Wireguard problems, transmits packets but only bytes

borgqueenx · March 28, 2023, 7:47pm

I have a wireguard interface that i'm trying to make work, but it often wont establish a connection with the server.
It shows that it made a handshake, it also transmits packets but only a few bytes. my internet connection remains active but not flowing through wireguard. If i enforce the firewall config to flow traffic through wireguard, all my internet stops working.
At other times (doing exactly the same) it works, without the need to force the connection through the firewall.

How do you start to dig into wireguard logs to see why it is not functioning?

psherman · March 28, 2023, 8:17pm

There really aren't any logs.

Let's start with your configs..

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
wg show

borgqueenx · March 30, 2023, 10:54am

System firmware and info:

Network info:


root@MainRouter:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'redacted'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option auto '0'
        option reqaddress 'try'
        option reqprefix 'auto'

config interface 'surfshark'
        option proto 'wireguard'
        option private_key 'redacted'
        list addresses '10.14.0.2/16'
        list dns '162.252.172.57'
        list dns '149.154.159.92'

config wireguard_surfshark
        option description 'de-fra.prod.surfshark.com.conf'
        option public_key 'redacted'
        list allowed_ips '0.0.0.0/0'
        option endpoint_host '138.199.19.182'
        option endpoint_port '51820'
        option persistent_keepalive '25'

Firewall Settings:


root@MainRouter:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'surfshark'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'surfshark'

config forwarding
        option src 'lan'
        option dest 'wan'

Wireguard info:


root@MainRouter:~# wg show
interface: surfshark
  public key: redacted
  private key: (hidden)
  listening port: 46273

peer: redacted
  endpoint: 138.199.19.182:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 2 seconds ago
  transfer: 99.10 KiB received, 366.07 KiB sent
  persistent keepalive: every 25 seconds
root@MainRouter:~#

Wireguard info shows above that it is connected, but it only transmits a few kb in the total time it was connected(for about 40 hours now)

When i change the green circle below into the surfshark adapter instead of wan, my whole internet stops working.

krazeh · March 30, 2023, 11:21am

You need to add a forwarding from the lan zone to the surfshark zone. You don't have to remove the existing lan -> wan forwarding, you can just add your surfshark zone as an additional forwarding.

You also don't appear to have selected 'Route allowed IPs' when setting up your peer. You need to do that, unless you're intending to manually add appropriate routing rules.

borgqueenx · March 30, 2023, 11:27am

With the same rules applying as lan>wan? Accept, accept and accept?

As for the second step, i thought the 0.0.0.0/0 range meant that everything is that all devices and addresses go through the peer/wireguard. Any idea what i should enter there?

krazeh · March 30, 2023, 11:37am

If you click 'Edit' at the end of the lan > wan forwarding row, then on the screen that opens you should see Allow forward to destination zones. It'll have a drop down next to it. You just need to click on the arrow and then tick the Surfshark zone along with the wan zone.

The IP/range is correct. You just need to also tick the checkbox that says Route allowed IPs. It's on the peer config screen, just below where you add the allowed IPs.

borgqueenx · March 30, 2023, 11:41am

That did the trick, i very much appriciate it! If you can satisfy my curiosity, what caused this to not work before? What does this "route allowed ip" option do?

Thank you very much for the help <3

krazeh · March 30, 2023, 11:44am

You weren't allowing traffic from your LAN to be forwarded to your surfshark connection (as it was in a different zone and you didn't have any forwarding set up).

And you didn't have any routing rules in place to tell the router that it should send traffic out via the surfshark connection. Ticking Route allowed IPs means the required rules to tell the router to send any traffic for the IP ranges you add in the Allowed IP box out through the wireguard connection will be created automatically. If you don't tick it then you have to manually add the required routes.

borgqueenx · March 30, 2023, 11:48am

thanks!
Lastly, this probably does not protect traffic to always flow through the wireguard adapter? As lan can now either go to WAN or wireguard with this setting?
Is there a way to enable a killswitch?

