Wireguard no RX

Hello.

Please help: I can't figure out why the WireGuard client connection on my router does not work.
I'm behind CGNAT.

I have a VPS where I have installed a WireGuard server, and I made a client config for my router.

These are the contents of my network and firewall configs:

root@OpenWrt:~# cat /etc/config/network

# /etc/config/network as posted (first copy): loopback, a bridged LAN on VLAN 1,
# DHCP/DHCPv6 WAN on VLAN 2, the switch VLAN layout, and a WireGuard client
# interface 'wg0' whose single peer is the VPS.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	# IPv6 unique-local prefix for the router's own networks.
	option ula_prefix 'fdd5:5f8c:2da6::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	# Presumably the CPU-side interface of switch0 VLAN 1 (see switch_vlan below).
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth0.2'
	option macaddr '00:31:92:d2:68:4c'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
	# peerdns 0: ignore the ISP-supplied resolvers and use the two listed below.
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	# Metric 20 is higher than wg0's 10, so routes learned via the tunnel win
	# over the WAN default route once route_allowed_ips installs them.
	option metric '20'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	option metric '20'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	# Ports 1-4 untagged for the LAN, port 6 tagged towards the CPU.
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	# Port 0 is the WAN port, again tagged to the CPU on port 6.
	option ports '0 6t'

config interface 'wg0'
	option proto 'wireguard'
	# Private key redacted by the poster; the real value must never appear in
	# a public post, since it authenticates this router to the VPS.
	option private_key 'xxxxxxxxxxxxxxxxxxx'
	# Lower than the WAN metric (20): tunnel routes take precedence.
	option metric '10'
	list addresses '10.66.66.2/24'
	list addresses 'fd42:42:42::2/128'

config wireguard_wg0
	option description 'Arr'
	# The VPS peer's public key and the shared PSK, both redacted by the poster.
	option public_key 'xxxxxxxxxxxxxxxx'
	option preshared_key 'xxxxxxxxxxxxxxxxx'
	# 0.0.0.0/0 + ::/0 together with route_allowed_ips make this a full tunnel:
	# everything without a more specific route is sent to the VPS.
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
	option route_allowed_ips '1'
	# Root cause of the "no RX" symptom, confirmed in the replies below:
	# 10.0.0.173 is an RFC 1918 private address, so the handshake packets never
	# reach the VPS. endpoint_host must be the VPS's public IP (or hostname);
	# the port stays 51820.
	option endpoint_host '10.0.0.173'
	option endpoint_port '51820'
	# Needed behind CGNAT: periodic keepalives keep the carrier NAT mapping
	# open so the VPS can send packets back to this router.
	option persistent_keepalive '25'


root@OpenWrt:~# cat /etc/config/network

# Second paste of /etc/config/network. Apart from the length of the redacted
# key placeholders it is identical to the first listing; the poster presumably
# intended to paste a different file here.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	# IPv6 unique-local prefix for the router's own networks.
	option ula_prefix 'fdd5:5f8c:2da6::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	# Presumably the CPU-side interface of switch0 VLAN 1 (see switch_vlan below).
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth0.2'
	option macaddr '00:31:92:d2:68:4c'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
	# peerdns 0: ignore the ISP-supplied resolvers and use the two listed below.
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	# Metric 20 is higher than wg0's 10, so tunnel routes win over the WAN
	# default route once route_allowed_ips installs them.
	option metric '20'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	option metric '20'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	# Ports 1-4 untagged for the LAN, port 6 tagged towards the CPU.
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	# Port 0 is the WAN port, again tagged to the CPU on port 6.
	option ports '0 6t'

config interface 'wg0'
	option proto 'wireguard'
	# Private key redacted by the poster; never post the real value.
	option private_key 'xxxxxxxxxxxxxxxxxxxxx'
	# Lower than the WAN metric (20): tunnel routes take precedence.
	option metric '10'
	list addresses '10.66.66.2/24'
	list addresses 'fd42:42:42::2/128'

