WireGuard Configuration Issues

Hi to all!

I decided to migrate from OpenVPN to WG. The configuration is very simple and straightforward. What has been driving me mad for weeks is that I cannot get it to keep working: it stops after 2-3 minutes. Right after setup I am able to connect to the router from my Android device for only a couple of minutes. Then this happens:
image

I have to restart the interface to gain another minute of service. I have even considered a cron job to restart it, but that is not a smart solution.

I have tried all the tutorials, scripts and videos, with the same result. I am also still not able to access my LAN devices, but that can wait until the interface-going-down issue is resolved.

Here is my network configuration:

# /etc/config/network (first attempt): LAN bridge, VLAN-split WAN, a cjdns
# tunnel and the WireGuard server interface 'vpn_wg'.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	# Site-local IPv6 ULA prefix; 'lan' below is handed a /60 slice of it.
	option ula_prefix 'fd98:93dc:94c6::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth0.2'
	# WAN MAC override. Posted unmasked here (the repost later in the thread
	# masks it) - harmless functionally, but better kept private.
	option macaddr '98:da:c4:15:0d:d0'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN 1 = LAN ports 2-5, VLAN 2 = WAN port 1; port 0 is the CPU (tagged),
# which is what eth0.1 / eth0.2 above are.
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

# cjdns mesh tunnel: proto 'none' means netifd only tracks the device and
# does not configure addresses on it (presumably the cjdns daemon does).
config interface 'cjdns'
	option device 'tuncjdns'
	option proto 'none'

# WireGuard server. Listens on CUSTOM_PORT (placeholder; must equal the port
# the firewall opens). 10.10.10.1/24 and fd00:1::1/64 are the tunnel-side
# addresses. netifd creates this interface once and does not tear it down on
# its own, so "goes down after a few minutes" points at something else - a
# script, PBR/offloading, or simply a lost handshake while the link itself is
# still up. Compare `ip link show vpn_wg` with the LuCI status when it happens.
config interface 'vpn_wg'
	option proto 'wireguard'
	# Redacted by the poster; never paste the real private key into a forum.
	option private_key 'KEY'
	option listen_port 'CUSTOM_PORT'
	list addresses '10.10.10.1/24'
	list addresses 'fd00:1::1/64'
	# 1420 = 1500 minus WireGuard's worst-case (IPv6 + UDP + WG) overhead;
	# this is also the default.
	option mtu '1420'

# Peer: the Android phone. Cryptokey routing means only packets from/to
# 10.10.10.10 are accepted from or sent to this peer. There is no IPv6 entry
# in allowed_ips, so anything the phone sends from fd00:1::/64 is dropped
# silently even though the interface has an IPv6 address.
config wireguard_vpn_wg
	option description 'Ganchev'
	option public_key 'KEY'
	# Optional symmetric secret mixed into the handshake; must match the
	# phone's PresharedKey byte for byte or no handshake completes.
	option preshared_key 'KEY'
	list allowed_ips '10.10.10.10/32'
	# Keepalive on the server side only matters if this router is itself
	# behind NAT; the phone (behind carrier NAT) is where it is needed.
	option persistent_keepalive '25'

And this is firewall config:

# /etc/config/firewall (first attempt). Zone model: 'lan' (LAN hosts plus
# WireGuard peers, fully trusted), 'wan' (default-deny inbound, NAT out),
# 'cjdns' (IPv6 mesh, default-deny inbound).
config defaults
	# Policy for traffic not matched by any zone; the zones below override it.
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# 'vpn_wg' is a member of 'lan': a connected WireGuard peer gets exactly the
# trust of a cabled host - router services (SSH, LuCI) via input ACCEPT, every
# LAN host via forward ACCEPT, and Internet egress through lan->wan below.
# Fine for a personal road-warrior VPN; for anything less trusted give the
# tunnel its own zone and forward only what is needed. Note that from the
# firewall's point of view LAN access from the phone is already allowed, so
# the "cannot reach LAN devices" problem is more likely the phone's
# AllowedIPs / route (it needs 192.168.1.0/24) - TODO confirm against the
# client config.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'vpn_wg'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# NAT for everything routed out via wan - LAN and WireGuard clients alike.
	option masq '1'
	# Clamp TCP MSS to the path MTU so the 1420-byte tunnel path does not
	# black-hole large segments.
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

