WireGuard handshake failed

I have a Phicomm K3 router and an iPhone, both of which have WireGuard installed. I want to be able to access my home network's resources from an external network through WireGuard, but the connection fails, and the log shows that the handshake never succeeds. Here is some information:

Router WireGuard information:

kmod-wireguard - 4.14.180+1.0.20200506-1
luci-app-wireguard - git-20.186.82389-282dbf8-1
wireguard - 1.0.20200611-1
wireguard-tools - 1.0.20191226-1

Router WireGuard config:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         123.113.8.1     0.0.0.0         UG    0      0        0 pppoe-wan
10.0.0.0        *               255.255.255.0   U     0      0        0 br-lan
10.0.1.0        *               255.255.255.0   U     0      0        0 wg
10.0.1.2        *               255.255.255.255 UH    0      0        0 wg
123.113.8.1     *               255.255.255.255 UH    0      0        0 pppoe-wan

/etc/config/network

config interface 'wg'
	option proto 'wireguard'
	option listen_port '50000'
	list addresses '10.0.1.1/24'
	option private_key 'GLi6D7tl6RFozkXQ9r8bXUkSnoKBgjg2fOWIgPRWuk4='
	option mtu '1280'

config wireguard_wg
	option route_allowed_ips '1'
	option description 'IOS'
	list allowed_ips '10.0.1.2/32'
	option public_key '4FgkmfYtGKcjHq/RRlqgJZWXhz+pzEqMUX6s+vBKMXI='

/etc/config/firewall

config forwarding
	option dest 'lan'
	option src 'wg'

config forwarding
	option dest 'wg'
	option src 'lan'

config zone
	option name 'wg'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'wg'

config rule
	option dest_port '50000'
	option src 'wan'
	option name 'Allow-WG'
	option target 'ACCEPT'

iPhone WireGuard config

iPhone WireGuard log:

2020-07-06 14:12:18.133
[NET] peer(tlC4…GQVw) - Sending handshake initiation
2020-07-06 14:12:23.357
[NET] peer(tlC4…GQVw) - Handshake did not complete after 5 seconds, retrying (try 2)
2020-07-06 14:12:23.357
[NET] peer(tlC4…GQVw) - Sending handshake initiation
2020-07-06 14:12:28.394
[NET] peer(tlC4…GQVw) - Handshake did not complete after 5 seconds, retrying (try 3)
2020-07-06 14:12:28.395
[NET] peer(tlC4…GQVw) - Sending handshake initiation

tcpdump -i any -vvn udp port 50000

tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
06:16:07.600932 IP (tos 0x0, ttl 58, id 13277, offset 0, flags [none], proto UDP (17), length 176)
    114.242.250.179.43251 > 123.113.12.89.50000: [udp sum ok] UDP, length 148
06:16:07.606137 IP (tos 0x88, ttl 64, id 50587, offset 0, flags [none], proto UDP (17), length 120)
    123.113.12.89.50000 > 114.242.250.179.43251: [bad udp cksum 0xf5e5 -> 0x7b94!] UDP, length 92
06:16:12.770942 IP (tos 0x0, ttl 58, id 29105, offset 0, flags [none], proto UDP (17), length 176)
    114.242.250.179.43251 > 123.113.12.89.50000: [udp sum ok] UDP, length 148
06:16:12.776206 IP (tos 0x88, ttl 64, id 51089, offset 0, flags [none], proto UDP (17), length 120)
    123.113.12.89.50000 > 114.242.250.179.43251: [bad udp cksum 0xf5e5 -> 0x026e!] UDP, length 92

It shows that the router can receive the 148-byte handshake message on the WAN interface and sends a 92-byte message through the lo interface, but the iOS client does not receive it. (Looks like the wg interface doesn't work?)

And the wg interface dropped many packets:

wg        Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.0.1.1  P-t-P:10.0.1.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:25 errors:0 dropped:0 overruns:0 frame:0
          TX packets:58 errors:4526 dropped:39438 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3700 (3.6 KiB)  TX bytes:7184 (7.0 KiB)

Can someone help me?
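To make a capture like the one above easier to read, here is an added Python helper (not from the original post) that parses tcpdump's two-line record format and classifies each UDP datagram by its payload length. WireGuard messages have fixed wire sizes, so 148-byte datagrams arriving at the listen port are handshake initiations and 92-byte replies are handshake responses; a client that keeps sending initiations after responses have left the router is a client that never received them. The sample capture is constructed in the same format with TEST-NET documentation addresses, and the verdict strings in summarize() are my own labels. The "bad udp cksum" note on locally generated packets is normally a checksum-offload artifact of capturing on the sender, not real corruption, so the helper only counts those lines.

```python
import re
from collections import Counter

# WireGuard wire sizes (UDP payload bytes) from the protocol definition:
# handshake initiation 148, handshake response 92, cookie reply 64,
# transport data = 32-byte header + payload padded to a multiple of 16
# (a bare 32-byte message is a keepalive).
HANDSHAKE_INIT = 148
HANDSHAKE_RESP = 92
COOKIE_REPLY = 64
DATA_HEADER = 32

# First line of a tcpdump -vvn record: timestamp followed by IP header details.
IP_LINE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d\.\d+) IP \(.*\)$")
# Second line: src.port > dst.port: [checksum note] UDP, length N
UDP_LINE = re.compile(
    r"^\s+(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"\[(?P<cksum>[^\]]*)\] UDP, length (?P<length>\d+)$"
)

def classify(length):
    """Map a UDP payload length to the WireGuard message type it can be."""
    if length == HANDSHAKE_INIT:
        return "handshake-initiation"
    if length == HANDSHAKE_RESP:
        return "handshake-response"
    if length == COOKIE_REPLY:
        return "cookie-reply"
    if length >= DATA_HEADER and (length - DATA_HEADER) % 16 == 0:
        return "keepalive" if length == DATA_HEADER else "transport-data"
    return "not-wireguard"

def parse_capture(text):
    """Pair the two lines of each tcpdump record and classify the datagram."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    records = []
    i = 0
    while i + 1 < len(lines):
        m1 = IP_LINE.match(lines[i])
        m2 = UDP_LINE.match(lines[i + 1]) if m1 else None
        if not (m1 and m2):
            i += 1          # banner or unrelated line: skip it
            continue
        length = int(m2["length"])
        records.append({
            "time": m1["time"],
            "src": m2["src"], "sport": int(m2["sport"]),
            "dst": m2["dst"], "dport": int(m2["dport"]),
            "length": length, "kind": classify(length),
            "cksum_note": m2["cksum"],
        })
        i += 2
    return records

def summarize(records, listen_port):
    """Count message kinds per direction and derive a verdict on the handshake."""
    inbound = Counter(r["kind"] for r in records if r["dport"] == listen_port)
    outbound = Counter(r["kind"] for r in records if r["sport"] == listen_port)
    # tcpdump sees locally generated packets before the NIC fills in the UDP
    # checksum (checksum offload), so "bad udp cksum" on outbound lines is
    # expected on the sending host; it is only counted here, never treated as a fault.
    offload_notes = sum(1 for r in records
                        if r["sport"] == listen_port and "bad udp cksum" in r["cksum_note"])
    if inbound["transport-data"] or inbound["keepalive"]:
        verdict = "handshake-completed"
    elif inbound["handshake-initiation"] and outbound["handshake-response"]:
        # Responses leave the router but the peer keeps re-initiating:
        # the response is lost on the return path (NAT, firewall, UDP proxy).
        verdict = "response-not-reaching-peer"
    elif inbound["handshake-initiation"]:
        verdict = "no-response-sent"   # listen port, firewall or key mismatch
    else:
        verdict = "no-wireguard-traffic"
    return {"inbound": dict(inbound), "outbound": dict(outbound),
            "offload_checksum_notes": offload_notes, "verdict": verdict}

# Constructed sample in the same format as the capture in the thread; the
# addresses are TEST-NET documentation ranges, not real hosts.
SAMPLE_CAPTURE = """\
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
06:16:07.600932 IP (tos 0x0, ttl 58, id 13277, offset 0, flags [none], proto UDP (17), length 176)
    198.51.100.7.43251 > 192.0.2.10.50000: [udp sum ok] UDP, length 148
06:16:07.606137 IP (tos 0x88, ttl 64, id 50587, offset 0, flags [none], proto UDP (17), length 120)
    192.0.2.10.50000 > 198.51.100.7.43251: [bad udp cksum 0xf5e5 -> 0x7b94!] UDP, length 92
06:16:12.770942 IP (tos 0x0, ttl 58, id 29105, offset 0, flags [none], proto UDP (17), length 176)
    198.51.100.7.43251 > 192.0.2.10.50000: [udp sum ok] UDP, length 148
06:16:12.776206 IP (tos 0x88, ttl 64, id 51089, offset 0, flags [none], proto UDP (17), length 120)
    192.0.2.10.50000 > 198.51.100.7.43251: [bad udp cksum 0xf5e5 -> 0x026e!] UDP, length 92
"""

if __name__ == "__main__":
    recs = parse_capture(SAMPLE_CAPTURE)
    for r in recs:
        print(f'{r["time"]} {r["src"]}:{r["sport"]} -> {r["dst"]}:{r["dport"]} '
              f'{r["length"]:4d}B {r["kind"]}')
    print(summarize(recs, 50000))
```

Feed it the text of `tcpdump -i any -vvn udp port 50000` and the listen port; a verdict of "response-not-reaching-peer" is the pattern in this thread (initiations in, responses out, nothing else), which points at the return path rather than at the WireGuard configuration itself.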

Try removing the listen port from the iOS side.

Also, you should never post the real keys and public IP addresses. If those are the actual keys for your WG tunnel, generate new ones for security.


It doesn't work, and if I remove the listen port, the iOS client will auto-generate a new one.

Emm, my IP is dynamic, and I will replace the key. Thank you very much.

It seems that the iPhone can't receive the handshake message from the router.

That is okay. In fact, that is better. Just leave it blank and let it do stuff automatically.

EDIT: looking at your MTU, that is fairly small and usually not necessary to set. Unless you specifically need it, I'd recommend removing it from both sides. It's not likely the source of your issue, but doesn't help.

Please post the complete contents of your /etc/config/network and /etc/config/firewall files (redact any private details, but leave all rfc1918 addresses intact).


Yes, the MTU is not the source of my issue; I have changed it to the default.
Here is the config content:

/etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd8e:d910:e0ee::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '10.0.0.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'pppoe'
	option password 'XXXXX'
	option ipv6 'auto'
	option username 'XXXXX'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr 'D8:C8:E9:97:AD:A0'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '3 5t'

config interface 'wg'
	option proto 'wireguard'
	option listen_port '50000'
	list addresses '10.0.1.1/24'
	option private_key 'GLi6D7tl6RFozkXQ9r8bXUkSnoKBgjg2fOWIgPRWuk4='

config wireguard_wg
	option route_allowed_ips '1'
	option public_key 'FTxzkUg9/1UtXNp2Nh+Rqa7acazSPsHesVHZD/fSQSg='
	option description 'IOS'
	list allowed_ips '10.0.1.2/32'
	option persistent_keepalive '25'

config wireguard_wg
	option route_allowed_ips '1'
	option public_key 'D/crpSaYETC/uPkrRvZ2ZFo27UbBWTiQN2NM8eyDiG8='
	option description 'android'
	list allowed_ips '10.0.1.3/32'

/etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config include 'v2ray'
	option type 'script'
	option path '/etc/firewall.v2ray'
	option family 'any'
	option reload '1'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config zone
	option name 'wg'
	option input 'ACCEPT'
	option forward 'REJECT'
	option network 'wg'
	option output 'ACCEPT'

config forwarding
	option dest 'lan'
	option src 'wg'

config forwarding
	option dest 'wg'
	option src 'lan'

config rule
	option dest_port '50000'
	option src 'wan'
	option name 'Allow-WG'
	option target 'ACCEPT'

config forwarding
	option dest 'wan'
	option src 'wg'

Hope you can help me. I have tried lots of times, but it never works, and I added a new Android client, which doesn't work either, so it's not a client problem; the issue is the router.

The port forward looks OK, but to try and rule out the firewall, move the WireGuard interface into the LAN firewall zone (rather than having it as a separate zone).

What's the output of running wg?

Some more questions:

Have you restarted your router since adding the WG peers? You must at least restart the WG interface, but I usually opt to reboot the entire router just to be sure.

Do you have a public IP address? Look at your IPv4 upstream address and then check to make sure it matches the address you get when you do an external IP check (such as googling "what's my IP"). If your upstream address is anything in the RFC1918 or CG-NAT ranges, you won't be able to do this.

Also, you have UPnP and v2ray in your firewall -- do you need those? If you remove those, does it solve the problem?

wg output:

interface: wg
  public key: tlC432XNTXpFbXHj+//ndzaMyBAUalIL3CIfLGxGQVw=
  private key: (hidden)
  listening port: 50000

peer: FTxzkUg9/1UtXNp2Nh+Rqa7acazSPsHesVHZD/fSQSg=
  allowed ips: 10.0.1.2/32
  persistent keepalive: every 25 seconds

peer: D/crpSaYETC/uPkrRvZ2ZFo27UbBWTiQN2NM8eyDiG8=
  endpoint: 124.64.19.13:63062
  allowed ips: 10.0.1.3/32
  transfer: 6.65 KiB received, 4.13 KiB sent

1. I will restart the WG interface.
2. I have a public IP, and the router can receive the handshake message; the issue is that it can't send the handshake message to the client, because the client receives nothing.
3. Yes, I need v2ray and UPnP; I can remove them temporarily to test it.
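As an added example (not part of this thread), here is a Python script that covers the two checks asked for above: whether the upstream IPv4 address is actually publicly routable (not in the RFC 1918 ranges or the 100.64.0.0/10 CG-NAT pool), and what the wg output says about each peer. In wg's output the "latest handshake" line appears only after a handshake has completed, and the "endpoint" line is learned from the first authenticated packet the peer sends, so a peer with an endpoint and transfer counters but no latest handshake (like the android peer above) has reached the router but never finished the exchange, while a peer with neither (like the iOS peer) has not had a single packet reach the wg interface. The wg output below is constructed in the same format with placeholder keys and TEST-NET endpoint addresses; the status labels are my own.

```python
import ipaddress
import re

# Address blocks that cannot receive unsolicited traffic from the Internet:
# the RFC 1918 private ranges and the RFC 6598 carrier-grade NAT pool. A WAN
# address in any of these means the ISP is NATing you and inbound WireGuard
# initiations will never arrive at the router.
NOT_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

def is_publicly_routable(addr):
    """True if an IPv4 WAN address is outside the private and CG-NAT ranges."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("IPv4 address expected")
    return not any(ip in net for net in NOT_ROUTABLE)

PEER_LINE = re.compile(r"^peer: (?P<key>\S+)\s*$")
KV_LINE = re.compile(r"^\s+(?P<k>[a-z ]+): (?P<v>.+)$")

def parse_wg_show(text):
    """Parse `wg show` output into the interface block and a list of peer blocks."""
    interface, peers, current = {}, [], None
    for line in text.splitlines():
        if line.startswith("interface:"):
            current = interface
            interface["name"] = line.split(":", 1)[1].strip()
            continue
        m = PEER_LINE.match(line)
        if m:
            current = {"public_key": m["key"]}
            peers.append(current)
            continue
        m = KV_LINE.match(line)
        if m and current is not None:
            current[m["k"].strip()] = m["v"].strip()
    return {"interface": interface, "peers": peers}

def peer_status(peer):
    """Classify a peer by which wg show fields are present.

    'latest handshake' is printed only once a handshake has completed.
    'endpoint' is learned from the first authenticated packet the peer sent,
    so endpoint without latest handshake means a valid initiation arrived but
    the exchange never finished (our response did not get back to the peer).
    """
    if "latest handshake" in peer:
        return "handshake-completed"
    if "endpoint" in peer:
        return "initiation-seen-no-handshake"
    return "no-packets-from-peer"

def report(text):
    """One (public key, status, endpoint) tuple per peer, in wg show order."""
    state = parse_wg_show(text)
    return [(p["public_key"], peer_status(p), p.get("endpoint", "-"))
            for p in state["peers"]]

# Constructed sample in wg show's format. The keys are placeholders, not real
# keys; the endpoint addresses are TEST-NET documentation ranges.
SAMPLE_WG_SHOW = """\
interface: wg
  public key: ROUTER_PUBLIC_KEY_PLACEHOLDER=
  private key: (hidden)
  listening port: 50000

peer: IOS_PEER_KEY_PLACEHOLDER=
  allowed ips: 10.0.1.2/32
  persistent keepalive: every 25 seconds

peer: ANDROID_PEER_KEY_PLACEHOLDER=
  endpoint: 198.51.100.23:63062
  allowed ips: 10.0.1.3/32
  transfer: 6.65 KiB received, 4.13 KiB sent

peer: LAPTOP_PEER_KEY_PLACEHOLDER=
  endpoint: 203.0.113.9:51820
  allowed ips: 10.0.1.4/32
  latest handshake: 1 minute, 12 seconds ago
  transfer: 1.20 MiB received, 3.48 MiB sent
"""

if __name__ == "__main__":
    # Constructed WAN address for the routability check.
    wan = "100.64.1.1"
    print(f"WAN {wan} publicly routable: {is_publicly_routable(wan)}")
    for key, status, endpoint in report(SAMPLE_WG_SHOW):
        print(f"{key:32} {status:30} {endpoint}")
```

Pipe the real `wg show wg` output into report() on the router; a peer stuck at "initiation-seen-no-handshake" while the WAN address is publicly routable narrows the problem to whatever sits between the wg interface and the WAN on the outbound side, which is what the later replies in this thread end up finding.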

I removed UPnP and v2ray, and it worked. Thank you very much, but I really need UPnP and v2ray. Do you know the reason?

I don't know why they are conflicting, but the high port number you've chosen for WG may be at issue here. You could try a lower port number (say in the 8000's range).

Also try re-enabling one at a time to see which one actually causes the conflict.

OK, I will try it. Thank you.

The issue is v2ray's UDP proxy.

I disabled this, and it worked.

Not the port problem, because I tested that previously.