config wireguard_wg0
	option description 'Arr'
	# The VPS peer's public key and the shared PSK, both redacted by the poster.
	option public_key 'xxxxxxxxxxxxxxxxxxxxxxx'
	option preshared_key 'xxxxxxxxxxxxxxxxx'
	# Full tunnel: 0.0.0.0/0 and ::/0 are routed via the VPS.
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
	option route_allowed_ips '1'
	# Root cause, confirmed in the replies below: 10.0.0.173 is an RFC 1918
	# private address and cannot be the VPS's reachable endpoint. Replace it
	# with the VPS's public IP; keep the port.
	option endpoint_host '10.0.0.173'
	option endpoint_port '51820'
	# Keepalives hold the CGNAT mapping open so return traffic can arrive.
	option persistent_keepalive '25'





root@OpenWrt:~# cat /etc/config/firewall

# /etc/config/firewall as posted: what appear to be the stock OpenWrt defaults
# (lan/wan zones, lan->wan forwarding, the Allow-* rules), plus a DNAT to a
# LAN host, a 'vpn' zone holding wg0, and a very broad udp/51820 rule.
config defaults
	# Default policy for traffic to/from the router itself and between zones;
	# zones below override input/output/forward for their own traffic.
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# NAT everything leaving through wan/wan6.
	option masq '1'
	# Clamp TCP MSS to the path MTU on this zone.
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# The two IPsec rules below accept ESP and IKE (udp/500) forwarded from wan
# into lan. They are unrelated to WireGuard and only matter if a LAN host
# terminates IPsec.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Port forward: tcp/1883 arriving on the wan side is DNATed to 192.168.1.101:1883.
# NOTE(review): 1883 is the IANA-registered MQTT port. Behind CGNAT the router
# has no public address, but the port may still be reachable from other hosts
# inside the ISP's shared address space, so the service on .101 should require
# authentication. Whether the VPS relays this port is not visible here.
config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'solar-assistant'
	option family 'ipv4'
	list proto 'tcp'
	option src 'wan'
	option src_dport '1883'
	option dest_ip '192.168.1.101'
	option dest_port '1883'

config zone
	option name 'vpn'
	# input ACCEPT: anything arriving through the tunnel (i.e. from the VPS
	# side) may reach services the router itself listens on. For a pure client
	# setup this is wider than necessary; REJECT here would limit the blast
	# radius of a compromised VPS, unless the VPS needs to manage the router.
	option input 'ACCEPT'
	option output 'ACCEPT'
	# Zone-level forward only covers vpn->vpn traffic; inter-zone forwarding
	# is governed by the 'forwarding' sections.
	option forward 'ACCEPT'
	list network 'wg0'
	# LAN clients are source-NATed to wg0's own address before entering the
	# tunnel, presumably because the server only allows 10.66.66.2 for this peer.
	option masq '1'

# LAN -> tunnel only. There is no vpn -> lan forwarding, so the VPS side
# cannot open connections into the LAN.
config forwarding
	option src 'lan'
	option dest 'vpn'

# NOTE(review): with both src '*' and dest '*' this is a forwarding rule
# between ALL zones, and it additionally pins the source port to 51820. A
# WireGuard client that initiates the handshake (persistent_keepalive is set
# above in /etc/config/network) should need no inbound accept at all, since
# the replies are matched by connection tracking. The reply below proposes
# narrowing it to src 'wan' with dest_port 51820 only, which is an input rule
# that only matters if this router is the side being connected to.
config rule
	option name 'wg0'
	list proto 'udp'
	option src '*'
	option src_port '51820'
	option dest '*'
	option dest_port '51820'
	option target 'ACCEPT'

From this, delete:

	option endpoint_host '10.0.0.173'
	option endpoint_port '51820'

then

Change this to:

config rule
        option name 'wg0'
        option target 'ACCEPT'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'

@krazeh, to me it looks like the OP is behind CGNAT, so they should set it up either as a simple client or as a site-to-site setup?


Start from scratch and configure your client as shown here:


endpoint_host needs to be the public IP of your VPS. An IP that starts with 10 is not public; it is from the RFC 1918 set of reserved private IP ranges.


Missed that — so, as @mk24 says,

	option endpoint_host '10.0.0.173'
	option endpoint_port '51820'

needs to be left in, but changed to use the correct public IP of the VPS.


Thank you everyone.

Changing the endpoint to the VPS IP worked.

After a reboot it didn't appear to work until I restarted the WireGuard network on the router again.


CGNAT is RFC 6598, address space 100.64.0.0/10.
Nobody would pay for VPS services without at least one public IP.
