Wireguard connection drops after a few minutes

Hi - I'm super noob, running into issues with wireguard. Connection seems to die after about 2 minutes, very similar problem to here but I didn't really understand the solution (Wireguard peer becomes unreachable after a few minutes)

My setup is simple, I followed these steps: https://birkhoff.me/articles/setting-up-a-wireguard-server-on-openwrt

  • openwrt router O, wireguard IP 10.200.200.1/24, DDNS
  • peer P, wireguard ip 10.200.200.2/32

On the client I never get beyond a few KiB of transfer, similar to the other thread:

peer: SOME_PUBLIC_KEY
  endpoint: IP_FROM_S:PORT_S
  allowed ips: 0.0.0.0/0, ::/0
  persistent keepalive: every 25 seconds
  latest handshake: 40 seconds ago
  transfer: 180 KiB received, 150 KiB sent

here are my configs - any help would be appreciated!

client
# Client-side WireGuard config as pasted (wg-quick / app style); keys redacted as X.
[Interface]
PrivateKey = X
Address = 10.200.200.2/32
# Resolver used while the tunnel is up: this is the router's br-lan address,
# so name resolution on the client depends on the tunnel carrying traffic.
DNS = 192.168.1.1

[Peer]
PublicKey = X
# Full tunnel: every client packet, IPv4 and IPv6, is handed to the router.
# NOTE(review): the client has no IPv6 Address and the router's peer entry
# only lists 10.200.200.2 as allowed_ips, so IPv6 packets entering the tunnel
# are presumably discarded by the router rather than forwarded — confirm;
# if so, dual-stack sites may appear to hang on the client.
AllowedIPs = 0.0.0.0/0, ::/0
# DDNS name of the router's WAN address; the port must match listen_port 51820.
Endpoint = x.com:51820
# Client-side keepalive, intended to keep a NAT/CGNAT mapping open toward the router.
PersistentKeepalive = 25
**cat /etc/config/network**

# /etc/config/network as pasted (keys and MAC addresses redacted as x).
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdc0:646a:f5da::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config device
	option name 'lan1'
	option macaddr 'x'

config device
	option name 'lan2'
	option macaddr 'x'

config device
	option name 'lan3'
	# NOTE(review): the closing quote is missing on the next line in the paste.
	# UCI would probably reject the file as written, so this is most likely a
	# redaction slip rather than what is on the router — confirm.
	option macaddr 'x

config device
	option name 'lan4'
	option macaddr 'x'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	# Same address the client uses as its DNS server through the tunnel.
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'wan'
	option macaddr 'x'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

# WireGuard server interface; the only IPv4 address is the /24 the peer also sits in.
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'x'
	list addresses '10.200.200.1/24'
	# Must match the client's Endpoint port and the firewall's Allow-Wireguard-Inbound rule.
	option listen_port '51820'

# Peer entry for the client. No endpoint_host is set, so the router only learns
# the peer's address from an incoming handshake; until then persistent_keepalive
# on this side has nowhere to send.
config wireguard_wg0
	option description 'x'
	option public_key 'x'
	# Bare address, i.e. a /32; IPv6 is not allowed for this peer, see the client's ::/0.
	list allowed_ips '10.200.200.2'
	# Installs the 10.200.200.2 host route that shows up in the routing table.
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	# NOTE(review): private_key is an interface option, not a peer option; as far
	# as I know netifd ignores it here. If this is the client's private key, it
	# should not be stored on the router at all — treat that key as exposed and
	# generate a new client keypair.
	option private_key 'x'
**cat /etc/config/firewall**
# /etc/config/firewall as pasted. Apart from the last rule this is the stock
# OpenWrt 23.05 default set.
config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# wg0 is placed in the lan zone: tunnel peers get the same access as wired LAN
# hosts (router services, 192.168.1.0/24, and lan -> wan forwarding below).
# That is what makes the client's 0.0.0.0/0 full tunnel work, but it is also a
# deliberate trust decision — a separate zone would allow narrower rules.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg0'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# masq covers tunnel traffic too, since wg0 is in the lan zone.
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# The two IPSec rules are stock defaults and unrelated to WireGuard.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Opens the WireGuard listen port to the router itself. src '*' accepts from
# every zone; only 'wan' is actually needed here, since lan input is already
# ACCEPT. WireGuard authenticates handshakes cryptographically, so the wider
# match is not dangerous in itself, but 'wan' is the conventional, tighter choice.
config rule
	option src '*'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '51820'
	option name 'Allow-Wireguard-Inbound'
**cat /etc/config/dhcp**
# /etc/config/dhcp as pasted; stock OpenWrt defaults plus one rebind exception.
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	# Rebind protection stays on; only the plex.direct exception below is exempt.
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	# Answers only queries from subnets of the router's own interfaces. The
	# tunnel client queries 192.168.1.1 from 10.200.200.2, and 10.200.200.0/24
	# is a directly attached subnet (wg0), so this should be accepted —
	# worth confirming first if DNS through the tunnel ever fails.
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'
	option confdir '/tmp/dnsmasq.d'
	list rebind_domain 'plex.direct'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; ip route get 10.200.200.1

