Wireguard does not work after sysupgrade

Hello there,
I am using an APU3C4 x86 board as my main router.

The last version I ran on it, before sysupgrading was the following:

Linux version 4.14.105 (mint@mint-virtual-machine) (gcc version 7.4.0 (OpenWrt GCC 7.4.0 r9614-b61495409b)) #0 SMP Thu Mar 14 21:55:06 2019

Yesterday I built a new image and now the following version runs on the APU:

Linux version 4.19.57 (manjaro@manjaro-pc) (gcc version 7.4.0 (OpenWrt GCC 7.4.0 r10551-d616b2c906)) #0 SMP Wed Jul 17 22:06:55 2019

Since upgrading, I cannot get WireGuard connections from any peer to the APU.

Before doing the sysupgrade everything was working quite well. But now I don't get any connection, no matter which peer tries to connect. It seems that the handshake couldn't get initiated (see logs below).
The firewall rules and all other configs didn't change, and I can also ping the server from www.
I also tried to build and use a new keypair for the server, but that didn't help.

Does anybody have an idea how I can fix this issue?

The packages are installed:

root@APU-3B4-OpenWrt ~ # opkg list-installed | grep wireguard
kmod-wireguard - 4.19.57+0.0.20190702-1
luci-app-wireguard - git-19.199.37722-776e6d5-1
luci-proto-wireguard - git-19.199.37722-776e6d5-1
wireguard - 0.0.20190702-1
wireguard-tools - 0.0.20190702-1

And wg is also running, but no handshakes are shown:

root@APU-3B4-OpenWrt ~ # wg
interface: wg0
  public key: ****************************************
  private key: (hidden)
  listening port: 51820

peer: *****************************************
  allowed ips: 10.10.200.2/32
  persistent keepalive: every 25 seconds

peer:******************************************
  allowed ips: 10.10.200.3/32
  persistent keepalive: every 25 seconds

peer: ******************************************
  allowed ips: 10.10.200.4/32
  persistent keepalive: every 25 seconds

Here is the wireguard part of my etc/config/network:


config interface 'wg0'
        option proto 'wireguard'
        option delegate '0'
        option private_key '********************'
#       option private_key '********************'
        option listen_port '51820'
        list addresses '10.10.200.1/24'


# openSuse Laptop
config wireguard_wg0
        option public_key '********************'
        list allowed_ips '10.10.200.2'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

# Android
config wireguard_wg0
        option public_key '********************'
        list allowed_ips '10.10.200.3'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

# Macbook Anne
config wireguard_wg0
        option public_key '********************'
        list allowed_ips '10.10.200.4'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

Android App log:

07-19 10:00:58.779 22305 22305 I am_on_restart_called: [0,com.wireguard.android.activity.MainActivity,performRestartActivity]
07-19 10:00:58.781 22305 22305 I am_on_start_called: [0,com.wireguard.android.activity.MainActivity,handleStartActivity]
07-19 10:00:58.784 22305 22305 I am_on_resume_called: [0,com.wireguard.android.activity.MainActivity,RESUME_ACTIVITY]
07-19 10:00:58.805 22305 22338 W Adreno-EGL: <qeglDrvAPI_eglGetConfigAttrib:607>: EGL_BAD_ATTRIBUTE
07-19 10:00:58.808 22305 22338 D vndksupport: Loading /vendor/lib/hw/gralloc.msm8974.so from current namespace instead of sphal namespace.
07-19 10:01:01.670 22305 22305 I am_on_paused_called: [0,com.wireguard.android.activity.MainActivity,performPause]
07-19 10:01:02.221 22305 22305 I am_on_stop_called: [0,com.wireguard.android.activity.MainActivity,STOP_ACTIVITY_ITEM]
07-19 10:01:05.035 22305 22305 I am_on_restart_called: [0,com.wireguard.android.activity.MainActivity,performRestartActivity]
07-19 10:01:05.038 22305 22305 I am_on_start_called: [0,com.wireguard.android.activity.MainActivity,handleStartActivity]
07-19 10:01:05.039 22305 22305 I am_on_resume_called: [0,com.wireguard.android.activity.MainActivity,RESUME_ACTIVITY]
07-19 10:01:05.053 22305 22338 W Adreno-EGL: <qeglDrvAPI_eglGetConfigAttrib:607>: EGL_BAD_ATTRIBUTE
07-19 10:01:05.054 22305 22338 D vndksupport: Loading /vendor/lib/hw/gralloc.msm8974.so from current namespace instead of sphal namespace.
07-19 10:01:08.304 22305   629 D WireGuard/GoBackend: Changing tunnel wg_server to state UP
07-19 10:01:08.305 22305   629 I WireGuard/GoBackend: Bringing tunnel up
07-19 10:01:08.305 22305   629 D WireGuard/GoBackend: Requesting to start VpnService
07-19 10:01:08.686 22305   629 D WireGuard/GoBackend: Go backend v0.0.20190517
07-19 10:01:08.686 22305   629 D WireGuard/GoBackend/wg_server: Debug log enabled
07-19 10:01:08.687 22305   629 I WireGuard/GoBackend/wg_server: Attaching to interface tun0
07-19 10:01:08.804 22305 22867 D WireGuard/GoBackend/wg_server: Routine: event worker - started
07-19 10:01:08.804 22305 22867 D WireGuard/GoBackend/wg_server: Routine: encryption worker - started
07-19 10:01:08.804 22305 22867 D WireGuard/GoBackend/wg_server: Routine: decryption worker - started
07-19 10:01:08.804 22305 22867 D WireGuard/GoBackend/wg_server: Routine: handshake worker - started
07-19 10:01:08.804 22305 22867 D WireGuard/GoBackend/wg_server: Routine: encryption worker - started
07-19 10:01:08.804 22305 22867 D WireGuard/GoBackend/wg_server: Routine: decryption worker - started
07-19 10:01:08.804 22305 22867 D WireGuard/GoBackend/wg_server: Routine: handshake worker - started
07-19 10:01:08.804 22305 22867 D WireGuard/GoBackend/wg_server: Routine: encryption worker - started
07-19 10:01:08.804 22305 22867 D WireGuard/GoBackend/wg_server: Routine: decryption worker - started
07-19 10:01:08.804 22305 22867 D WireGuard/GoBackend/wg_server: Routine: handshake worker - started
07-19 10:01:08.804 22305 22867 D WireGuard/GoBackend/wg_server: Routine: encryption worker - started
07-19 10:01:08.805 22305 22867 D WireGuard/GoBackend/wg_server: Routine: decryption worker - started
07-19 10:01:08.805 22305 22867 D WireGuard/GoBackend/wg_server: Routine: handshake worker - started
07-19 10:01:08.805 22305 22867 D WireGuard/GoBackend/wg_server: Routine: TUN reader - started
07-19 10:01:08.805 22305   629 D WireGuard/GoBackend/wg_server: UAPI: Updating private key
07-19 10:01:08.806 22305   629 D WireGuard/GoBackend/wg_server: UAPI: Removing all peers
07-19 10:01:08.806 22305   629 D WireGuard/GoBackend/wg_server: UAPI: Transition to peer configuration
07-19 10:01:08.809 22305   629 D WireGuard/GoBackend/wg_server: peer(9Qcz…fCmw) - UAPI: Created
07-19 10:01:08.809 22305   629 D WireGuard/GoBackend/wg_server: peer(9Qcz…fCmw) - UAPI: Adding allowedip
07-19 10:01:08.809 22305   629 D WireGuard/GoBackend/wg_server: peer(9Qcz…fCmw) - UAPI: Adding allowedip
07-19 10:01:08.809 22305   629 D WireGuard/GoBackend/wg_server: peer(9Qcz…fCmw) - UAPI: Updating endpoint
07-19 10:01:08.809 22305   629 D WireGuard/GoBackend/wg_server: peer(9Qcz…fCmw) - UAPI: Updating persistent keepalive interval
07-19 10:01:08.809 22305   629 E WireGuard/GoBackend/wg_server: mkdir /var: read-only file system
07-19 10:01:08.810 22305 22867 D WireGuard/GoBackend/wg_server: Routine: receive incoming IPv6 - started
07-19 10:01:08.810 22305 22867 D WireGuard/GoBackend/wg_server: Routine: receive incoming IPv4 - started
07-19 10:01:08.810 22305   629 D WireGuard/GoBackend/wg_server: UDP bind has been updated
07-19 10:01:08.810 22305   629 D WireGuard/GoBackend/wg_server: peer(9Qcz…fCmw) - Starting...
07-19 10:01:08.810 22305 22336 D WireGuard/GoBackend/wg_server: peer(9Qcz…fCmw) - Routine: sequential receiver - started
07-19 10:01:08.810 22305 22336 D WireGuard/GoBackend/wg_server: peer(9Qcz…fCmw) - Routine: nonce worker - started
07-19 10:01:08.810 22305 22336 D WireGuard/GoBackend/wg_server: peer(9Qcz…fCmw) - Routine: sequential sender - started
07-19 10:01:08.810 22305   629 D WireGuard/GoBackend/wg_server: peer(9Qcz…fCmw) - Sending keepalive packet
07-19 10:01:08.810 22305   629 I WireGuard/GoBackend/wg_server: Device started
07-19 10:01:08.811 22305 22337 D WireGuard/GoBackend/wg_server: peer(9Qcz…fCmw) - Sending handshake initiation
07-19 10:01:08.814 22305 22337 D WireGuard/GoBackend/wg_server: peer(9Qcz…fCmw) - Awaiting keypair
07-19 10:01:13.904 22305 22336 D WireGuard/GoBackend/wg_server: peer(9Qcz…fCmw) - Handshake did not complete after 5 seconds, retrying (try 2)
07-19 10:01:13.905 22305 22336 D WireGuard/GoBackend/wg_server: peer(9Qcz…fCmw) - Sending handshake initiation
07-19 10:01:18.942 22305 22825 D WireGuard/GoBackend/wg_server: peer(9Qcz…fCmw) - Sending handshake initiation
07-19 10:01:18.955 22305 22867 D WireGuard/GoBackend/wg_server: peer(9Qcz…fCmw) - Handshake did not complete after 5 seconds, retrying (try 2)
07-19 10:01:23.948 22305 22336 D WireGuard/GoBackend/wg_server: peer(9Qcz…fCmw) - Sending handshake initiation
07-19 10:01:28.974 22305 22336 D WireGuard/GoBackend/wg_server: peer(9Qcz…fCmw) - Sending handshake initiation
07-19 10:01:31.550 22305 22305 I menu_item_selected: [0,Settings]
07-19 10:01:31.560 22305 22305 I am_on_paused_called: [0,com.wireguard.android.activity.MainActivity,performPause]
07-19 10:01:31.572 22305 22305 W ActivityThread: handleWindowVisibility: no activity for token android.os.BinderProxy@c5815ae
07-19 10:01:31.580 22305 22305 I am_on_create_called: [0,com.wireguard.android.activity.SettingsActivity,performCreate]
07-19 10:01:31.614 22305 22305 I am_on_start_called: [0,com.wireguard.android.activity.SettingsActivity,handleStartActivity]
07-19 10:01:31.615 22305 22305 I am_on_resume_called: [0,com.wireguard.android.activity.SettingsActivity,RESUME_ACTIVITY]
07-19 10:01:31.631 22305 22338 W Adreno-EGL: <qeglDrvAPI_eglGetConfigAttrib:607>: EGL_BAD_ATTRIBUTE
07-19 10:01:31.631 22305 22338 D vndksupport: Loading /vendor/lib/hw/gralloc.msm8974.so from current namespace instead of sphal namespace.
07-19 10:01:32.166 22305 22305 I am_on_stop_called: [0,com.wireguard.android.activity.MainActivity,STOP_ACTIVITY_ITEM]

I had a very similar issue, albeit on the 19.07 branch. Working config, sysupgraded from 18.06 and it broke without any useful logging. Then all of a sudden it started to work again a few days ago. Might have had something to do with my Android phone being on a 201906xx WireGuard version, although upgrading to 201907xx didn't fix it (at least not until a few days later, it seems).

OK, that sounds interesting.
I am building from trunk - maybe this could be a problem (never got problems before, because of that...)?

I have only been using WireGuard for two weeks, and all my peers should have the latest version of WireGuard. Here you can see which versions I use:

OpenWrt "server":

  • kmod-wireguard - 4.19.57+0.0.20190702-1
  • wireguard - 0.0.20190702-1
  • wireguard-tools - 0.0.20190702-1

Peers:
on android:

  • app version: v0.0.20190708
  • Go userspace backend: v0.0.2019.05.17

on MacOS:

  • App version: v0.0.20190610 (13) and
  • Go backend version: 0.0.20190517

on Linux:

  • don't really know the version, but should also be up to date, because I'm on rolling release (openSUSE Tumbleweed)

Maybe I just have to wait a few days, before it starts working again... :smile:

There is no need to route the allowed IPs on the OpenWrt, since they already belong to the subnet of the wg interface.
Other than that, do you see the packets getting to the OpenWrt?
tcpdump -i any -vvn udp port 51820
Is there any log in OpenWrt?

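The router-side check suggested above can be narrowed per peer first. This is an added example, not part of the thread: it classifies the peer lines of `wg show wg0 dump`, so that peers the router has never heard from (the ones worth watching with tcpdump) stand apart from peers whose handshake is merely old. The function names, the placeholder keys, the sample values and the 180-second cut-off are assumptions made for the example.

```shell
#!/bin/sh
# Added example; classify_peers and sample_dump are hypothetical helper names.
# classify_peers reads `wg show <iface> dump` on stdin. After the first
# (interface) line, every peer line has 8 tab-separated fields:
#   public-key preshared-key endpoint allowed-ips latest-handshake rx tx keepalive
# $1 = current time in epoch seconds (defaults to `date +%s`).
classify_peers() {
    awk -F '\t' -v now="${1:-$(date +%s)}" '
        NR == 1 || NF < 8 { next }   # skip the interface line and malformed lines
        {
            hs = $5 + 0; rx = $6 + 0
            if (hs == 0 && $3 == "(none)") state = "NEVER_SEEN"    # no endpoint learned, nothing valid received
            else if (hs == 0)              state = "NO_HANDSHAKE"  # endpoint known, handshake never completed
            else if (now - hs > 180)       state = "STALE"         # assumed cut-off of 180 s
            else                           state = "OK"
            # Identify the peer by its allowed-ips so no key material is printed.
            printf "%s %s rx=%d\n", $4, state, rx
        }'
}

# Constructed sample dump: placeholder keys, documentation-range endpoints.
sample_dump() {
    printf '%s\t%s\t%s\t%s\n' PRIV_PLACEHOLDER PUB_PLACEHOLDER 51820 off
    printf '%s\t(none)\t%s\t%s\t%s\t%s\t%s\t25\n' \
        PEER_A '(none)'         10.10.200.2/32 0          0    0 \
        PEER_B 192.0.2.10:40001 10.10.200.3/32 0          148  92 \
        PEER_C 192.0.2.11:51820 10.10.200.4/32 1563530000 9000 8000
}

# On the router: wg show wg0 dump | classify_peers
sample_dump | classify_peers 1563530100
```
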

I have backported the WireGuard version from master so I'm running the same version as you:

# logread -e WireGuard
Mon Jul 15 20:39:18 2019 kern.info kernel: [   14.141803] wireguard: WireGuard 0.0.20190702 loaded. See www.wireguard.com for information.

But debugging like @trendy suggests might be the better way to try to get this working again, if it persists.


Sorry for the late response, but I had to write an exam.

It is really crazy, but it's working again, as @Borromini wrote. I didn't change anything. The only thing I did was reinstalling the Android app, which was not fixing anything at that moment.

So thanks a lot for your help! I think this thread could be closed :slight_smile:
