WireGuard question: traffic from LAN or WAN is not forwarded to the wg interface

Hi guys,
I have been trying to figure out the WireGuard setup for hours now. I also used tcpdump for traffic capture.

Not able to get a handshake with WireGuard.

Here is my setup

First made sure that forwarding is enabled.

root@OpenWrt:/etc/config# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
root@OpenWrt:/etc/config#


/etc/config/network

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'GA9FhJ/Tsxxxxxxxxxxxxxxxxxxxxxxxxx'
        option listen_port '51822'
        list addresses '172.31.0.2/24'

config wireguard_wg0
        option description 'wireguardSite2Site'
        option public_key '+HikL/0rM7xxxxxxxxxxxxxxxxxxxxxxxxxx'
        list allowed_ips '172.31.0.0/24'
        list allowed_ips '10.1.1.0/24'
        option endpoint_host 'opnsense.xxxxxxxxxxxxxx.com'
        option endpoint_port '51822'
        option route_allowed_ips '1'

config interface 'wg1'
        option proto 'wireguard'
        option private_key 'eLx2A6xxxxxxxxxxxxxxxxxxxxxx'
        list addresses '10.10.10.1/24'
        option listen_port '51820'

config wireguard_wg1
        option description 'wireguardRoadwarrior'
        list allowed_ips '10.10.10.2/32'
        #option route_allowed_ips '1'
        #option endpoint_port '51820'
        option public_key 'r7eKIfxxxxxxxxxxxxxxxxxx'


/etc/config/firewall

config forwarding
        option src 'vpn'
        option dest 'wan'

config forwarding
        option src 'vpn'
        option dest 'lan'

config forwarding
        option dest 'lan'
        option src 'wg'

config forwarding
        option dest 'wg'
        option src 'lan'

config zone
        option name 'wg'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'wg'

config rule
        option dest_port '51820-51830'
        option src 'wan'
        option name 'Allow-WG'
        option target 'ACCEPT'

root@OpenWrt:/etc/config#

Created the keys
root@OpenWrt:/etc/wireguard# wg genkey | tee wgserver.key | wg pubkey > wgserver.pub
root@OpenWrt:/etc/wireguard# wg genkey | tee wgclient.key | wg pubkey > wgclient.pub



tcpdump shows only incoming traffic from the client to the LAN interface, but WireGuard is not answering / handshaking.


Tried the Windows client on the local LAN for a first test:

[Interface]
PrivateKey = uDVAYxxxxxxxxxxxxxxxxxxxxx
Address = 10.10.10.2/32

[Peer]
PublicKey = r7eKIfkl9/Y6mcpxxxxxxxxxxxxxxxxxxxx=
AllowedIPs = 10.10.10.0/24
Endpoint = 192.168.134.230:51820

You see, the public key on both boxes is the same.

Open connection with windows box:

[screenshot: 2021-09-26 17_02_59-Window]

Message on windows client.
Cannot get handshake.

[screenshot: 2021-09-26 17_04_49-Window]

I have checked the keys 100 times.
I have also disabled the firewall 100 times to locate the error.

With tcpdump I can see that the traffic is coming in from the internal client on port 51820.
But the WireGuard interface is not answering.

Perhaps I am too stupid to locate the error.

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
16:45:15.408646 IP 192.168.134.39.62058 > 192.168.134.230.51820: UDP, length 148
16:45:15.408713 IP 192.168.134.39.62058 > 192.168.134.230.51820: UDP, length 148
16:45:20.458973 IP 192.168.134.39.62058 > 192.168.134.230.51820: UDP, length 148
16:45:20.459059 IP 192.168.134.39.62058 > 192.168.134.230.51820: UDP, length 148
16:45:25.540554 IP 192.168.134.39.62058 > 192.168.134.230.51820: UDP, length 148
16:45:25.540609 IP 192.168.134.39.62058 > 192.168.134.230.51820: UDP, length 148
16:45:30.594370 IP 192.168.134.39.62058 > 192.168.134.230.51820: UDP, length 148
16:45:30.594462 IP 192.168.134.39.62058 > 192.168.134.230.51820: UDP, length 148
16:45:35.612499 IP 192.168.134.39.62058 > 192.168.134.230.51820: UDP, length 148
16:45:35.612566 IP 192.168.134.39.62058 > 192.168.134.230.51820: UDP, length 148
16:45:40.682409 IP 192.168.134.39.62058 > 192.168.134.230.51820: UDP, length 148
16:45:40.682465 IP 192.168.134.39.62058 > 192.168.134.230.51820: UDP, length 148


Perhaps someone who has experienced this error can help, because I am totally stuck.

Hi, I just noticed this when I reload the firewall with /etc/init.d/firewall reload

root@OpenWrt:/etc/config# /etc/init.d/firewall reload
Warning: Unable to locate ipset utility, disabling ipset support
Warning: Section 'wan' cannot resolve device of network 'wan6'
Warning: Section 'wan' cannot resolve device of network 'vpn3'
Warning: Section @zone[3] (wg) cannot resolve device of network 'wg'
Warning: Section @rule[12] (Allow-WG) does not specify a protocol, assuming TCP+UDP
Warning: Section @zone[3] (wg) has no device, network, subnet or extra options


Is the error related to this?
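The warning `Section @zone[3] (wg) cannot resolve device of network 'wg'` matches the excerpt posted earlier: the `wg` zone has `option network 'wg'`, while the interfaces in /etc/config/network are named `wg0` and `wg1`, so neither of them lands in that zone. The other warning says the `Allow-WG` rule has no `proto` and is therefore treated as tcp+udp. As an added example (not the thread's or OpenWrt's own code), the Python checker below reads both UCI files and reports zones that name undefined networks, interfaces that belong to no zone, rules without a `proto`, and WireGuard listen ports that no WAN accept rule covers. The sample configs are constructed from the excerpt, with a `lan` interface and zone added to keep it self-contained; `parse_uci`, `lint_wireguard_firewall` and `fixed_firewall` are names chosen here.

```python
import re

def parse_uci(text: str) -> list:
    """Minimal reader for OpenWrt UCI files: [(type, name, {opt: value or [values]})]."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = [w.strip("'\"") for w in re.findall(r"'[^']*'|\"[^\"]*\"|\S+", line)]
        if words[0] == "config":
            sections.append((words[1], words[2] if len(words) > 2 else None, {}))
        elif words[0] == "option" and sections:
            sections[-1][2][words[1]] = words[2] if len(words) > 2 else ""
        elif words[0] == "list" and sections:
            sections[-1][2].setdefault(words[1], []).append(words[2])
    return sections

def _ports(spec: str) -> set:
    """Expand an fw3 dest_port value such as '51820-51830' or '53 123' to a set of ints."""
    out = set()
    for part in spec.split():
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def lint_wireguard_firewall(network_cfg: str, firewall_cfg: str) -> list:
    """Cross-check /etc/config/network against /etc/config/firewall and list the
    mismatches that leave a WireGuard interface outside any zone or unreachable."""
    net, fw = parse_uci(network_cfg), parse_uci(firewall_cfg)
    ifaces = {name for typ, name, _ in net if typ == "interface" and name}
    listen = {name: int(o["listen_port"]) for typ, name, o in net
              if typ == "interface" and o.get("proto") == "wireguard" and "listen_port" in o}
    findings, zoned, wan_udp = [], set(), set()
    for typ, _, o in fw:
        if typ == "zone":
            nets = o.get("network", [])
            nets = nets.split() if isinstance(nets, str) else nets  # option or list form
            for n in nets:
                if n not in ifaces:
                    near = sorted(i for i in ifaces if i.startswith(n))
                    findings.append(f"zone '{o.get('name')}' lists network '{n}', which is not defined"
                                    + (f" (did you mean {near}?)" if near else ""))
            zoned.update(nets)
        elif typ == "rule":
            if "proto" not in o:
                findings.append(f"rule '{o.get('name')}' has no proto; fw3 assumes tcp+udp, "
                                "WireGuard only needs udp")
            # A rule without proto also matches udp; only an explicit tcp-only rule does not.
            if (o.get("src") == "wan" and o.get("target") == "ACCEPT"
                    and o.get("proto", "udp") != "tcp" and "dest_port" in o):
                wan_udp |= _ports(o["dest_port"])
    for i in sorted(ifaces - zoned):
        findings.append(f"interface '{i}' belongs to no zone, so no zone policy applies to it")
    for name, port in listen.items():
        if port not in wan_udp:
            findings.append(f"'{name}' listens on udp/{port} but no WAN input rule accepts that port")
    return findings

# Constructed sample: the thread's wg zone and Allow-WG rule, plus a 'lan'
# interface and zone added here so the example stands alone.
NETWORK_SAMPLE = """\
config interface 'lan'
        option proto 'static'
config interface 'wg0'
        option proto 'wireguard'
        option listen_port '51822'
config interface 'wg1'
        option proto 'wireguard'
        option listen_port '51820'
"""
FIREWALL_SAMPLE = """\
config zone
        option name 'lan'
        option network 'lan'
config zone
        option name 'wg'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option network 'wg'
config rule
        option dest_port '51820-51830'
        option src 'wan'
        option name 'Allow-WG'
        option target 'ACCEPT'
"""

def fixed_firewall(firewall_cfg: str) -> str:
    """The two edits the findings point at: name the real interfaces, pin the rule to udp."""
    return firewall_cfg.replace("option network 'wg'", "option network 'wg0 wg1'").replace(
        "option target 'ACCEPT'", "option proto 'udp'\n        option target 'ACCEPT'")

if __name__ == "__main__":
    for f in lint_wireguard_firewall(NETWORK_SAMPLE, FIREWALL_SAMPLE):
        print("finding:", f)
    print("after fix:", lint_wireguard_firewall(NETWORK_SAMPLE, fixed_firewall(FIREWALL_SAMPLE)) or "clean")
```

On the constructed sample the checker reports the undefined `wg` network with `wg0`/`wg1` as candidates, both WireGuard interfaces as unzoned, and the missing `proto` on `Allow-WG`; the listen ports 51820 and 51822 are already inside the rule's `51820-51830` range. After `fixed_firewall` the list is empty. The same four checks can be run against the full files from a router by reading them in place of the sample strings.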

Seems like a key issue, since you cannot get a handshake from an internal client.
Use the script to create the configuration and keys for server and clients.

Thank you very much for your help.

Is that script executable in OpenWrt?

Tried it, but nothing happened... did I overlook something?

root@OpenWrt:~# nano /root/auto_wg_username-id.sh
root@OpenWrt:~# cd /root
root@OpenWrt:~# ls
auto_wg_username-id.sh
root@OpenWrt:~# ./auto_wg_username-id.sh
root@OpenWrt:~# ls -li /etc/wireguard/
root@OpenWrt:~# ^C
root@OpenWrt:~# cat auto_wg_username-id.sh
#!/bin/ash
clear
echo "======================================"
echo "|     Automated WireGuard Script     |"
echo "|        Named Peers with IDs        |"
echo "======================================"
# Define Variables
echo -n "Defining variables... "
export LAN="lan"
export interface="10.0.5"
export DDNS="voip01.profi-itservice.de"
export peer_ID="1" # The ID number to start from
export peer_IP="2" # The IP address to start from
export WG_${LAN}_server_port="51820"
export WG_${LAN}_server_IP="${interface}.1"
export WG_${LAN}_server_firewall_zone="${LAN}"
export quantity="4" # Change the number '4' to a

Argh, I am too stupid.
But it seems I have forgotten some variables, because the script is missing something...

root@OpenWrt:~# cd /root
root@OpenWrt:~# ls -li
   2513 -rwxr-xr-x    1 root     root          5753 Sep 26 18:57 auto_wg_username-id.sh
root@OpenWrt:~# chmod 755 auto_wg_username-id.sh

root@OpenWrt:~# ./auto_wg_username-id.sh
======================================
|     Automated WireGuard Script     |
|        Named Peers with IDs        |
======================================
Defining variables... Done
Creating directories and pre-defining permissions on those directories... Done
Removing pre-existing WireGuard interface... Done
Generating WireGuard server keys for 'lan' network... Done
Creating WireGuard interface for 'lan' network... Done
Adding firewall rule for 'lan' network... Done
Removing pre-existing peers... Done

Creating directory for peer '1_lan_Alpha'... Done
Generating peer keys for '1_lan_Alpha'... Done
Generating peer PSK for '1_lan_Alpha'... Done
Adding '1_lan_Alpha' to WireGuard server... Done
Creating config for '1_lan_Alpha'... Done

Creating directory for peer '2_lan_Bravo'... Done
Generating peer keys for '2_lan_Bravo'... Done
Generating peer PSK for '2_lan_Bravo'... Done
Adding '2_lan_Bravo' to WireGuard server... Done
Creating config for '2_lan_Bravo'... Done

Creating directory for peer '3_lan_Charlie'... Done
Generating peer keys for '3_lan_Charlie'... Done
Generating peer PSK for '3_lan_Charlie'... Done
Adding '3_lan_Charlie' to WireGuard server... Done
Creating config for '3_lan_Charlie'... Done

Creating directory for peer '4_lan_Delta'... Done
Generating peer keys for '4_lan_Delta'... Done
Generating peer PSK for '4_lan_Delta'... Done
Adding '4_lan_Delta' to WireGuard server... Done
Creating config for '4_lan_Delta'... Done

Commiting changes... uci: Parse error (invalid character in name field) at line 14, byte 27
uci: Parse error (invalid character in name field) at line 14, byte 27
uci: Parse error (invalid command) at line 1, byte 0
Done

Restarting WireGuard interface... Done

Restarting firewall... Done
root@OpenWrt:~#

You don't need to write the file with nano or any other editor. Copy-paste the whole script as you see it in OpenWrt. The first line cat <<-"SCRIPT_EOF" > "/root/auto_wg_username-id.sh" will create the script and the last line will make it executable.