Wireguard Guide doesn't complete handshake

Hi all, I followed the OpenWrt-provided tutorial for setting up multiple peers, but I haven't been able to complete the handshake between WireGuard on my Android phone and my OpenWrt router.

Tutorial link

I am using PPPoE and a VLAN to connect to my ISP; hopefully that doesn't complicate things.

I found a similar situation in the forums here, but I followed their solution and couldn't fix the handshake issue.

Forum post

See below for the information; if there's anything else you need, let me know.

# Standard OpenWrt forum diagnostic bundle: board/firmware info, then the
# network, dhcp and firewall UCI exports and the custom firewall script
# (head -n -0 prints the whole file).
# NOTE(review): `uci export network` prints the PPPoE password, WireGuard
# private keys and preshared keys in cleartext — redact them before posting,
# as was done here ('password', 'PRIVATE', 'PSK').
ubus call system board;
uci export network;
uci export dhcp; uci export firewall;
head -n -0 /etc/firewall.user;
ubus call system board;
{
        "kernel": "5.10.161",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "FriendlyElec NanoPi R4S",
        "board_name": "friendlyarm,nanopi-r4s",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.3",
                "revision": "r20028-43d71ad93e",
                "target": "rockchip/armv8",
                "description": "OpenWrt 22.03.3 r20028-43d71ad93e"
        }
uci export network;
package network

# Exported with secrets redacted ('PRIVATE', 'PUB', 'PSK', 'password').

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd9f:5f21:8150::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        option igmp_snooping '1'

config device
        option name 'eth1'
        option macaddr '82:34:28:38:d4:96'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        list dns '192.168.1.1'

config device
        option name 'eth0'
        option macaddr '80:34:28:38:d4:96'

# WAN: PPPoE session on VLAN 10 of eth0 (eth0.10).
config interface 'wan'
        option proto 'pppoe'
        option username 'user'
        option password 'password'
        option ipv6 'auto'
        option device 'eth0.10'

# NOTE(review): wan6 is bound to untagged eth0 while the PPPoE session runs on
# eth0.10; if the ISP only talks on the tagged VLAN, this DHCPv6 client never
# sees it. For PPPoE links wan6 is normally aliased to the PPPoE interface
# (option device '@wan') — confirm against the ISP's setup.
config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'

config interface 'docker'
        option device 'docker0'
        option proto 'none'
        option auto '0'

config device
        option type 'bridge'
        option name 'docker0'

# 'WG': an outbound client tunnel (no listen_port, own DNS 10.2.0.1, peerdns
# off). NOTE(review): this interface is not a member of any zone in the
# firewall export below (the lan zone holds 'lan wg_lan'), route_allowed_ips
# is not set on its peer, and the wg show output below lists no endpoint for
# that peer — so presumably nothing is routed through it at the moment.
config interface 'WG'
        option proto 'wireguard'
        option private_key 'PRIVATE'
        list addresses '10.2.0.2/32'
        option peerdns '0'
        list dns '10.2.0.1'

config wireguard_WG
        option description 'Peer'
        option public_key 'PUB'
        list allowed_ips '0.0.0.0/0'

# 'wg_lan': the server-side tunnel the Android phone connects to.
# listen_port 51820 matches the 'Allow-WireGuard-lan' firewall rule; mtu 1420
# presumably leaves headroom for the PPPoE overhead — confirm.
# The private key is redacted with the same placeholder as 'WG' above; each
# interface needs its own key pair.
config interface 'wg_lan'
        option proto 'wireguard'
        option private_key 'PRIVATE'
        option listen_port '51820'
        list addresses '10.0.5.1/24'
        option mtu '1420'

# One peer section per client: a /32 inside 10.0.5.0/24, routed
# (route_allowed_ips), with a per-peer preshared key.
# NOTE(review): as far as I know a PSK that differs between the two ends gives
# exactly this symptom — no error, the handshake just never completes — so
# verify each phone profile carries the same PSK as its section here.
config wireguard_wg_lan
        option public_key 'PUB'
        option preshared_key 'PSK'
        option description '1_lan_Alpha'
        list allowed_ips '10.0.5.2/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

config wireguard_wg_lan
        option public_key 'PUB'
        option preshared_key 'PSK'
        option description '2_lan_Bravo'
        list allowed_ips '10.0.5.3/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

