Hi,
My setup is:
- a globally reachable server S, WireGuard IP 10.0.1.1
- a random router R from my ISP (not something I chose or manage)
- an OpenWrt router O, WireGuard IP 10.0.1.9. O also acts as an AP, bridging its own Wi-Fi network with R's (via a relayd bridge, see the config below).
O reaches S through R; WireGuard on O is configured to connect to S.
The output of `wg` on O looks like:
peer: SOME_PUBLIC_KEY
endpoint: IP_FROM_S:PORT_S
allowed ips: 10.0.1.0/24
latest handshake: 36 seconds ago
transfer: 26.80 KiB received, 840 B sent
persistent keepalive: every 25 seconds
The `latest handshake` value never gets older than a few minutes (about 2, I think), which is what I'd expect: WireGuard re-handshakes roughly every two minutes as long as traffic or the keepalive keeps flowing.
`allowed ips` is 10.0.1.0/24 so that I can reach the other peers through S (for that to work S presumably has each peer as its own /32 and forwards between them — to be confirmed on S). I've also tried a /32 (S's address only) instead of the /24, but that didn't change the behaviour.
The problem: the tunnel works fine at first (ping works in both directions, I can open an SSH connection from either side), but after a few minutes — sometimes 2, sometimes 10 — it stops working. At that point `wg` still shows essentially the same state: a recent handshake, and the transfer counters keep growing slowly, which I find surprising given that ping no longer works. (Since handshakes and keepalives still get through, the outer UDP path between O and S is evidently alive; whatever breaks must be on the inner side, i.e. how O routes the 10.0.1.0/24 traffic once it is inside the tunnel.)
If I restart the interface on O, nothing changes, it still doesn't work.
But if I restart the whole device O, then it works again, for a few minutes. So I suspect that my bridge config interacts with wireguard in a bad way somehow.
The output of `ip r` looks the same whether it's working or not. Note, though, that plain `ip r` only lists the `main` table: the `ip -4 ru` output further down has iif-based rules at priority 2 that send traffic entering from lo, wlan1 and br-lan to tables 16800–16802 *before* `main` is consulted (`iif lo` also matches packets generated by O itself), and those tables are presumably maintained by relayd for the repeater bridge. So `ip route show table all` is what really needs comparing between the working and the broken state:
root@OpenWrt:~# ip r
default via 192.168.1.1 dev wlan1 proto static src 192.168.1.228
10.0.1.0/24 dev all_ping proto static scope link
192.168.1.0/24 dev wlan1 proto kernel scope link src 192.168.1.228
192.168.10.0/24 dev br-lan proto kernel scope link src 192.168.10.1
Output from `cat /etc/config/network; cat /etc/config/firewall ; cat /etc/config/dhcp ; ip -4 addr ; ip -4 ro ; ip -4 ru` (keys and the endpoint of S redacted):
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdcb:f984:b6c3::/48'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.10.1'
option gateway '192.168.1.1'
config device 'lan_eth0_1_dev'
option name 'eth0.1'
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
config device 'wan_eth0_2_dev'
option name 'eth0.2'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 3 6t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '4 6t'
config interface 'wwan'
option proto 'dhcp'
# relayd pseudo-bridge between 'lan' and 'wwan'. NOTE(review): relayd maintains its own
# routing tables and iif-based rules (the `iif ... lookup 1680x` entries in `ip -4 ru`
# below are presumably its), and those are consulted before the `main` table — including
# for packets O generates itself. Compare `ip route show table all` while the tunnel is
# healthy and once it has broken, not just `ip r`.
config interface 'repeater_bridge'
option proto 'relay'
list network 'lan'
list network 'wwan'
option ipaddr '192.168.1.228'
config interface 'wwan6'
option proto 'dhcpv6'
option reqprefix 'auto'
option reqaddress 'none'
option ifname '@wwan'
