Wireguard no RX, only TX packets

Hi there,

feeling a bit dumb here. Had a wireguard vpn set up and working with Android client, but cannot reproduce on my new router (turris omnia).

Here is the config: /etc/config/network

# WireGuard listener on the router (the road-warrior "server" side).
config interface 'wg0'
	option proto 'wireguard'
	# The router's own private key; it is never shared with peers.
	option private_key '*privkey_server*'
	# UDP port the tunnel listens on; peers must be able to reach it from the WAN.
	option listen_port '51820'
	list addresses '10.10.10.1/24'

# Peer entry for the phone.
config wireguard_wg0
	option public_key '*pubkey_client*'
	option description 'phone'
	# NOTE(review): this is the *client's* private key stored on the router.
	# The wireguard proto handler only needs the peer's public key; LuCI keeps
	# the private key here so it can export the client config / QR code.
	# Once the phone is provisioned it can be removed from the router config,
	# since anyone able to read /etc/config/network could then act as this peer.
	option private_key '*privkey_client*'
	option persistent_keepalive '25'
	# Install a route to allowed_ips via wg0.
	option route_allowed_ips '1'
	# Only this one address may be used by the peer inside the tunnel.
	list allowed_ips '10.10.10.2/32'

Firewall rules:

And the setup on Android:

where 1 = pubkey_client
and 2 = pubkey_server

It connects (sometimes after two tries), but there is no RX, only TX, and no access to the home network. Can somebody help out?

Let's see the complete network and firewall files:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
wg show

ubus call system board

{
	"kernel": "5.15.148",
	"hostname": "turris",
	"system": "ARMv7 Processor rev 1 (v7l)",
	"model": "Turris Omnia",
	"board_name": "cznic,turris-omnia",
	"rootfs_type": "btrfs",
	"release": {
		"distribution": "TurrisOS",
		"version": "7.0.2",
		"revision": "r20343+125-4e1d1b7df0",
		"target": "mvebu/cortexa9",
		"description": "TurrisOS 7.0.2 4e1d1b7df0ce6fa96d7462dc883917682f428046"
	}
}

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd93:6410:07a0::/48'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ip6ifaceid 'eui64'
	option ip6addr 'fe80::1'

config interface 'wan'
	option device 'eth2'
	option proto 'dhcp'
	option hostname 'turris'
	option ipv6 '1'

config interface 'guest_turris'
	option enabled '1'
	option proto 'static'
	option device 'br-guest-turris'
	option ipaddr '10.111.222.1'
	option netmask '255.255.255.0'
	option ip6assign '64'

config device 'br_guest_turris'
	option name 'br-guest-turris'
	option type 'bridge'
	option bridge_empty '1'

config device 'br_lan'
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'wan6'
	option device '@wan'
	option proto 'dhcpv6'

config device 'dev_wan'
	option name 'eth2'

# WireGuard listener on the router (the road-warrior "server" side).
config interface 'wg0'
	option proto 'wireguard'
	# The router's own private key; it is never shared with peers.
	option private_key 'redacted'
	# UDP port the tunnel listens on. The wan zone's input policy is REJECT,
	# so this port needs an explicit accept from wan for the handshake to arrive.
	option listen_port '51820'
	list addresses '10.10.10.1/24'

# Peer entry for the phone.
config wireguard_wg0
	option public_key 'redacted'
	option description 'phone'
	# NOTE(review): this is the *client's* private key stored on the router.
	# The wireguard proto handler only needs the peer's public key; LuCI keeps
	# the private key here so it can export the client config / QR code.
	# Once the phone is provisioned it can be removed from the router config,
	# since anyone able to read /etc/config/network could then act as this peer.
	option private_key 'redacted'
	option persistent_keepalive '25'
	# Install a route to allowed_ips via wg0.
	option route_allowed_ips '1'
	# Only this one address may be used by the peer inside the tunnel.
	list allowed_ips '10.10.10.2/32'

/etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option sentinel_minipot '1'
	option sentinel_dynfw '1'
	option sentinel_fwlogs '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config zone 'guest_turris'
	option enabled '1'
	option name 'tr_guest'
	option input 'REJECT'
	option forward 'REJECT'
	option output 'ACCEPT'
	list network 'guest_turris'

config forwarding 'guest_turris_forward_wan'
	option enabled '1'
	option name 'guest to wan forward'
	option src 'tr_guest'
	option dest 'wan'

config rule 'guest_turris_dns_rule'
	option enabled '1'
	option name 'guest dns rule'
	option src 'tr_guest'
	option proto 'tcpudp'
	option dest_port '53'
	option target 'ACCEPT'

config rule 'guest_turris_dhcp_rule'
	option enabled '1'
	option name 'guest dhcp rule'
	option src 'tr_guest'
	option proto 'udp'
	option src_port '67-68'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule 'guest_turris_Allow_DHCPv6'
	option src 'tr_guest'
	option proto 'udp'
	option src_ip 'fe80::/10'
	option src_port '546-547'
	option dest_ip 'fe80::/10'
	option dest_port '546-547'
	option family 'ipv6'
	option target 'ACCEPT'

config rule 'guest_turris_Allow_MLD'
	option src 'tr_guest'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	option family 'ipv6'
	option target 'ACCEPT'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'

config rule 'guest_turris_Allow_ICMPv6_Input'
	option src 'tr_guest'
	option proto 'icmp'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'

config rule 'wan_ssh_turris_rule'
	option name 'wan_ssh_turris_rule'
	option enabled '0'
	option target 'ACCEPT'
	option dest_port '22'
	option proto 'tcp'
	option src 'wan'

config rule 'wan_http_turris_rule'
	option name 'wan_http_turris_rule'
	option enabled '0'
	option target 'ACCEPT'
	option dest_port '80'
	option proto 'tcp'
	option src 'wan'

config rule 'wan_https_turris_rule'
	option name 'wan_https_turris_rule'
	option enabled '0'
	option target 'ACCEPT'
	option dest_port '443'
	option proto 'tcp'
	option src 'wan'

config rule 'turris_wan_6in4_rule'
	option enabled '0'

config rule 'turris_wan_6to4_rule'
	option enabled '0'

config include 'bcp38'
	option type 'script'
	option path '/usr/lib/bcp38/run.sh'

# Zone for the tunnel interface: traffic from peers may reach the router
# itself (input ACCEPT) but is only forwarded where a forwarding below allows.
config zone
	option name 'wireguard'
	option input 'ACCEPT'
	option forward 'REJECT'
	list network 'wg0'
	option output 'ACCEPT'

# Peers may reach the home LAN ...
config forwarding
	option dest 'lan'
	option src 'wireguard'

# ... and the internet (masqueraded by the wan zone's masq '1').
config forwarding
	option dest 'wan'
	option src 'wireguard'

# LAN hosts may initiate connections to peers.
config forwarding
	option dest 'wireguard'
	option src 'lan'

# NOTE(review): WireGuard listens on the router itself, so a DNAT to the
# router's own LAN address is not the usual way to open the port, and with
# the wan zone's input policy at REJECT the normal form is a traffic rule:
#   config rule
#     option src 'wan'
#     option proto 'udp'
#     option dest_port '51820'
#     option target 'ACCEPT'
# As written the redirect also sets no 'proto', so it presumably matches TCP
# as well as UDP (firewall default); WireGuard only uses UDP.
config redirect
	option dest_port '51820'
	option src 'wan'
	option name 'wireguard'
	option src_dport '51820'
	option dest 'lan'
	option dest_ip '192.168.1.1'
	option target 'DNAT'

config include 'sentinel_firewall'
	option type 'script'
	option path '/usr/libexec/sentinel/firewall.sh'
	option family 'any'
	option reload '1'

wg show

interface: wg0
  public key: 'redacted'
  private key: (hidden)
  listening port: 51820

peer: 'redacted'
  allowed ips: 10.10.10.2/32
  persistent keepalive: every 25 seconds

It appears you are using firmware that is not from the official OpenWrt project.

