WireGuard Handshake Failed

Followed this guide but couldn't get the handshake to work. So I copied over the settings exactly from a current working instance to this new instance, but I keep getting the same error in peer:

[NET] peer(Jof1…oxVU) - Handshake did not complete after 5 seconds, retrying (try 2)

I've triple checked the keys, and at a loss for how to troubleshoot next. Any ideas?

versions

kmod-wireguard - 5.15.167-1
wireguard-tools - 1.0.20210914-2
luci-proto-wireguard - git-24.299.74085-56294d0

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdbd:b522:3090::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'vpn'
	option proto 'wireguard'
	option private_key 'XX'
	option listen_port '51820'
	list addresses '10.200.200.1/24'

config wireguard_vpn 'wgclient'
	option public_key 'XX'
	option description 'thekiefs'
	list allowed_ips '10.200.200.2'

/etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone 'lan'
	option name 'lan'
	list network 'lan'
	list network 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone 'wan'
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule 'wg'
	option name 'Allow-WireGuard-Inbound'
	option src '*'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

Client/peer config

[Interface]
PrivateKey = XXXX
Address = 10.200.200.2/32
DNS = 192.168.2.1

[Peer]
PublicKey = XX
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.mycustomddns.com:51820
PersistentKeepalive = 25

Your config looks mostly good.

This should be 10.200.200.2/32 and you’ll need to add:

option route_allowed_ips '1'

The next thing to check is that you have a proper public ip that matches your domain name.

Does this:

ifstatus wan | grep address 

Match this (obviously using the real domain that you use):

nslookup vpn.mycustomddns.com

Thanks, I changed wgclient to match your recommended settings, but I get the same handshake error.

ifstatus is pulling my ipv4 address as 10.0.0.185 which is obviously wrong.

ifstatus wan | grep address
		"addresses",
	"ipv4-address": [
			"address": "10.0.0.185",
	"ipv6-address": [
		"ipv4-address": [
		"ipv6-address": [
root@Xnet:~# nslookup vpn.X.X.com
Server:		127.0.0.1
Address:	127.0.0.1:53

Non-authoritative answer:
Name:	vpn.X.X.com

I worked around this in DDNS by setting the IP Address Source to the URL http://checkip.dyndns.com instead of the wan network, so I am sending the right IP to the DDNS provider. Not sure what else could be causing this :(

Well, it obviously won't work, but the information you are getting is accurate.

Not necessarily. The checkip method will always return a public IP, but that IP address may not be exclusively yours if your ISP uses NAT/CG-NAT.

What is immediately upstream of your OpenWrt router?


Interesting, good point. Immediately upstream is a router/modem combo. I disabled the wireless on the combo and just plugged internet from OpenWrt into Port 1 on the combo. I'll try accessing the combo and see if there's a way to completely disable NAT.

Yes, disabling the wireless won't disable the device's routing mode operation. If your upstream router supports bridge mode, that will pass the ISP issued IP address directly to your OpenWrt wan. If not, hopefully there is a port forwarding option... if you can port forward, that will also help. But you'll still need to make sure that the IP address you get from the IP check is actually the address on the wan of your ISP modem/router.


I managed to log into the modem/router combo and put it in Bridge Mode, but I'm still getting the handshake errors.

Anything I can do to troubleshoot?

First thing to do would be to ensure that you have a public IP on the wan of your OpenWrt router.

What are the first two octets (the aaa.bbb part of aaa.bbb.ccc.ddd) of the following:

ifstatus wan | grep address

When you're really free of CGNAT, the WAN IP will match what a "whats my IP" site reports. This is essential to take incoming connections.

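The replies above boil down to three addresses that must agree before anyone chases WireGuard keys: the address on the OpenWrt wan interface, the address an external "what is my IP" service sees, and the address the DDNS name resolves to. The script below is an added example (not posted by anyone in this thread) that encodes those checks for a busybox/POSIX shell. The range tests (RFC 1918 private space and the RFC 6598 CG-NAT block 100.64.0.0/10) are pure arithmetic and run anywhere; the live lookups at the end use `ifstatus`, `jsonfilter`, busybox `wget` and `nslookup` as found on OpenWrt, the checkip URL from the thread, and an assumed `DDNS_NAME` environment variable. All sample addresses are constructed documentation ranges, not values from the thread.

```shell
#!/bin/sh
# Added diagnostic helper, not from the thread: classify the wan address and
# compare it with the externally seen address and the DDNS record.

# Convert a dotted-quad IPv4 address to an integer (POSIX sh, no bashisms).
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit 0 when address $1 lies inside network $2 with prefix length $3.
in_cidr() {
    ip=$(ip_to_int "$1"); net=$(ip_to_int "$2"); bits=$3
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# "private" = RFC 1918 (an upstream router is NATing you),
# "cgnat"   = RFC 6598 shared address space (ISP-side NAT),
# "public"  = anything else.
classify_wan() {
    if in_cidr "$1" 10.0.0.0 8 || in_cidr "$1" 172.16.0.0 12 || in_cidr "$1" 192.168.0.0 16; then
        echo private
    elif in_cidr "$1" 100.64.0.0 10; then
        echo cgnat
    else
        echo public
    fi
}

# Verdict over wan address ($1), externally seen address ($2) and the address
# the DDNS name resolves to ($3). Prints one line; exit 0 only when all agree.
wg_reachability_verdict() {
    wan=$1; seen=$2; dns=$3
    case $(classify_wan "$wan") in
        private) echo "upstream-nat: wan has $wan; use bridge mode or forward udp/51820 on the upstream router"; return 1 ;;
        cgnat)   echo "cgnat: wan has $wan; inbound connections cannot reach this router"; return 1 ;;
    esac
    if [ "$wan" != "$seen" ]; then
        echo "mismatch: wan has $wan but the internet sees $seen"; return 1
    fi
    if [ "$seen" != "$dns" ]; then
        echo "stale-ddns: name resolves to $dns, public address is $seen"; return 1
    fi
    echo "ok: $wan is public and the DDNS record is current"
}

# Constructed sample values (documentation ranges) showing each outcome.
wg_reachability_verdict 10.0.0.185  203.0.113.7 203.0.113.7
wg_reachability_verdict 100.64.12.3 203.0.113.7 203.0.113.7
wg_reachability_verdict 203.0.113.7 203.0.113.7 198.51.100.9
wg_reachability_verdict 203.0.113.7 203.0.113.7 203.0.113.7

# Live run on an OpenWrt router; skipped elsewhere so the functions above can
# still be sourced and tested off the box.
if command -v ifstatus >/dev/null 2>&1 && command -v jsonfilter >/dev/null 2>&1; then
    wan_ip=$(ifstatus wan | jsonfilter -e '@["ipv4-address"][0].address')
    seen_ip=$(wget -qO- http://checkip.dyndns.com | sed 's/.*: *//; s/<.*//')
    # First "Address:" line without a colon in the value: skips the resolver
    # line (127.0.0.1:53) and any IPv6 answers. DDNS_NAME is an assumed variable.
    dns_ip=$(nslookup "${DDNS_NAME:-vpn.mycustomddns.com}" | awk '/^Address/ && $2 !~ /:/ {print $2; exit}')
    wg_reachability_verdict "$wan_ip" "$seen_ip" "$dns_ip"
fi
```

Run as `DDNS_NAME=vpn.example.net sh wgcheck.sh` on the router. The wan address reported earlier in this thread, 10.0.0.185, would be classified "private" and the script would stop there, which is the upstream-NAT situation the later replies diagnose; once the modem is in bridge mode the remaining two comparisons catch exactly the stale DDNS record that turned out to be the final cause.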

Thanks, yeah, that was the issue. DDNS wasn't updating my domain properly: https://community.cloudflare.com/t/cloudflare-ddns-custom-a-record-not-updating/339976
