Wireguard handshake only works within Wifi

davidtluong · October 26, 2024, 3:37am

Wireguard only seems to only work within my network, not sure how to proceed forward here, will output what I saw what was asked of others, I did test nc -u publicip 51820 to see if the port was open, so it might not be on the WAN side... Not sure what's blocking it as I'm fairly certain the ISP isn't since I can get wireguard working easily with my GL.iNet GL-MT3000 through its GUI. From what I'm reading on my firewall rules it should be open... When I disable and enable the PING firewall rule the outside network test behaves as expected...

From outside the LAN

nc -v -u -z -w 3 home 51820
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Connected to publicip:51820.
Ncat: Connection refused.

From inside the LAN

nc -v -u -z -w 3 home 51820
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Connected to publicip:51820.
Ncat: UDP packet sent successfully
Ncat: 1 bytes sent, 0 bytes received in 2.01 seconds.

ubus call system board
{
	"kernel": "5.15.167",
	"hostname": "OpenWrt",
	"system": "Qualcomm Atheros QCA956X ver 1 rev 0",
	"model": "TP-Link Archer A7 v5",
	"board_name": "tplink,archer-a7-v5",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.5",
		"revision": "r24106-10cc5fcd00",
		"target": "ath79/generic",
		"description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
	}
}

cat /etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd53:5bfe:198b::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option delegate '0'

config device
	option name 'eth0.2'
	option macaddr 'e8:48:b8:10:c7:9e'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'
	option disabled '1'
	option reqaddress 'try'
	option reqprefix 'auto'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

config interface 'vpn'
	option proto 'wireguard'
	option private_key 'hidden'
	option listen_port '51820'
	list addresses '192.168.9.1/24'

config wireguard_vpn 'wgclient'
	option public_key 'hidden'
	option preshared_key 'hidden'
	list allowed_ips '192.168.9.2/32'
	option private_key 'hidden'
	option endpoint_host 'hidden'
	option endpoint_port '51820'

config wireguard_vpn
	option public_key 'hidden'
	option private_key 'hidden'
	option endpoint_host 'hidden'
	option endpoint_port '51820'
	option route_allowed_ips '1'
	list allowed_ips '192.168.9.3/32'

cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option logfacility 'KERN'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

cat /etc/config/firewall 

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone 'lan'
	option name 'lan'
	list network 'lan'
	list network 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone 'wan'
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option proto 'udp'
	option target 'ACCEPT'
	option src_port '51820'
	option family 'ipv4'
	option dest_port '51820'

ip route show
default via hidden dev eth0.2  src hidden
hidden/21 dev eth0.2 scope link  src hidden
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1 
192.168.9.0/24 dev vpn scope link  src 192.168.9.1

ip rule show
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default

wg show
interface: vpn
  public key: ov7xKLcBqYevreLwD7fQ676V7Ysgif0tIm+QnWy6CC4=
  private key: (hidden)
  listening port: 51820

peer: d2OmkhztigstJi3AH9fF4/udo50rS6ktZbwaM4z4RHM=
  preshared key: (hidden)
  endpoint: 192.168.1.140:51820
  allowed ips: 192.168.9.2/32
  latest handshake: 18 minutes, 3 seconds ago
  transfer: 550.39 KiB received, 1.15 MiB sent

elbertmai · October 26, 2024, 5:00am

Are you sure? According to wg show, it appears the other peer is set to use your router's private IP address on LAN as the endpoint. This would explain why it doesn't work outside the LAN.

Please share the Wireguard configuration for the d2Omkhzt... peer.

psherman · October 26, 2024, 5:00am

Your problem may be explained by the lack of a public IP address on your router's WAN.... let's check that first... what are the first two octets of the following command (in bold: aaa.bbb.ccc.ddd)

ifstatus wan | grep address

I do see other things that should probably be changed, but we need to start with the above.

davidtluong · October 26, 2024, 5:08am

"ipv4-address": [
		"address": "47.135.x.x",
"ipv6-address": [
	"ipv4-address": [
	"ipv6-address": [

[Interface]
PrivateKey = hidden
Address = 192.168.9.2/32
ListenPort = 51820
DNS = 192.168.1.1

[Peer]
PublicKey = o-REDACTED-=
PresharedKey = hidden
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 47.135.x.x:51820

PersistentKeepAlive not defined

pavelgl · October 26, 2024, 5:16am

davidtluong:

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option proto 'udp'
	option target 'ACCEPT'
	option src_port '51820'
	option family 'ipv4'
	option dest_port '51820'

Remove option src_port '51820' from the rule.

The endpoint host and port are used when the router initiates a connection to a remote peer and you need to set the remote IP address and listening port. In your case (if I understand correctly) you want the router to accept connections.

Remove these options from both peer sections.

davidtluong · October 26, 2024, 5:19am

Haha, it was literally just the src_port, thanks!

psherman · October 26, 2024, 5:20am

So the good news is that you do indeed have a public IP.

Moving on... in addition to what @pavelgl already pointed out

davidtluong:

config wireguard_vpn 'wgclient'
	option public_key 'hidden'
	option preshared_key 'hidden'
	list allowed_ips '192.168.9.2/32'
	option private_key 'hidden'
	option endpoint_host 'hidden'
	option endpoint_port '51820'

This peer is missing the following line:

	option route_allowed_ips '1'

system · November 5, 2024, 5:21am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.