WireGuard handshake troubles in OpenWrt 17.01

Hey guys, I'm running out of ideas trying to establish a connection with one of the Windscribe VPN servers that allows WireGuard.
I'm using OpenWrt LuCI 17.0.1 on a TP-Link TL-MR3020 with extroot and all the required WireGuard packages.
I've configured the VPN and the WireGuard interface well, but there is no handshake. Can you guys help me please? I'm new at this.

Network configurations of the router

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fdfc:1755:9939::/48'
network.lan=interface
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan._orig_ifname='eth0'
network.lan._orig_bridge='false'
network.lan.ipaddr='10.0.0.1'
network.lan.gateway='10.0.0.1'
network.lan.dns='10.0.0.1'
network.lan.ifname='eth0'
network.lan.macaddr='e8:94:f6:49:10:e5'
network.@WAN[0]=WAN
network.@WAN[0].public_key='Thekey'
network.@WAN[0].allowed_ips='0.0.0.0/0'
network.@WAN[0].endpoint_host='hel-98-wg.whiskergalaxy.com'
network.@WAN[0].endpoint_port='1194'
network.@WAN[0].persistent_keepalive='30'
network.@WAN[0].route_allowed_ips='1'
network.wwan=interface
network.wwan.proto='dhcp'
network.WAN=interface
network.WAN.proto='wireguard'
network.WAN.private_key='Thekey'
network.WAN.listen_port='443'
network.WAN.addresses='100.67.142.95/32'
network.WAN.preshared_key='Thekey'
network.@wireguard_WAN[0]=wireguard_WAN
network.@wireguard_WAN[0].public_key='Thekey'
network.@wireguard_WAN[0].allowed_ips='0.0.0.0/0'
network.@wireguard_WAN[0].endpoint_host='jfk-106-wg.whiskergalaxy.com'
network.@wireguard_WAN[0].endpoint_port='443'
network.@wireguard_WAN[0].persistent_keepalive='30'
network.@wireguard_WAN[0].route_allowed_ips='1'

Firewall rules

firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='ACCEPT'

firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'

firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].forward='ACCEPT'
firewall.@zone[1].input='ACCEPT'
firewall.@zone[1].network='Wireguard_VPN wwan'

firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'

firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'

firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'

firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'

firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'

firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'

firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'

firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'

firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'

firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[0].src='lan'

firewall.@rule[9]=rule
firewall.@rule[9].target='ACCEPT'
firewall.@rule[9].src='wan'
firewall.@rule[9].proto='tcp'
firewall.@rule[9].dest_port='80'
firewall.@rule[9].name='80'

firewall.@rule[10]=rule
firewall.@rule[10].target='ACCEPT'
firewall.@rule[10].src='wan'
firewall.@rule[10].proto='tcp'
firewall.@rule[10].dest_port='80'
firewall.@rule[10].name='80'

firewall.@rule[11]=rule
firewall.@rule[11].enabled='1'
firewall.@rule[11].target='ACCEPT'
firewall.@rule[11].src='wan'
firewall.@rule[11].dest_port='443'
firewall.@rule[11].name='443'
firewall.@rule[11].proto='all'

firewall.@zone[2]=zone
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].forward='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].name='VPN'
firewall.@zone[2].masq='1'
firewall.@zone[2].mtu_fix='1'
firewall.@zone[2].network='WAN'

uci -q delete firewall.@zone[1].network
uci set firewall.@zone[1].network="wwan"
uci -q delete firewall.lan_vpn
uci set firewall.lan_vpn="forwarding"
uci set firewall.lan_vpn.src="lan"
uci set firewall.lan_vpn.dest="VPN"
uci commit firewall
/etc/init.d/firewall restart

uci -q delete network.@WAN[0]
uci -q delete network.lan.gateway
uci set network.wwan.metric="100"
uci commit network
/etc/init.d/network restart
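An added example, not from either poster: a small POSIX sh lint that checks a `uci show network; uci show firewall` dump for the problems the reply above corrects (lan.gateway pointing at the router itself, the stray network.@WAN[0] peer section, no metric on wwan, and a wan zone that accepts input or lists an interface that does not exist). The sample dump is a constructed excerpt of the configuration posted above with keys omitted.

```shell
#!/bin/sh
# Added example, not from the thread: lint a `uci show network; uci show firewall`
# dump for the problems the reply above fixes. Prints findings, sets AUDIT_FINDINGS.
audit_uci_dump() {
    dump=$1
    AUDIT_FINDINGS=0
    get() { printf '%s\n' "$dump" | sed -n "s/^$1='\(.*\)'\$/\1/p"; }
    note() { echo "finding: $1"; AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1)); }
    # 1. lan.gateway equal to lan.ipaddr routes upstream traffic back to the router
    gw=$(get 'network\.lan\.gateway')
    if [ -n "$gw" ] && [ "$gw" = "$(get 'network\.lan\.ipaddr')" ]; then
        note "network.lan.gateway=$gw is the router's own address; delete it"
    fi
    # 2. peers belong in the wireguard_<iface> section type, not a section typed WAN
    if printf '%s\n' "$dump" | grep -q '^network\.@WAN\[0]=WAN$'; then
        note "network.@WAN[0] is a stray peer section; peers belong in wireguard_WAN"
    fi
    # 3. without a metric the DHCP uplink's default route competes with the tunnel's
    if [ -z "$(get 'network\.wwan\.metric')" ]; then
        note "network.wwan has no metric; set one so the tunnel route wins"
    fi
    # 4. the wan zone should REJECT input and list only interfaces that exist
    idx=$(printf '%s\n' "$dump" | sed -n "s/^firewall\.@zone\[\([0-9]*\)]\.name='wan'\$/\1/p")
    if [ -n "$idx" ] && [ "$(get "firewall\.@zone\[$idx]\.input")" != "REJECT" ]; then
        note "firewall zone 'wan' input is $(get "firewall\.@zone\[$idx]\.input"), not REJECT"
    fi
    for net in $(get "firewall\.@zone\[$idx]\.network"); do
        if ! printf '%s\n' "$dump" | grep -q "^network\.$net=interface\$"; then
            note "firewall zone 'wan' references undefined interface '$net'"
        fi
    done
    return 0
}

# Constructed excerpt of the dump posted above (keys omitted); expected: 5 findings.
BEFORE="network.lan=interface
network.lan.ipaddr='10.0.0.1'
network.lan.gateway='10.0.0.1'
network.@WAN[0]=WAN
network.wwan=interface
network.WAN=interface
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='ACCEPT'
firewall.@zone[1].network='Wireguard_VPN wwan'"
audit_uci_dump "$BEFORE"
echo "findings: $AUDIT_FINDINGS"
```

Run it again on the dump after applying the commands above and it should report no findings.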

I did what you recommended

network.lan=interface
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan._orig_ifname='eth0'
network.lan._orig_bridge='false'
network.lan.ipaddr='10.0.0.1'
network.lan.ifname='eth0'
network.lan.macaddr='e8:94:f6:49:10:e5'

network.wwan=interface
network.wwan.proto='dhcp'
network.wwan.metric='100'

network.WAN=interface
network.WAN.proto='wireguard'
network.WAN.private_key='---'
network.WAN.addresses='100.67.142.95/32'
network.WAN.preshared_key='---'
network.@wireguard_WAN[0]=wireguard_WAN
network.@wireguard_WAN[0].public_key='---'
network.@wireguard_WAN[0].allowed_ips='0.0.0.0/0'
network.@wireguard_WAN[0].route_allowed_ips='1'
network.@wireguard_WAN[0].endpoint_host='jfk-106-wg.whiskergalaxy.com'
network.@wireguard_WAN[0].endpoint_port='443'
network.@wireguard_WAN[0].persistent_keepalive='25'

wireguard_WAN is automatically created when adding the peer configs in the web interface. I deleted it as you suggested, but then the peer configs were missing.

The firewall improved with your scripts, and I thank you for it.

firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='ACCEPT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@zone[1]=zone
firewall.@zone[1].forward='ACCEPT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].name='wan'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@zone[1].network='wwan'
firewall.@zone[1].input='REJECT'
firewall.@zone[2]=zone
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].forward='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].name='VPN'
firewall.@zone[2].masq='1'
firewall.@zone[2].mtu_fix='1'
firewall.@zone[2].network='WAN'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest='VPN'
firewall.@forwarding[0].src='lan'

Unfortunately, the WireGuard handshake is still missing, but at least it is now actively transmitting packets to the WireGuard server address without an answer.

Is that a commercial VPN provider?
Verify the WG keys and check the output:

uci show system.ntp

The system time is OK; I think it is a firewall port problem. I tried a traffic rule to open 443 at zone 2, but it didn't work. I'll continue searching. Thanks a lot for your ideas, they definitely improved my network structure.

Why are you using a privileged port? Also, did you ensure you used UDP 443 for your traffic rule?
Either temporarily enable logging on that rule to see if you get hits or use tcpdump on the WAN interface.
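Alongside the logging and tcpdump checks suggested above, the quickest read on a peer's state is `wg show <iface> dump`. The following is an added example, not from either poster: a POSIX sh function that classifies each peer from that output, separating "transmitting but never answered" (the symptom reported earlier in the thread) from a stale or healthy tunnel. The sample dump is constructed, with key material replaced by placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: classify each peer from `wg show <iface> dump`.
# Usage on the router: wg_peer_state "$(wg show WAN dump)" "$(date +%s)"
wg_peer_state() {
    printf '%s\n' "$1" | awk -F'\t' -v now="$2" '
        NR == 1 { next }   # interface line: private key, public key, listen port, fwmark
        {
            # peer line: pubkey, psk, endpoint, allowed-ips, latest-handshake, rx, tx, keepalive
            endpoint = $3; hs = $5; rx = $6; tx = $7
            if (hs == 0 && tx > 0 && rx == 0)
                state = "NO-HANDSHAKE sent " tx " bytes, nothing back: check endpoint/UDP path, keys, PSK, clock"
            else if (hs == 0)
                state = "IDLE no traffic attempted yet"
            else if (now - hs > 180)
                state = "STALE last handshake " (now - hs) "s ago (> REJECT_AFTER_TIME 180s)"
            else
                state = "OK last handshake " (now - hs) "s ago, rx " rx " tx " tx
            print endpoint " " state
        }'
}

# Constructed dump: peer 1 mirrors the symptom above (transmitting, never answered),
# peer 2 is a healthy tunnel. Addresses are documentation ranges, keys are placeholders.
SAMPLE=$(printf '%s\t%s\t%s\t%s\n' PRIVKEY PUBKEY 51820 off
         printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' PEER1PUB PSK1 203.0.113.10:443 0.0.0.0/0 0 0 8836 25
         printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' PEER2PUB '(none)' 198.51.100.7:51820 10.10.0.0/24 1700000000 91744 60132 off)
wg_peer_state "$SAMPLE" 1700000040
```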

Hey guys, I think the problem is my router: each time I create the new WireGuard interface, the eth0 interface shuts down and I lose the internet connection. There are no problems with the traffic rules. The funny thing is, I lose the internet but I'm still able to resolve names and access addresses in the upper network.