When using forks/offshoots/vendor-specific builds that are "based on OpenWrt", there may be many differences compared to the official versions (hosted by OpenWrt.org). Some of these customizations may fundamentally change the way that OpenWrt works. You might need help from people with specific/specialized knowledge about the firmware you are using, so it is possible that advice you get here may not be useful.

You may find that the best options are:

  1. Install an official version of OpenWrt, if your device is supported (see https://firmware-selector.openwrt.org).
  2. Ask for help from the maintainer(s) or user community of the specific firmware that you are using.
  3. Provide the source code for the firmware so that users on this forum can understand how your firmware works (OpenWrt forum users are volunteers, so somebody might look at the code if they have time and are interested in your issue).

If you believe that this specific issue is common to generic/official OpenWrt and/or the maintainers of your build have indicated as such, please feel free to clarify.

Your device is supported by official OpenWrt:

https://firmware-selector.openwrt.org/?version=23.05.4&target=mvebu%2Fcortexa9&id=cznic_turris-omnia


I am 99% confident you either reused a key that is already in use on another device, or didn't follow the manual on how to set up WG on OpenWRT.
With WG, if you only get TX, it means you messed up the keys.
P.S.
I run a stable Turris Omnia image for many years.


thank you for the quick reply. I might consider switching to pure openWRT, but I remember hitting a similar snag on openWRT. I just don't remember how I solved it.


Hmm, I generated new keypairs using LuCI and then transferred the config to the client via QR code. Will try to set up new keys and re-transfer..

When you're running official OpenWrt, we can help you through any snags you run into. However, the Turris OS is not the same as official OpenWrt, so you'll need to ask them for help as long as that is the firmware on your device.

Doesn't look like he runs Turris OS, they usually provide that crippled Forris UI.
But you can flash a completely working vanilla OpenWRT on it and it will work great. I think he messed up with keys.

The release information certainly seems to suggest that it is turris OS, given that it specifically says

LuCI can be changed with themes, so maybe the OS has been updated and/or the OP downloaded a different theme.

nope, definitely running Turris OS, you can use Luci for 'advanced' config


I think it was something weird like setting the DNS server to 1.1.1.1?

Well, then @pshreman was right, but anyway check your keys.
As for WG, Turris OS and OpenWRT are pretty much the same.
This is because WG is already in the kernel since 5.6, so there is
little difference between various Wrt flavors.


So I have regenerated the keys and retransferred them via QR code to the client app... no luck.

Not really how it should work.
If you get a WG client setup from a VPN provider, just copy and paste them in your router. Follow the guide from the VPN provider. QR codes are only applicable when you set your OpenWRT as a "server", which I believe not the goal you are trying to achieve. Anyway, the setup is trivial, if you set a client on your phone, you will be able to set it as a client on OpenWRT, all providers have a manual for that.

Kernel versions being the same, yes... but there are absolutely differences in how the underlying OS works. They've got their similarities, but there are differences -- some potentially major, some maybe just nuanced. Otherwise, they wouldn't have a separate fork and release track than the official project.

Yes, it is, actually.

The OP is trying to configure a road-warrior setup. That is not using a VPN provider. The two endpoints are their router and their mobile device.


They do it for other reasons, they keep stabled stuff, and they bundle in their "fool-proof" apps, like Forris UI, schnapps, LXC container and what not. I remember it very well, I got the Turris Omnia from their Kickstarter campaign in 2016, and all I wanted was a pure vanilla image without that CZ.NIC crap. Eventually I made it possible, and only since 19.04 or something it was possible to flash Vanilla, the CZ.NIC guys were really cocky about their firmware, somewhat like what Mediatek is doing now with Filogic boards.

But the point is that it is not the same. Their OS is, by definition, not official OpenWrt and it has changes (especially when you add in the "fool-proof apps", LXC containers, and the rest of it). This is a different animal than official OpenWrt. Therefore, it is a binary situation:

  • Run Turris OS --> ask them for help because they know their OS and the details about how it works

or

  • Run official OpenWrt --> we can help here because we know how OpenWrt works. We cannot properly support forks like Turris OS or GL-Inet's firmware because we aren't aware of what changes were made and how that will affect the behavior and configuration details relative to how the official OpenWrt firmware would work. Their stuff is a black box to us.