I have a wireguard interface that i'm trying to make work, but it often wont establish a connection with the server.
It shows that it made a handshake, it also transmits packets but only a few bytes. my internet connection remains active but not flowing through wireguard. If i enforce the firewall config to flow traffic through wireguard, all my internet stops working.
At other times (doing exactly the same) it works, without the need to force the connection through the firewall.
How do you start to dig into wireguard logs to see why it is not functioning?
If you click 'Edit' at the end of the lan > wan forwarding row, then on the screen that opens you should see Allow forward to destination zones. It'll have a drop down next to it. You just need to click on the arrow and then tick the Surfshark zone along with the wan zone.
The IP/range is correct. You just need to also tick the checkbox that says Route allowed IPs. It's on the peer config screen, just below where you add the allowed IPs.
You weren't allowing traffic from your LAN to be forwarded to your surfshark connection (as it was in a different zone and you didn't have any forwarding set up).
And you didn't have any routing rules in place to tell the router that it should send traffic out via the surfshark connection. Ticking Route allowed IPs means the required rules to tell the router to send any traffic for the IP ranges you add in the Allowed IP box out through the wireguard connection will be created automatically. If you don't tick it then you have to manually add the required routes.
Lastly, this probably does not protect traffic to always flow through the wireguard adapter? As lan can now either go to WAN or wireguard with this setting?
Is there a way to enable a killswitch?
In post 3, i have said that i normally have set up LAN > surfshark (wireguard). But when i did that, my internet would stop working. That's probably because the rule of 'Route allowed IPs' was disabled in the peer settings.
it worked for 10 days straight, and in the middle of the night stopped working, around 3 hours ago. Woke up with my phone connected to cellular that gave me "device offline" messages.
I tried re-connecting the wireguard interface to no luck. Rebooting the router also did not work, Loading configuration of other server locations also did not work. (I did enable the route of ip's in peer settings)
Tried asking the company in live chat and they can confirm their servers are working. I cannot get a handshake with them when i view the wireguard tab in luci. Yet, tiny amounts of data are being exchanged.
Weirdly enough, if the wireguard interface is enabled and i then disable it, i still do not get my internet back, even though my firewall settings now have LAN > WAN. no wireguard interface attached. I have to reboot the router with autostart for wireguard disabled, then i have my internet back....but not through wireguard.
Any idea's what happened or what i can try?
This is the log when disabling wireguard> internet still down.
Sun Apr 9 10:16:22 2023 daemon.notice netifd: Interface 'surfshark' is now down
Sun Apr 9 10:16:22 2023 daemon.info dnsmasq: read /etc/hosts - 12 names
Sun Apr 9 10:16:22 2023 daemon.info dnsmasq: read /tmp/hosts/dhcp.cfg01411c - 4 names
Sun Apr 9 10:16:22 2023 daemon.info dnsmasq: read /tmp/hosts/odhcpd - 2 names
Sun Apr 9 10:16:22 2023 daemon.info dnsmasq-dhcp: read /etc/ethers - 0 addresses
Sun Apr 9 10:16:23 2023 daemon.warn odhcpd: No default route present, overriding ra_lifetime!
And this is a link to the complete log i grabbed after a reboot with everything how it was like normal: https://justpaste.it/aghpp
I tested surfshark on C7 v2 22.03.2 (drag and drop config file) and it would run for 3-4 days and then disconnect. The key would be no good after that and require a new config. Solution (for me) was to use mullvad. It always just works.
the issue is maybe also on the router. when i enable wireguard(with surfshark as provider) internet gets disconnected until i disable the wireguard interface AND reboot. Firewall is set from LAN to WAN, not LAn to wireguard, and it is not working for some reason.
Correct time is required for Wireguard to start. If WG attempts to start with incorrect time, it will not be able to handshake and then will have a chicken-or-egg situation with the fact that the internet is not reachable to correct the time via NTP.
When you start WG (specifically in the situation where you have allowed IPs of 0.0.0.0/0), it will overwrite the existing routing table (i.e. the default route via the wan). This means that disabling wg will cause the internet to stop working (or won't restore the functionality).
Make sure the time is correct before you attempt to start your WG tunnel, and set a metric on the wan to avoid the situation where the default route is lost.
super, thank you. that's one problem then hopefully solved.
I generated a new keypair from the vpn provider surfshark and it worked, so the issue is probably on their side. Live chat unfortunately saw me generating a new key pair as the solution and fix, instead of wanting to solve older generated keypairs not working anymore.