WireGuard server and client with PBR: peers disconnect after a few minutes/seconds

Hello, I'm new to OpenWrt. I've spent a few days trying to figure out my issue but I'm giving up; I hope someone can guide me.
My setup is a bit tricky.
My OpenWrt router is behind two NATs: ISP router > ASUS router > OpenWrt router.
The ISP router forwards UDP 51820 to the ASUS router, which forwards the same port on to the OpenWrt router.
I wanted to replicate on my OpenWrt router the behaviour of my Beryl AX router, which works like a charm. When I put it in the same position (ISP router > ASUS router > Beryl AX), everything works.
I also have a WireGuard server on the ISP router itself, and I can connect to that one without any problem.
Here is the behaviour I want:
- peers that connect to the OpenWrt router via WireGuard should have access to the LAN and to the internet;
- devices connected to the OpenWrt router via Wi-Fi/LAN should be routed through the WireGuard client interface to another WireGuard VPN provider (this works as expected on the Beryl AX).
On my OpenWrt router it works, but only for a few minutes!
Routing the Wi-Fi/LAN devices through the WireGuard client to the VPN provider works without any issue: the wgclient interface has "Route Allowed IPs" unchecked, and I use PBR to send the LAN subnet to wgclient, which works fine.
The issue is with the other interface, wg_lan, which should act as the WireGuard server. When I connect to it from my phone/PC, from a 5G network or from the same network, it works for a few minutes and then hangs (no internet access, no LAN access).

cat /etc/config/network

# /etc/config/network as posted. Keys and the provider endpoint are redacted
# placeholders ("priv_key here", "pub_key", "psk", "ip", "port"); the unquoted
# two-word private_key value would not parse as real UCI, so read the listing
# as illustrative rather than as a byte-exact dump.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd3d:f1f7:54c9::/48'
        # CPU packet-steering knobs; unrelated to the WireGuard problem
        # discussed in the thread.
        option default_rps_val '14'
        option default_rps_flow_cnt '256'
        option default_xps_val '14'
        option default_ps '1'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.5.1'
        option netmask '255.255.255.0'
        # ip6assign hands LAN clients a /60 out of the prefix delegated on
        # wan6, i.e. globally routable IPv6 addresses. WGClient below has no
        # IPv6 address and the PBR policy matches an IPv4 source only, so LAN
        # IPv6 traffic presumably leaves via wan6 instead of the provider
        # tunnel -- a leak relative to the stated intent (see the dual-stack
        # remark at the end of the thread).
        option ip6assign '60'

config device
        option name 'br-wan'
        option type 'bridge'
        list ports 'eth1'

config interface 'wan'
        option device 'br-wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'br-wan'
        option proto 'dhcpv6'

# Cellular/USB uplinks; all of them are members of the 'wan' firewall zone.
config interface 'WWAN'
        option proto 'dhcp'
        option device 'usb0'

config interface 'WWAN6'
        option proto 'dhcpv6'
        option device 'usb0'
        option reqaddress 'try'
        option reqprefix 'auto'

config interface 'WWAN_Q'
        option proto 'dhcp'
        option device 'wwan0_1'

config interface 'WWAN6_Q'
        option proto 'dhcpv6'
        option device 'wwan0_1'
        option reqaddress 'try'
        option reqprefix 'auto'

config device 'eth0'
        option name 'eth0'

config device 'lan0'
        option name 'lan0'

config device 'lan1'
        option name 'lan1'

config device 'lan2'
        option name 'lan2'

config device 'lan3'
        option name 'lan3'

# No 'device' option: as written this interface has nothing to bind to.
config interface 'wwan'
        option proto 'dhcp'

# WireGuard "server" side: the road-warrior peers (phones/PCs) land here.
config interface 'wg_lan'
        option proto 'wireguard'
        option private_key priv_key here
        # UDP 51820 -- the port forwarded from the ISP (and ASUS) router.
        option listen_port '51820'
        list addresses '10.0.5.1/24'
        # Lowered tunnel MTU, presumably to fit WireGuard's overhead on the
        # uplink.
        option mtu '1360'
        # Keep the interface up even with no active handshake, so the routes
        # to the peers' allowed_ips stay installed.
        option force_link '1'

# One section per road-warrior peer. Each peer gets a /32 and a host route
# (route_allowed_ips) so replies to 10.0.5.x are sent back into the tunnel.
# NOTE(review): keepalives are normally only needed on the side behind NAT
# (the phones/PCs); on the listening side they are harmless but unnecessary.
config wireguard_wg_lan
        option public_key pub_key
        option preshared_key psk
        option description desc
        list allowed_ips '10.0.5.2/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

config wireguard_wg_lan
        option public_key pub_key
        option preshared_key psk
        option description desc
        list allowed_ips '10.0.5.3/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

# NOTE(review): this is the only wg_lan peer without a preshared_key; the
# other three have one, so this looks like an oversight (10.0.5.4 is also the
# peer later seen logging in to LuCI as root).
config wireguard_wg_lan
        option public_key pub_key
        option description desc
        list allowed_ips '10.0.5.4/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

config wireguard_wg_lan
        option public_key pub_key
        option preshared_key psk
        option description desc
        list allowed_ips '10.0.5.5/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

# WireGuard "client" side: tunnel to the commercial VPN provider.
config interface 'WGClient'
        option proto 'wireguard'
        option private_key priv_key here
        # IPv4 only; the tunnel carries no IPv6 address.
        list addresses '10.9.0.8/24'

config wireguard_WGClient
        option public_key pub_key
        option endpoint_host ip
        option endpoint_port port
        option persistent_keepalive '25'
        # Accept everything from the provider, but route_allowed_ips is left
        # unset ("Route Allowed IPs" unchecked, see the post) so no default
        # route is installed; which traffic enters this tunnel is decided by
        # PBR instead.
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option description desc

# NOTE(review): this netifd ip-rule sends LAN-sourced traffic to routing
# table 100, but no route with 'table 100' is defined anywhere in this file,
# and it duplicates what the PBR policy already does for the same subnet.
# The replies recommend removing it.
config rule
        option in 'lan'
        option src '192.168.5.0/24'
        option lookup '100'

cat /etc/config/firewall

# /etc/config/firewall as posted. Zones: lan, wan (all uplinks),
# bpiwgserver (road-warrior peers on wg_lan), bpiwgclient (provider tunnel).
config defaults
        # Router-level defaults for traffic not matched by any zone; the wan
        # zone below overrides input/forward with REJECT.
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        # NOTE(review): later in the thread the WireGuard-peer hang stopped
        # once both offload options were turned off ("still working fine since
        # flow offloading deactivation"). Keep them off while the tunnels are
        # in use, or re-enable one at a time to confirm which one breaks it.
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        option mtu_fix '1'

# All uplinks (ethernet WAN plus the cellular/USB interfaces). masq NATs
# whatever is forwarded here from lan or from the wg_lan peers.
config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'WWAN'
        list network 'WWAN6'
        list network 'WWAN_Q'
        list network 'WWAN6_Q'
        list network 'wwan'

# Zone for the road-warrior peers on wg_lan. input ACCEPT means every peer
# can reach the router itself (LuCI/SSH -- the logread output further down
# shows a LuCI root login from 10.0.5.4). forward is REJECT; the explicit
# forwardings at the end of the file grant wan, lan and the provider tunnel.
config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        list network 'wg_lan'
        option name 'bpiwgserver'
        option mtu_fix '1'
        option forward 'REJECT'

config forwarding
        option src 'lan'
        option dest 'wan'

# The rules from here to Support-UDP-Traceroute look like OpenWrt's stock
# defaults; nothing in this thread depends on them.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# NOTE(review): the next two rules forward IPsec (ESP and IKE/UDP 500) from
# wan into lan. Nothing in this setup uses IPsec; unless a LAN host
# terminates IPsec they can be disabled (enabled '0') to shrink the exposed
# surface.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

# Contents of /etc/firewall.user are not shown in the thread, so any extra
# rules it adds are unknown here.
config include
        option path '/etc/firewall.user'

# Opens UDP 51820 (wg_lan's listen_port) for input from *every* zone,
# including the provider tunnel zone (bpiwgclient), whose input policy is
# otherwise REJECT.
# NOTE(review): src 'wan' would be sufficient -- the peers arrive through the
# ISP port-forward, and the provider side has no reason to reach this port.
config rule 'wg'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'
        option name 'Allow-WireGuard-lan'
        option src '*'

# Zone for the provider tunnel. Forwarded LAN traffic is masqueraded behind
# the tunnel address 10.9.0.8. input/output REJECT concern traffic to/from
# the router itself over the tunnel; 'output' applies to router-originated
# packets, so forwarded LAN traffic is not affected by it.
config zone
        option input 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'WGClient'
        option name 'bpiwgclient'
        option output 'REJECT'
        option forward 'ACCEPT'

# LAN -> provider tunnel (which traffic actually takes the tunnel is decided
# by PBR, not by the firewall).
config forwarding
        option src 'lan'
        option dest 'bpiwgclient'

# wg_lan peers -> plain WAN, LAN, and (if ever routed there) the provider
# tunnel. Note there is no lan -> bpiwgserver forwarding, so LAN hosts cannot
# open connections to the road-warrior peers; only the reverse direction is
# allowed.
config forwarding
        option dest 'wan'
        option src 'bpiwgserver'

config forwarding
        option src 'bpiwgserver'
        option dest 'bpiwgclient'

config forwarding
        option src 'bpiwgserver'
        option dest 'lan'

cat vpn-policy-routing

# /etc/config/vpn-policy-routing as posted (the PBR app the replies later
# suggest replacing with plain netifd rules).
config vpn-policy-routing 'config'
        option verbosity '2'
        # NOTE(review): as I read the package docs, strict_enforcement drops
        # traffic that matches a policy whose interface is down instead of
        # letting it fall back to the default route -- i.e. a kill switch for
        # the LAN-over-VPN policy below. Confirm before relying on it.
        option strict_enforcement '1'
        option src_ipset '0'
        option dest_ipset '0'
        option resolver_ipset 'dnsmasq.ipset'
        option boot_timeout '30'
        # Presumably: PBR's iptables rules are appended after existing ones
        # rather than inserted first.
        option iptables_rule_option 'append'
        option procd_reload_delay '1'
        # LuCI presentation options only.
        option webui_enable_column '0'
        option webui_protocol_column '0'
        option webui_chain_column '0'
        option webui_show_ignore_target '0'
        option webui_sorting '1'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        list webui_supported_protocol 'all'
        option enabled '1'
        # IPv6 handling is on, but the only policy below matches an IPv4
        # source, so LAN IPv6 traffic is not steered anywhere by PBR.
        option ipv6_enabled '1'

# Send everything sourced from the LAN subnet through the provider tunnel.
# NOTE(review): '192.168.5.1/24' is the router's host address with a /24
# mask; the replies say to use the network form '192.168.5.0/24' (iptables
# would probably mask it to the same network, but the network form avoids
# the ambiguity). There is also no policy for the wg_lan peers
# (10.0.5.0/24); the thread later adds one sending them to wan.
config policy
        option interface 'WGClient'
        option name 'LanOverWGC'
        option src_addr '192.168.5.1/24'

Thank you for your help

I don't see routing table 100 defined anywhere in /etc/config/network, so the `config rule` at the end has nothing to look up.
Moreover, combining that rule with PBR can have unexpected results, since both do the same thing (add ip rules that steer LAN traffic) and the outcome depends on which one is evaluated first.

The source address in the PBR policy is wrong; it should be the network, 192.168.5.0/24.
And you need the same (a policy whose source is the network) for wg_lan, 10.0.5.0/24.


I removed

config rule
        option in 'lan'
        option src '192.168.5.0/24'
        option lookup '100'

and replaced 192.168.5.1/24 with 192.168.5.0/24 in the PBR policy,
and changed the wg_lan address to 10.0.5.0/24.

Now, from my phone connected to wg_lan, the handshake completes and access to LuCI via 10.0.5.0 is OK, but there is no internet access.

You need to add a PBR policy for traffic from 10.0.5.0/24 to use the WGClient interface.

I think you misunderstood me: the 10.0.5.0/24 clients connected to wg_lan (phone etc.) should not be routed to WGClient; I just want them to reach the WAN and the LAN of the router.

Alright, then use the wan interface in that policy instead.

Still no internet on my phone; the LAN seems reachable but there is no internet access.

I corrected the DNS on the client side (phone) to 10.0.5.0 and now it works! Thank you very much.
One thing I don't understand: does PBR override all routing? Why didn't it work without a PBR policy?

It depends on the PBR's default routing policy and on strict enforcement, I guess.

Correction: I meant that you need a PBR policy for source 10.0.5.0/24, not that you should change the wg_lan address to that. The original `list addresses '10.0.5.1/24'` was correct, and the phone must use 10.0.5.1 as its DNS server.

Alright, so my initial config had two mistakes: the extra rule and the missing PBR policy.
But I still don't get why, without the PBR policy, my phone couldn't reach the WAN by default.

I'm still having the issue: randomly, after a few minutes, my phone loses access to both WAN and LAN. It is very random; if I deactivate WireGuard on the phone and reactivate it, it works again. Very strange behaviour, and it doesn't happen when I use the Beryl AX router.

Check the logs for any hint:
logread

Hi, nothing special.
Current behaviour: when I connect from my phone to the WireGuard server, the handshake completes and only one request to ifconfig.co goes through, then it hangs.

/64 [✓] wwan//0.0.0.0/2a01:e0a:1b0:6fb0:30bc:39ff:fedb:466a/64 2a01:e0a:1b0:6fb0::92d/128 fe80::30bc:39ff:fedb:466a/64 WGClient/10.9.0.8/::/0 wg_wgserver/10.0.5.1/::/0
Sun Sep 24 02:11:09 2023 authpriv.info dropbear[21267]: Exit (root) from <192.168.5.169:57097>: Exited normally
Sun Sep 24 02:16:41 2023 daemon.notice hostapd: wlan1: AP-STA-DISCONNECTED f4:26:79:69:ae:b5
Sun Sep 24 10:32:26 2023 user.info : luci: accepted login on / for root from 10.0.5.4
Sun Sep 24 11:35:27 2023 daemon.info hostapd: wlan1: STA f4:26:79:69:ae:b5 IEEE 802.11: authenticated
Sun Sep 24 11:35:27 2023 daemon.info hostapd: wlan1: STA f4:26:79:69:ae:b5 IEEE 802.11: associated (aid 1)
Sun Sep 24 11:35:27 2023 daemon.notice hostapd: wlan1: STA-OPMODE-SMPS-MODE-CHANGED f4:26:79:69:ae:b5 off
Sun Sep 24 11:35:27 2023 daemon.notice hostapd: wlan1: AP-STA-CONNECTED f4:26:79:69:ae:b5
Sun Sep 24 11:35:27 2023 daemon.info hostapd: wlan1: STA f4:26:79:69:ae:b5 RADIUS: starting accounting session A93871BFFCCF2A37
Sun Sep 24 11:35:27 2023 daemon.info hostapd: wlan1: STA f4:26:79:69:ae:b5 WPA: pairwise key handshake completed (RSN)
Sun Sep 24 11:35:27 2023 daemon.notice hostapd: wlan1: EAPOL-4WAY-HS-COMPLETED f4:26:79:69:ae:b5
Sun Sep 24 11:35:28 2023 daemon.info dnsmasq-dhcp[18138]: DHCPREQUEST(br-lan) 192.168.5.169 f4:26:79:69:ae:b5
Sun Sep 24 11:35:28 2023 daemon.info dnsmasq-dhcp[18138]: DHCPACK(br-lan) 192.168.5.169 f4:26:79:69:ae:b5 Terminator
Sun Sep 24 11:35:33 2023 user.info : luci: accepted login on /admin/network/firewall for root from 192.168.5.169
Sun Sep 24 11:35:44 2023 authpriv.info dropbear[15020]: Child connection from 192.168.5.169:53755
Sun Sep 24 11:35:47 2023 authpriv.notice dropbear[15020]: Password auth succeeded for 'root' from 192.168.5.169:53755

my firewall settings:

I wonder if my port forwarding is missing something?
I have the ISP router forwarding 51820 to the ASUS router, which forwards 51820 to the OpenWrt router.
The handshake is redone every one or two minutes, so that part is OK, but access to LAN or WAN is very unstable.

EDIT: for the sake of simplicity I removed the ASUS router; now I have:
ISP router > OpenWrt router
The ISP router forwards UDP 51820 to the OpenWrt router.
Still the same issue: after the first handshake, internet works only once, then it hangs.

Use tcpdump to check the incoming traffic and the replies. Since it works for a while, it should not be a configuration issue. Maybe something is reloading PBR?
Disable both flow offloading options (software and hardware) for the test.


It seems to be related to PBR: when I shut it down it works better. It's running again now and working; I'll monitor it. Is there a way to achieve what I want without PBR?

My phone is stuck again; it has 10.0.5.5. Here is `tcpdump -i wg_server -n host 10.0.5.5`, captured after I opened the CoinGecko app:

12:54:02.502926 IP 10.0.5.5.45828 > 34.120.208.123.443: Flags [P.], seq 212:305, ack 3439, win 160, options [nop,nop,TS val 3635687 ecr 1852407730], length 93
12:54:02.656453 IP 142.250.179.78.443 > 10.0.5.5.38282: UDP, length 1250
12:54:03.991312 IP 10.0.5.5.52701 > 10.0.5.1.53: 62256+ A? mobile.api.coingecko.com. (42)
12:54:03.993966 IP 10.0.5.1.53 > 10.0.5.5.52701: 62256 2/0/0 A 104.18.29.120, A 104.18.28.120 (74)
12:54:04.612072 IP 10.0.5.5.38282 > 142.250.179.78.443: UDP, length 1250
12:54:05.560310 IP 142.250.179.78.443 > 10.0.5.5.38282: UDP, length 1250
12:54:05.567031 IP 10.0.5.5.38282 > 142.250.179.78.443: UDP, length 1250
12:54:07.087997 IP 10.0.5.5.42542 > 104.18.29.120.443: Flags [S], seq 668146266, win 65535, options [mss 1240,sackOK,TS val 3636144 ecr 0,nop,wscale 9], length 0
12:54:07.091703 IP 104.18.29.120.443 > 10.0.5.5.42542: Flags [S.], seq 2466252695, ack 668146267, win 65160, options [mss 1320,sackOK,TS val 530004523 ecr 3636144,nop,wscale 13], length 0
12:54:07.994952 IP 10.0.5.5.42542 > 104.18.29.120.443: Flags [P.], seq 1:518, ack 1, win 146, options [nop,nop,TS val 3636235 ecr 530004523], length 517
12:54:07.998004 IP 104.18.29.120.443 > 10.0.5.5.42542: Flags [.], ack 518, win 7, options [nop,nop,TS val 530005429 ecr 3636235], length 0
12:54:08.000055 IP 104.18.29.120.443 > 10.0.5.5.42542: Flags [P.], seq 1:2457, ack 518, win 8, options [nop,nop,TS val 530005431 ecr 3636235], length 2456
12:54:08.000100 IP 104.18.29.120.443 > 10.0.5.5.42542: Flags [P.], seq 2457:4812, ack 518, win 8, options [nop,nop,TS val 530005431 ecr 3636235], length 2355
12:54:08.089227 IP 34.120.208.123.443 > 10.0.5.5.45828: Flags [P.], seq 2457:3439, ack 212, win 261, options [nop,nop,TS val 1852414173 ecr 3635600], length 982
12:54:08.937724 IP 10.0.5.5.42542 > 104.18.29.120.443: Flags [P.], seq 518:582, ack 4812, win 165, options [nop,nop,TS val 3636329 ecr 530005431], length 64
12:54:09.807188 IP 10.0.5.5.40178 > 142.250.75.227.443: Flags [.], seq 1:257, ack 1, win 146, options [nop,nop,TS val 3636416 ecr 2721236718], length 256
12:54:09.810476 IP 142.250.75.227.443 > 10.0.5.5.40178: Flags [.], ack 257, win 261, options [nop,nop,TS val 2721251196 ecr 3636416], length 0
12:54:09.853755 IP 104.18.29.120.443 > 10.0.5.5.42542: Flags [P.], seq 3685:4812, ack 518, win 8, options [nop,nop,TS val 530007285 ecr 3636235], length 1127
12:54:11.088348 IP 10.0.5.5.42550 > 104.18.29.120.443: Flags [S], seq 3935454404, win 65535, options [mss 1240,sackOK,TS val 3636544 ecr 0,nop,wscale 9], length 0
12:54:11.092312 IP 104.18.29.120.443 > 10.0.5.5.42550: Flags [S.], seq 3970926709, ack 3935454405, win 65160, options [mss 1320,sackOK,TS val 3392511680 ecr 3636544,nop,wscale 13], length 0
12:54:11.366891 IP 142.250.179.78.443 > 10.0.5.5.38282: UDP, length 1250
12:54:11.663818 IP 34.120.208.123.443 > 10.0.5.5.45828: Flags [F.], seq 3439, ack 212, win 261, options [nop,nop,TS val 1852417747 ecr 3635600], length 0
12:54:11.943519 IP 10.0.5.5.45850 > 34.120.208.123.443: Flags [S], seq 2105090352, win 65535, options [mss 1240,sackOK,TS val 3636629 ecr 0,nop,wscale 9], length 0
12:54:11.946056 IP 34.120.208.123.443 > 10.0.5.5.45850: Flags [S.], seq 3005606702, ack 2105090353, win 65535, options [mss 1320,sackOK,TS val 3954530606 ecr 3636629,nop,wscale 8], length 0
12:54:12.128772 IP 104.18.29.120.443 > 10.0.5.5.42550: Flags [S.], seq 3970926709, ack 3935454405, win 65160, options [mss 1320,sackOK,TS val 3392512717 ecr 3636544,nop,wscale 13], length 0
12:54:12.252236 IP 34.120.208.123.443 > 10.0.5.5.45850: Flags [S.], seq 3005606702, ack 2105090353, win 65535, options [mss 1320,sackOK,TS val 3954530912 ecr 3636629,nop,wscale 8], length 0
12:54:12.604931 IP 104.18.29.120.443 > 10.0.5.5.42542: Flags [.], seq 1:1229, ack 518, win 8, options [nop,nop,TS val 530010036 ecr 3636235], length 1228
12:54:12.852665 IP 74.125.206.188.5228 > 10.0.5.5.48574: Flags [FP.], seq 1:204, ack 537, win 261, options [nop,nop,TS val 2962275684 ecr 3632135], length 203
12:54:12.858274 IP 10.0.5.5.48574 > 74.125.206.188.5228: Flags [.], ack 205, win 148, options [nop,nop,TS val 3636722 ecr 2962275684,nop,nop,sack 1 {1:205}], length 0
12:54:13.794156 IP 10.0.5.5.45850 > 34.120.208.123.443: Flags [P.], seq 1:212, ack 1, win 146, options [nop,nop,TS val 3636816 ecr 3954530606], length 211
12:54:13.796616 IP 34.120.208.123.443 > 10.0.5.5.45850: Flags [.], ack 212, win 261, options [nop,nop,TS val 3954532457 ecr 3636816], length 0
12:54:13.798627 IP 34.120.208.123.443 > 10.0.5.5.45850: Flags [P.], seq 1:2457, ack 212, win 261, options [nop,nop,TS val 3954532459 ecr 3636816], length 2456
12:54:13.798667 IP 34.120.208.123.443 > 10.0.5.5.45850: Flags [P.], seq 2457:3439, ack 212, win 261, options [nop,nop,TS val 3954532459 ecr 3636816], length 982

Maybe it's a DNS issue: the interface has "Use DNS servers advertised by peer" checked, and my phone has its DNS set to the interface itself (10.0.5.1), so I don't know where the DNS queries are resolved (the capture above does show queries to 10.0.5.1 being answered, though).

Here we go, I isolated the ifconfig.co request.
Hung phone, 10.0.5.4:

 tcpdump -i wg_wgserver host ifconfig.co
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wg_wgserver, link-type RAW (Raw IP), capture size 262144 bytes
13:17:18.622103 IP 10.0.5.4.37278 > 172.64.170.5.443: Flags [S], seq 1723293692, win 65535, options [mss 1240,sackOK,TS val 2700222738 ecr 0,nop,wscale 9], length 0
13:17:18.626102 IP 172.64.170.5.443 > 10.0.5.4.37278: Flags [S.], seq 1106583784, ack 1723293693, win 65160, options [mss 1320,sackOK,TS val 3807491431 ecr 2700222738,nop,wscale 13], length 0
13:17:19.000677 IP 10.0.5.4.37278 > 172.64.170.5.443: Flags [P.], seq 1:518, ack 1, win 128, options [nop,nop,TS val 2700223154 ecr 3807491431], length 517
13:17:19.004335 IP 172.64.170.5.443 > 10.0.5.4.37278: Flags [.], ack 518, win 7, options [nop,nop,TS val 3807491809 ecr 2700223154], length 0
13:17:19.010065 IP 172.64.170.5.443 > 10.0.5.4.37278: Flags [P.], seq 1:2457, ack 518, win 8, options [nop,nop,TS val 3807491815 ecr 2700223154], length 2456
13:17:19.010113 IP 172.64.170.5.443 > 10.0.5.4.37278: Flags [P.], seq 2457:4245, ack 518, win 8, options [nop,nop,TS val 3807491815 ecr 2700223154], length 1788
13:17:19.794607 IP 172.64.170.5.443 > 10.0.5.4.37278: Flags [P.], seq 3685:4245, ack 518, win 8, options [nop,nop,TS val 3807492600 ecr 2700223154], length 560
13:17:19.970977 IP 10.0.5.4.37278 > 172.64.170.5.443: Flags [P.], seq 518:1220, ack 4245, win 148, options [nop,nop,TS val 2700224114 ecr 3807492600], length 702
13:17:20.946784 IP 172.64.170.5.443 > 10.0.5.4.37278: Flags [.], seq 1:1229, ack 518, win 8, options [nop,nop,TS val 3807493752 ecr 2700223154], length 1228
13:17:20.983044 IP 10.0.5.4.37278 > 172.64.170.5.443: Flags [.], ack 4245, win 148, options [nop,nop,TS val 2700225152 ecr 3807492600,nop,nop,sack 1 {1:1229}], length 0
13:17:23.251106 IP 172.64.170.5.443 > 10.0.5.4.37278: Flags [.], seq 1:1229, ack 518, win 8, options [nop,nop,TS val 3807496056 ecr 2700223154], length 1228
13:17:23.291334 IP 10.0.5.4.37278 > 172.64.170.5.443: Flags [.], ack 4245, win 148, options [nop,nop,TS val 2700227447 ecr 3807492600,nop,nop,sack 1 {1:1229}], length 0
13:17:28.244569 IP 172.64.170.5.443 > 10.0.5.4.37278: Flags [.], seq 1:1025, ack 518, win 8, options [nop,nop,TS val 3807501049 ecr 2700223154], length 1024
13:17:28.298198 IP 10.0.5.4.37278 > 172.64.170.5.443: Flags [.], ack 4245, win 148, options [nop,nop,TS val 2700232454 ecr 3807492600,nop,nop,sack 1 {1:1025}], length 0
13:17:34.005539 IP 172.64.170.5.443 > 10.0.5.4.37278: Flags [F.], seq 4245, ack 518, win 8, options [nop,nop,TS val 3807506809 ecr 2700223154], length 0
13:17:58.648820 IP 10.0.5.4.37278 > 172.64.170.5.443: Flags [FP.], seq 518:1255, ack 4246, win 148, options [nop,nop,TS val 2700262802 ecr 3807506809], length 737
13:17:58.652675 IP 172.64.170.5.443 > 10.0.5.4.37278: Flags [R], seq 1106588030, win 0, length 0
13:18:13.289310 IP 10.0.5.4.46284 > 172.64.170.5.443: Flags [S], seq 2549463695, win 65535, options [mss 1240,sackOK,TS val 2700277443 ecr 0,nop,wscale 9], length 0
13:18:13.293237 IP 172.64.170.5.443 > 10.0.5.4.46284: Flags [S.], seq 892276402, ack 2549463696, win 65160, options [mss 1320,sackOK,TS val 765646577 ecr 2700277443,nop,wscale 13], length 0
13:18:14.330142 IP 172.64.170.5.443 > 10.0.5.4.46284: Flags [S.], seq 892276402, ack 2549463696, win 65160, options [mss 1320,sackOK,TS val 765647614 ecr 2700277443,nop,wscale 13], length 0
13:18:26.670589 IP 10.0.5.4.33238 > 172.64.170.5.443: Flags [S], seq 1065649711, win 65535, options [mss 1240,sackOK,TS val 2700290834 ecr 0,nop,wscale 9], length 0
13:18:26.674452 IP 172.64.170.5.443 > 10.0.5.4.33238: Flags [S.], seq 2672382540, ack 1065649712, win 65160, options [mss 1320,sackOK,TS val 1204996036 ecr 2700290834,nop,wscale 13], length 0
13:18:27.715954 IP 172.64.170.5.443 > 10.0.5.4.33238: Flags [S.], seq 2672382540, ack 1065649712, win 65160, options [mss 1320,sackOK,TS val 1204997078 ecr 2700290834,nop,wscale 13], length 0
13:18:34.531050 IP 10.0.5.4.33252 > 172.64.170.5.443: Flags [S], seq 586541301, win 65535, options [mss 1240,sackOK,TS val 2700298642 ecr 0,nop,wscale 9], length 0
13:18:34.533690 IP 172.64.170.5.443 > 10.0.5.4.33252: Flags [S.], seq 2655564932, ack 586541302, win 65160, options [mss 1320,sackOK,TS val 297136557 ecr 2700298642,nop,wscale 13], length 0
13:18:35.593925 IP 172.64.170.5.443 > 10.0.5.4.33252: Flags [S.], seq 2655564932, ack 586541302, win 65160, options [mss 1320,sackOK,TS val 297137618 ecr 2700298642,nop,wscale 13], length 0
13:18:35.830231 IP 10.0.5.4.33252 > 172.64.170.5.443: Flags [P.], seq 1:518, ack 1, win 128, options [nop,nop,TS val 2700299986 ecr 297136557], length 517
13:18:35.832811 IP 172.64.170.5.443 > 10.0.5.4.33252: Flags [.], ack 518, win 7, options [nop,nop,TS val 297137856 ecr 2700299986], length 0
13:18:35.838468 IP 172.64.170.5.443 > 10.0.5.4.33252: Flags [P.], seq 1:4245, ack 518, win 8, options [nop,nop,TS val 297137862 ecr 2700299986], length 4244
13:18:38.473959 IP 172.64.170.5.443 > 10.0.5.4.33252: Flags [P.], seq 3685:4245, ack 518, win 8, options [nop,nop,TS val 297140498 ecr 2700299986], length 560
13:18:42.377939 IP 172.64.170.5.443 > 10.0.5.4.33252: Flags [.], seq 1:1229, ack 518, win 8, options [nop,nop,TS val 297144402 ecr 2700299986], length 1228
13:18:50.185530 IP 172.64.170.5.443 > 10.0.5.4.33252: Flags [.], seq 1:1025, ack 518, win 8, options [nop,nop,TS val 297152210 ecr 2700299986], length 1024
13:18:50.832222 IP 172.64.170.5.443 > 10.0.5.4.33252: Flags [F.], seq 4245, ack 518, win 8, options [nop,nop,TS val 297152856 ecr 2700299986], length 0

Working phone, 10.0.5.5:

13:20:58.034112 IP 10.0.5.5.38710 > 172.64.170.5.443: UDP, length 1250
13:20:58.038532 IP 172.64.170.5.443 > 10.0.5.5.38710: UDP, length 1200
13:20:58.039366 IP 172.64.170.5.443 > 10.0.5.5.38710: UDP, length 1200
13:20:58.040515 IP 10.0.5.5.39966 > 172.64.170.5.443: Flags [S], seq 1370500442, win 65535, options [mss 1240,sackOK,TS val 3721685 ecr 0,nop,wscale 9], length 0
13:20:58.043942 IP 172.64.170.5.443 > 10.0.5.5.39966: Flags [S.], seq 1611405669, ack 1370500443, win 65160, options [mss 1320,sackOK,TS val 3383281726 ecr 3721685,nop,wscale 13], length 0
13:20:58.046503 IP 10.0.5.5.38710 > 172.64.170.5.443: UDP, length 1250
13:20:58.046530 IP 10.0.5.5.38710 > 172.64.170.5.443: UDP, length 163
13:20:58.048045 IP 10.0.5.5.38710 > 172.64.170.5.443: UDP, length 520
13:20:58.048599 IP 10.0.5.5.39966 > 172.64.170.5.443: Flags [.], ack 1, win 146, options [nop,nop,TS val 3721685 ecr 3383281726], length 0
13:20:58.049261 IP 10.0.5.5.39966 > 172.64.170.5.443: Flags [P.], seq 1:549, ack 1, win 146, options [nop,nop,TS val 3721685 ecr 3383281726], length 548
13:20:58.050164 IP 172.64.170.5.443 > 10.0.5.5.38710: UDP, length 485
13:20:58.050192 IP 172.64.170.5.443 > 10.0.5.5.38710: UDP, length 24
13:20:58.050211 IP 172.64.170.5.443 > 10.0.5.5.38710: UDP, length 24
13:20:58.050234 IP 172.64.170.5.443 > 10.0.5.5.38710: UDP, length 49
13:20:58.052647 IP 172.64.170.5.443 > 10.0.5.5.39966: Flags [.], ack 549, win 7, options [nop,nop,TS val 3383281735 ecr 3721685], length 0
13:20:58.053176 IP 172.64.170.5.443 > 10.0.5.5.38710: UDP, length 24
13:20:58.055181 IP 10.0.5.5.38710 > 172.64.170.5.443: UDP, length 44
13:20:58.055209 IP 10.0.5.5.38710 > 172.64.170.5.443: UDP, length 47
13:20:58.055832 IP 172.64.170.5.443 > 10.0.5.5.39966: Flags [P.], seq 1:213, ack 549, win 8, options [nop,nop,TS val 3383281738 ecr 3721685], length 212
13:20:58.059356 IP 172.64.170.5.443 > 10.0.5.5.38710: UDP, length 29
13:20:58.063176 IP 10.0.5.5.39966 > 172.64.170.5.443: Flags [.], ack 213, win 148, options [nop,nop,TS val 3721687 ecr 3383281738], length 0
13:20:58.065662 IP 10.0.5.5.39966 > 172.64.170.5.443: Flags [P.], seq 549:613, ack 213, win 148, options [nop,nop,TS val 3721687 ecr 3383281738], length 64
13:20:58.068960 IP 172.64.170.5.443 > 10.0.5.5.39966: Flags [P.], seq 213:725, ack 613, win 8, options [nop,nop,TS val 3383281751 ecr 3721687], length 512
13:20:58.076739 IP 172.64.170.5.443 > 10.0.5.5.38710: UDP, length 1200
13:20:58.076773 IP 172.64.170.5.443 > 10.0.5.5.38710: UDP, length 1200
13:20:58.076796 IP 172.64.170.5.443 > 10.0.5.5.38710: UDP, length 1200
13:20:58.076815 IP 172.64.170.5.443 > 10.0.5.5.38710: UDP, length 190
13:20:58.085033 IP 10.0.5.5.38710 > 172.64.170.5.443: UDP, length 44
13:20:58.085064 IP 10.0.5.5.38710 > 172.64.170.5.443: UDP, length 43
13:20:58.097699 IP 172.64.170.5.443 > 10.0.5.5.38710: UDP, length 1200
13:20:58.097732 IP 172.64.170.5.443 > 10.0.5.5.38710: UDP, length 1200
13:20:58.097753 IP 172.64.170.5.443 > 10.0.5.5.38710: UDP, length 354
13:20:58.103677 IP 10.0.5.5.38710 > 172.64.170.5.443: UDP, length 43
13:20:58.103678 IP 10.0.5.5.38710 > 172.64.170.5.443: UDP, length 43
13:20:58.110601 IP 10.0.5.5.39966 > 172.64.170.5.443: Flags [.], ack 725, win 150, options [nop,nop,TS val 3721692 ecr 3383281751], length 0

On my 10.0.5.4 phone I get ERR_CONNECTION_CLOSED.
As you can see, there are no UDP transfers for 10.0.5.4. (In the same capture the phone's ACKs are seen arriving on the wg interface, yet the server keeps retransmitting the same segment (seq 1:1229) and later re-sends its SYN-ACKs, which suggests the phone's packets are not making it from the router out to the server -- consistent with the flow-offloading suspicion rather than with a DNS problem.)

I'm still monitoring; it has been working fine since I deactivated flow offloading.

You can use a different PBR method, replacing the PBR app with netifd's own routing tables and rules:

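#!/bin/sh
# Replace the vpn-policy-routing app with plain netifd policy routing:
#   table 1 = lan, table 2 = wg_lan, table 3 = WGClient (provider tunnel).
# Traffic arriving on lan is looked up in table 3, which holds the provider's
# default route once route_allowed_ips is on; the wg_lan peers keep using the
# main table (plain WAN). Run on the router as root; it restarts networking.
#
# OpenWrt's /bin/sh is busybox ash, so only POSIX features are used here.
set -eu

# Bail out before touching anything if this is not a UCI system, so a
# half-applied config is never committed.
command -v uci >/dev/null 2>&1 || { echo "uci not found" >&2; exit 1; }

# Let netifd install the provider's 0.0.0.0/0 and ::/0 routes. They land in
# table 3 (ip4table/ip6table below), not in main, so the router's own default
# route is unaffected.
uci set network.@wireguard_WGClient[0].route_allowed_ips='1'

for ipv in 4 6; do
  # "" for IPv4, "6" for IPv6: selects the rule / rule6 section type and the
  # matching section-name suffix.
  sfx=${ipv%4}

  uci set "network.lan.ip${ipv}table=1"
  uci set "network.wg_lan.ip${ipv}table=2"
  uci set "network.WGClient.ip${ipv}table=3"

  # Steer everything arriving on lan into the provider's table. Priority 30000
  # should come after the per-interface rules netifd adds for the tables
  # above (lower numbers win), so LAN <-> wg_lan and LAN <-> router traffic is
  # still resolved before this rule.
  # `uci delete` fails when the section does not exist yet; that is fine.
  uci -q delete "network.lan_vpn${sfx}" || true
  uci set "network.lan_vpn${sfx}=rule${sfx}"
  uci set "network.lan_vpn${sfx}.in=lan"
  uci set "network.lan_vpn${sfx}.lookup=3"
  uci set "network.lan_vpn${sfx}.priority=30000"

  # Kill switch: while the tunnel is down table 3 is empty and the lookup
  # above falls through to main, i.e. LAN traffic would leak out of the plain
  # WAN. Refuse it instead (the PBR app's strict_enforcement option is meant
  # to give the same protection). This also blocks LAN IPv6 until the tunnel
  # actually carries IPv6 -- see the dual-stack remark below.
  uci -q delete "network.lan_vpn${sfx}_block" || true
  uci set "network.lan_vpn${sfx}_block=rule${sfx}"
  uci set "network.lan_vpn${sfx}_block.in=lan"
  uci set "network.lan_vpn${sfx}_block.action=unreachable"
  uci set "network.lan_vpn${sfx}_block.priority=30001"
done

uci commit network
/etc/init.d/network restart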

This way should be more stable, since it is better integrated with netifd.
Be sure to enable IPv6 NAT or NPT if your setup is dual-stack; otherwise LAN clients' IPv6 traffic, which presumably uses addresses from the ISP-delegated prefix, cannot be sent through the provider tunnel as-is.