# The following rules up to Allow-ISAKMP are the stock OpenWrt defaults:
# DHCP/DHCPv6 client replies, ping, IGMP/MLD and the ICMPv6 types IPv6
# cannot work without. They are not related to the WireGuard problem.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Stock defaults as well; they only matter if an IPsec responder sits behind
# the router (and would then still need a DNAT) - inert here.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# BCP 38 anti-spoofing: private-address ingress/egress filtering on the WAN.
config include 'bcp38'
	option type 'script'
	option path '/usr/lib/bcp38/run.sh'

# UPnP/NAT-PMP: any client on the interfaces miniupnpd listens on can open
# inbound WAN port forwards by itself. That is a real widening of the attack
# surface - check /etc/config/upnpd and disable it unless something needs it.
config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'

# Policy-based routing. Keep it in mind while troubleshooting: PBR installs
# its own routing tables and rules, which can change what a WireGuard peer's
# traffic does once the tunnel is up (its policy config is not shown here).
config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

# IPv6-only zone for the cjdns mesh; nothing inbound except the ICMPv6 rule
# below. conntrack '1' forces stateful tracking for the zone.
config zone
	option name 'cjdns'
	list network 'cjdns'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option conntrack '1'
	option family 'ipv6'

config rule
	option name 'Allow-ICMPv6-cjdns'
	option src 'cjdns'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Both disabled (enabled '0'): router SSH and HTTP stay unreachable from the
# mesh. Keep it that way unless there is a concrete need.
config rule
	option enabled '0'
	option name 'Allow-SSH-cjdns'
	option src 'cjdns'
	option proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'

config rule
	option enabled '0'
	option name 'Allow-HTTP-cjdns'
	option src 'cjdns'
	option proto 'tcp'
	option dest_port '80'
	option target 'ACCEPT'

# cjdns peering port exposed to the Internet (cjdns authenticates and
# encrypts at the UDP layer itself).
config rule
	option name 'Allow-cjdns-wan'
	option src 'wan'
	option proto 'udp'
	option dest_port '40415'
	option target 'ACCEPT'

# fail2ban's dynamic ban rules, reloaded with the firewall.
config include
	option path '/etc/firewall.fail2ban'
	option enabled '1'
	option reload '1'

# Opens the WireGuard listen port. WireGuard answers nothing to packets that
# fail authentication, so the open port is not visible to scanners. If
# CUSTOM_PORT here differs from listen_port in /etc/config/network the
# handshake simply never arrives - worth double-checking after edits.
config rule
	option name 'Allow-WireGuard-VPN'
	list proto 'udp'
	option src 'wan'
	option dest_port 'CUSTOM_PORT'
	option target 'ACCEPT'

Hope that somebody can help me to resolve this issue.

Thank you!

I used this guide recently when setting up WG on my portable OpenWrt router to connect to my home server.
Worked like a charm; I skipped the kill switch though.

Are you testing from outside, e.g. with your phone on cellular?

Yes, egc, I am testing from the cellular network. It doesn't seem to matter: the interface goes down after a while even when no peer is connected. frollic, I prefer to host the server part myself; I do not need a paid service.

Are you saying that the config on your OpenWrt suddenly disappears?

Can we see the peer's config?

You really need to read what people write to you ...


Thank you, frollic! Sorry. This guide is a bit different from what I have done, so I will follow it and post the result. At the moment I have started the extroot procedure from scratch, so I will need some time to get back to the VPN step.