# WireGuard interface on O. The private key is (rightly) redacted in this paste.
config interface 'all_ping'
option proto 'wireguard'
option private_key 'PRIVKEY'
option delegate '0'
# /32 on the interface itself; the 10.0.1.0/24 route seen in `ip r` comes from the
# peer's allowed_ips below (route_allowed_ips '1').
list addresses '10.0.1.9/32'
# listen_port only matters for inbound handshakes. O sits on R's 192.168.1.0/24 behind
# R, so in practice S is always reached via the endpoint configured on the peer.
option listen_port '51992'
# Peer S. route_allowed_ips '1' installs the 10.0.1.0/24 → all_ping route in the main table.
config wireguard_all_ping
option public_key 'pubkey'
option description 'descrip'
option route_allowed_ips '1'
# Keepalive every 25 s is meant to keep R's UDP mapping towards S alive.
option persistent_keepalive '25'
option endpoint_host 'IP'
option endpoint_port 'PORT'
# /24 so that packets for any other peer are sent into the tunnel towards S.
# NOTE(review): for that to work S must forward between its peers and must list O as
# 10.0.1.9/32 (not the whole /24) in its own AllowedIPs — confirm on S.
list allowed_ips '10.0.1.0/24'
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
# Trusted zone. NOTE(review): 'wwan' (the Wi-Fi uplink to R, wlan1) is in here with input
# ACCEPT, so every host on R's 192.168.1.0/24 can reach all services on O (SSH, LuCI, DNS,
# ...). That is inherent in the relay setup (relayd bridges lan and wwan), but be aware of it.
# Also: 'wwan' is listed twice, and 'vpn' names no interface defined in /etc/config/network
# (the WireGuard interface is 'all_ping' and sits in the 'wg' zone further down). Both are
# harmless but worth cleaning up.
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan wwan repeater_bridge wwan6 vpn wwan'
config zone 'wan'
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# NOTE(review): these two rules forward ESP and UDP/500 from zone 'wan' into 'lan', where
# forwarding is otherwise REJECT. They ship in OpenWrt's default firewall config; if nothing
# behind O terminates IPsec they can simply be removed. In this setup zone 'wan' only covers
# eth0.2/wan6, not the wlan1 uplink actually in use, so they do not affect the current path.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
# Zone for the WireGuard interface. input ACCEPT means any peer S lets into 10.0.1.0/24 can
# reach every listening service on O; consider restricting it to the ports you actually need
# over the tunnel. There is no 'config forwarding' to or from this zone, so tunnel peers
# cannot reach hosts behind O and LAN hosts cannot use the tunnel — only O itself answers
# over it. If the "ping works" tests were done from O that is consistent; from a LAN host
# behind O they would fail even while the tunnel is healthy.
config zone
option network 'all_ping'
option input 'ACCEPT'
option forward 'REJECT'
option name 'wg'
option output 'ACCEPT'
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option localservice '1'
config dhcp 'lan'
option interface 'lan'
option ignore '1'
option ra 'relay'
option ndp 'relay'
list dns '2606:4700:4700::1111'
list dns '2606:4700:4700::1001'
config dhcp 'wan6'
option ignore '1'
option interface 'wwan'
option ra 'relay'
option ndp 'relay'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.10.1/24 brd 192.168.10.255 scope global br-lan
valid_lft forever preferred_lft forever
8: all_ping: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
inet 10.0.1.9/32 brd 255.255.255.255 scope global all_ping
valid_lft forever preferred_lft forever
9: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.1.228/24 brd 192.168.1.255 scope global wlan1
valid_lft forever preferred_lft forever
default via 192.168.1.1 dev wlan1 proto static src 192.168.1.228
10.0.1.0/24 dev all_ping proto static scope link
192.168.1.0/24 dev wlan1 proto kernel scope link src 192.168.1.228
192.168.10.0/24 dev br-lan proto kernel scope link src 192.168.10.1
0: from all lookup local
2: from all iif lo lookup 16800
2: from all iif wlan1 lookup 16801
2: from all iif br-lan lookup 16802
32766: from all lookup main
32767: from all lookup default
Any idea what could be going on, or what else I should look at?