Wireguard issues over 5G cellular network

On my OpenWrt router I have a WireGuard server set up with a public IPv6 IP as the endpoint.

When I try to access this server from my phone's 5G cellular network (which uses something called 464XLAT), the first handshake completes successfully, but subsequent handshakes fail and network activity keeps dropping and coming back.

How can I solve this?
Apologies if this is not an OpenWrt issue.

wg show
interface: wg0
  public key: Public-Key
  private key: (hidden)
  listening port: 56565

peer: Public-Key
  endpoint: ipv6-ip:59398
  allowed ips: 192.168.195.2/32, fd7c:35df:4fab::1/128
  latest handshake: 10 hours, 22 minutes, 20 seconds ago
  transfer: 1.03 MiB received, 11.85 MiB sent
  persistent keepalive: every 25 seconds

464XLAT is for accessing an IPv4-only server from an IPv6-only client.
That doesn't seem to be the case here. Does the phone have an IPv6 address?
Could you post here some troubleshooting info?

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export firewall; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ip -6 addr ; ip -6 ro li tab all ; ip -6 ru

To be clear, my cellular provider uses 464XLAT with 5G SA; it is IPv6-only.

The ISP on my router is dual-stack.

Here's the info you asked for:

"kernel": "6.6.67",
        "hostname": "NanoPi",
        "system": "ARMv8 Processor rev 4",
        "model": "FriendlyElec NanoPi R2S",
        "board_name": "friendlyarm,nanopi-r2s",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.0-rc4",
                "revision": "r28211-d55754ce0d",
                "target": "rockchip/armv8",
                "description": "OpenWrt 24.10.0-rc4 r28211-d55754ce0d",
                "builddate": "1734915335"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd39:249b:b031::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config device
        option name 'eth1'
        option macaddr 'REDACTED'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option delegate '0'
        list ip6addr 'xxxx:xxxx:xxxx:xxxx::1:fe'

config device
        option name 'eth0'
        option macaddr 'REDACTED'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'
        option hostname '*'
        option peerdns '0'
        list dns '9.9.9.9'
        list dns '149.112.112.112'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option norelease '1'
        option peerdns '0'
        list dns '2620:fe::fe'
        list dns '2620:fe::fe:9'
        option sourcefilter '0'
        option delegate '0'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'REDACTED'
        option listen_port '56565'
        option delegate '0'
        option mtu '1280'
        list addresses '192.168.195.1/24'
        list addresses 'fd7c:35df:4fab::/64'

config wireguard_wg0
        option description 'iPhone'
        option public_key 'REDACTED'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        list allowed_ips '192.168.195.2/32'
        list allowed_ips 'fd7c:35df:4fab::1/128'

config interface 'tailscale'
        option proto 'none'
        option device 'tailscale0'

package firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'wg0'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'wg0'

config forwarding
        option src 'wg0'
        option dest 'lan'

config forwarding
        option src 'wg0'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'wg0'

config rule
        option name 'Allow-Wireguard'
        list proto 'udp'
        option src 'wan'
        option dest_port '56565'
        option target 'ACCEPT'
        option family 'ipv6'

config zone
        option name 'tailscale'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'tailscale'

config forwarding
        option src 'tailscale'
        option dest 'lan'

config forwarding
        option src 'tailscale'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'tailscale'

config nat
        option name 'wg-66'
        option src 'wan'
        option src_ip 'fd7c:35df:4fab::/64'
        option target 'MASQUERADE'
        list proto 'all'

config redirect
        option target 'DNAT'
        option name 'Intercept-DNS'
        option family 'any'
        option src 'lan'
        option src_dport '53'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc cake state UP group default qlen 1000
    inet 192.168.29.175/24 brd 192.168.29.255 scope global eth0
       valid_lft forever preferred_lft forever
24: tailscale0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280 qdisc fq_codel state UNKNOWN group default qlen 500
    inet 100.123.65.23/32 scope global tailscale0
       valid_lft forever preferred_lft forever
25: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
39: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1280 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 192.168.195.1/24 brd 192.168.195.255 scope global wg0
       valid_lft forever preferred_lft forever
100.69.182.94 dev tailscale0 table 52 
100.71.2.40 dev tailscale0 table 52 
100.71.199.13 dev tailscale0 table 52 
100.80.43.116 dev tailscale0 table 52 
100.90.114.63 dev tailscale0 table 52 
100.100.100.100 dev tailscale0 table 52 
100.107.196.45 dev tailscale0 table 52 
default via 192.168.29.1 dev eth0 proto static src 192.168.29.175 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
192.168.29.0/24 dev eth0 proto kernel scope link src 192.168.29.175 
192.168.195.0/24 dev wg0 proto kernel scope link src 192.168.195.1 
192.168.195.2 dev wg0 proto static scope link 
local 100.123.65.23 dev tailscale0 table local proto kernel scope host src 100.123.65.23 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1 
local 192.168.29.175 dev eth0 table local proto kernel scope host src 192.168.29.175 
broadcast 192.168.29.255 dev eth0 table local proto kernel scope link src 192.168.29.175 
local 192.168.195.1 dev wg0 table local proto kernel scope host src 192.168.195.1 
broadcast 192.168.195.255 dev wg0 table local proto kernel scope link src 192.168.195.1 
0:      from all lookup local
5210:   from all fwmark 0x80000/0xff0000 lookup main
5230:   from all fwmark 0x80000/0xff0000 lookup default
5250:   from all fwmark 0x80000/0xff0000 unreachable
5270:   from all lookup 52
32766:  from all lookup main
32767:  from all lookup default
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host proto kernel_lo 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 REDACTED/64 scope global dynamic noprefixroute 
       valid_lft 7433sec preferred_lft 7433sec
    inet6 fe80::b0f7:57ff:fe80:54cc/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
24: tailscale0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280 state UNKNOWN qlen 500
    inet6 fd7a:115c:a1e0::3801:4119/128 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::e31:3cbc:f5dd:c9ee/64 scope link stable-privacy proto kernel_ll 
       valid_lft forever preferred_lft forever
25: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 REDACTED/128 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::b0f7:57ff:fe80:54cd/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
34: ifb4eth0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN qlen 32
    inet6 fe80::9466:9bff:fe0e:3673/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
39: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1280 state UNKNOWN qlen 1000
    inet6 fd7c:35df:4fab::/64 scope global 
       valid_lft forever preferred_lft forever
fd7a:115c:a1e0::53 dev tailscale0 table 52 metric 1024 pref medium
fd7a:115c:a1e0::/48 dev tailscale0 table 52 metric 1024 pref medium
xxxx:xxx:xx:xxxx::1:fe dev br-lan proto kernel metric 256 pref medium
REDACTED dev br-lan proto static metric 1024 pref medium
REDACTED dev br-lan proto static metric 1024 pref medium
REDACTED dev br-lan proto static metric 1024 pref medium
REDACTED dev br-lan proto static metric 1024 pref medium
REDACTED dev br-lan proto static metric 1024 pref medium
REDACTED dev br-lan proto static metric 1024 pref medium
REDACTED dev br-lan proto static metric 1024 pref medium
REDACTED dev br-lan proto static metric 1024 pref medium
REDACTED dev br-lan proto static metric 1024 pref medium
REDACTED dev br-lan proto static metric 1024 pref medium
REDACTED dev br-lan proto static metric 1024 pref medium
REDACTED dev br-lan proto static metric 1024 pref medium
REDACTED dev br-lan proto static metric 1024 pref medium
REDACTED dev br-lan proto static metric 1024 pref medium
REDACTED dev br-lan proto static metric 1024 pref medium
xxxx:xxxx:xxx:xxxx::/64 dev eth0 proto static metric 256 pref medium
unreachable xxxx:xxx:xxx:xxxx::/64 dev lo proto static metric 2147483647 pref medium
unreachable fd39:249b:b031::/48 dev lo proto static metric 2147483647 pref medium
fd7a:115c:a1e0::3801:4119 dev tailscale0 proto kernel metric 256 pref medium
fd7c:35df:4fab::1 dev wg0 proto static metric 1024 pref medium
fd7c:35df:4fab::/64 dev wg0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev tailscale0 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev ifb4eth0 proto kernel metric 256 pref medium
default via fe80::ea01:8dff:fe33:a959 dev eth0 proto static metric 384 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast xxxx:xxx:xxxx:xxxx:: dev eth0 table local proto kernel metric 0 pref medium
local xxxx:xxxx:xxx:xxxx::1:fe dev br-lan table local proto kernel metric 0 pref medium
local REDACTED dev eth0 table local proto kernel metric 0 pref medium
local fd7a:115c:a1e0::3801:4119 dev tailscale0 table local proto kernel metric 0 pref medium
local fd7c:35df:4fab:: dev wg0 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev tailscale0 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev ifb4eth0 table local proto kernel metric 0 pref medium
local fe80::e31:3cbc:f5dd:c9ee dev tailscale0 table local proto kernel metric 0 pref medium
local fe80::9466:9bff:fe0e:3673 dev ifb4eth0 table local proto kernel metric 0 pref medium
local fe80::b0f7:57ff:fe80:54cc dev eth0 table local proto kernel metric 0 pref medium
local fe80::b0f7:57ff:fe80:54cd dev br-lan table local proto kernel metric 0 pref medium
multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev tailscale0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev br-lan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev ifb4eth0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev wg0 table local proto kernel metric 256 pref medium
0:      from all lookup local
5210:   from all fwmark 0x80000/0xff0000 lookup main
5230:   from all fwmark 0x80000/0xff0000 lookup default
5250:   from all fwmark 0x80000/0xff0000 unreachable
5270:   from all lookup 52
32766:  from all lookup main

Not sure if this is your problem, but the WG interface should have e.g. address ::1, i.e. `list addresses 'fd7c:35df:4fab::1/64'`

The iPhone then can/should have address ::2; also change it in the iPhone config:

list allowed_ips 'fd7c:35df:4fab::2/128' 

Also make sure you set Persistent Keep Alive on the iphone to 25

Furthermore, to have IPv6 Internet access from your iPhone via the WG server you need to NAT6 the WG IPv6 subnet, e.g.:
/etc/config/firewall:

config nat 'nat6'
	option family 'ipv6'
	option src 'wan'
	option src_ip 'fd7c:35df:4fab::0/64'
	option target 'MASQUERADE'
	list proto 'all'
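As an added check (example code written for this edit, not from the thread, OpenWrt or WireGuard), here is a small Python linter that parses a `uci export network` excerpt and flags the address mistakes discussed in the reply above: a WireGuard interface address whose host part is all zeros (for IPv6 that is the subnet-router anycast address from RFC 4291, not a host address), a peer without `persistent_keepalive`, and, going one step beyond the thread, a peer `allowed_ips` that covers the interface's own address. The config text inside is a constructed excerpt modelled on the original (pre-fix) configuration; pipe the real export into it to run it on your own router.

```python
"""Added example: lint a WireGuard interface in `uci export network` output
for the address mistakes discussed in the reply above. Not OpenWrt or
WireGuard code; stdlib only. SAMPLE_UCI is a constructed excerpt modelled on
the thread's original (pre-fix) configuration."""
import ipaddress
import re

SAMPLE_UCI = """\
config interface 'wg0'
        option proto 'wireguard'
        option private_key 'REDACTED'
        option listen_port '56565'
        option mtu '1280'
        list addresses '192.168.195.1/24'
        list addresses 'fd7c:35df:4fab::/64'

config wireguard_wg0
        option description 'iPhone'
        option public_key 'REDACTED'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        list allowed_ips '192.168.195.2/32'
        list allowed_ips 'fd7c:35df:4fab::1/128'
"""

SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'([^']*)')?\s*$")
KV_RE = re.compile(r"^\s+(?:option|list)\s+(\S+)\s+'([^']*)'\s*$")


def parse_uci(text):
    """Return [(section_type, section_name_or_None, {key: [values]})]."""
    sections = []
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            sections.append((m.group(1), m.group(2), {}))
            continue
        m = KV_RE.match(line)
        if m and sections:
            # 'option' and 'list' are both stored as lists to keep one code path.
            sections[-1][2].setdefault(m.group(1), []).append(m.group(2))
    return sections


def lint_wireguard(text):
    """Return a list of findings (strings); an empty list means nothing found."""
    findings = []
    sections = parse_uci(text)
    for stype, name, kv in sections:
        if stype != "interface" or kv.get("proto") != ["wireguard"]:
            continue
        iface_addrs = []
        for addr in kv.get("addresses", []):
            iface = ipaddress.ip_interface(addr)
            iface_addrs.append(iface)
            if iface.ip == iface.network.network_address:
                # All-zero host part: for IPv6 this is the subnet-router anycast
                # address, not a usable host address.
                fixed = f"{iface.network.network_address + 1}/{iface.network.prefixlen}"
                findings.append(f"{name}: address {addr} has an all-zero host part; use e.g. {fixed}")
        # Peers of this interface live in 'wireguard_<interface>' sections.
        for ptype, _, pkv in sections:
            if ptype != f"wireguard_{name}":
                continue
            peer = pkv.get("description", ["<unnamed peer>"])[0]
            if "persistent_keepalive" not in pkv:
                findings.append(f"{name}/{peer}: no persistent_keepalive set (needed when the peer sits behind NAT)")
            for allowed in pkv.get("allowed_ips", []):
                net = ipaddress.ip_network(allowed, strict=False)
                for iface in iface_addrs:
                    if net.version == iface.ip.version and iface.ip in net:
                        findings.append(f"{name}/{peer}: allowed_ips {allowed} covers the interface's own address {iface.ip}")
    return findings


if __name__ == "__main__":
    import sys
    # Usage on the router: uci export network | python3 lint_wg.py
    text = SAMPLE_UCI if sys.stdin.isatty() else sys.stdin.read()
    for finding in lint_wireguard(text) or ["no findings"]:
        print(finding)
```

On the sample it reports only the all-zero host part on `fd7c:35df:4fab::/64`; after changing the interface to `::1/64` and the peer to `::2/128` it reports nothing, and if the interface is moved to `::1` while the peer keeps `::1/128` the overlap check fires instead.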

Thanks, I corrected the errors you mentioned in my config, but the issue of network drops while connected to WG is still present, and only from my cellular 5G connection.

These are the logs I see in the WG app on the iPhone:

[NET] UDP bind has been updated
2025-01-05 15:36:51.648
[NET] Routine: receive incoming v4 - started
2025-01-05 15:36:51.648
[NET] Routine: receive incoming v6 - started
2025-01-05 15:36:51.648
[NET] peer(bcQ/…welM) - Sending keepalive packet
2025-01-05 15:37:12.322
[NET] peer(bcQ/…welM) - Retrying handshake because we stopped hearing back after 15 seconds
2025-01-05 15:37:12.322
[NET] peer(bcQ/…welM) - Sending handshake initiation
2025-01-05 15:37:12.622
[NET] peer(bcQ/…welM) - Receiving keepalive packet

Next step: look at MTU. Start both sides at 1420; if that does not work, go to 1360, then to 1280 on both sides.
Although 1280 is said to be the minimum for IPv6, try to go lower than 1280.

As you suggested, I tried various MTU sizes on both the server and in the iPhone app, but none of them gives me a reliable connection to WG.

I keep seeing this particular log line very often:

[NET] peer(bcQ/…welM) - Retrying handshake because we stopped hearing back after 15 seconds

Based on the logs, it seems like the keepalive packets sometimes get no response:

2025-01-05 17:45:49.232
[NET] peer(bcQ/…welM) - Sending keepalive packet
2025-01-05 17:47:50.596
[NET] peer(bcQ/…welM) - Sending handshake initiation
2025-01-05 17:47:50.672
[NET] peer(bcQ/…welM) - Received handshake response
2025-01-05 17:47:50.672
[NET] peer(bcQ/…welM) - Sending keepalive packet
2025-01-05 17:48:46.614
[NET] peer(bcQ/…welM) - Receiving keepalive packet
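As an added example (my code, not the thread's or the WireGuard app's), here is a small Python script that parses an export of the iOS app's log in the two-line timestamp/message format shown above and summarises what the log only hints at: how many handshake retries there were, which sends were followed by nothing from the server for longer than the keepalive interval should allow, and the longest gap between any two inbound events. The log excerpt inside is constructed to resemble the lines quoted above, and the 30 s silence threshold is my assumption (25 s keepalive plus slack). With persistent keepalive 25 on both ends, a phone that keeps logging sends while nothing arrives for much longer than 25 s is seeing the return path drop; the app cannot tell you more than that, and a capture on the router side shows whether the server actually sent the missing packets.

```python
"""Added example: scan a WireGuard-for-iOS log excerpt for signs that the
return path is dropping packets (keepalives sent with nothing heard back,
handshake retries). Not from the thread or the WireGuard project; stdlib
only. SAMPLE_LOG is constructed to mimic the app's two-line
timestamp/message format seen in the thread."""
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2025-01-05 17:45:49.232
[NET] peer(bcQ/…welM) - Sending keepalive packet
2025-01-05 17:46:14.240
[NET] peer(bcQ/…welM) - Sending keepalive packet
2025-01-05 17:47:50.596
[NET] peer(bcQ/…welM) - Sending handshake initiation
2025-01-05 17:47:50.672
[NET] peer(bcQ/…welM) - Received handshake response
2025-01-05 17:47:50.672
[NET] peer(bcQ/…welM) - Sending keepalive packet
2025-01-05 17:48:05.700
[NET] peer(bcQ/…welM) - Retrying handshake because we stopped hearing back after 15 seconds
2025-01-05 17:48:46.614
[NET] peer(bcQ/…welM) - Receiving keepalive packet
"""

TS_FMT = "%Y-%m-%d %H:%M:%S.%f"


def parse_events(text):
    """Pair each timestamp line with the message line that follows it."""
    lines = [line for line in text.splitlines() if line.strip()]
    return [(datetime.strptime(lines[i], TS_FMT), lines[i + 1])
            for i in range(0, len(lines) - 1, 2)]


def is_inbound(msg):
    """True for events that prove a packet arrived from the server."""
    tail = msg.split(" - ")[-1]
    return tail.startswith("Receiving") or tail.startswith("Received")


def analyse(text, silence=timedelta(seconds=30)):
    """Summarise the log. With persistent_keepalive 25 on both ends something
    should arrive at least every ~25 s, so a send followed by more than
    `silence` (assumed 30 s) of inbound quiet is counted as unanswered."""
    events = parse_events(text)
    summary = {"retries": 0, "unanswered_sends": [], "longest_inbound_gap_s": 0.0}
    last_in = None
    for idx, (ts, msg) in enumerate(events):
        if "Retrying handshake" in msg:
            summary["retries"] += 1
            continue
        if is_inbound(msg):
            if last_in is not None:
                gap = (ts - last_in).total_seconds()
                summary["longest_inbound_gap_s"] = max(summary["longest_inbound_gap_s"], gap)
            last_in = ts
            continue
        if " - Sending " in msg:
            # First inbound event after this send, if any.
            heard = next((t2 for t2, m2 in events[idx + 1:] if is_inbound(m2)), None)
            if heard is None or heard - ts > silence:
                summary["unanswered_sends"].append(ts.strftime("%H:%M:%S"))
    return summary


if __name__ == "__main__":
    import sys
    # Usage: python3 wg_log_gaps.py < exported-wireguard-log.txt
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    print(analyse(text))
```

On the constructed sample the script reports one retry, three sends with no inbound event within 30 s (17:45:49, 17:46:14 and 17:47:50) and a longest inbound gap of about 56 s; only the handshake initiation at 17:47:50 was answered promptly.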

Irrelevant to your issue, but the wg0 zone is not needed. You can add the wg0 interface to the lan zone.

This rule is not needed; you can do NAT66 in the wan zone:

uci set firewall.wan.masq6='1'
uci add_list firewall.wan.masq_src='fd7c:35df:4fab::0/64'
uci commit firewall
service firewall restart

Did you add the persistent keepalive 25 on both iphone and OpenWrt?

This can be checked with tcpdump.
opkg update; opkg install tcpdump; tcpdump -i eth0 -vnn udp port 56565

I have tried assigning the WG interface to the lan zone, but that didn't solve any issues.

Here is some tcpdump output while connected from my phone to WG:

tcpdump: listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
12:42:16.753577 IP6 (hlim 64, next-header UDP (17) payload length: 216) 2405:xx:xx:xx:xx:xx:fe80:54cc.56565 > 2409:xx:xx:xxxx:xx:xx:9ea3.56013: [bad udp cksum 0x58c8 -> 0x3e28!] UDP, length 208
12:42:16.771045 IP6 (class 0x28, flowlabel 0x60500, hlim 56, next-header UDP (17) payload length: 104) 2409:xx:xx:xx:xx:xx:304c:9ea3.56013 > 2405:xx:xx:xx:xx:xx:fe80:54cc.56565: [udp sum ok] UDP, length 96
12:42:16.810206 IP6 (hlim 64, next-header UDP (17) payload length: 344) 2405:xx:xx:xx:xx:xx:fe80:54cc.56565 > 2409:xx:xx:xx:xx:xx:xx:9ea3.56013: [bad udp cksum 0x5948 -> 0x9932!] UDP, length 336
12:42:16.810265 IP6 (hlim 64, next-header UDP (17) payload length: 360) 2405:xx:xx:xxx:xxx:xxx:fe80:54cc.56565 > 2409:xx:xx:xx:xx:xx:304c:9ea3.56013: [bad udp cksum 0x5958 -> 0x674f!] UDP, length 352
12:42:16.830984 IP6 (class 0x28, flowlabel 0x60500, hlim 56, next-header UDP (17) payload length: 104) 2409:xx:xx:xx:xxx:xxx:304c:9ea3.56013 > 2405:xxx:xxx:xxxx:xxxx:xxx:fe80:54cc.56565: [udp sum ok] UDP, length 96
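As an added example (not from the thread, OpenWrt or WireGuard), here is a Python parser for `tcpdump -vnn` lines like the ones above that tells WireGuard message types apart by UDP payload length alone, counts them per direction, and lists handshake initiations from the phone that got no response within WireGuard's 5 s rekey timeout. The capture text inside is constructed with documentation addresses (2001:db8::/32) to match the thread's line format. It also counts the `bad udp cksum` flags separately: on packets the capturing host sends itself, tcpdump sees the frame before the NIC fills in the checksum when checksum offload is on, so that flag on outbound packets is expected and not a sign of corruption.

```python
"""Added example: classify WireGuard packets in `tcpdump -vnn udp port 56565`
output by UDP payload length and spot handshake initiations that got no
response. Not from the thread or the WireGuard project; stdlib only.
SAMPLE_DUMP is constructed (documentation addresses) to mimic the thread's
capture lines; the phone is 2001:db8:1::2, the router 2001:db8::1."""
import re

SAMPLE_DUMP = """\
12:42:10.100000 IP6 (class 0x28, flowlabel 0x60500, hlim 56, next-header UDP (17) payload length: 156) 2001:db8:1::2.56013 > 2001:db8::1.56565: [udp sum ok] UDP, length 148
12:42:10.120000 IP6 (hlim 64, next-header UDP (17) payload length: 100) 2001:db8::1.56565 > 2001:db8:1::2.56013: [bad udp cksum 0x1111 -> 0x2222!] UDP, length 92
12:42:16.753577 IP6 (hlim 64, next-header UDP (17) payload length: 216) 2001:db8::1.56565 > 2001:db8:1::2.56013: [bad udp cksum 0x58c8 -> 0x3e28!] UDP, length 208
12:42:16.771045 IP6 (class 0x28, flowlabel 0x60500, hlim 56, next-header UDP (17) payload length: 104) 2001:db8:1::2.56013 > 2001:db8::1.56565: [udp sum ok] UDP, length 96
12:42:16.810206 IP6 (hlim 64, next-header UDP (17) payload length: 344) 2001:db8::1.56565 > 2001:db8:1::2.56013: [bad udp cksum 0x5948 -> 0x9932!] UDP, length 336
12:42:16.810265 IP6 (hlim 64, next-header UDP (17) payload length: 360) 2001:db8::1.56565 > 2001:db8:1::2.56013: [bad udp cksum 0x5958 -> 0x674f!] UDP, length 352
12:42:16.830984 IP6 (class 0x28, flowlabel 0x60500, hlim 56, next-header UDP (17) payload length: 104) 2001:db8:1::2.56013 > 2001:db8::1.56565: [udp sum ok] UDP, length 96
12:42:41.900000 IP6 (hlim 64, next-header UDP (17) payload length: 40) 2001:db8::1.56565 > 2001:db8:1::2.56013: [bad udp cksum 0x3333 -> 0x4444!] UDP, length 32
12:43:20.000000 IP6 (class 0x28, flowlabel 0x60500, hlim 56, next-header UDP (17) payload length: 156) 2001:db8:1::2.56013 > 2001:db8::1.56565: [udp sum ok] UDP, length 148
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) .*?"
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"\[(?P<cksum>[^\]]*)\] UDP, length (?P<len>\d+)$")


def classify(udp_len):
    """WireGuard message type from the UDP payload size alone (no -X needed).
    Fixed sizes: handshake initiation 148, response 92, cookie reply 64.
    Transport packets are 32 bytes of header plus tag and a payload padded to
    16 bytes, so a bare keepalive is exactly 32 and 64 is ambiguous."""
    if udp_len == 148:
        return "handshake-initiation"
    if udp_len == 92:
        return "handshake-response"
    if udp_len == 64:
        return "cookie-reply-or-data"
    if udp_len == 32:
        return "keepalive"
    if udp_len > 32 and (udp_len - 32) % 16 == 0:
        return "data"
    return "not-wireguard?"


def to_seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_tcpdump(text):
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["sport"], d["dport"], d["len"] = int(d["sport"]), int(d["dport"]), int(d["len"])
        d["t"] = to_seconds(d["ts"])
        d["kind"] = classify(d["len"])
        pkts.append(d)
    return pkts


def summarize(text, server_port=56565, rekey_timeout=5.0):
    """Per-direction message counts, initiations with no response within the
    5 s rekey timeout, and how many locally sent packets carry the
    'bad udp cksum' flag (checksum offload, not corruption)."""
    pkts = parse_tcpdump(text)
    counts, unanswered, local_bad_cksum = {}, [], 0
    for i, p in enumerate(pkts):
        outbound = p["sport"] == server_port
        key = ("server->peer " if outbound else "peer->server ") + p["kind"]
        counts[key] = counts.get(key, 0) + 1
        if outbound and p["cksum"].startswith("bad udp cksum"):
            local_bad_cksum += 1
        if not outbound and p["kind"] == "handshake-initiation":
            if not any(q["sport"] == server_port and q["kind"] == "handshake-response"
                       and 0 <= q["t"] - p["t"] <= rekey_timeout for q in pkts[i + 1:]):
                unanswered.append(p["ts"])
    return {"counts": counts, "unanswered_initiations": unanswered,
            "local_bad_cksum": local_bad_cksum}


if __name__ == "__main__":
    import sys
    # Usage on the router: tcpdump -i eth0 -vnn -l udp port 56565 | python3 wg_dump.py
    text = SAMPLE_DUMP if sys.stdin.isatty() else sys.stdin.read()
    print(summarize(text))
```

On the constructed capture the five packets copied from the thread's format all classify as transport data (208, 336, 352 and 96 bytes are 32 plus a multiple of 16), the 148/92-byte pair at 12:42:10 is a completed handshake, the 32-byte packet is the router's keepalive, and the initiation at 12:43:20 with no 92-byte reply afterwards is flagged as unanswered.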

Looks fine; you have 5 packets exchanged within 10 msec.

I forgot to mention that earlier, but yes, Persistent Keepalive is set to 25 on both the wg0 interface and in the iPhone app.