Wireguard "server" handshake not reaching wg0 interface

Hello everyone,

I am trying to build a router in the lab on a tl-wr1043nd V4, to be deployed at a remote location with mwan3 failover, a guest network, and wireguard for remote access to the location.
OpenWrt 18.06.2 r7676-cddd7b4c77 / LuCI openwrt-18.06 branch (git-19.079.57770-b99e77d)
WAN wired if = eth0.2 - 192.168.3.208
WAN lte if = usb0 - 192.168.42.129
LAN if = eth0.1 - 10.10.10.1
Wireguard if = wg0 - 10.110.0.1:5182
Windows 10 = 192.168.3.33

/etc/config/network

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'
	option defaultroute '1'
	option metric '10'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'
	option reqprefix 'auto'

config interface 'wanlte'
	option ifname 'usb0'
	option proto 'dhcp'
	option defaultroute '1'
	option metric '20'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '10.10.10.1'
	option ipv6 '0'
	option stp '1'
	option igmp_snooping '1'

config interface 'guests'
	option type 'bridge'
	option ifname 'eth0.6'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '10.60.10.1'
	option ipv6 '0'
	option stp '1'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'SKRUtXcVzKVLM7r4Tr2+ctzD6c+G6ZJPPVchUBFbnno='
	option listen_port '5182'
	list addresses '10.110.0.1/24'

config wireguard_wg0
	option public_key '1NOsPrf6C660VwITI/9MkqhlSjGHhMfDOpqaZssRhCk='
	option description 'WireguardSparkx'
	option persistent_keepalive '25'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'

Wireguard "client" peer config, TunSafe, Windows 10 64-bit

[Interface]
PrivateKey = SKRUtXcVzKVLM7r4Tr2+ctzD6c+G6ZJPPVchUBFbnno=
Address = 10.110.0.2/24
[Peer]
PublicKey = 1NOsPrf6C660VwITI/9MkqhlSjGHhMfDOpqaZssRhCk=
AllowedIPs = 10.10.10.0/24
Endpoint = 192.168.3.208:5182
PersistentKeepalive = 25

/etc/config/firewall

config zone
	option name 'WireGuard'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option network 'wg0'
	option masq '1'
	option mtu_fix '1'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option name 'Allow-Wireguard-Inbound'
	option dest_port '5182'
	option src 'wan'
	option family 'ipv4'

route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.10.10.1      0.0.0.0         UG    0      0        0 lo - added by mwan3 for router generated traffic
0.0.0.0         192.168.3.1     0.0.0.0         UG    10     0        0 eth0.2
0.0.0.0         192.168.42.129  0.0.0.0         UG    20     0        0 usb0
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 br-lan
10.60.10.0      0.0.0.0         255.255.255.0   U     0      0        0 br-guests
10.110.0.0      0.0.0.0         255.255.255.0   U     0      0        0 wg0
192.168.3.0     0.0.0.0         255.255.255.0   U     10     0        0 eth0.2
192.168.42.0    0.0.0.0         255.255.255.0   U     20     0        0 usb0

ip route show
default via 10.10.10.1 dev lo
default via 192.168.3.1 dev eth0.2 proto static src 192.168.3.208 metric 10
10.10.10.0/24 dev br-lan proto kernel scope link src 10.10.10.1
10.60.10.0/24 dev br-guests proto kernel scope link src 10.60.10.1
10.110.0.0/24 dev wg0 proto kernel scope link src 10.110.0.1
192.168.3.0/24 dev eth0.2 proto static scope link metric 10

So far I have got mwan3 working and installed wireguard, but I am stuck since no packets are going to the wg0 interface, although I CAN SEE the packets from Windows on eth0.2 (wired WAN).

from OpenWrt ping wg0 if -> ping 10.110.0.1
PING 10.110.0.1 (10.110.0.1): 56 data bytes
64 bytes from 10.110.0.1: seq=0 ttl=64 time=0.302 ms
64 bytes from 10.110.0.1: seq=1 ttl=64 time=0.285 ms

from OpenWrt -> tcpdump -i eth0.2 port not 22 and port 5182
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0.2, link-type EN10MB (Ethernet), capture size 262144 bytes
08:59:14.161862 IP 192.168.3.33.53079 > 192.168.3.208.5182: UDP, length 148
08:59:20.161998 IP 192.168.3.33.53079 > 192.168.3.208.5182: UDP, length 148
08:59:26.162091 IP 192.168.3.33.53079 > 192.168.3.208.5182: UDP, length 148

from OpenWrt -> tcpdump -i wg0 port not 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wg0, link-type RAW (Raw IP), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

from OpenWrt -> lsmod | grep wire
ip6_udp_tunnel          1376  1 wireguard
udp_tunnel              2176  1 wireguard
wireguard             125152  0

Wireguard on Windows (TAP adapter seems to work OK)
[09:44:44] Loading file: C:\Program Files\TunSafe\Config\TunSafe.conf
[09:44:44] TAP Driver Version 9.21 
[09:44:44] Added Route 10.10.10.0/24  =>  10.110.0.1
[09:44:44] Sending handshake...
[09:44:50] Retrying handshake, attempt 2...
[09:44:56] Retrying handshake, attempt 3...
[09:45:02] Retrying handshake, attempt 4...
[09:45:08] Retrying handshake, attempt 5...
[09:45:12] Deleted Route 10.10.10.0/24  =>  10.110.0.1

from OpenWrt -> netstat -plantu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1290/uhttpd
tcp 0 0 192.168.42.105:53 0.0.0.0:* LISTEN 12183/dnsmasq
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 12183/dnsmasq
tcp 0 0 10.60.10.1:53 0.0.0.0:* LISTEN 12183/dnsmasq
tcp 0 0 10.10.10.1:53 0.0.0.0:* LISTEN 12183/dnsmasq
tcp 0 0 192.168.3.208:53 0.0.0.0:* LISTEN 12183/dnsmasq
tcp 0 0 10.110.0.1:53 0.0.0.0:* LISTEN 12183/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 929/dropbear
tcp 0 0 192.168.3.208:22 192.168.3.33:9664 ESTABLISHED 20919/dropbear
tcp 0 0 192.168.3.208:22 192.168.3.33:6740 ESTABLISHED 3360/dropbear
tcp 0 0 192.168.3.208:22 192.168.3.33:6736 ESTABLISHED 2113/dropbear
tcp 0 0 192.168.3.208:80 192.168.3.33:15451 ESTABLISHED 1290/uhttpd
tcp 0 0 192.168.3.208:80 192.168.3.33:15505 ESTABLISHED 1290/uhttpd
tcp 0 0 192.168.3.208:80 192.168.3.33:15504 ESTABLISHED 1290/uhttpd
tcp 0 0 192.168.3.208:22 192.168.3.33:15537 ESTABLISHED 15321/dropbear
tcp 0 0 :::80 :::* LISTEN 1290/uhttpd
tcp 0 0 fe80::b87e:feff:fe2c:88eb:53 :::* LISTEN 12183/dnsmasq
tcp 0 0 ::1:53 :::* LISTEN 12183/dnsmasq
tcp 0 0 fe80::9ade:d0ff:fea8:acbc:53 :::* LISTEN 12183/dnsmasq
tcp 0 0 fe80::9ade:d0ff:fea8:acbc:53 :::* LISTEN 12183/dnsmasq
tcp 0 0 fe80::9ade:d0ff:fea8:acbc:53 :::* LISTEN 12183/dnsmasq
tcp 0 0 :::22 :::* LISTEN 929/dropbear
udp 0 0 192.168.42.105:53 0.0.0.0:* 12183/dnsmasq
udp 0 0 127.0.0.1:53 0.0.0.0:* 12183/dnsmasq
udp 0 0 10.60.10.1:53 0.0.0.0:* 12183/dnsmasq
udp 0 0 10.10.10.1:53 0.0.0.0:* 12183/dnsmasq
udp 0 0 192.168.3.208:53 0.0.0.0:* 12183/dnsmasq
udp 0 0 10.110.0.1:53 0.0.0.0:* 12183/dnsmasq
udp 0 0 0.0.0.0:5182 0.0.0.0:* -
udp 0 0 0.0.0.0:67 0.0.0.0:* 12183/dnsmasq
udp 0 0 :::546 :::* 11731/odhcp6c
udp 0 0 fe80::b87e:feff:fe2c:88eb:53 :::* 12183/dnsmasq
udp 0 0 ::1:53 :::* 12183/dnsmasq
udp 0 0 fe80::9ade:d0ff:fea8:acbc:53 :::* 12183/dnsmasq
udp 0 0 fe80::9ade:d0ff:fea8:acbc:53 :::* 12183/dnsmasq
udp 0 0 fe80::9ade:d0ff:fea8:acbc:53 :::* 12183/dnsmasq
udp 0 0 :::5182 :::* -
udp 0 0 :::123 :::* 2139/ntpd

10.110.0.1:53 and 0.0.0.0:5182 show that wireguard is working (correct me if I'm wrong).

It looks to me like the kernel "magic" isn't taking place for wireguard modules since packets are not going from wan to wg0.
Any help would be appreciated to track down this issue.
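One thing visible in the two configs posted above: the same PrivateKey appears in the router's wg0 interface and in the TunSafe [Interface], and the same PublicKey appears in both peer stanzas. The following is an added example (editor's code, not from this thread, TunSafe, OpenWrt or the WireGuard project) that checks a client/server config pair for exactly that. It derives each side's public key from its private key with a pure-Python X25519 transcribed from RFC 7748 (plain integers, branches on key bits, so not constant time and for offline diagnosis only) and verifies that each side's [Peer] PublicKey is the other side's derived key. The parser reads wg-quick/TunSafe style files only; OpenWrt's UCI stanzas would need their own reader. The sample keys are the RFC 7748 section 6.1 test vectors, embedded as constructed data, and the "bad" pair is shaped like the thread's configs. Note what that pair shows: with one keypair reused on both ends the derivation check is self-consistent, so the explicit same-private-key test is needed; the WireGuard kernel module silently ignores a configured peer whose public key equals the interface's own key.

```python
# Added example (editor's code, not from the thread or the WireGuard project).
# Checks that a WireGuard "client" and "server" config pair use distinct keypairs
# and that each side's [Peer] PublicKey is derived from the *other* side's PrivateKey.
import base64

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def _clamp(k: bytes) -> int:
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder in plain integers; branches on key bits, so not constant time."""
    k = _clamp(scalar)
    x1 = int.from_bytes(bytes(u[:31]) + bytes([u[31] & 127]), "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key_hex(private_b64: str) -> str:
    return x25519(base64.b64decode(private_b64), BASEPOINT).hex()


def shared_secret_hex(private_b64: str, peer_pub_hex: str) -> str:
    return x25519(base64.b64decode(private_b64), bytes.fromhex(peer_pub_hex)).hex()


def public_key_b64(private_b64: str) -> str:
    return base64.b64encode(bytes.fromhex(public_key_hex(private_b64))).decode()


def parse_wg_conf(text: str) -> dict:
    """Minimal reader for wg-quick/TunSafe style files: PrivateKey from [Interface], PublicKey from [Peer]."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            continue
        key, _, value = line.partition("=")  # base64 values end in "=", partition only splits the first one
        key, value = key.strip(), value.strip()
        if section == "interface" and key == "PrivateKey":
            out["PrivateKey"] = value
        elif section == "peer" and key == "PublicKey":
            out["PeerPublicKey"] = value
    return out


def check_pair(side_a: dict, side_b: dict) -> list:
    """Findings for a config pair; an empty list means the static keys are consistent."""
    findings = []
    if side_a["PrivateKey"] == side_b["PrivateKey"]:
        findings.append("both sides use the same private key; each endpoint needs its own keypair")
    if side_b["PeerPublicKey"] != public_key_b64(side_a["PrivateKey"]):
        findings.append("B's [Peer] PublicKey is not derived from A's PrivateKey")
    if side_a["PeerPublicKey"] != public_key_b64(side_b["PrivateKey"]):
        findings.append("A's [Peer] PublicKey is not derived from B's PrivateKey")
    return findings


# Constructed sample keys: the RFC 7748 section 6.1 test vectors, base64-encoded like WireGuard keys.
ALICE_PRIV = base64.b64encode(bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")).decode()
BOB_PRIV = base64.b64encode(bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")).decode()
ALICE_PUB_HEX = "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
BOB_PUB_HEX = "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f"
SHARED_HEX = "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742"

GOOD_CLIENT = f"[Interface]\nPrivateKey = {ALICE_PRIV}\nAddress = 10.110.0.2/24\n[Peer]\nPublicKey = {public_key_b64(BOB_PRIV)}\nAllowedIPs = 10.10.10.0/24\n"
GOOD_SERVER = f"[Interface]\nPrivateKey = {BOB_PRIV}\nListenPort = 5182\n[Peer]\nPublicKey = {public_key_b64(ALICE_PRIV)}\nAllowedIPs = 10.110.0.2/32\n"
# Same shape as the thread's configs: one private key on both ends and its own public key in both [Peer] blocks.
BAD_CLIENT = f"[Interface]\nPrivateKey = {ALICE_PRIV}\n[Peer]\nPublicKey = {public_key_b64(ALICE_PRIV)}\n"
BAD_SERVER = BAD_CLIENT


def demo() -> tuple:
    good = check_pair(parse_wg_conf(GOOD_CLIENT), parse_wg_conf(GOOD_SERVER))
    bad = check_pair(parse_wg_conf(BAD_CLIENT), parse_wg_conf(BAD_SERVER))
    return good, bad


if __name__ == "__main__":
    for name, findings in zip(("good pair", "bad pair"), demo()):
        print(name, "->", findings or "static keys consistent")
```

On a real router the same check is one command: `wg pubkey < privkey.txt` prints the public key for a private key, and `wg show wg0` lists the peers the kernel actually accepted; a peer stanza that is missing from that list was ignored.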

config wireguard_wg0
	option public_key '1NOsPrf6C660VwITI/9MkqhlSjGHhMfDOpqaZssRhCk='
	option description 'WireguardSparkx'
	option persistent_keepalive '25'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'

Change list allowed_ips to 10.110.0.2/32 and remove the route_allowed_ips

You are right that this is the correct wireguard conf, but still no packets are flowing through wg0.
Telnetting from Windows to the wireguard "server" shows the traffic on WAN but not on wg0.
Any ideas how to test it further to pinpoint the issue and draw a conclusion?

I've got a note on my test setup regarding tunsafe and wireguard on windows.

seems that tunsafe 1.5rc2 Windows client and v1 Android client won't talk to wireguard-go server 24/3/19
Well they do, once you get rid of the stupid /32 route for the peer IP if the peer and server are on the same network.
Need to run a command prompt on Windows as admin and route delete (server IP); then it all works OK.

If you see messages about retrying handshake, it means that the handshake didn't occur, so your connection isn't established. Therefore you won't see anything in the wg0 tcpdump. Check also that your routing and routing policy rules are in order, as mwan3 might have messed them up.

1 Like
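The reply above makes the key observation: "Retrying handshake" means the handshake never completed, so nothing can appear on wg0 yet. The capture posted earlier already says as much, because WireGuard's datagram sizes are fixed by the protocol (handshake initiation 148 bytes, handshake response 92, cookie reply 64, transport data 32 plus the payload padded to a multiple of 16): the three 148-byte datagrams to 192.168.3.208:5182 are initiations, and with a filter of "port 5182" a 92-byte response from the router would have been captured too. The following is an added example (editor's code, not from the thread) that parses tcpdump lines of that form and reports endpoints whose initiations never got a response. The first three sample lines are copied from the post; the rest are constructed to show a second client whose handshake completes. Length alone cannot tell a 64-byte cookie reply from a 64-byte transport datagram; the first byte of the datagram (the message type, visible with tcpdump -X) settles that. The listen port 5182 is assumed from the thread.

```python
# Added example (editor's code, not from the thread). Classifies WireGuard UDP datagrams in
# tcpdump output by length and reports endpoints whose handshake initiations got no response.
import re
from collections import defaultdict

WG_PORT = 5182  # assumption: the router's listen port from the thread

# tcpdump -i <if> line format: "<ts> IP <src>.<sport> > <dst>.<dport>: UDP, length <n>"
LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): UDP, length (?P<length>\d+)$"
)


def classify(length: int) -> str:
    """Map a WireGuard datagram length to its message type (the protocol fixes these sizes)."""
    if length == 148:
        return "handshake-initiation"
    if length == 92:
        return "handshake-response"
    if length == 64:
        # Also a valid transport size (32-byte payload); only the type byte (tcpdump -X) settles it.
        return "cookie-reply-or-transport"
    if length >= 32 and (length - 32) % 16 == 0:
        return "transport-data"  # exactly 32 bytes is a keepalive
    return "not-wireguard"


def parse(lines) -> list:
    records = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for field in ("sport", "dport", "length"):
            rec[field] = int(rec[field])
        rec["type"] = classify(rec["length"])
        records.append(rec)
    return records


def handshake_report(records, server_port: int = WG_PORT) -> dict:
    """Per remote endpoint: initiations sent to the server, responses from it, transport datagrams either way."""
    stats = defaultdict(lambda: {"initiations": 0, "responses": 0, "transport": 0})
    for r in records:
        if r["dport"] == server_port:
            peer = (r["src"], r["sport"])
            if r["type"] == "handshake-initiation":
                stats[peer]["initiations"] += 1
            elif r["type"] == "transport-data":
                stats[peer]["transport"] += 1
        elif r["sport"] == server_port:
            peer = (r["dst"], r["dport"])
            if r["type"] == "handshake-response":
                stats[peer]["responses"] += 1
            elif r["type"] == "transport-data":
                stats[peer]["transport"] += 1
    return dict(stats)


def diagnose(report: dict) -> list:
    """One line per endpoint whose initiations were all ignored: the handshake is failing on the server side."""
    out = []
    for (ip, port), s in sorted(report.items()):
        if s["initiations"] and not s["responses"]:
            out.append(f"{ip}:{port}: {s['initiations']} initiations, 0 responses: the server never answered, "
                       "so nothing can reach wg0; check keys and listen port before routing")
    return out


# First three lines copied from the capture in the thread; the rest are constructed to show a
# second client whose handshake completes and then sends a 32-byte keepalive.
SAMPLE = """\
08:59:14.161862 IP 192.168.3.33.53079 > 192.168.3.208.5182: UDP, length 148
08:59:20.161998 IP 192.168.3.33.53079 > 192.168.3.208.5182: UDP, length 148
08:59:26.162091 IP 192.168.3.33.53079 > 192.168.3.208.5182: UDP, length 148
09:01:00.000000 IP 192.168.3.40.41000 > 192.168.3.208.5182: UDP, length 148
09:01:00.010000 IP 192.168.3.208.5182 > 192.168.3.40.41000: UDP, length 92
09:01:00.020000 IP 192.168.3.40.41000 > 192.168.3.208.5182: UDP, length 32
""".splitlines()

if __name__ == "__main__":
    for line in diagnose(handshake_report(parse(SAMPLE))):
        print(line)
```

Run it against a capture with `tcpdump -l -n -i eth0.2 udp port 5182 | python3 wgdump.py` after replacing SAMPLE with sys.stdin; an endpoint that only ever sends 148-byte datagrams is being ignored by the responder, which points at the static keys, the listen port or a firewall drop rather than at anything downstream of wg0.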

I am trying now with a fresh image of OpenWrt and only installed
luci-proto-wireguard luci-app-wireguard wireguard kmod-wireguard wireguard-tools tcpdump
Using the same config as above, still the same behavior.
It looks like the kernel module doesn't do anything with the traffic flowing on the wireguard port.
How do I debug this??? Is there a log or something on the Linux side to show what's happening inside?
Could you please be more specific about which route you deleted in the Windows cmd.

Open a command prompt in Windows as administrator, then run the following:
route print

Look for a route to the target wireguard server with a netmask of /32, i.e. 255.255.255.255.

Then delete the route:
route delete [ip of target wireguard ip]

Note this wasn't required to connect to a wireguard server located outside my local network. Only when trying to test/check connection with a wireguard device inside my local network.

Could you post again the following?
cat /etc/config/network; cat /etc/config/firewall; ip -4 addr ; ip -4 ro ; ip -4 ru

Also some more information: is the client connecting from WAN or LAN?
One more thing I forgot to tell you: on the Windows client you have not allowed the IP of the wireguard interface (10.110.0.1).

The peer is a VPN; the allowed IPs should be 0.0.0.0/0.

It's only a laptop for remote management, I don't see the reason to allow the whole internet.

1 Like