Thanks. Redacted my ip.

{
	"kernel": "5.15.137",
	"hostname": "xnet",
	"system": "ARMv7 Processor rev 2 (v7l)",
	"model": "Linksys WRT1900AC v1",
	"board_name": "linksys,wrt1900ac-v1",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.2",
		"revision": "r23630-842932a63d",
		"target": "mvebu/cortexa9",
		"description": "OpenWrt 23.05.2 r23630-842932a63d"
	}
}
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
8: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet X.50/20 brd x.255 scope global wan
       valid_lft forever preferred_lft forever
14: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
23: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
    inet 10.200.200.1/24 brd 10.200.200.255 scope global wg0
       valid_lft forever preferred_lft forever
default via 107.184.96.1 dev wan  src x.50
10.200.200.0/24 dev wg0 scope link  src 10.200.200.1
10.200.200.2 dev wg0 scope link
107.184.96.0/20 dev wan scope link  src x.50
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1
local 10.200.200.1 dev wg0 table local scope host  src 10.200.200.1
broadcast 10.200.200.255 dev wg0 table local scope link  src 10.200.200.1
local x.50 dev wan table local scope host  src x.50
broadcast 107.184.111.255 dev wan table local scope link  src x.50
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
local 192.168.1.1 dev br-lan table local scope host  src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local scope link  src 192.168.1.1
0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default
local 10.200.200.1 dev lo  src 10.200.200.1

Any ideas here?

Your issue doesn't seem connected to the other one.
Do you still see packets on the router when the issue occurs?
opkg update; opkg install tcpdump; tcpdump -i wan -n udp port 51820

I have seen something like that when the ISP blocks WG; it takes some time before it is detected.

I have seen strange behaviour when the MTU is too high but actually not this.

tcpdump is the way to go indeed

Yeah, I see packets. Initiated a connection from my phone to the server. My phone is also not loading any websites even on immediate connection now...

Interestingly, the IPs behind phoneisp.31567 and phoneisp2.41961 below are not the same as the IP of my actual phone (but they are owned by the same ISP)... is the traffic potentially not getting to my phone? Is there a definitive way to find out if my phone's ISP (T-Mobile) is to blame here? I won't have access to another internet connection for a day or so to check.

tcpdump -i wan -n udp port 51820
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wan, link-type EN10MB (Ethernet), snapshot length 262144 bytes
14:23:33.261359 IP homeserver.51820 > phoneisp2.41961: UDP, length 148
14:23:34.241316 IP phoneisp.31567 > homeserver.51820: UDP, length 148
14:23:39.021352 IP homeserver.51820 > phoneisp2.41961: UDP, length 148
14:23:39.473537 IP phoneisp.31567 > homeserver.51820: UDP, length 148
14:23:44.714619 IP phoneisp.31567 > homeserver.51820: UDP, length 148
14:23:44.781344 IP homeserver.51820 > phoneisp2.41961: UDP, length 148
14:23:50.091497 IP phoneisp.31567 > homeserver.51820: UDP, length 148
14:23:50.534461 IP homeserver.51820 > phoneisp2.41961: UDP, length 148
14:23:55.222927 IP phoneisp.31567 > homeserver.51820: UDP, length 148

Even after I killed the connection from my phone, there's still an active connection that I can see pings from, and it's the same IP as **phoneisp2.41961**.
Edit -> solved the above on my mobile by checking the keypair and fixing that. Right now I'm not experiencing any timeouts.... will update if this issue comes back.

You are most probably behind CGNAT (the router's replies go to a different address and port than the ones your packets arrive from), which is not causing the problem you experienced. The capture shows only 148-byte datagrams in both directions, i.e. handshake initiations with no 92-byte responses, which fits the key mismatch you found.