In post 3, i have said that i normally have set up LAN > surfshark (wireguard). But when i did that, my internet would stop working. That's probably because the rule of 'Route allowed IPs' was disabled in the peer settings.

krazeh · March 30, 2023, 12:02pm

Deleting the lan > wan forwarding should do it. And yes, the previous internet stoppage was likely due to the lack of correct routing.

borgqueenx · April 9, 2023, 8:27am

it worked for 10 days straight, and in the middle of the night stopped working, around 3 hours ago. Woke up with my phone connected to cellular that gave me "device offline" messages.
I tried re-connecting the wireguard interface to no luck. Rebooting the router also did not work, Loading configuration of other server locations also did not work. (I did enable the route of ip's in peer settings)
Tried asking the company in live chat and they can confirm their servers are working. I cannot get a handshake with them when i view the wireguard tab in luci. Yet, tiny amounts of data are being exchanged.

Weirdly enough, if the wireguard interface is enabled and i then disable it, i still do not get my internet back, even though my firewall settings now have LAN > WAN. no wireguard interface attached. I have to reboot the router with autostart for wireguard disabled, then i have my internet back....but not through wireguard.

Any idea's what happened or what i can try?

This is the log when disabling wireguard> internet still down.

Sun Apr  9 10:16:22 2023 daemon.notice netifd: Interface 'surfshark' is now down
Sun Apr  9 10:16:22 2023 daemon.info dnsmasq[1]: read /etc/hosts - 12 names
Sun Apr  9 10:16:22 2023 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 4 names
Sun Apr  9 10:16:22 2023 daemon.info dnsmasq[1]: read /tmp/hosts/odhcpd - 2 names
Sun Apr  9 10:16:22 2023 daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses
Sun Apr  9 10:16:23 2023 daemon.warn odhcpd[1935]: No default route present, overriding ra_lifetime!

And this is a link to the complete log i grabbed after a reboot with everything how it was like normal:
https://justpaste.it/aghpp

frank92735 · April 9, 2023, 10:30am

I tested surfshark on C7 v2 22.03.2 (drag and drop config file) and it would run for 3-4 days and then disconnect. The key would be no good after that and require a new config. Solution (for me) was to use mullvad. It always just works.

borgqueenx · April 9, 2023, 11:47am

the issue is maybe also on the router. when i enable wireguard(with surfshark as provider) internet gets disconnected until i disable the wireguard interface AND reboot. Firewall is set from LAN to WAN, not LAn to wireguard, and it is not working for some reason.

borgqueenx · April 9, 2023, 12:04pm

is there a log or something where you can see if a key was denied?

psherman · April 9, 2023, 12:53pm

You may have a few different things happening:

Correct time is required for Wireguard to start. If WG attempts to start with incorrect time, it will not be able to handshake and then will have a chicken-or-egg situation with the fact that the internet is not reachable to correct the time via NTP.

When you start WG (specifically in the situation where you have allowed IPs of 0.0.0.0/0), it will overwrite the existing routing table (i.e. the default route via the wan). This means that disabling wg will cause the internet to stop working (or won't restore the functionality).

Make sure the time is correct before you attempt to start your WG tunnel, and set a metric on the wan to avoid the situation where the default route is lost.

borgqueenx · April 9, 2023, 12:57pm

if i see the local time in system overview, it is exact with my computer's time.
How do i add that metric to wan so that internet does not get lost when starting/disabling wireguard?

psherman · April 9, 2023, 12:58pm

It's in thread I linked. Let me know if you have difficulty.

borgqueenx · April 9, 2023, 1:12pm

super, thank you. that's one problem then hopefully solved.
I generated a new keypair from the vpn provider surfshark and it worked, so the issue is probably on their side. Live chat unfortunately saw me generating a new key pair as the solution and fix, instead of wanting to solve older generated keypairs not working anymore.

psherman · April 9, 2023, 1:17pm

Great!

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!

borgqueenx · April 9, 2023, 1:25pm

I'd like the topic to stay open until i face the same issue with the current provider, to make sure its a issue on their side, is that ok?