 'pppoe'
        option device 'eth0'
        option username 'REDACTED'
        option password 'REDACTED'
        option ipv6 'auto'

config interface 'wg_lan'
        option proto 'wireguard'
        option private_key 'REDACTED'
        option listen_port '51820'
        list addresses '10.0.5.1/24'
        option mtu '1420'

config wireguard_wg_lan
        option public_key 'REDACTED'
        option preshared_key 'REDACTED'
        option description '1_lan_ToastyPenTen'
        list allowed_ips '10.0.5.2/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

config wireguard_wg_lan
        option public_key 'REDACTED'
        option preshared_key 'REDACTED'
        option description '2_lan_ToastyUFO'
        list allowed_ips '10.0.5.3/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

config wireguard_wg_lan
        option public_key 'REDACTED'
        option preshared_key 'REDACTED'
        option description '3_lan_MotoOneLiz'
        list allowed_ips '10.0.5.4/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

config wireguard_wg_lan
        option public_key 'REDACTED'
        option preshared_key 'REDACTED'
        option description '4_lan_LizPC'
        list allowed_ips '10.0.5.5/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

config wireguard_wg_lan
        option public_key 'REDACTED'
        option preshared_key 'REDACTED'
        option description '5_lan_MotoOneCelia'
        list allowed_ips '10.0.5.6/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

/etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg_lan'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan_6'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config zone
        option name 'vpnzone'
        option input 'REJECT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'vpn_usa'
        list network 'vpn_uk'
        list network 'vpn_spa'

config forwarding
        option src 'lan'
        option dest 'vpnzone'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'
        option reload '1'

config zone 'docker'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option name 'docker'
        list network 'docker'

config rule
        option name 'AllowNGINXPMAdmin'
        option src_port '81'
        option dest 'lan'
        option dest_port '81'
        option target 'ACCEPT'
        option src 'lan'
        list dest_ip '172.18.0.2'

config redirect
        option target 'DNAT'
        option name 'RProxy'
        option src 'wan'
        option src_dport '80'
        option dest 'lan'
        option dest_port '80'
        option dest_ip '172.18.0.2'

config redirect
        option target 'DNAT'
        option name 'RProxy-SSL'
        option src 'wan'
        option src_dport '443'
        option dest 'lan'
        option dest_port '443'
        option dest_ip '172.18.0.2'

config redirect 'adblock_docker53'
        option name 'Adblock DNS (docker, 53)'
        option src 'docker'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'

config redirect 'adblock_docker853'
        option name 'Adblock DNS (docker, 853)'
        option src 'docker'
        option proto 'tcp udp'
        option src_dport '853'
        option dest_port '853'
        option target 'DNAT'

config redirect 'adblock_docker5353'
        option name 'Adblock DNS (docker, 5353)'
        option src 'docker'
        option proto 'tcp udp'
        option src_dport '5353'
        option dest_port '5353'
        option target 'DNAT'

config redirect 'adblock_lan53'
        option name 'Adblock DNS (lan, 53)'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'

config redirect 'adblock_lan853'
        option name 'Adblock DNS (lan, 853)'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '853'
        option dest_port '853'
        option target 'DNAT'

config redirect 'adblock_lan5353'
        option name 'Adblock DNS (lan, 5353)'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '5353'
        option dest_port '5353'
        option target 'DNAT'

config redirect 'adblock_wan53'
        option name 'Adblock DNS (wan, 53)'
        option src 'wan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'

config redirect 'adblock_wan853'
        option name 'Adblock DNS (wan, 853)'
        option src 'wan'
        option proto 'tcp udp'
        option src_dport '853'
        option dest_port '853'
        option target 'DNAT'

config redirect 'adblock_wan5353'
        option name 'Adblock DNS (wan, 5353)'
        option src 'wan'
        option proto 'tcp udp'
        option src_dport '5353'
        option dest_port '5353'
        option target 'DNAT'

config redirect
        option target 'DNAT'
        option name 'RProxy-Admin'
        option src 'lan'
        option src_dport '81'
        option dest 'lan'
        option dest_port '81'
        option dest_ip '172.18.0.2'

config rule
        option name 'RClone-GUI'
        option src 'lan'
        option src_port '5572'
        option dest 'lan'
        option dest_port '5572'
        option target 'ACCEPT'
        list dest_ip '192.168.1.1'
        list dest_ip 'fd04:52a5:a38a::1'

config rule
        option name 'HomeAssistant'
        option src 'lan'
        option src_port '8123'
        option dest 'lan'
        option dest_port '8123'
        option target 'ACCEPT'
        list dest_ip '192.168.1.1'
        list dest_ip 'fd04:52a5:a38a::1'

config rule
        option name 'Allow-NFS-RPC'
        option src 'lan'
        option proto 'tcp udp'
        option dest_port '111'
        option target 'ACCEPT'

config rule
        option name 'Allow-NFS'
        option src 'lan'
        option proto 'tcp udp'
        option dest_port '2049'
        option target 'ACCEPT'

config rule
        option name 'Allow-NFS-Lock'
        option src 'lan'
        option proto 'tcp udp'
        option dest_port '32777:32780'
        option target 'ACCEPT'

config rule
        option name 'Tautulli'
        option src 'lan'
        option src_port '8181'
        option dest 'lan'
        list dest_ip '172.18.0.5'
        option dest_port '8181'
        option target 'ACCEPT'

config rule
        option name 'PiHole-Admin'
        option src_port '82'
        option dest 'lan'
        option dest_port '82'
        option target 'ACCEPT'
        option src 'lan'
        list dest_ip '192.168.1.1'
        list dest_ip 'fd04:52a5:a38a::1'

config nat
        option name 'PiHole-DNAT'
        list proto 'tcp'
        list proto 'udp'
        list proto 'icmp'
        option src 'lan'
        option dest_ip '192.168.0.2'
        option dest_port '80'
        option target 'SNAT'
        option snat_ip '192.168.1.1'
        option snat_port '82'

config rule
        option name 'Transmission-GUI'
        option src 'lan'
        option dest 'lan'
        option target 'ACCEPT'
        list dest_ip '192.168.1.1'
        list dest_ip 'fd04:52a5:a38a::1'
        option src_port '9091'
        option dest_port '9091'

config redirect 'adblock_vpnzone53'
        option name 'Adblock DNS (vpnzone, 53)'
        option src 'vpnzone'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'

config redirect 'adblock_vpnzone853'
        option name 'Adblock DNS (vpnzone, 853)'
        option src 'vpnzone'
        option proto 'tcp udp'
        option src_dport '853'
        option dest_port '853'
        option target 'DNAT'

config redirect 'adblock_vpnzone5353'
        option name 'Adblock DNS (vpnzone, 5353)'
        option src 'vpnzone'
        option proto 'tcp udp'
        option src_dport '5353'
        option dest_port '5353'
        option target 'DNAT'

config rule
        option name 'NGINXPM-DB'
        option src 'lan'
        list src_ip '172.18.0.2'
        option src_port '3306'
        option dest 'lan'
        list dest_ip '172.18.0.3'
        option dest_port '3306'
        option target 'ACCEPT'

config rule
        option name 'Adguard-Admin'
        option src 'wan'
        option src_port '82'
        option dest 'lan'
        option dest_port '82'
        option target 'ACCEPT'
        list dest_ip '172.18.0.6'
        list dest_ip '2001:3984:3989::6'

config rule 'wg'
        option src 'wan'
        option dest_port '51820'
        option target 'ACCEPT'
        option name 'Allow-WireGuard-lan'
        list proto 'tcp'
        list proto 'udp'

config defaults
        option input 'REJECT'
        option output 'REJECT'
        option forward 'REJECT'

I see, as you say, there are several rules that seemingly should not be needed or don't do anything. They were mostly attempts to try and fix connections to Docker containers that for some reason would refuse the connection to themselves without them, but if there's any reading material you might've come across that I could use to clean them up, I'd be delighted to give them a read. At the moment one container in particular (Tautulli) refuses to accept any connection, so perhaps I'm still missing something that could be related to the problem I'm facing with Wireguard.
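
The three cleanup points raised in the replies can be checked mechanically: the DNAT redirect that sends the WireGuard port to the router's own address, rules whose source and destination are the same zone, and ACCEPT rules for input from a zone whose input policy is already ACCEPT. This is an added example, not part of the thread or of OpenWrt; the finding names are made up here, and the sample is a trimmed excerpt of the first firewall file posted above.

```python
import shlex

ROUTER_IPS = {"192.168.1.1"}  # lan ipaddr from the posted /etc/config/network

# Trimmed excerpt of the first /etc/config/firewall posted in the thread.
FIREWALL = """\
config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option forward 'ACCEPT'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option forward 'REJECT'

config rule
        option name 'Tautulli'
        option src 'lan'
        option src_port '8181'
        option dest 'lan'
        list dest_ip '172.18.0.5'
        option dest_port '8181'
        option target 'ACCEPT'

config rule
        option name 'Allow-NFS'
        option src 'lan'
        option proto 'tcp udp'
        option dest_port '2049'
        option target 'ACCEPT'

config redirect
        option target 'DNAT'
        option src 'wan'
        option src_dport '51820'
        option dest 'lan'
        option dest_port '51820'
        option name 'Wireguard'
        option dest_ip '192.168.1.1'

config rule 'wg'
        option src 'wan'
        option dest_port '51820'
        option target 'ACCEPT'
        option name 'Allow-WireGuard-lan'
"""


def parse_uci(text):
    """Parse UCI text into [{'type', 'opts'}]; 'list' entries become lists."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if not tok:
            continue
        if tok[0] == "config":
            sections.append({"type": tok[1], "opts": {}})
        elif tok[0] == "option" and sections:
            sections[-1]["opts"][tok[1]] = tok[2]
        elif tok[0] == "list" and sections:
            sections[-1]["opts"].setdefault(tok[1], []).append(tok[2])
    return sections


def as_set(value):
    """Normalise an 'option' string or a 'list' of strings to a set."""
    if value is None:
        return set()
    return set(value) if isinstance(value, list) else {value}


def lint(sections, router_ips=ROUTER_IPS):
    """Return [(rule name, finding)] for the three patterns named in the thread."""
    zone_input = {s["opts"].get("name"): s["opts"].get("input")
                  for s in sections if s["type"] == "zone"}
    findings = []
    for s in sections:
        o = s["opts"]
        label = o.get("name", s["type"])
        if s["type"] == "redirect":
            # Service listens on the router itself: an input rule is enough.
            to_router = as_set(o.get("dest_ip")) & router_ips
            same_port = o.get("dest_port", o.get("src_dport")) == o.get("src_dport")
            if to_router and same_port:
                findings.append((label, "dnat-to-router"))
        elif s["type"] == "rule" and o.get("target") == "ACCEPT":
            src, dest = o.get("src"), o.get("dest")
            if src and src == dest:
                findings.append((label, "same-zone"))
            elif src and dest is None and zone_input.get(src) == "ACCEPT":
                findings.append((label, "input-already-accepted"))
    return findings


if __name__ == "__main__":
    for label, finding in lint(parse_uci(FIREWALL)):
        print(f"{label}: {finding}")
```

The `Allow-WireGuard-lan` rule is not flagged: the wan zone rejects input, so that rule is the one that actually opens the port.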

What do you get from the output of:
wg show

Also, have you tried disabling your other VPNs before attempting to connect via Wireguard?

Another thing to verify is that the keys are all correct. It is really easy to mess up the key exchange, although this is probably less of an issue with the script approach. However, it might be worth trying a fresh set of keys for everything:

  • make sure you have a backup of the current configuration
  • delete the entire wg interface
  • manually create a new set of key-pairs for your router
  • create the new WG interface with the private key
  • manually create a set of key-pairs for a remote peer (say a phone, for example)
  • do not use a preshared key (to start, reducing the variables here)
  • make sure that the peers have the correct public keys for each other, and if you've transferred the private key (for the phone) from one device to another, that the private key is in the right place on the phone.
  • on the phone, set the endpoint address as 192.168.1.1, and make sure your phone is connected to the main LAN - this ensures that nothing external (endpoint IP address mismatches, ISP blocking, etc.)

Then try connecting and report back.

EDIT: just because it is worth stating -- WG public and private keys are impossible to distinguish at a human level. So, it is easy to mistakenly enter the wrong key, and thus have a non-functional WG interface. Also worth pointing out -- my idea here is to really reduce the variables down to the minimum and verify that WG will indeed connect in general when everything is at the most simple state. We can then figure out what might be going on by progressively adding back each variable (such as connecting from the WAN, adding the PSK, etc.)

EDIT 2: another thing to try is omitting the IPv6 details from the WG configs entirely. Just use IPv4 addresses. And, one more thing: use a public DNS server (such as 8.8.8.8) on your remote peer (i.e. the phone).

wg show is a great call! Also note handshake happens "on-demand" as in when first traffic that wants to use a rule leaves the device.

BTW From my experience stuff can get saved into config and "applied" (i.e. interface created but peer might not get properly added to wg until explicit network restart happens.)

In the case of the "home" peer side of the equation in a road-warrior setup, the first handshake will happen when the VPN is initiated on the remote peer (such as a phone). In this case, the router sees this as an incoming connection request, so the user doesn't have to wait for an egress/PBR rule to be triggered for the handshake to occur.

Hoping I can help in some way having just gone through something very similar with Wireguard on the RPi Build (excellent work!). I ended up configuring, deleting and redoing everything so many times my head hurt only to find out that there are two areas I messed up - the port on FW rule and the key config on the Android Client (confusing as hell).

I ended up following this guide: https://birkhoff.me/setting-up-a-wireguard-server-on-openwrt/ which pretty much seems like the one on Openwrt (but that didn't work for me - probably my fault).

One final thing I did was to change the port (to avoid mistakes) to a simple high number, e.g. 5000 and configure WG and the FW rules with this port. I can confirm that WG works on the Wulfy Build with WG on the router as the server and an android client connected accessing my LAN.

Good luck hope the guide works for you!

P.S. happy to share redacted configs if that helps.

1 Like

interface: wg_lan
  public key: A+JThFSvNU7b5xLAUdArtwCCBLi1h1QFUA3YeY2oJVA=
  private key: (hidden)
  listening port: 51820

peer: ia2iUSXj2E5oslayfGVhfYcuoLIWl/LOVpyZ6keq4Gk=
  preshared key: (hidden)
  allowed ips: 10.0.5.2/32
  persistent keepalive: every 25 seconds

peer: 02qqDZHAwFDrjfVjSNoSEK+4bQgW/tGrN5gUDsNvJxY=
  preshared key: (hidden)
  allowed ips: 10.0.5.3/32
  persistent keepalive: every 25 seconds

peer: R9wWcAKgXBvHer9RZcJyyH+g3v3U3ZopNw+iehW3nm0=
  preshared key: (hidden)
  allowed ips: 10.0.5.4/32
  persistent keepalive: every 25 seconds

peer: 2ayZRpQOr4NOunxNnLbprKKiPqZy5Ef8O3WrPcJaVwk=
  preshared key: (hidden)
  allowed ips: 10.0.5.5/32
  persistent keepalive: every 25 seconds

peer: 7L3RxlZjLxp5SvV7fQpzGzgKjsuX1k9YPCaq/xe3biA=
  preshared key: (hidden)
  allowed ips: 10.0.5.6/32
  persistent keepalive: every 25 seconds

Yes, so far makes no difference.

Okay, just tried recreating everything from zero as per the instructions, host receives handshake packet as per phone's "Sending Handshake initiation" and tcpdump reports as successful, but connection is not successful.

[root@OpenWRT-RPi /etc/config]# tcpdump -ni br-lan port 51820
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes
22:49:28.999144 IP 192.168.1.210.41979 > 192.168.1.1.51820: UDP, length 148
22:49:34.118923 IP 192.168.1.210.41979 > 192.168.1.1.51820: UDP, length 148
22:49:39.118640 IP 192.168.1.210.41979 > 192.168.1.1.51820: UDP, length 148
22:49:44.130591 IP 192.168.1.210.41979 > 192.168.1.1.51820: UDP, length 148
22:49:49.245872 IP 192.168.1.210.41979 > 192.168.1.1.51820: UDP, length 148
22:49:54.368221 IP 192.168.1.210.41979 > 192.168.1.1.51820: UDP, length 148
22:49:59.375804 IP 192.168.1.210.41979 > 192.168.1.1.51820: UDP, length 148
22:50:04.382271 IP 192.168.1.210.41979 > 192.168.1.1.51820: UDP, length 148
22:50:09.387909 IP 192.168.1.210.41979 > 192.168.1.1.51820: UDP, length 148
22:50:14.388998 IP 192.168.1.210.41979 > 192.168.1.1.51820: UDP, length 148
22:50:19.404046 IP 192.168.1.210.41979 > 192.168.1.1.51820: UDP, length 148
22:50:24.442627 IP 192.168.1.210.41979 > 192.168.1.1.51820: UDP, length 148
22:50:29.453044 IP 192.168.1.210.41979 > 192.168.1.1.51820: UDP, length 148
22:50:34.679002 IP 192.168.1.210.41979 > 192.168.1.1.51820: UDP, length 148
22:50:39.727560 IP 192.168.1.210.41979 > 192.168.1.1.51820: UDP, length 148
22:50:44.826994 IP 192.168.1.210.41979 > 192.168.1.1.51820: UDP, length 148
22:50:50.075398 IP 192.168.1.210.41979 > 192.168.1.1.51820: UDP, length 148
22:50:55.166994 IP 192.168.1.210.41979 > 192.168.1.1.51820: UDP, length 148
22:51:00.251642 IP 192.168.1.210.41979 > 192.168.1.1.51820: UDP, length 148
22:51:05.334453 IP 192.168.1.210.41979 > 192.168.1.1.51820: UDP, length 148
^C
20 packets captured
20 packets received by filter
0 packets dropped by kernel

After configuring anew, wg show states the following:

interface: wg0
  public key: 5P7+g958RoU4KuL880SaWRW92+d71921P9aO2Tx2QnA=
  private key: (hidden)
  listening port: 51820

So either I'm messing up the key exchange, or my router's Wireguard instance is borked somehow from what I'm able to gather.

Just to be sure, the process I followed to create the interface and peer was the following:

1. Create Wireguard interface and name it wg0 within LuCI's Network > Interfaces menu
2. Save and apply changes
3. Create new peer and name it TestPeer on the description field
4. Generate a QR code and copy over the Public key from the Peer section of the Android App to the peer field in the router
5. Leave everything else empty on the peer settings page
6. Save and apply
7. On the Android device set the IPv4 address to 10.5.0.2/32, the DNS server to 1.1.1.1 and the endpoint to 192.168.1.1:51820
8. Test the connection

If I did anything wrong please tell me so, I'm still a bit green on Wireguard as a concept to be frank.
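The capture in the post above shows only 148-byte datagrams arriving and nothing going back. As an added illustration (not part of any post in this thread), the Python sketch below classifies `tcpdump -n` summary lines by WireGuard message size and reports whether the listener ever answered. The function names are made up for the example, and the sample lines are excerpts of captures posted in the thread.

```python
import re
from collections import Counter

# UDP payload sizes of WireGuard messages (fixed by the protocol).
INITIATION, RESPONSE, COOKIE_REPLY, KEEPALIVE = 148, 92, 64, 32

# Matches the "tcpdump -n" summary lines shown in the thread (IPv4 only).
LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"UDP, length (?P<len>\d+)"
)


def classify(length):
    """Guess the WireGuard message type from the UDP payload length alone.

    This is a heuristic: without the payload bytes (tcpdump -X) the type
    field cannot be read, and 64 bytes fits both a cookie reply and a
    small data packet.
    """
    if length == INITIATION:
        return "initiation"
    if length == RESPONSE:
        return "response"
    if length == KEEPALIVE:          # 16-byte header + 16-byte auth tag
        return "keepalive"
    if length == COOKIE_REPLY:
        return "cookie-or-data"
    if length > KEEPALIVE and length % 16 == 0:
        return "data"                # payload is padded to 16 bytes
    return "other"


def diagnose(capture, listen_port=51820):
    """Return {client endpoint: verdict} for a road-warrior listener."""
    seen = {}
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        sport, dport = int(m["sport"]), int(m["dport"])
        kind = classify(int(m["len"]))
        if dport == listen_port:
            client, direction = f'{m["src"]}:{sport}', "in"
        elif sport == listen_port:
            client, direction = f'{m["dst"]}:{dport}', "out"
        else:
            continue
        seen.setdefault(client, Counter())[(direction, kind)] += 1

    verdicts = {}
    for client, c in seen.items():
        if c[("in", "initiation")] and not c[("out", "response")]:
            # The datagram reached the interface but was never answered:
            # either the firewall dropped it on input, or WireGuard
            # discarded it (it stays silent when the initiator's public
            # key is not a configured peer).
            verdicts[client] = "initiation-unanswered"
        elif c[("out", "response")] and (c[("in", "keepalive")] or c[("in", "data")]):
            verdicts[client] = "established"
        elif c[("out", "response")]:
            verdicts[client] = "response-sent-no-data"
        else:
            verdicts[client] = "no-handshake-seen"
    return verdicts


# Excerpts of the captures posted in this thread.
UNANSWERED = """\
22:49:28.999144 IP 192.168.1.210.41979 > 192.168.1.1.51820: UDP, length 148
22:49:34.118923 IP 192.168.1.210.41979 > 192.168.1.1.51820: UDP, length 148
22:49:39.118640 IP 192.168.1.210.41979 > 192.168.1.1.51820: UDP, length 148
"""
ESTABLISHED = """\
00:41:00.794941 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 148
00:41:00.796163 IP 192.168.1.1.51820 > 192.168.1.210.50237: UDP, length 92
00:41:00.809153 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 32
00:41:00.860596 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 112
00:41:00.861486 IP 192.168.1.1.51820 > 192.168.1.210.50237: UDP, length 144
"""
NETCAT_PROBE = """\
02:09:41.987360 IP 192.168.1.252.58492 > 192.168.1.1.51820: UDP, length 1
"""

if __name__ == "__main__":
    for name, text in [("unanswered", UNANSWERED),
                       ("established", ESTABLISHED),
                       ("netcat probe", NETCAT_PROBE)]:
        print(name, diagnose(text))
```

A 1-byte netcat probe only proves that UDP reaches the port; it says nothing about whether WireGuard accepts the peer.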

Hey, thanks! I'll be sure to check out the guide, though I'd like to see where I went wrong using the setup I'm getting help troubleshooting before muddying the waters with another way to do things yet.

In any case, if things end up going south with the current instruction set, that's my next pick for where to start anew (hopefully things go smoothly, but if not I'd love to read your notes! :smiley: ).

Cheers and kudos!

Did you assign the wireguard interface to a firewall zone?
Can you show the latest firewall and network config files as well as the android setup so I can see the current state? (sorry to keep asking for these files -- but especially since you re-did everything, it is worth checking the current situation)

1 Like

Yes, forgot to mention I added it to the LAN zone (the only other adapter there is the actual LAN adapter [br-lan]).

Sure

Firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg0'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan_6'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config zone
        option name 'vpnzone'
        option input 'REJECT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'vpn_usa'
        list network 'vpn_uk'
        list network 'vpn_spa'

config forwarding
        option src 'lan'
        option dest 'vpnzone'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'
        option reload '1'

config zone 'docker'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option name 'docker'
        list network 'docker'

config rule
        option name 'AllowNGINXPMAdmin'
        option src_port '81'
        option dest 'lan'
        option dest_port '81'
        option target 'ACCEPT'
        option src 'lan'
        list dest_ip '172.18.0.2'

config redirect
        option target 'DNAT'
        option name 'RProxy'
        option src 'wan'
        option src_dport '80'
        option dest 'lan'
        option dest_port '80'
        option dest_ip '172.18.0.2'

config redirect
        option target 'DNAT'
        option name 'RProxy-SSL'
        option src 'wan'
        option src_dport '443'
        option dest 'lan'
        option dest_port '443'
        option dest_ip '172.18.0.2'

config redirect 'adblock_docker53'
        option name 'Adblock DNS (docker, 53)'
        option src 'docker'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'

config redirect 'adblock_docker853'
        option name 'Adblock DNS (docker, 853)'
        option src 'docker'
        option proto 'tcp udp'
        option src_dport '853'
        option dest_port '853'
        option target 'DNAT'

config redirect 'adblock_docker5353'
        option name 'Adblock DNS (docker, 5353)'
        option src 'docker'
        option proto 'tcp udp'
        option src_dport '5353'
        option dest_port '5353'
        option target 'DNAT'

config redirect 'adblock_lan53'
        option name 'Adblock DNS (lan, 53)'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'

config redirect 'adblock_lan853'
        option name 'Adblock DNS (lan, 853)'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '853'
        option dest_port '853'
        option target 'DNAT'

config redirect 'adblock_lan5353'
        option name 'Adblock DNS (lan, 5353)'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '5353'
        option dest_port '5353'
        option target 'DNAT'

config redirect 'adblock_wan53'
        option name 'Adblock DNS (wan, 53)'
        option src 'wan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'

config redirect 'adblock_wan853'
        option name 'Adblock DNS (wan, 853)'
        option src 'wan'
        option proto 'tcp udp'
        option src_dport '853'
        option dest_port '853'
        option target 'DNAT'

config redirect 'adblock_wan5353'
        option name 'Adblock DNS (wan, 5353)'
        option src 'wan'
        option proto 'tcp udp'
        option src_dport '5353'
        option dest_port '5353'
        option target 'DNAT'

config redirect
        option target 'DNAT'
        option name 'RProxy-Admin'
        option src 'lan'
        option src_dport '81'
        option dest 'lan'
        option dest_port '81'
        option dest_ip '172.18.0.2'

config rule
        option name 'RClone-GUI'
        option src 'lan'
        option src_port '5572'
        option dest 'lan'
        option dest_port '5572'
        option target 'ACCEPT'
        list dest_ip '192.168.1.1'
        list dest_ip 'fd04:52a5:a38a::1'

config rule
        option name 'HomeAssistant'
        option src 'lan'
        option src_port '8123'
        option dest 'lan'
        option dest_port '8123'
        option target 'ACCEPT'
        list dest_ip '192.168.1.1'
        list dest_ip 'fd04:52a5:a38a::1'

config rule
        option name 'Allow-NFS-RPC'
        option src 'lan'
        option proto 'tcp udp'
        option dest_port '111'
        option target 'ACCEPT'

config rule
        option name 'Allow-NFS'
        option src 'lan'
        option proto 'tcp udp'
        option dest_port '2049'
        option target 'ACCEPT'

config rule
        option name 'Allow-NFS-Lock'
        option src 'lan'
        option proto 'tcp udp'
        option dest_port '32777:32780'
        option target 'ACCEPT'

config rule
        option name 'Tautulli'
        option src 'lan'
        option src_port '8181'
        option dest 'lan'
        list dest_ip '172.18.0.5'
        option dest_port '8181'
        option target 'ACCEPT'

config rule
        option name 'PiHole-Admin'
        option src_port '82'
        option dest 'lan'
        option dest_port '82'
        option target 'ACCEPT'
        option src 'lan'
        list dest_ip '192.168.1.1'
        list dest_ip 'fd04:52a5:a38a::1'

config nat
        option name 'PiHole-DNAT'
        list proto 'tcp'
        list proto 'udp'
        list proto 'icmp'
        option src 'lan'
        option dest_ip '192.168.0.2'
        option dest_port '80'
        option target 'SNAT'
        option snat_ip '192.168.1.1'
        option snat_port '82'

config rule
        option name 'Transmission-GUI'
        option src 'lan'
        option dest 'lan'
        option target 'ACCEPT'
        list dest_ip '192.168.1.1'
        list dest_ip 'fd04:52a5:a38a::1'
        option src_port '9091'
        option dest_port '9091'

config redirect 'adblock_vpnzone53'
        option name 'Adblock DNS (vpnzone, 53)'
        option src 'vpnzone'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'

config redirect 'adblock_vpnzone853'
        option name 'Adblock DNS (vpnzone, 853)'
        option src 'vpnzone'
        option proto 'tcp udp'
        option src_dport '853'
        option dest_port '853'
        option target 'DNAT'

config redirect 'adblock_vpnzone5353'
        option name 'Adblock DNS (vpnzone, 5353)'
        option src 'vpnzone'
        option proto 'tcp udp'
        option src_dport '5353'
        option dest_port '5353'
        option target 'DNAT'

config rule
        option name 'NGINXPM-DB'
        option src 'lan'
        list src_ip '172.18.0.2'
        option src_port '3306'
        option dest 'lan'
        list dest_ip '172.18.0.3'
        option dest_port '3306'
        option target 'ACCEPT'

config rule
        option name 'Adguard-Admin'
        option src 'wan'
        option src_port '82'
        option dest 'lan'
        option dest_port '82'
        option target 'ACCEPT'
        list dest_ip '172.18.0.6'
        list dest_ip '2001:3984:3989::6'

config rule 'wg'
        option dest_port '51820'
        option target 'ACCEPT'
        option name 'Allow-WireGuard-lan'
        list proto 'tcp'
        list proto 'udp'
        option src 'wan'

config defaults
        option input 'REJECT'
        option output 'REJECT'
        option forward 'REJECT'

I also tried changing just now the zone from WAN to LAN on the Wireguard rule; same result applies, so returned to WAN zone on the source.

Network

config interface 'vpn_usa'
        option proto 'none'
        option device 'ovpnc0'

config interface 'vpn_uk'
        option proto 'none'
        option device 'ovpnc1'

config interface 'vpn_spa'
        option proto 'none'
        option device 'ovpnc2'

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd04:52a5:a38a::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'docker'
        option device 'docker0'
        option proto 'none'
        option auto '0'

config device
        option type 'bridge'
        option name 'docker0'

config interface 'wan'
        option proto 'pppoe'
        option device 'eth0'
        option username 'REDACTED'
        option password 'REDACTED'
        option ipv6 'auto'

config interface 'wg0'
        option proto 'wireguard'
        list addresses '10.5.5.1'
        option private_key 'REDACTED'
        option listen_port '51820'

config wireguard_wg0
        option description 'TestPeer'
        option public_key '5P7+g958RoU4KuL880SaWRW92+d71921P9aO2Tx2QnA='

Attaching Android setup as a screenshot (Device is Samsung Galaxy Note10+ Exynos SM-N975F, running Android version 11 and One UI stock. Wireguard App version is 1.020211029)

Don't worry about it mate, thank you for the help!

I'm seeing a few problems, hopefully these will fix it...

  • you need a line for "allowed IPs" in the peer config from your OpenWrt side. That should match the address you have in the android field (10.0.5.2/32).
  • I don't know if it is critical, but your wg0 interface should be in the same subnet as the peer (currently 10.5.5.1 -- I'd recommend making that 10.0.5.1/24)
  • You appear to have the wrong public keys exchanged.
    • The public key in the peer config of the OpenWrt should be the public key shown in the android interface configuration (M8VDSox...)
    • The public key in the android peer config should be the public key of the OpenWrt WG config (you can get this key by typing wg show on the OpenWrt system -- look at the public key under "interface").
  • Restart the wg interface (or the entire router) after making the changes.

Try those things and report back.

1 Like
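The three problems listed in the reply above (no allowed IPs, interface address outside the peer's subnet, swapped public keys) can be checked mechanically before restarting the interface. The Python sketch below is an added example, not code from the thread or from OpenWrt: it parses a pasted `/etc/config/network` and compares it with the router's own public key. The function names, finding codes and the two keys are constructed for illustration.

```python
import base64
import binascii
import ipaddress
import shlex

# Constructed stand-ins for real keys. On the router the real value comes
# from `wg show wg0 public-key`.
ROUTER_PUB = base64.b64encode(bytes(range(32))).decode()
PHONE_PUB = base64.b64encode(bytes(range(32, 64))).decode()


def parse_uci(text):
    """Parse UCI text into a list of sections with options and lists."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if not parts:
            continue
        if parts[0] == "config" and len(parts) >= 2:
            name = parts[2] if len(parts) > 2 else None
            sections.append({"type": parts[1], "name": name,
                             "options": {}, "lists": {}})
        elif sections and parts[0] == "option" and len(parts) == 3:
            sections[-1]["options"][parts[1]] = parts[2]
        elif sections and parts[0] == "list" and len(parts) == 3:
            sections[-1]["lists"].setdefault(parts[1], []).append(parts[2])
    return sections


def is_wg_key(value):
    """A WireGuard key is 32 bytes, base64-encoded."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False


def lint_wireguard(uci_text, iface, own_public_key):
    """Return a list of (finding, subject) tuples; empty means no finding."""
    sections = parse_uci(uci_text)
    ifsec = next((s for s in sections
                  if s["type"] == "interface" and s["name"] == iface
                  and s["options"].get("proto") == "wireguard"), None)
    if ifsec is None:
        return [("no-wireguard-interface", iface)]

    findings = []
    nets = [ipaddress.ip_interface(a).network
            for a in ifsec["lists"].get("addresses", [])]
    for net in nets:
        if net.prefixlen == net.max_prefixlen:   # e.g. '10.5.5.1' with no /24
            findings.append(("interface-address-has-no-subnet", str(net)))

    peers = [s for s in sections if s["type"] == f"wireguard_{iface}"]
    if not peers:
        findings.append(("no-peers", iface))
    for i, peer in enumerate(peers):
        label = peer["options"].get("description") or f"peer#{i}"
        key = peer["options"].get("public_key", "")
        if not is_wg_key(key):
            findings.append(("peer-key-malformed", label))
        elif key == own_public_key:
            # The peer entry must hold the *remote* device's public key.
            findings.append(("peer-key-is-routers-own-key", label))
        allowed = peer["lists"].get("allowed_ips", [])
        if not allowed:
            findings.append(("peer-missing-allowed-ips", label))
        for cidr in allowed:
            net = ipaddress.ip_network(cidr, strict=False)
            if not any(net.version == n.version and net.subnet_of(n)
                       for n in nets):
                findings.append(("allowed-ip-outside-interface-subnet",
                                 f"{label} {cidr}"))
    return findings


# Shaped like the config posted in the thread, with constructed keys.
BROKEN = f"""
config interface 'wg0'
        option proto 'wireguard'
        list addresses '10.5.5.1'
        option private_key 'REDACTED'
        option listen_port '51820'

config wireguard_wg0
        option description 'TestPeer'
        option public_key '{ROUTER_PUB}'
"""

# The same config after applying the changes suggested in the reply.
FIXED = f"""
config interface 'wg0'
        option proto 'wireguard'
        list addresses '10.0.5.1/24'
        option private_key 'REDACTED'
        option listen_port '51820'

config wireguard_wg0
        option description 'TestPeer'
        option public_key '{PHONE_PUB}'
        list allowed_ips '10.0.5.2/32'
"""

if __name__ == "__main__":
    print(lint_wireguard(BROKEN, "wg0", ROUTER_PUB))
    print(lint_wireguard(FIXED, "wg0", ROUTER_PUB))
```

The subnet finding is advisory, matching the reply's own uncertainty about whether it is critical; the key and allowed-IPs findings are the ones that stop a handshake or the traffic after it.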

Okay, just made all of the required changes and was able to get a link!

[root@OpenWRT-RPi /etc/config]# tcpdump -ni br-lan port 51820
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes
00:41:00.794941 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 148
00:41:00.796163 IP 192.168.1.1.51820 > 192.168.1.210.50237: UDP, length 92
00:41:00.809153 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 32
00:41:00.860596 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 112
00:41:00.861486 IP 192.168.1.1.51820 > 192.168.1.210.50237: UDP, length 144
00:41:00.862299 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 96
00:41:00.867821 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 96
00:41:00.890893 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 112
00:41:00.890895 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 112
00:41:00.918188 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 112
00:41:00.918189 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 112
00:41:00.927255 IP 192.168.1.1.51820 > 192.168.1.210.50237: UDP, length 96
00:41:00.930508 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 96
00:41:00.933248 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 80
00:41:00.933519 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 608
00:41:00.936722 IP 192.168.1.1.51820 > 192.168.1.210.50237: UDP, length 160
00:41:00.944537 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 112
00:41:00.954717 IP 192.168.1.1.51820 > 192.168.1.210.50237: UDP, length 160
00:41:00.993738 IP 192.168.1.1.51820 > 192.168.1.210.50237: UDP, length 80
00:41:00.999735 IP 192.168.1.1.51820 > 192.168.1.210.50237: UDP, length 304
00:41:01.006147 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 80
00:41:01.008966 IP 192.168.1.1.51820 > 192.168.1.210.50237: UDP, length 96
00:41:01.010214 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 144
00:41:01.014064 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 96
00:41:01.032460 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 112
00:41:01.073264 IP 192.168.1.1.51820 > 192.168.1.210.50237: UDP, length 80
00:41:01.073924 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 96
00:41:01.086532 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 368
00:41:01.132604 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 112
00:41:01.132606 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 112
00:41:01.132606 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 96
00:41:01.132607 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 96
00:41:01.136929 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 112
00:41:01.147500 IP 192.168.1.1.51820 > 192.168.1.210.50237: UDP, length 80
00:41:01.170937 IP 192.168.1.1.51820 > 192.168.1.210.50237: UDP, length 176
00:41:01.180004 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 496
00:41:01.183512 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 128
00:41:01.196516 IP 192.168.1.1.51820 > 192.168.1.210.50237: UDP, length 96
00:41:01.200127 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 96
00:41:01.216585 IP 192.168.1.1.51820 > 192.168.1.210.50237: UDP, length 176
00:41:01.237678 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 112
00:41:01.238654 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 112
00:41:01.251149 IP 192.168.1.1.51820 > 192.168.1.210.50237: UDP, length 176
00:41:01.253093 IP 192.168.1.1.51820 > 192.168.1.210.50237: UDP, length 128
00:41:01.257062 IP 192.168.1.1.51820 > 192.168.1.210.50237: UDP, length 96
00:41:01.258647 IP 192.168.1.1.51820 > 192.168.1.210.50237: UDP, length 1312
00:41:01.258684 IP 192.168.1.1.51820 > 192.168.1.210.50237: UDP, length 1312
00:41:01.258692 IP 192.168.1.1.51820 > 192.168.1.210.50237: UDP, length 896
00:41:01.266872 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 96
00:41:01.266874 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 96
00:41:01.266877 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 96
00:41:01.286119 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 96
00:41:01.298937 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 96
00:41:01.336995 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 112
00:41:01.348959 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 112
00:41:01.350292 IP 192.168.1.1.51820 > 192.168.1.210.50237: UDP, length 96
00:41:01.355037 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 96
00:41:01.355982 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 96
00:41:01.355985 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 144
00:41:01.384369 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 112
00:41:01.388963 IP 192.168.1.1.51820 > 192.168.1.210.50237: UDP, length 1312
00:41:01.389010 IP 192.168.1.1.51820 > 192.168.1.210.50237: UDP, length 320
00:41:01.389017 IP 192.168.1.1.51820 > 192.168.1.210.50237: UDP, length 160
00:41:01.393610 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 608
00:41:01.393613 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 80
00:41:01.396091 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 96
00:41:01.396092 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 320
00:41:01.396719 IP 192.168.1.1.51820 > 192.168.1.210.50237: UDP, length 176
00:41:01.402751 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 96
00:41:01.403472 IP 192.168.1.1.51820 > 192.168.1.210.50237: UDP, length 160
00:41:01.410576 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 96
00:41:01.433628 IP 192.168.1.1.51820 > 192.168.1.210.50237: UDP, length 96
00:41:01.433676 IP 192.168.1.1.51820 > 192.168.1.210.50237: UDP, length 96
00:41:01.433928 IP 192.168.1.1.51820 > 192.168.1.210.50237: UDP, length 272
00:41:01.440387 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 96
00:41:01.440949 IP 192.168.1.1.51820 > 192.168.1.210.50237: UDP, length 96
00:41:01.445734 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 96
00:41:01.450792 IP 192.168.1.1.51820 > 192.168.1.210.50237: UDP, length 256
00:41:01.457662 IP 192.168.1.1.51820 > 192.168.1.210.50237: UDP, length 80
00:41:01.459094 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 96
00:41:01.459425 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 624
00:41:01.472851 IP 192.168.1.1.51820 > 192.168.1.210.50237: UDP, length 96
00:41:01.491365 IP 192.168.1.1.51820 > 192.168.1.210.50237: UDP, length 96
00:41:01.492099 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 96
00:41:01.493293 IP 192.168.1.1.51820 > 192.168.1.210.50237: UDP, length 288
00:41:01.497332 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 96
00:41:01.500618 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 160
00:41:01.530298 IP 192.168.1.1.51820 > 192.168.1.210.50237: UDP, length 160
00:41:01.534282 IP 192.168.1.1.51820 > 192.168.1.210.50237: UDP, length 112
00:41:01.536605 IP 192.168.1.1.51820 > 192.168.1.210.50237: UDP, length 96
00:41:01.538825 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 96
00:41:01.539537 IP 192.168.1.1.51820 > 192.168.1.210.50237: UDP, length 144
00:41:01.539785 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 176
00:41:01.539788 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 352
00:41:01.540144 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 112
00:41:01.544956 IP 192.168.1.1.51820 > 192.168.1.210.50237: UDP, length 112
00:41:01.548478 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 96
00:41:01.559131 IP 192.168.1.1.51820 > 192.168.1.210.50237: UDP, length 352
00:41:01.566792 IP 192.168.1.210.50237 > 192.168.1.1.51820: UDP, length 112
00:41:01.570246 IP 192.168.1.1.51820 > 192.168.1.210.50237: UDP, length 96
00:41:01.578081 IP 192.168.1.1.51820 > 192.168.1.210.50237: UDP, length 624
00:41:01.584037 IP 192.168.1.1.51820 > 192.168.1.210.50237: UDP, length 176
00:41:01.585048 IP 192.168.1.1.51820 > 192.168.1.210.50237: UDP, length 128
00:41:01.586682 IP 192.168.1.1.51820 > 192.168.1.210.50237: UDP, length 304
^C
366 packets captured
366 packets received by filter
0 packets dropped by kernel

I assume then the next step would be to try and do the same stuff over the Internet (LTE to DDNS to WAN to LAN)?

Edit and update: Just exchanged my router's IP for the DDNS address and was able to get a link over LTE, also able to browse both using 10.0.5.1 as DNS resolver instead of 1.1.1.1. Thank you! Now all that's left is to establish the connection using IPv6 and other peers.

Woohoo!! Glad it is working now!

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
