WireGuard roadwarrior has handshake, but no traffic

Hi All,

I'm at a loss with my OpenWrt router, as I can't get it to work as a WireGuard endpoint.
I get a handshake when I start the tunnel from any internet-connected phone or notebook, but I can't query the DNS server or reach anything on the local LAN, even by IP. The end goal is to reach the LAN and to be able to access the WAN from the connected endpoint.

Running 23.05.3 on a TP-Link Archer C2600, but I had the same problem on v22 as well. I was going through this howto to configure it, but I also tried messing with the zones without any luck: https://openwrt.org/docs/guide-user/services/vpn/wireguard/server

/etc/config/network:
BusyBox v1.36.1 (2024-03-22 22:09:42 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 23.05.3, r23809-234f1a2efa
 -----------------------------------------------------

root@wrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd50:9237:ad8b::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option delegate '0'
	option ipaddr '192.168.60.1'

config interface 'wan'
	option device 'eth0.2'
	option proto 'pppoe'
	option username 'USERNAME'
	option password 'PASSWORD'
	option ipv6 'auto'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 5t'
	option vid '2'

# wg0: server side of the road-warrior tunnel.
# NOTE(review): 'list addresses' carries no prefix length; the follow-up post
# reports the interface page showing it as /32, so the router has no on-link
# route to the rest of 10.200.250.0/24 — 10.200.250.1/24 is what is needed.
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'PRIVATE_KEY'
	option listen_port '51820'
	list addresses '10.200.250.1'

# Peers. None of these sections has 'list allowed_ips', so WireGuard completes
# the handshake but drops every packet the peer sends (cryptokey routing has
# nothing to match) — this is the "handshake but no traffic" symptom. Each
# peer needs 'list allowed_ips <peer-ip>/32'.
# NOTE(review): 'private_key' is not among the documented peer-section
# options; only the peer's public_key (optionally plus preshared_key) belongs
# on the server. The client's private key should exist only on the client —
# keeping it here lets anyone who can read this file impersonate that peer.
# Remove the private_key lines from all three peer sections.
config wireguard_wg0
	option description 'nb'
	option public_key 'PUBC1'
	option private_key 'PRIVC1'

config wireguard_wg0
	option description 'nb2'
	option public_key 'PUBC2'
	option private_key 'PRIVC2'

config wireguard_wg0
	option public_key 'PUBC3'
	option private_key 'PRIVC3'
	option description 'phone'

root@wrt:~#
/etc/config/firewall:
root@wrt:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'wg dns'
	option src 'lan'
	option dest_port '53'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'
	list dest_ip '10.200.250.1'
	option enabled '0'

config rule
	option name 'wg in'
	list proto 'udp'
	option src 'wan'
	option dest_port '51820'
	option target 'ACCEPT'
	option family 'ipv4'

# Zone for the tunnel. input ACCEPT means any peer that completes a handshake
# can reach every service the router itself exposes (ssh, LuCI, DNS);
# forward ACCEPT together with the vpn->lan forwarding below lets peers reach
# all LAN hosts. Tighten to REJECT plus explicit rules if the peers are not
# fully trusted. 'option log 1' helps while debugging but can get noisy.
config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option family 'ipv4'
	option log '1'
	list network 'wg0'

config forwarding
	option src 'vpn'
	option dest 'lan'

# NOTE(review): with 'option dest' set this is a forwarding rule (vpn -> LAN
# hosts on 80/443), which the zone's forward ACCEPT and the vpn->lan
# forwarding above already permit, so it is redundant. If the intent was the
# router's own web UI, an input rule (no 'dest') is what applies — and input
# is already ACCEPT for this zone.
config rule
	option name 'admin_from_vpn'
	list proto 'tcp'
	option src 'vpn'
	option dest_port '80 443'
	option target 'ACCEPT'
	option family 'ipv4'
	option dest 'lan'

root@wrt:~#

phone cfg:
Public Key:
PUBC3
Addresses:
10.200.250.3/32
DNS servers:
192.168.60.1
Peer:
Public Key:
public of wg server
Allowed IPs:
0.0.0.0/0
Endpoint:
my_ip:51820

Make the address a /24. 10.200.250.1/24

You are missing the allowed IPs and route_allowed_ips options here. Allowed IPs should usually be in the same subnet as the main interface but a /32 -- for example, 10.200.250.2/32


In addition to the good advice from the previous poster:

That will allow you to reach your LAN clients from WG

To allow internet for your WG clients add:

config forwarding
	option src 'vpn'
	option dest 'wan'

Hi, thanks for taking the time to help.
I made the changes and added 10.200.250.1/24 to the interface, and it still did not work. Strangely, the interfaces page still showed 10.200.250.1/32, so I did an interface restart; now /24 is shown and I can reach the LAN. I also added a forwarding rule from vpn to wan, but that still does not work; I will try a network restart just in case.