# NOTE(review): 'PSK=' differs from the other placeholders — it looks like a
# copy/redaction artifact, but a stray character left in the real key would
# break this peer's handshake; check the actual value.
config wireguard_wg_lan
        option public_key 'PUB'
        option preshared_key 'PSK='
        option description '3_lan_Charlie'
        list allowed_ips '10.0.5.4/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

config wireguard_wg_lan
        option public_key 'PUB'
        option preshared_key 'PSK'
        option description '4_lan_Delta'
        list allowed_ips '10.0.5.5/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
uci export dhcp;
package dhcp

# dnsmasq (DNS + DHCPv4) and odhcpd (DHCPv6/RA) settings.
# There is no dhcp section for wg_lan; WireGuard peers get their addresses
# from their peer sections, so none is expected.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        # NOTE(review): localservice presumably limits answers to directly
        # attached subnets; 10.0.5.0/24 is attached via wg_lan (10.0.5.1/24),
        # so peers using the router for DNS should still be served — confirm
        # if DNS over the tunnel fails.
        option localservice '1'
        option ednspacket_max '1232'
        option confdir '/tmp/dnsmasq.d'
        # plex.direct is exempted from rebind protection, presumably because
        # its records resolve to private addresses.
        list rebind_domain 'plex.direct'

# LAN pool 192.168.1.100-249, 12h leases; IPv6 via RA + DHCPv6 in hybrid mode
# with the managed/other flags set.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ra 'hybrid'
        option dhcpv6 'hybrid'
        option force '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        list ra_flags 'none'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

uci export firewall;
package firewall

# fw4 (22.03) configuration. The WireGuard-relevant entries are: wg_lan is a
# member of the 'lan' zone, and rule 'wg' opens UDP 51820 on the WAN.

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

# NOTE(review): wg_lan sits in the lan zone, so every peer with a valid key
# (and matching PSK) gets the same standing as a wired LAN host: access to the
# router itself (input ACCEPT), to other LAN hosts, and via the lan->wan
# forwarding below to the internet. Fine for the owner's own phones; a
# separate zone with narrower forwardings would be the way to restrict
# third-party peers. The client tunnel 'WG' is not in any zone.
config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan wg_lan'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

# NOTE(review): fw4 only runs a script include whose section also carries
# 'option type 'script'' and 'option fw4_compatible '1''; without them (as
# here) the file is presumably skipped, and the iptables commands in it would
# not work on an nftables-only 22.03 system anyway (the thread later reports
# iptables-save missing). The two DROP rules in /etc/firewall.user are thus
# likely inactive — verify with `nft list ruleset`.
config include
        option path '/etc/firewall.user'

# Docker bridge zone: open within the zone; there is no forwarding section
# from docker to lan or wan, so inter-zone traffic falls back to the default
# forward REJECT above.
config zone 'docker'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option name 'docker'
        list network 'docker'

# Same fw4 script-include caveat as /etc/firewall.user; the file's content is
# not shown in this thread.
config include
        option path '/etc/firewall.fail2ban'
        option enabled '1'
        option reload '1'

# Accepts inbound UDP 51820 from the WAN to the router itself (no dest, so an
# input rule), which is what the wg_lan listener needs. Behind CG-NAT (see
# thread) no packet ever reaches this rule, which is why the handshake never
# completed until a public IP was assigned.
config rule 'wg'
        option name 'Allow-WireGuard-lan'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'
head -n -0 /etc/firewall.user;
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

# Drop all traffic addressed to the router itself from two LAN hosts.
# NOTE(review): this router runs 22.03 with fw4/nftables (the thread reports
# iptables-save missing), and its 'config include' in /etc/firewall has no
# 'option type 'script'' / 'option fw4_compatible '1'', so fw4 presumably
# never executes this file — and the iptables binary it needs may be absent.
# These two hosts are therefore likely NOT being dropped; verify with
# `nft list ruleset` and, if the blocks are still wanted, express them as
# fw4 'config rule' sections (src 'lan', src_ip, target 'DROP') instead.
iptables -A INPUT -s 192.168.1.235 -j DROP
iptables -A INPUT -s 192.168.1.179 -j DROP
wg show

