WireGuard Configuration Issues

Hi to all!

I decided to migrate to WG from OpenVPN. The configuration is very simple and straightforward. What has been making me mad for weeks is that I cannot configure it to work without it stopping after 2-3 minutes. Right after setup I am able to connect to the router from my Android device for only a couple of minutes. Then comes this:
image

I have to restart the interface in order to gain another minute of service. I have even started thinking about a cron job to restart it, but that is not a smart solution.

I tried all the tutorials, scripts and videos with the same result. I am still not able to access my LAN devices, but that can wait its turn until the interface-going-down issue is resolved.

Here is my network configuration:

# /etc/config/network as posted: loopback, LAN bridge, WAN (DHCP/DHCPv6),
# switch VLANs and a cjdns tunnel interface. The WireGuard sections follow.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd98:93dc:94c6::/48'

# LAN bridge carrying VLAN 1 (switch ports 2-5).
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

# WAN on VLAN 2 (switch port 1). The MAC below identifies the hardware;
# it is harmless to post but could have been redacted like the keys were.
config device
	option name 'eth0.2'
	option macaddr '98:da:c4:15:0d:d0'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

# Tunnel device for cjdns; addressing is managed by cjdns itself (proto none).
config interface 'cjdns'
	option device 'tuncjdns'
	option proto 'none'

# WireGuard "server" side: the router listens on CUSTOM_PORT and owns
# 10.10.10.1/24 and fd00:1::1/64 inside the tunnel. 'KEY' and 'CUSTOM_PORT'
# are placeholders the poster substituted for the real values.
config interface 'vpn_wg'
	option proto 'wireguard'
	# Private key of this endpoint; it must never leave the router.
	option private_key 'KEY'
	# Must match dest_port of the 'Allow-WireGuard-VPN' firewall rule.
	option listen_port 'CUSTOM_PORT'
	list addresses '10.10.10.1/24'
	list addresses 'fd00:1::1/64'
	option mtu '1420'

# Peer section for interface 'vpn_wg' (one section per peer).
config wireguard_vpn_wg
	option description 'Ganchev'
	option public_key 'KEY'
	# Optional symmetric secret mixed into the handshake; fine to keep.
	option preshared_key 'KEY'
	# Cryptokey routing: only packets from/to 10.10.10.10 are accepted for
	# this peer. No IPv6 prefix is listed, so the peer cannot use the
	# fd00:1::/64 side of the tunnel even though the interface carries it.
	list allowed_ips '10.10.10.10/32'
	# Keepalive sent from the router every 25 s. NOTE(review): the roaming
	# (phone) side normally needs the keepalive to hold its NAT mapping;
	# confirm the phone profile sets it too. Nothing in this section explains
	# an interface that drops after minutes — check logread when it happens.
	option persistent_keepalive '25'

And this is firewall config:

# /etc/config/firewall as posted. Defaults: traffic to/from the router itself
# is accepted, forwarding between zones is rejected unless a 'forwarding'
# section or a zone's own 'forward' setting allows it.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# 'vpn_wg' is a member of the lan zone, so every WireGuard peer gets the same
# trust as a wired LAN host: router input ACCEPT, lan->wan forwarding, and
# traffic to other lan hosts. Acceptable for a personal VPN; a dedicated zone
# would allow tighter per-peer rules later.
# NOTE(review): this layout already permits peer -> LAN; if LAN hosts are
# unreachable, the client's AllowedIPs (not shown here) is the first thing
# to check.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'vpn_wg'

# Untrusted side: unsolicited input and forwarding rejected, NAT (masq) and
# MSS clamping (mtu_fix) enabled.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

# The rules below appear to be the stock OpenWrt wan-input set (DHCP renew,
# ping, IGMP, DHCPv6, MLD, rate-limited ICMPv6, IPsec ESP/ISAKMP). They are
# not related to the WireGuard interface.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Stock IPsec passthrough rules; they only matter if a LAN host runs IPsec.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Script includes run alongside the generated ruleset.
# bcp38: source-address (anti-spoofing) egress filtering.
config include 'bcp38'
	option type 'script'
	option path '/usr/lib/bcp38/run.sh'

# miniupnpd lets LAN hosts (and, since vpn_wg is in the lan zone, VPN peers)
# request inbound WAN port mappings; worth reviewing which hosts may do so.
config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'

# Policy-based routing include. NOTE(review): pbr rewrites routing rules and
# tables; it is worth ruling out as a cause when the WireGuard interface
# drops, e.g. by disabling it temporarily.
config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

# cjdns zone: IPv6-only, router input and forwarding rejected; only the
# explicitly enabled rules below open anything from it.
config zone
	option name 'cjdns'
	list network 'cjdns'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option conntrack '1'
	option family 'ipv6'

config rule
	option name 'Allow-ICMPv6-cjdns'
	option src 'cjdns'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# SSH and HTTP from the cjdns mesh are present but disabled (enabled '0').
config rule
	option enabled '0'
	option name 'Allow-SSH-cjdns'
	option src 'cjdns'
	option proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'

config rule
	option enabled '0'
	option name 'Allow-HTTP-cjdns'
	option src 'cjdns'
	option proto 'tcp'
	option dest_port '80'
	option target 'ACCEPT'

# Opens UDP 40415 on the WAN side to the router itself (no dest given),
# presumably the cjdns listen port; one of two UDP ports exposed to the
# Internet in this config, the other being the WireGuard port.
config rule
	option name 'Allow-cjdns-wan'
	option src 'wan'
	option proto 'udp'
	option dest_port '40415'
	option target 'ACCEPT'

# fail2ban hook, re-run on firewall reload.
config include
	option path '/etc/firewall.fail2ban'
	option enabled '1'
	option reload '1'

# Exposes the WireGuard listen port to the router (no dest, so router input).
# UDP only is correct for WireGuard; CUSTOM_PORT must equal listen_port in
# the 'vpn_wg' interface section. WireGuard does not answer unauthenticated
# packets, so the open port reveals nothing to scanners.
config rule
	option name 'Allow-WireGuard-VPN'
	list proto 'udp'
	option src 'wan'
	option dest_port 'CUSTOM_PORT'
	option target 'ACCEPT'

Hope that somebody can help me to resolve this issue.

Thank you!

I've used this guide recently, when setting up WG on my portable openwrt router, for connecting to the home server.
Worked like a charm, skipped the kill switch though.

Are you testing from outside e.g.

with your phone on cellular?

Yes, egc. I am testing from the cellular network. It doesn't matter — the interface goes down after a while even when no peer is connected. frollic, I prefer the server part to be hosted by me. I do not need a paid service.

Are you saying that the config on your OpenWrt suddenly disappears?

Can we see the peer's config?

you really need to read what people write you ...


Thank you, frollic! Sorry. This guide is a bit different from what I have done, so I will follow it and post the result. At this time I have started the extroot procedure from scratch and will need some time to reach the VPN point again.