Reflashed on a brand new USB flash drive. Followed these instructions HERE. Successfully connected from my Android device for about 3 minutes, and after that I got this:
image
Here is my configuration:

# /etc/config/network after the reflash (pasted with editor line numbers).
# Same layout as before; the WireGuard interface is now 'wg0' on 10.0.0.0/24
# and fd00:0::/64, and the peer now has an IPv6 allowed_ips entry too.
config interface 'loopback'
 3         option device 'lo'
 4         option proto 'static'
 5         option ipaddr '127.0.0.1'
 6         option netmask '255.0.0.0'
 7
 8 config globals 'globals'
 9         option ula_prefix 'fdbb:8da7:2d9a::/48'
10
11 config device
12         option name 'br-lan'
13         option type 'bridge'
14         list ports 'eth0.1'
15
16 config interface 'lan'
17         option device 'br-lan'
18         option proto 'static'
19         option ipaddr '192.168.1.1'
20         option netmask '255.255.255.0'
21         option ip6assign '60'
22
23 config device
24         option name 'eth0.2'
25         option macaddr '****************************'
26
27 config interface 'wan'
28         option device 'eth0.2'
29         option proto 'dhcp'
30
31 config interface 'wan6'
32         option device 'eth0.2'
33         option proto 'dhcpv6'
34
35 config switch
36         option name 'switch0'
37         option reset '1'
38         option enable_vlan '1'
39
40 config switch_vlan
41         option device 'switch0'
42         option vlan '1'
43         option ports '2 3 4 5 0t'
44
45 config switch_vlan
46         option device 'switch0'
47         option vlan '2'
48         option ports '1 0t'
49
50 config interface 'cjdns'
51         option device 'tuncjdns'
52         option proto 'none'
53
# WireGuard server: listens on UDP 48917 (the firewall opens the same port).
# No 'mtu' option this time, so the 1420 default applies.
54 config interface 'wg0'
55         option proto 'wireguard'
56         option private_key '****************************'
57         option listen_port '48917'
58         list addresses '10.0.0.1/24'
59         list addresses 'fd00:0::1/64'
60
# Peer: the Android phone. Only 10.0.0.2 / fd00:0::2 are accepted from it.
61 config wireguard_wg0 'wgclient'
62         option public_key '****************************'
63         option preshared_key '****************************'
64         list allowed_ips '10.0.0.2/32'
65         list allowed_ips 'fd00:0::2/128'
66         option description 'Ganchev'
# 'private_key' is not a peer option (the server only needs the peer's
# public key above), so netifd most likely just ignores this line - but it
# means the phone's private key is now stored on the router: if the router
# is ever compromised, the phone's WireGuard identity is too. Delete it here
# and keep the client key on the client only. Also note: unlike the first
# attempt, no persistent_keepalive is set on this peer.
67         option private_key '****************************'

And Firewall:

# /etc/config/firewall after the reflash (pasted with editor line numbers).
# Same zone model as the first attempt: 'lan' (LAN + WireGuard peers),
# 'wan' (default-deny inbound, NAT), 'cjdns' (IPv6 mesh, default-deny).
config defaults
# 'syn_flood' is the older spelling of 'synflood_protect'; as far as I know
# fw3/fw4 still honour it as an alias - verify with `fw4 print` if in doubt.
  3         option syn_flood '1'
  4         option input 'ACCEPT'
  5         option output 'ACCEPT'
  6         option forward 'REJECT'
  7
# 'wg0' in the 'lan' zone: a connected peer is trusted like a cabled host -
# router services via input ACCEPT, all LAN hosts via forward ACCEPT, and the
# Internet through lan->wan. Acceptable for a personal VPN; otherwise give
# the tunnel its own zone and forward only what it needs.
  8 config zone 'lan'
  9         option name 'lan'
 10         list network 'lan'
 11         list network 'wg0'
 12         option input 'ACCEPT'
 13         option output 'ACCEPT'
 14         option forward 'ACCEPT'
 15
 16 config zone 'wan'
 17         option name 'wan'
 18         list network 'wan'
 19         list network 'wan6'
 20         option input 'REJECT'
 21         option output 'ACCEPT'
 22         option forward 'REJECT'
 23         option masq '1'
 24         option mtu_fix '1'
 25
 26 config forwarding
 27         option src 'lan'
 28         option dest 'wan'
 29
# Lines 30-121 are the stock OpenWrt default rules (DHCP/DHCPv6 replies, ping,
# IGMP/MLD, essential ICMPv6, IPsec pass-through); unrelated to WireGuard.
 30 config rule
 31         option name 'Allow-DHCP-Renew'
 32         option src 'wan'
 33         option proto 'udp'
 34         option dest_port '68'
 35         option target 'ACCEPT'
 36         option family 'ipv4'
 37
 38 config rule
 39         option name 'Allow-Ping'
 40         option src 'wan'
 41         option proto 'icmp'
 42         option icmp_type 'echo-request'
 43         option family 'ipv4'
 44         option target 'ACCEPT'
 45
 46 config rule
 47         option name 'Allow-IGMP'
 48         option src 'wan'
 49         option proto 'igmp'
 50         option family 'ipv4'
 51         option target 'ACCEPT'
 52
 53 config rule
 54         option name 'Allow-DHCPv6'
 55         option src 'wan'
 56         option proto 'udp'
 57         option dest_port '546'
 58         option family 'ipv6'
 59         option target 'ACCEPT'
 60
 61 config rule
 62         option name 'Allow-MLD'
 63         option src 'wan'
 64         option proto 'icmp'
 65         option src_ip 'fe80::/10'
 66         list icmp_type '130/0'
 67         list icmp_type '131/0'
 68         list icmp_type '132/0'
 69         list icmp_type '143/0'
 70         option family 'ipv6'
 71         option target 'ACCEPT'
 72
 73 config rule
 74         option name 'Allow-ICMPv6-Input'
 75         option src 'wan'
 76         option proto 'icmp'
 77         list icmp_type 'echo-request'
 78         list icmp_type 'echo-reply'
 79         list icmp_type 'destination-unreachable'
 80         list icmp_type 'packet-too-big'
 81         list icmp_type 'time-exceeded'
 82         list icmp_type 'bad-header'
 83         list icmp_type 'unknown-header-type'
 84         list icmp_type 'router-solicitation'
 85         list icmp_type 'neighbour-solicitation'
 86         list icmp_type 'router-advertisement'
 87         list icmp_type 'neighbour-advertisement'
 88         option limit '1000/sec'
 89         option family 'ipv6'
 90         option target 'ACCEPT'
 91
 92 config rule
 93         option name 'Allow-ICMPv6-Forward'
 94         option src 'wan'
 95         option dest '*'
 96         option proto 'icmp'
 97         list icmp_type 'echo-request'
 98         list icmp_type 'echo-reply'
 99         list icmp_type 'destination-unreachable'
100         list icmp_type 'packet-too-big'
101         list icmp_type 'time-exceeded'
102         list icmp_type 'bad-header'
103         list icmp_type 'unknown-header-type'
104         option limit '1000/sec'
105         option family 'ipv6'
106         option target 'ACCEPT'
107
108 config rule
109         option name 'Allow-IPSec-ESP'
110         option src 'wan'
111         option dest 'lan'
112         option proto 'esp'
113         option target 'ACCEPT'
114
115 config rule
116         option name 'Allow-ISAKMP'
117         option src 'wan'