wg show
interface: WG
  public key: fQI738oBZ3qmCVaFMf6II+2QfI0SJmeSMECtdKhi3Fw=
  private key: (hidden)
  listening port: 55436

peer: ErCIBur8/FyI+SpFAXyfJTDOF1rvi3nlYvHnPBz3K3c=
  allowed ips: 0.0.0.0/0

interface: wg_lan
  public key: ptaRXSpqa0BTPdd9eP84PmXYLox5EiR798O06qEFlWM=
  private key: (hidden)
  listening port: 51820

peer: keCX2A1riwvOTEkA6CZNBx/ZVzXtsplJZZlSZJWPaxk=
  preshared key: (hidden)
  allowed ips: 10.0.5.2/32
  persistent keepalive: every 25 seconds

peer: /awLaqZhW/gmLBTtpAqV3yKfhDaeAxxAJvLoOMS6ThI=
  preshared key: (hidden)
  allowed ips: 10.0.5.3/32
  persistent keepalive: every 25 seconds

peer: oX+0STf0UwnEhd2oCoAg/HfFfVkTsymucewQ9p2TEC0=
  preshared key: (hidden)
  allowed ips: 10.0.5.4/32
  persistent keepalive: every 25 seconds

peer: 3f80jCN828S+6JQ8rm+/j6QHbaVEWJT5XCTGGaM/8UA=
  preshared key: (hidden)
  allowed ips: 10.0.5.5/32
  persistent keepalive: every 25 seconds

Do you get a public IP address from your ISP when connecting via PPPoE?

Do you see any hits on the firewall?
# Print the packet/byte counters of every fw3/iptables rule mentioning port
# 51820; hits on the WireGuard allow rule prove packets reach the WAN side.
# NOTE(review): 22.03 ships fw4/nftables (iptables-save is reported missing in
# the next reply); the closest equivalent is `nft list ruleset | grep 51820`.
iptables-save -c | grep 51820

@andyboeh - I do get a public IP, here's what I see under interfaces:

interface

But when I look at my DDNS, it's coming up with a different IP range: 103.8.*.* (the * are redacted; I would add another image of this, but since I'm a newbie I can't add more than one image per post).

@trendy - I just updated this router to 22.03 and it looks like iptables-save isn't available; is there an equivalent command for nftables? I'll have a quick search too.

... and which one do your clients connect to? The "real" one or the "wrong" DDNS-one?

EDIT: psherman is right and that's why I asked if you have a public IP. It doesn't matter which of the two IPs your clients connect to, it can't work with either.

You are behind CG-NAT. This means you do not have a public IP address on your WAN, and you will not be able to have any inbound connections.


Cheers for your help @andyboeh and @psherman - it sounds like I might need to switch to another ISP if I want to use WG.

There could be an option to switch plans within my ISP to one that doesn't require PPPoE or VLAN config, but my expectation is that CG-NAT would be implemented across all their connections, not just my plan.

PPPoE and VLANs are just parameters related to the connection method. They are not directly related to the type of address you are provided (NAT/CG-NAT vs public IP). It is possible (although IMO not likely) that the ISP uses these connection methods only for CG-NAT connections.

You can contact your ISP to find out if they offer an option for a public IP (possibly at additional cost or a different plan).

Good call @psherman - I just got in contact with my ISP; they seem to think I already have a public IP, but they have offered me a static IP for $5 per month. Do you know if that would do the trick?

I'm going to test it out regardless as I can cancel it next month with no additional charges.

I'm not sure why they think that, but...

As long as the static IP is actually a public IP, and as long as the extra $5/mo is worth it to you, yes, that should probably help.

$5 a month for that ?! It's a total scam. In France, ISPs rarely provide a public/static IP unless you ask for it. If so, it's either free of charge or a small amount (~$10) paid only once.

Wireguard
Here is a simple tutorial that I used recently to setup WG on my router.
Set up Wireguard on OpenWrt - Robin Bühler

In Austria, AFAIK (I'm not a lawyer) you even have a right to a public IP, at no additional cost, at least on request. There are ISPs (like mine) that only provide a public IPv6 address (whether that's legal is open to debate), but that's fine for my use-case.

EDIT: For clarification, they assign you dynamic IPs. Static IPs come at an additional cost.


