Wireguard, handshakes work but traffic not tunneled

Dear All,

I've been using DDWRT on multiple devices for some years.
With one of these devices, a wrt3200acm, I setup a Wireguard server that I am using to connect multiple peers with no issues (2 smartphones, 1 portable router, another wrt3200acm).

I am now looking to switch firmware as newer devices seem to be lacking in support on DD-WRT.

I bought a Linksys MR8300 V1.1 and flashed OpenWrt 22.03.
I connected my laptop via LAN.
I changed the lan ip.
I connected the router wirelessly to my ISP router.
I updated the software list and installed luci-app-wireguard luci-proto-wireguard (and I think wireguard-tools and kmod-wireguard were installed as well, as dependencies).

Then I rebooted and added a Wireguard interface, imported configuration downloaded from the server.
And it works, handshakes are successful (I see the handshakes on the server device), and one packet at a time both RX and TX are increasing, slowly but they are.

But... only the handshakes are happening, in fact from my laptop it seems that I am still connected to my ISP router, I am not into the tunnel at all.

It seems that the VPN is up and running, but the traffic happening through my laptop and the router is still not routed to the tunnel, like creating two routes, one to the tunnel and one to the ISP, and the traffic is directed to the ISP instead of the tunnel.

I tried adding my wireguard interface to the LAN firewall zone but that didn't change anything.

Ports are open on the ISP router.

I am a bit lost as the tunnel works on all my devices but I am failing to use OpenWRT as a client.

Furthermore, the fact that I have access to the ISP internet is quite scary, in fact I'd like to have a killswitch enabled, forcing all the traffic via the tunnel.

Any hint is appreciated, I am a bit lost here.

Is the WG instance on your OpenWrt router intended to run as a 'server'?

let's see your config files...

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

and also please provide the config for the remote peer.

If you are testing this while on the same network as your OpenWrt router/WG peer, and assuming that the OpenWrt side is acting as the 'server' in this scenario, you would necessarily have the same apparent IP address with and without the VPN tunnel running.

No, I am not on the same network.
Server is in House1, cascade connected to the router of ISP1
OpenWRT is in House2, cascade connected to the router of ISP2
I check the handshakes on the server side, connecting to the tunnel with my mobile, with the wireguard application.
Sorry if it was not clear: OpenWRT is the client, not the server. The server is running on DD-WRT and supporting multiple devices, such as mobile routers, 2 mobiles, another router. I just need this OpenWRT router that I just bought to play as any other client on that tunnel.

root@OpenWrt:~# cat /etc/config/network

REMOVED BEGINNING

config interface 'WG0'
        option proto 'wireguard'
        option private_key REDACTED
        option listen_port '51820'
        list addresses '10.4.0.10/24'
        option peerdns '0'
        list dns '192.168.3.1'
        option metric '10'

config wireguard_WG0
        option description 'Imported peer configuration'
        option public_key REDACTED
        list allowed_ips '0.0.0.0/0'
        option persistent_keepalive '25'
        option endpoint_host REDACTED MY SERVER DDNS
        option endpoint_port '51820'
        option route_allowed_ips '1'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'vpn'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'WG0'
        option input 'REJECT'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'vpn'



How is the OpenWrt router at house 2 connected to the ISP router? Is it LAN - LAN, or LAN - WAN?
How are the hosts at house 2 connected to the network? Do they connect directly to the OpenWrt router (on a unique subnet), or are they connecting to the ISP router?

Please include the beginning... it is relevant to the configuration and troubleshooting.

Remove the listen port on the interface definition (since this is 'client' mode).

These don't do anything on OpenWrt. You'll need to specify this in the dnsmasq config... this can be a bit annoying, actually... see this thread.

The ISP router is cabled to the fiber wall socket.
I am connecting the OpenWRT router with the WiFi of the ISP router.
I connect my laptop to the OpenWRT router that should be WG client, with LAN cable, so the traffic of my laptop should be in the tunnel.

Removed the listen port, still it doesn't work.

About DNS, well ok, I'll work on it, but that shouldn't be the issue. If that were the cause, then I would have the WG server IP but maybe with DNS leaks, while I am still running on my real IP, not tunneled.

Full network config:

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fddd:1030:d873::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        option ipv6 '0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.10.1'
        list dns '1.1.1.1'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'
        option metric '20'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 0'

config interface 'wwan'
        option proto 'dhcp'
        option peerdns '0'
        list dns '1.1.1.1'

config device
        option name 'wlan1'
        option ipv6 '0'

config device
        option name 'eth0'
        option ipv6 '0'

config interface 'WG0'
        option proto 'wireguard'
        option private_key REDACTED
        list addresses '10.4.0.10/24'
        option peerdns '0'
        list dns '192.168.3.1'
        option metric '10'

config wireguard_WG0
        option description 'Imported peer configuration'
        option public_key REDACTED
        list allowed_ips '0.0.0.0/0'
        option persistent_keepalive '25'
        option endpoint_host REDACTED SERVER DDNS
        option endpoint_port '51820'
        option route_allowed_ips '1'

So the OpenWrt router connects via wifi to the ISP router... I assume that it is linked with the wwan network in your config, is that correct?

What is the upstream network's subnet?

The following should be removed (general rule is not to have any wlan devices in the network file -- these are handled purely by the wireless config file).

Let's take a look at two other files as well as the wg status:

  • /etc/config/dhcp
  • /etc/config/wireless
  • output of wg show

That is correct, it's connected to WWAN. Right now the status is:

Protocol: DHCP client
Uptime: 0h 8m 36s
MAC: XXXXXXXX
RX: 2.40 MB (4514 Pkts.)
TX: 887.32 KB (3172 Pkts.)
IPv4: 192.168.1.57/24

as you can see the subnet mask of the ISP router is 192.168.1.X, no other networks with this subnet are connected to the tunnel.

Removed (unconfigured) wlan1 from devices, now only br-lan and eth0 are not grayed out.

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'soc/40000000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
        option channel '100'
        option band '5g'
        option htmode 'VHT80'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/a000000.wifi'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'
        option disabled '1'

config wifi-device 'radio2'
        option type 'mac80211'
        option path 'platform/soc/a800000.wifi'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option disabled '1'

config wifi-iface 'default_radio2'
        option device 'radio2'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'sta'
        option network 'wwan'
        option ssid REDACTED
        option encryption 'psk2'
        option key REDACTED

root@OpenWrt:~# wg show
interface: WG0
  public key: REDACTED
  private key: (hidden)
  listening port: 52085

peer: REDACTED
  endpoint: REDACTED
  allowed ips: 0.0.0.0/0
  latest handshake: 56 seconds ago
  transfer: 1.16 KiB received, 1.64 KiB sent
  persistent keepalive: every 25 seconds
root@OpenWrt:~#

I'm not seeing anything wrong here. Try removing the lan > wan zone forwarding from the firewall. This will force everything through the tunnel (or not allow it at all).

You may need to check the other side of the connection -- can you post the config file from the DD-WRT side (as well as any relevant firewall rules)?
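The suggestion above (drop the lan > wan forwarding so LAN traffic can only leave through the vpn zone) is easy to check mechanically. The following POSIX shell snippet is an added example, not code from the thread or from OpenWrt: it parses the text of an exported `/etc/config/firewall`, lists every `config forwarding` section as `src -> dest`, and flags a `lan -> wan` forwarding, which is the path that lets LAN hosts reach the ISP outside the tunnel. The two samples are constructed from the fragments posted above; the function names are mine.

```shell
#!/bin/sh
# Constructed sample 1: forwardings as posted in the thread (lan -> wan AND lan -> vpn).
FW_LEAKY="config zone
        option name 'lan'
        list network 'lan'

config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'vpn'"

# Constructed sample 2: the 'kill switch' shape, LAN may only be forwarded into the vpn zone.
FW_KILLSWITCH="config forwarding
        option src 'lan'
        option dest 'vpn'"

# Print one "src -> dest" line per 'config forwarding' section.
# unq() strips the single quotes UCI puts around values ('lan' -> lan).
list_forwardings() {
  printf '%s\n' "$1" | awk '
    function unq(v) { return (substr(v, 1, 1) == "\047") ? substr(v, 2, length(v) - 2) : v }
    function flush() {
      if (insec && src != "" && dst != "") print src " -> " dst
      insec = 0; src = ""; dst = ""
    }
    $1 == "config" { flush(); insec = ($2 == "forwarding"); next }
    insec && $1 == "option" && $2 == "src"  { src = unq($3) }
    insec && $1 == "option" && $2 == "dest" { dst = unq($3) }
    END { flush() }'
}

# Exit 0 when a lan -> wan forwarding exists, i.e. LAN traffic can bypass the tunnel zone.
lan_can_bypass_tunnel() {
  list_forwardings "$1" | grep -q '^lan -> wan$'
}

# Human-readable verdict; on a router: audit_forwardings "$(cat /etc/config/firewall)"
audit_forwardings() {
  list_forwardings "$1"
  if lan_can_bypass_tunnel "$1"; then
    echo "LEAK: lan -> wan forwarding present; LAN hosts can reach the ISP outside the tunnel"
  else
    echo "OK: no lan -> wan forwarding; LAN egress is confined to the vpn zone"
  fi
}

audit_forwardings "$FW_LEAKY"
audit_forwardings "$FW_KILLSWITCH"
```

Removing the forwarding is only half of a kill switch: it stops LAN hosts from being forwarded to the wan zone, but internet access then depends entirely on the wg0 route actually being the preferred default route, which is a separate check on the routing table.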

This looks like it should work. I would use lowercase for the interface name 'wg0'-- make sure to change it consistently in all the files.

Look at the routing table-- Wireguard should have installed the split default route 0.0.0.0/1 and 128.0.0.0/1 via wireguard interface. Run a traceroute to a well-known numeric IP such as 8.8.4.4.

Using the 10.4.0.0 IP of the wireguard server router, you should be able to ping it through the tunnel, if the firewall on the server is set up to allow incoming pings. Your vpn zone would need to allow input (or have an allow ping on VPN rule) to be able to ping 10.4.0.10 from the other side.

Removing it just disables internet; OpenWRT for some reason doesn't want the traffic to go through a probably working tunnel.

But pinging my server DDNS with the Wireguard port from the OpenWRT terminal works.

I don't know what's wrong. Nothing special on ddwrt really, in fact those configs work for all the other devices I have.

I'll sleep on this and return on this later, I might need to drop OpenWRT, but unfortunately this device is not compatible with ddwrt.

This seems to indicate that the tunnel is indeed running.

It is worth looking at the config on the DD-WRT side just in case there is an error or inconsistency that we can spot. Another thing -- are other 'clients' connected to the DD-WRT 'server' while you are testing this? It is plausible that this is causing an issue if things are not configured properly (such as the allowed IPs for each of the peers listed in the DD-WRT config).

This is categorically incorrect. The problem is something with the configuration, not a compatibility issue between the two platforms.

The last peer is the OpenWRT router we are talking about.

Ok... so that all looks okay (at least as far as the stuff you've shown -- I don't know if there are any other things on the DD-WRT side that need to be considered).

Try doing as @mk24 suggested (making wg0 all lowercase in the network and firewall files). Then restart your router and see if things work.

From the router itself, try pinging a public IP address as well as performing a traceroute (do this by IP, not domain names).

Shouldn't the Peer : Enabled radio button be clicked instead of disabled?

Every peer in your wireguard network needs to have a unique public / private key pair. It will not work to run the same keys on two peers that are connected at the same time.

It looks like the dd-wrt tunnel has an IP of 10.4.0.1 and Firewall Incoming is not checked, so you should be able to send pings down the tunnel to that IP.

Sorry @mk24 i missed your previous reply.
I'll return on this tomorrow, I already did some ping testing with or without domains, from the router and from the laptop. I'll also give the lowercase thing a try.
Sorry could you please point me to this checkbox that you think should be enabled?

Many thanks for the help.

I changed the interface name to be lowercase, and it's consistently reflected in the rest of the configuration.

But the issue persists, traffic is not going into the tunnel but to the ISP.

Router ping 10.4.0.1 successful
Router ping 192.168.4.1 (server router) not successful
This means that even though the tunnel is up and the handshake happens, the device is not connected to the WG network, as with my mobile if I connect to the tunnel I can browse 192.168.4.1 .
Router ping 10.4.0.1 successful but I don't know how this could help.

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fddd:1030:d873::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        option ipv6 '0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.10.1'
        list dns '1.1.1.1'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'
        option metric '20'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 0'

config interface 'wwan'
        option proto 'dhcp'
        option peerdns '0'
        list dns '1.1.1.1'

config device
        option name 'eth0'
        option ipv6 '0'

config interface 'wg0'
        option proto 'wireguard'
        option private_key REDACTED
        option listen_port '51820'
        list addresses '10.4.0.10/24'
        option peerdns '0'
        list dns '192.168.3.1'
        option metric '10'

config wireguard_wg0
        option description 'Imported peer configuration'
        option public_key SERVERKEY
        list allowed_ips '0.0.0.0/0'
        option persistent_keepalive '25'
        option endpoint_host SERVER DDNS
        option endpoint_port '51820'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'vpn'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'
        option masq '1'
        list network 'wg0'

config rule
        option name 'AllowWG'
        list proto 'udp'
        option src '*'
        option dest '*'
        option dest_port '51820'
        option target 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'vpn'

root@OpenWrt:~#

Now I reflashed the full firmware to eliminate any possibility to have some of my options interacting with the wg0 interface.

Reflashed,
Set Password,
Changed LAN IP,
Connected WWAN,
Updated Software List,
Installed luci-app-wireguard (that installed all the rest)
Rebooted router,
Interface, New Interface, wg0, Wireguard VPN, Import configuration
Assigned to new zone named vpn,
firewall:
1 VPN-REJECT reject accept reject masq=Y
2 adding VPN to LAN-WAN so now its LAN-WAN,VPN
save and apply

Now it's a very clean setup out of the box but the issue persists.

You need to remove the metric assigned to the wireguard interface.
This creates a second default gateway route with a lower priority.

root@Home:~# ip ro li default
default via 192.168.1.1 dev eth0.2 proto static src 192.168.1.254
default dev wg0 proto static scope link metric 5
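Both the earlier advice to inspect the routing table for a split default route (0.0.0.0/1 and 128.0.0.0/1 via the WireGuard interface) and the point above about a second default gateway come down to one question: which route does the kernel pick for internet-bound traffic? The kernel prefers the longest prefix match first, and between equal prefixes the lowest metric; a route without a `metric` keyword has metric 0. In the posted config `wan` carries `metric 20` but `wwan` carries none, so a wwan default route at metric 0 outranks a `default dev wg0 ... metric 10`. The POSIX shell snippet below is an added example, not code from the thread or from OpenWrt; the `ip route` lines are constructed (the wwan station device is assumed to be `wlan1`), the addresses are taken from the thread, and the function names are mine.

```shell
#!/bin/sh
# Constructed `ip route` output for the failing case: the wwan default route has no
# metric (so metric 0) and beats the wg0 default route at metric 10.
RT_LOSING='default via 192.168.1.1 dev wlan1 proto static src 192.168.1.57
default dev wg0 proto static scope link metric 10
10.4.0.0/24 dev wg0 proto kernel scope link src 10.4.0.10
192.168.1.0/24 dev wlan1 proto kernel scope link src 192.168.1.57
192.168.10.0/24 dev br-lan proto kernel scope link src 192.168.10.1'

# Constructed: metric removed from wg0 and a higher metric on the upstream default.
RT_WINNING='default dev wg0 proto static scope link
default via 192.168.1.1 dev wlan1 proto static src 192.168.1.57 metric 20
10.4.0.0/24 dev wg0 proto kernel scope link src 10.4.0.10'

# Constructed: the wg-quick style split default (0.0.0.0/1 + 128.0.0.0/1), which wins
# by longest prefix match regardless of any default route's metric.
RT_SPLIT='default via 192.168.1.1 dev wlan1 proto static src 192.168.1.57
0.0.0.0/1 dev wg0 scope link
128.0.0.0/1 dev wg0 scope link
10.4.0.0/24 dev wg0 proto kernel scope link src 10.4.0.10'

# Device of the lowest-metric "default" route (a missing metric counts as 0, like the kernel).
winning_default_dev() {
  printf '%s\n' "$1" | awk '
    $1 == "default" {
      dev = ""; metric = 0
      for (i = 2; i <= NF; i++) {
        if ($i == "dev") dev = $(i + 1)
        if ($i == "metric") metric = $(i + 1) + 0
      }
      if (best == "" || metric < bestm) { best = dev; bestm = metric }
    }
    END { print best }'
}

# Exit 0 when both halves of the split default point at the given device.
has_split_default() {
  printf '%s\n' "$1" | awk -v want="$2" '
    $1 == "0.0.0.0/1" || $1 == "128.0.0.0/1" {
      for (i = 2; i <= NF; i++) if ($i == "dev" && $(i + 1) == want) seen[$1] = 1
    }
    END { exit !(("0.0.0.0/1" in seen) && ("128.0.0.0/1" in seen)) }'
}

# Where internet-bound traffic actually leaves: the /1 pair beats any default route.
effective_egress_dev() {
  tun=${2:-wg0}
  if has_split_default "$1" "$tun"; then echo "$tun"; return; fi
  winning_default_dev "$1"
}

# Verdict for a routing table; on a router: diagnose "$(ip route)" wg0
diagnose() {
  tun=${2:-wg0}
  egress=$(effective_egress_dev "$1" "$tun")
  if [ "$egress" = "$tun" ]; then
    echo "OK: internet traffic egresses via $tun"
  else
    echo "LEAK: internet traffic egresses via $egress, not $tun (check default route metrics)"
  fi
}

diagnose "$RT_LOSING"
diagnose "$RT_WINNING"
diagnose "$RT_SPLIT"
```

A `LEAK` verdict with a successful handshake is exactly the symptom in this thread: the tunnel is up and 10.4.0.1 is reachable through it (the 10.4.0.0/24 route is more specific than any default), while everything else follows the upstream default route. A `traceroute` to a numeric address such as 8.8.4.4 shows the same thing from the packet's point of view: the first hop is the ISP router rather than the tunnel peer.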

Hi @pavelgl, I already removed it and made a fresh flash of the firmware; unfortunately the issue persists.

The metric was actually a try to make the router understand the priority of the tunnel, in fact I set a bigger value for the usual route.

This is interesting: browsing to 10.4.0.1 I am in the configuration page of the router used to host the WG server. This is the proof that the OpenWRT router is indeed connected to the tunnel, it just can't push internet traffic through it.
This probably also proves that the WG port on the ISP router (where OpenWRT is) is open, otherwise the local traffic should not go through either.
But if I browse 192.168.4.1 I am not prompted with the same config page (while I am when connected from any other device in the tunnel).
If I ping 1.1.1.1 after removing WAN from the lan firewall settings, then it doesn't work; this means that it's not DNS, it's just blocked traffic for some reason.