118         option dest 'lan'
119         option dest_port '500'
120         option proto 'udp'
121         option target 'ACCEPT'
122
# BCP 38 anti-spoofing on the WAN.
123 config include 'bcp38'
124         option type 'script'
125         option path '/usr/lib/bcp38/run.sh'
126
# Policy-based routing: installs its own routing tables/rules, so it is a
# candidate when a tunnel "works for a few minutes and then stops" (its
# policy config is not shown here).
127 config include 'pbr'
128         option fw4_compatible '1'
129         option type 'script'
130         option path '/usr/share/pbr/pbr.firewall.include'
131
# UPnP/NAT-PMP: lets clients open inbound WAN port forwards on their own.
# Disable unless something on the LAN genuinely needs it.
132 config include 'miniupnpd'
133         option type 'script'
134         option path '/usr/share/miniupnpd/firewall.include'
135
136 config include
137         option path '/etc/firewall.fail2ban'
138         option enabled '1'
139         option reload '1'
140
141 config zone
142         option name 'cjdns'
143         list network 'cjdns'
144         option input 'REJECT'
145         option output 'ACCEPT'
146         option forward 'REJECT'
147         option conntrack '1'
148         option family 'ipv6'
149
150 config rule
151         option name 'Allow-ICMPv6-cjdns'
152         option src 'cjdns'
153         option proto 'icmp'
154         list icmp_type 'echo-request'
155         list icmp_type 'echo-reply'
156         list icmp_type 'destination-unreachable'
157         list icmp_type 'packet-too-big'
158         list icmp_type 'time-exceeded'
159         list icmp_type 'bad-header'
160         list icmp_type 'unknown-header-type'
161         option limit '1000/sec'
162         option family 'ipv6'
163         option target 'ACCEPT'
164
# SSH and HTTP from the mesh stay disabled (enabled '0') - good.
165 config rule
166         option enabled '0'
167         option name 'Allow-SSH-cjdns'
168         option src 'cjdns'
169         option proto 'tcp'
170         option dest_port '22'
171         option target 'ACCEPT'
172
173 config rule
174         option enabled '0'
175         option name 'Allow-HTTP-cjdns'
176         option src 'cjdns'
177         option proto 'tcp'
178         option dest_port '80'
179         option target 'ACCEPT'
180
# cjdns peering port (changed from 40415 in the first attempt to 11780).
181 config rule
182         option name 'Allow-cjdns-wan'
183         option src 'wan'
184         option proto 'udp'
185         option dest_port '11780'
186         option target 'ACCEPT'
187
# Opens the WireGuard listen port; matches listen_port 48917 in
# /etc/config/network. WireGuard stays silent to unauthenticated packets, so
# this does not make the router discoverable by port scans.
188 config rule 'wg'
189         option name 'Allow-WireGuard'
190         option src 'wan'
191         option dest_port '48917'
192         option proto 'udp'
193         option target 'ACCEPT'

I still have no idea why the WireGuard interface goes down after 3 minutes of operation.

Did you set PersistentKeepalive = 25 on the client (phone) side?

No change, with or without it.

https://openwrt.org/docs/guide-user/services/vpn/wireguard/extras#web_interface

Web interface - I have it already
Dynamic connection - Done
Dynamic address - Done

No change so far.
I am tired of WG. Going back to OpenVPN.


What does the log (`logread`) show when WireGuard stops? Are you running any scripts that could create and destroy interfaces? In a default OpenWrt, a WireGuard interface will not be destroyed after it has started. Connectivity might be lost, but the wg0 interface will still exist. Do `ip link show` and `ip addr show` confirm that the wg0 interface continues to exist?


Are you testing from outside e.g. with your phone on cellular?

Do you have flow offloading enabled on the router? I have seen sporadic reports of disconnections with flow offloading and PBR (although how that would cause it eludes me).


It is a brand new OpenWRT installation. WG is the first configuration I do on it.
Where can I find the corresponding log?
How do I check whether flow offloading is enabled? If it is in the Firewall settings, "Software flow offloading" is not checked.

It is under Firewall > General Settings. I do not see it enabled in your config, so you probably do not have it enabled.