@psherman, I think they did finally give me a public IP: both my WAN interface and my DDNS IP are giving me the same result (202.56.*.*), which is the same address that my ISP said my IP address would be!

Now I understand why I had to tick allow non public IP addresses earlier when configuring DDNS lol... because I didn't have a public IP.

I can see traffic over WG on the OpenWrt interface, but it's not showing any traffic transferred in the app for some reason. I'll do a bit of digging.

Cheers for the link @badulesia if I can't get the config right after a bit of work I'll give that guide a go


Perfect!

What is the output of

wg show

While we've gone beyond an urgent need for this, there may (have been) another alternative.

ISPs using CG-NAT usually (really should) offer IPv6 in addition, which may be enough to serve your needs for a WireGuard endpoint. Yes, this way your VPN would only be accessible via IPv6, meaning you'd need IPv6 support everywhere you're going to access the VPN from: LTE (tends to be possible around here), various guest networks (usually not provided) and friends & family (spotty, at best). This approach of IPv6(-only) access to my VPN works for me in a similar situation (CG-NAT plus a semi-static /56 IPv6 prefix), as my ISP can't give me a public IPv4 address for neither good words nor money.


@psherman, I'm making progress, but still no cigar!

See below for more info

wg show
interface: wg_lan
  public key: 0mwqx27rgj6T3rvP/C9Khl6aqVyTngrSyW0j4e3zHSg=
  private key: (hidden)
  listening port: 51820

peer: +YZb9+IgG2s8PinZa7ivXwDJ3YCrNdH3rJcq/ndJMBY=
  preshared key: (hidden)
  endpoint: 192.168.1.204:60673
  allowed ips: 10.0.5.2/32
  transfer: 9.83 KiB received, 6.25 KiB sent
  persistent keepalive: every 25 seconds

peer: X9UbHBG+VniFynEGiyTKZoFZjYopVNoiR6hfbYCw2VE=
  preshared key: (hidden)
  allowed ips: 10.0.5.3/32
  persistent keepalive: every 25 seconds

peer: 9tnRAYcPPexXT6s+N8gmqAoz4LNG3wJcQ/ahvYZyNTM=
  preshared key: (hidden)
  allowed ips: 10.0.5.4/32
  persistent keepalive: every 25 seconds

peer: GYSvd0qW4GSIPYfUX0Jke2s62w5VcUKyp90AxjRhFyc=
  preshared key: (hidden)
  allowed ips: 10.0.5.5/32
  persistent keepalive: every 25 seconds

peer: DQmq7FiPhF0SJmM02OF0neyNVq5h1XGlOvSQby8SyFI=
  endpoint: 202.56.44.164:51820
  allowed ips: 10.0.5.6/32
  transfer: 0 B received, 8.24 KiB sent
  persistent keepalive: every 25 seconds

The weird thing is that on the Wireguard status page I can see data being sent / received, but the wireguard app is only showing data being transmitted from my phone, not received.

My wireguard app on android keeps coming up with
Received invalid response message from 202.56.*.*

And listening on 51820 isn't showing any traffic..

# Capture every UDP packet on port 51820 on all interfaces, with full
# date/time stamps (-tttt) and no name resolution (-n), appending to a log
# file; stop with Ctrl-C. Handshake initiations from the phone should appear
# here if they reach the router at all.
# NOTE(review): /var/log is usually tmpfs on OpenWrt, so the capture is lost
# on reboot — copy it off if it is needed later.
touch /var/log/wireguard-tcpdump.log
tcpdump -ttttni any 'udp port 51820' >> /var/log/wireguard-tcpdump.log

hello all, thanks for all your help. I can confirm that I've got it working!!

After all that I re-ran the openwrt tutorial and left the DNS field as default and it worked.

So logically I think the issue was that I didn't have a public IP address, and once that was fixed it should have worked; but I'd tweaked the original auto_wg_username-id.sh in a vain attempt to get things working, and that was what made things more difficult.

The changes I remember making were:

  • set the interface DNS server to 192.168.1.1
  • disabled the (enabled by default) route allowed IPs option on the peer

But it looks like re-running auto_wg_username-id.sh and having a public IP did the trick.

Thanks for all your help, you all have been epic!!

Great!!!

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

