WireGuard does not work?

Hi,

I read on the forum this weekend that someone else had some problems with WireGuard. I use the same config as usual, and for the last 4 days WireGuard has not worked: no connection, but no error either. I tried the same wg config file in the Android app and in the desktop apps and it works there, and the provider is up and working — it fails only on OpenWrt. I also tried the master build, my own build, 23.05, etc.; the result is the same in every case.

root@OpenWrt:~# ubus call system board
{
   "kernel": "5.15.153",
   "hostname": "OpenWrt",
   "system": "ARMv7 Processor rev 0 (v7l)",
   "model": "Netgear Nighthawk X4S R7800",
   "board_name": "netgear,r7800",
   "rootfs_type": "squashfs",
   "release": {
   	"distribution": "OpenWrt",
   	"version": "23.05",
   	"revision": "r23835-9b33b74ef7",
   	"target": "ipq806x/generic",
   	"description": "OpenWrt 23.05-SNAPSHOT r23835-9b33b74ef7"
   }
}

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdbc:18a5:431c::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
	option metric '5'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 0t'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'Qxxxxxxxxxxxxxxxxxxxxxxxxxxx
	option mtu '1390'
	option metric '10'
	list addresses 'xx.x.x.x/32'

config wireguard_wg0
	option description 'proton.conf'
	option public_key 'rlVxxxxxxxxxxxxxxxxxxxxxxxx
	list allowed_ips '0.0.0.0/0'
	option endpoint_host 'xx.xx.xx.xx'
	option endpoint_port '51820'
	option route_allowed_ips '1'


root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

root@OpenWrt:~# wg show
interface: wg0
  public key: Gmxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  private key: (hidden)
  listening port: 42910

peer: pB//xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  endpoint: xxx.xx.xx.x:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 36 seconds ago
  transfer: 92 B received, 212 B sent
  persistent keepalive: every 25 seconds

root@OpenWrt:~# cat /etc/config/pbr
config pbr 'config'
	option enabled '1'
	option verbosity '2'
	option strict_enforcement '0'
	option resolver_set 'none'
	option ipv6_enabled '0'
	list ignored_interface 'vpnserver'
	list ignored_interface 'wgserver'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_reload_delay '1'
	option webui_show_ignore_target '0'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'

config policy
	option name 'pc_jim'
	option src_addr 'xx:xx:xx:xx'
	option interface 'wg0'

config policy
	option name 'formuler'
	option src_addr 'xx:xx:xx:xx'
	option interface 'wan'


Mon Apr 22 06:48:35 2024 daemon.notice netifd: Network device 'wg0' link is down
Mon Apr 22 06:48:35 2024 daemon.notice netifd: Interface 'wg0' is now down
Mon Apr 22 06:48:35 2024 daemon.notice netifd: Interface 'wg0' is setting up now
Mon Apr 22 06:48:36 2024 daemon.info dnsmasq[1]: read /etc/hosts - 12 names
Mon Apr 22 06:48:36 2024 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 4 names
Mon Apr 22 06:48:36 2024 daemon.notice netifd: Interface 'wg0' is now up
Mon Apr 22 06:48:36 2024 daemon.notice netifd: Network device 'wg0' link is up
Mon Apr 22 06:48:36 2024 user.notice firewall: Reloading firewall due to ifup of wg0 (wg0)
Mon Apr 22 06:49:31 2024 daemon.notice netifd: Network device 'wg0' link is down

I can't see a wg0 interface in your /etc/config/network.


Sorry, it was there, but I had deleted the interface for a few minutes and forgot to add it back before posting.
You can see it in the wg show output, though.

That doesn't say anything about your network configuration, though.

There's also no rule for port 51820 in the firewall. Are you testing it locally?