If the restart doesn't fix the problem, please post the updated network and firewall files.

The LAN still works fine, but there is no internet connection. Is forwarding from vpn to wan enough?

root@wrt:~# cat /etc/config/network 

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd50:9237:ad8b::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option delegate '0'
	option ipaddr '192.168.60.1'

config interface 'wan'
	option device 'eth0.2'
	option proto 'pppoe'
	option username 'USERNAME'
	option password 'PASSWORD'
	option ipv6 'auto'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'
	option vid '1'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 5t'
	option vid '2'

# wg0: server side of the tunnel, now with the /24 so the router has an
# on-link route to every peer address in 10.200.250.0/24.
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'PRIVATE_KEY'
	option listen_port '51820'
	list addresses '10.200.250.1/24'

# NOTE(review): 'nb' and 'nb2' still have no 'list allowed_ips', so those two
# peers will keep handshaking without passing any traffic.
# NOTE(review): 'private_key' is not among the documented peer-section
# options; the server only needs each peer's public_key (optionally plus
# preshared_key). A client's private key should exist only on that client —
# keeping it here lets anyone who can read this file impersonate the peer.
# Remove the private_key lines from all three peer sections.
config wireguard_wg0
	option description 'nb'
	option public_key 'PUBC1'
	option private_key 'PRIVC1'

config wireguard_wg0
	option description 'nb2'
	option public_key 'PUBC2'
	option private_key 'PRIVC2'

# 'phone' is the only peer with allowed_ips, so it is the only one that can
# exchange traffic. Its /32 is inside the on-link /24 above, so a kernel
# route already exists; 'option route_allowed_ips 1' becomes necessary only
# if allowed_ips is later widened beyond that /24.
config wireguard_wg0
	option public_key 'PUBC3'
	option private_key 'PRIVC3'
	option description 'phone'
	list allowed_ips '10.200.250.3/32'

root@wrt:~# 

root@wrt:~# cat /etc/config/firewall 

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'wg dns'
	option src 'lan'
	option dest_port '53'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'
	list dest_ip '10.200.250.1'
	option enabled '0'

config rule
	option name 'wg in'
	list proto 'udp'
	option src 'wan'
	option dest_port '51820'
	option target 'ACCEPT'
	option family 'ipv4'

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option family 'ipv4'
	option log '1'
	list network 'wg0'

config forwarding
	option src 'vpn'
	option dest 'lan'

config rule
	option name 'admin_from_vpn'
	list proto 'tcp'
	option src 'vpn'
	option dest_port '80 443'
	option target 'ACCEPT'
	option family 'ipv4'
	option dest 'lan'

config forwarding
	option src 'vpn'
	option dest 'wan'

root@wrt:~# 

Maybe I need to add masquerading, as the original 'wan to any' one is not taking place?

Yes, but your issue is likely about routing.

You need to add option route_allowed_ips '1' to this:

Although this rule is disabled, it is not necessary and can be deleted.

And same with this one:

Restart your router and try again.

Hi,

I had some time again and got back to checking why the connection does not work. I got to a point where the IP connection was working, but my router dropped all DNS requests from my clients. I checked the DNS options but found no way to add a "respond to these networks" option, so in the end I added the vpn interface, and in response dnsmasq started listening on the vpn interface as well.

udp        0      0 127.0.0.1:53            0.0.0.0:*                           
udp        0      0 192.168.60.1:53         0.0.0.0:*                           
udp        0      0 10.200.250.1:53         0.0.0.0:*       

This had the funny side effect that dnsmasq now also answers me on the IP 192.168.60.1 from 10.200.250.0/24... Is there a better solution to this?

Now I checked another WG endpoint I have that runs FreeBSD; there I could allow the traffic via the PF firewall and route everything else to the WAN, and dnsmasq still responds despite being bound to only one of the LAN interfaces... I find this strange, but it's a secure default.

PS: I even tried adding a firewall rule to allow TCP/UDP port 53 to 192.168.60.1 from the vpn network, but I still got no answer, so I figured the rejection must be happening at the dnsmasq service level.