Wireguard configuration

Hi!

I am trying to configure a Pi-hole DNS server on GCloud and set up split tunneling on OpenWrt to forward all DNS requests to the Pi-hole.
I have followed the installation steps and configured the WireGuard client in OpenWrt correctly. This setup worked for a day. Now even the WireGuard handshake is not successful. I am not sure how to resolve this.

Things I have tried:

  1. Check the datetime on the OpenWRT router
  2. Restart the interface, router

Router: Asus RT-AC58U; OpenWrt version: 19.07.4

Kindly help me with this!

Verify from both ends of the tunnel that you can see the packets arriving.

Restart the server if possible.

Try to use the following time sync workaround:
https://openwrt.org/docs/guide-user/services/vpn/wireguard/extras#race_conditions

I've tested different methods and discovered that on some hardware a one-time sync is not reliable.
You need to put it in cron, otherwise WG hangs in a matter of minutes/hours and restarting WG and router doesn't help.
It's really weird, because it shows the correct time but still doesn't work until you set time in the future and sync it again.

I was able to access the Pi-hole dashboard. Is there any command which I can use to check this?

I have that workaround applied. I also tried restarting the WireGuard server, but to no avail.

You need to put it in cron, otherwise WG hangs in a matter of minutes/hours and restarting WG and router doesn't help.

So do I have to remove the WireGuard package and reinstall?

In OpenWrt you can use the command tcpdump -i XXX -evn udp port YYY
where XXX is the physical WAN interface, e.g. eth0.2, eth1, wwan0,
and YYY is the port WireGuard runs on.
On the server you need to access the operating system to run the same command; you cannot do it from the Pi-hole dashboard. If the server runs Windows you can use Wireshark and filter on the WireGuard port.

Hi @trendy!

Please find the following output:
Client:

root@OpenWrt:~# tcpdump -i eth1 -evn udp port 51515
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
22 packets received by filter
0 packets dropped by kernel

Server:

 sudo tcpdump -i ens4 -env udp port 51515
sudo: unable to resolve host pihole: Name or service not known
tcpdump: listening on ens4, link-type EN10MB (Ethernet), capture size 262144 bytes
12:23:11.549058 42:01:0a:8a:00:01 > 42:01:0a:8a:00:0c, ethertype IPv4 (0x0800), length 190: (tos 0x0, ttl 48, id 2062, offset 0, flags [none], proto UDP (17), length 176)
    103.216.145.93.16813 > 10.138.0.12.51515: UDP, length 148
12:23:16.836671 42:01:0a:8a:00:01 > 42:01:0a:8a:00:0c, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 47, id 63404, offset 0, flags [DF], proto UDP (17), length 60)
    103.216.145.93.16703 > 10.138.0.12.51515: UDP, length 32
12:23:17.249502 42:01:0a:8a:00:01 > 42:01:0a:8a:00:0c, ethertype IPv4 (0x0800), length 190: (tos 0x0, ttl 48, id 2261, offset 0, flags [none], proto UDP (17), length 176)
    103.216.145.93.16813 > 10.138.0.12.51515: UDP, length 148
12:23:22.346708 42:01:0a:8a:00:01 > 42:01:0a:8a:00:0c, ethertype IPv4 (0x0800), length 190: (tos 0x0, ttl 48, id 2486, offset 0, flags [none], proto UDP (17), length 176)
    103.216.145.93.16813 > 10.138.0.12.51515: UDP, length 148
12:23:28.129462 42:01:0a:8a:00:01 > 42:01:0a:8a:00:0c, ethertype IPv4 (0x0800), length 190: (tos 0x0, ttl 48, id 3049, offset 0, flags [none], proto UDP (17), length 176)
    103.216.145.93.16813 > 10.138.0.12.51515: UDP, length 148
12:23:33.895429 42:01:0a:8a:00:01 > 42:01:0a:8a:00:0c, ethertype IPv4 (0x0800), length 190: (tos 0x0, ttl 48, id 3068, offset 0, flags [none], proto UDP (17), length 176)
    103.216.145.93.16813 > 10.138.0.12.51515: UDP, length 148
12:23:38.058161 42:01:0a:8a:00:01 > 42:01:0a:8a:00:0c, ethertype IPv4 (0x0800), length 154: (tos 0x0, ttl 47, id 4320, offset 0, flags [none], proto UDP (17), length 140)
    103.216.145.93.15954 > 10.138.0.12.51515: UDP, length 112
12:23:38.058633 42:01:0a:8a:00:0c > 42:01:0a:8a:00:01, ethertype IPv4 (0x0800), length 186: (tos 0x0, ttl 64, id 62058, offset 0, flags [none], proto UDP (17), length 172)
    10.138.0.12.51515 > 103.216.145.93.15954: UDP, length 144
12:23:38.058777 42:01:0a:8a:00:0c > 42:01:0a:8a:00:01, ethertype IPv4 (0x0800), length 190: (tos 0x88, ttl 64, id 62059, offset 0, flags [none], proto UDP (17), length 176)
    10.138.0.12.51515 > 103.216.145.93.15954: UDP, length 148
12:23:38.382430 42:01:0a:8a:00:01 > 42:01:0a:8a:00:0c, ethertype IPv4 (0x0800), length 154: (tos 0x0, ttl 47, id 4360, offset 0, flags [none], proto UDP (17), length 140)
    103.216.145.93.15954 > 10.138.0.12.51515: UDP, length 112
12:23:38.382806 42:01:0a:8a:00:0c > 42:01:0a:8a:00:01, ethertype IPv4 (0x0800), length 170: (tos 0x0, ttl 64, id 62092, offset 0, flags [none], proto UDP (17), length 156)
    10.138.0.12.51515 > 103.216.145.93.15954: UDP, length 128
12:23:38.383225 42:01:0a:8a:00:01 > 42:01:0a:8a:00:0c, ethertype IPv4 (0x0800), length 134: (tos 0x0, ttl 47, id 4361, offset 0, flags [none], proto UDP (17), length 120)
    103.216.145.93.15954 > 10.138.0.12.51515: UDP, length 92
12:23:38.383376 42:01:0a:8a:00:0c > 42:01:0a:8a:00:01, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 62093, offset 0, flags [none], proto UDP (17), length 60)
    10.138.0.12.51515 > 103.216.145.93.15954: UDP, length 32
12:23:39.650934 42:01:0a:8a:00:01 > 42:01:0a:8a:00:0c, ethertype IPv4 (0x0800), length 190: (tos 0x0, ttl 48, id 3502, offset 0, flags [none], proto UDP (17), length 176)
    103.216.145.93.16813 > 10.138.0.12.51515: UDP, length 148
^C
14 packets captured
14 packets received by filter
0 packets dropped by kernel
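An added example, not from the thread: a small busybox-compatible script that classifies the packets of a capture like the one above by WireGuard message type, which the UDP payload length reveals (148 bytes is a handshake initiation, 92 a handshake response, 64 a cookie reply, 32 a keepalive, anything else transport data), and then lists the endpoints whose initiations never received a response. An initiator that gets no response retries every 5 seconds, which is the pattern visible in the server capture. The embedded sample is constructed in tcpdump -evn format (server address as in the thread, client replaced by a documentation address).

```shell
#!/bin/sh
# Added example, not from the thread: classify a "tcpdump -evn udp port <wg-port>"
# capture by WireGuard message type (UDP length 148 initiation, 92 response,
# 64 cookie reply, 32 keepalive, else transport data) and list endpoints whose
# handshake initiations were never answered. Needs only busybox awk and sort.

# Constructed sample: client port 16813 sends three initiations that go
# unanswered; the server's own initiation towards client port 15954 is answered
# (92-byte response) and followed by a 32-byte keepalive.
wg_sample_capture() {
    cat <<'EOF'
12:23:11.549058 42:01:0a:8a:00:01 > 42:01:0a:8a:00:0c, ethertype IPv4 (0x0800), length 190: (tos 0x0, ttl 48, id 2062, offset 0, flags [none], proto UDP (17), length 176)
    203.0.113.5.16813 > 10.138.0.12.51515: UDP, length 148
12:23:17.249502 42:01:0a:8a:00:01 > 42:01:0a:8a:00:0c, ethertype IPv4 (0x0800), length 190: (tos 0x0, ttl 48, id 2261, offset 0, flags [none], proto UDP (17), length 176)
    203.0.113.5.16813 > 10.138.0.12.51515: UDP, length 148
12:23:22.346708 42:01:0a:8a:00:01 > 42:01:0a:8a:00:0c, ethertype IPv4 (0x0800), length 190: (tos 0x0, ttl 48, id 2486, offset 0, flags [none], proto UDP (17), length 176)
    203.0.113.5.16813 > 10.138.0.12.51515: UDP, length 148
12:23:38.058777 42:01:0a:8a:00:0c > 42:01:0a:8a:00:01, ethertype IPv4 (0x0800), length 190: (tos 0x88, ttl 64, id 62059, offset 0, flags [none], proto UDP (17), length 176)
    10.138.0.12.51515 > 203.0.113.5.15954: UDP, length 148
12:23:38.383225 42:01:0a:8a:00:01 > 42:01:0a:8a:00:0c, ethertype IPv4 (0x0800), length 134: (tos 0x0, ttl 47, id 4361, offset 0, flags [none], proto UDP (17), length 120)
    203.0.113.5.15954 > 10.138.0.12.51515: UDP, length 92
12:23:38.383376 42:01:0a:8a:00:0c > 42:01:0a:8a:00:01, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 62093, offset 0, flags [none], proto UDP (17), length 60)
    10.138.0.12.51515 > 203.0.113.5.15954: UDP, length 32
EOF
}

# Reads a capture on stdin; prints "<src> <dst> <type> <count>" lines, sorted.
# Only the second line of each packet ("a.b.c.d.port > w.x.y.z.port: UDP, length N") matters.
wg_classify() {
    awk '/UDP, length/ {
        src = $1; dst = $3; sub(/:$/, "", dst); len = $NF + 0
        t = (len == 148) ? "initiation" : (len == 92) ? "response" : (len == 64) ? "cookie" : (len == 32) ? "keepalive" : "data"
        n[src " " dst " " t]++
    }
    END { for (k in n) print k, n[k] }' | sort
}

# Initiator/responder pairs with initiations but no response back: "<src> <dst> <count>".
wg_unanswered() {
    wg_classify | awk '
        $3 == "initiation" { init[$1 " " $2] += $4 }
        $3 == "response"   { resp[$2 " " $1] += $4 }
        END { for (k in init) if (!(k in resp)) print k, init[k] }' | sort
}

# On a saved capture: tcpdump -i <if> -evn udp port 51515 > cap.txt; wg_unanswered < cap.txt
wg_sample_capture | wg_unanswered
```

On a PPPoE WAN such as the one in this thread, capture on pppoe-wan rather than eth1: on eth1 the traffic is PPPoE-encapsulated and a plain udp port filter does not match it, which is why the client capture above shows packets received by the filter but none captured.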

It seems that the server is trying to send the WireGuard packets to a private IP, 10.138.0.12, which will be blocked, since 10.x IPs are not routed on the internet. Could you post your configuration to verify that everything is correct?

Remember to redact passwords, MAC addresses and any public IP addresses you may have.

ubus call system board; \
uci export network; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru

Here is the output:

root@OpenWrt:~# ubus call system board
{
        "kernel": "4.14.195",
        "hostname": "OpenWrt",
        "system": "ARMv7 Processor rev 5 (v7l)",
        "model": "ASUS RT-AC58U",
        "board_name": "asus,rt-ac58u",
        "release": {
                "distribution": "OpenWrt",
                "version": "19.07.4",
                "revision": "r11208-ce6496d796",
                "target": "ipq40xx/generic",
                "description": "OpenWrt 19.07.4 r11208-ce6496d796"
        }
}
root@OpenWrt:~# uci export network; uci export firewall;
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda1:800a:c6ab::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device 'lan_eth0_dev'
        option name 'eth0'
        option macaddr '88:d7'

config interface 'wan'
        option ifname 'eth1'
        option proto 'pppoe'
        option password '***'
        option ipv6 'auto'
        option username '***'

config device 'wan_eth1_dev'
        option name 'eth1'
        option macaddr '88:d7'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0'

config interface 'wg'
        option proto 'wireguard'
        option mtu '1380'
        list addresses 'fd42:42:42::2/64'
        list addresses '10.66.66.2/24'
        option private_key '***'

config wireguard_wg
        option persistent_keepalive '25'
        option endpoint_port '51515'
        option endpoint_host '***'
        option public_key '***'
        option preshared_key '***'
        list allowed_ips 'fd42:42:42::1/128'
        list allowed_ips '10.66.66.1/32'

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6 wg'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'
root@OpenWrt:~# head -n -0 /etc/firewall.user
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
root@OpenWrt:~# ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
8: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN group default qlen 3
    inet 10.13.155.130 peer 10.13.13.1/32 scope global pppoe-wan
       valid_lft forever preferred_lft forever
12: wg: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1380 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.66.66.2/24 brd 10.66.66.255 scope global wg
       valid_lft forever preferred_lft forever
default via 10.13.13.1 dev pppoe-wan proto static
10.13.13.1 dev pppoe-wan proto kernel scope link src 10.13.155.130
10.66.66.0/24 dev wg proto kernel scope link src 10.66.66.2
*** via 10.13.13.1 dev pppoe-wan proto static
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
local 10.13.155.130 dev pppoe-wan table local proto kernel scope host src 10.13.155.130
broadcast 10.66.66.0 dev wg table local proto kernel scope link src 10.66.66.2
local 10.66.66.2 dev wg table local proto kernel scope host src 10.66.66.2
broadcast 10.66.66.255 dev wg table local proto kernel scope link src 10.66.66.2
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev br-lan table local proto kernel scope link src 192.168.1.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

That's not going to solve handshake issues. Nor is it necessary if the OP is just accessing a single host at the other end of the tunnel.

Yeah. I am trying to implement a split tunnel. Only the DNS queries are to be sent through the VPN.

Post from both client and server:

wg show

I can see that your provider is assigning you a 10.x IP, which means you are behind CGNAT.

Have you configured some endpoint_host on the server? If yes, you should remove it. If there is nothing you may want to restart the wg on the server, as it seems that it is trying to send to some invalid IP.

I have not configured any specific endpoint_host on the server.
I did a quick restart of the WireGuard server, and it looks to be working as of now! I will keep a check on this for another day or two.

It's pretty strange that the other devices connected to the same internet were able to successfully connect to the tunnel. Just the router was unable to do that.

It looks like the problem was due to the time settings. The problem occurred when the internet connectivity used to go down. The cron job to set the time to the future was not helping!

Since I was using a split tunnel for just the DNS requests anyway, I just switched to using the IP addresses of the NTP servers. I am not facing any issue since then. Hope that it stays that way!

Thank you so much for the prompt help @trendy & @vgaetera!

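Combining the cron-based check suggested earlier in the thread with the NTP-by-IP fix from this last post, here is an added example of a cron-run watchdog for the router; it is not the thread's script and not the OpenWrt wiki's workaround. It assumes the interface is named wg as in the posted config, that NTP_IP is a placeholder you replace with your NTP server's address, and that busybox ntpd, date, logger and ifup are available as on stock OpenWrt.

```shell
#!/bin/sh
# Added example, not the thread's or the OpenWrt wiki's script: a cron-run watchdog
# for an OpenWrt WireGuard interface. If the last handshake is older than MAX_AGE,
# re-sync the clock against an NTP server given by IP (DNS may be routed through the
# dead tunnel, so a hostname would not resolve) and bring the interface back up.
WG_IF="${WG_IF:-wg}"             # interface name as in the posted config
NTP_IP="${NTP_IP:-192.0.2.123}"  # placeholder: replace with your NTP server's IP
MAX_AGE=180                      # seconds; a live tunnel re-handshakes about every 2 min

# handshake_age NOW LINE: LINE is one "<pubkey> <epoch>" line as printed by
# `wg show <if> latest-handshakes`; prints the age in seconds, or -1 if there
# has never been a handshake (epoch 0 or empty output).
handshake_age() {
    ts=$(printf '%s\n' "$2" | awk '{ print $2 }')
    [ -n "$ts" ] || ts=0
    if [ "$ts" -eq 0 ]; then echo -1; else echo $(( $1 - $ts )); fi
}

# needs_recovery AGE MAX: true when there was never a handshake or it is too old.
needs_recovery() {
    [ "$1" -lt 0 ] || [ "$1" -gt "$2" ]
}

# One-shot busybox ntpd against the IP, then restart the interface via netifd.
recover() {
    logger -t wg-watchdog "stale handshake on $WG_IF, syncing time via $NTP_IP and restarting"
    ntpd -q -n -p "$NTP_IP" || logger -t wg-watchdog "NTP sync against $NTP_IP failed"
    ifup "$WG_IF"
}

main() {
    # single-peer setup as in the thread, so the first line is the only peer
    line=$(wg show "$WG_IF" latest-handshakes 2>/dev/null | head -n 1)
    age=$(handshake_age "$(date +%s)" "$line")
    if needs_recovery "$age" "$MAX_AGE"; then recover; fi
}

# Assumed crontab entry: */5 * * * * /root/wg-watchdog.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```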