WireGuard Server Issue

Hey everyone,

After following the WireGuard server setup page on the OpenWrt wiki twice over, then reading just about every applicable troubleshooting post on this forum, the OpenWrt reddit, and the WireGuard reddit, I'm ready to throw in the towel.

Here's what the problem is:

The WireGuard server is indicating connected to peer (phone/laptop) over WAN, visible via wg show and via the LuCI status page. It is also indicating significant packets as rx when trying to access sites via said peer, and indicating tx; however, as verified by Wireshark on the client and tcpdump running on the router itself, it's only sending keepalives (which the client does receive). So to me it seems as though either the wg server running on OpenWrt doesn't want to route the traffic out once decrypted, or isn't sure what to do with it when it gets back (forward back through the tunnel to the client). Or it's something even more complicated.

Here's what I've tried/basics of my setup:
- Triple checked, and even rerolled the keys to no avail; have also used the handy QR feature from OpenWrt to ensure it wasn't some error in transcription.

- DNS is specified explicitly in the WireGuard interface as CF and Google DNS servers.

- Adjusted MTU down to 1280 in the wg interface on OpenWrt and specified MTU=1280 in the WireGuard conf file.

- Toggled the magic IP route setting in the peer page of the WireGuard interface that's suggested here.

- The interface peer definition and my client's conf file both have a mask of /32 with matching IP.

- Have the accept WireGuard rule enabled in traffic rules; also have tried manually forwarding the port to this device from wan to lan.

- I've even tried assigning the wg interface to its own fw zone vs lan and played with forward settings with no luck.

Here's what I want:

A way to debug this methodically. I have already used tcpdump with filters to inspect what packets are being sent and received at each interface. I also have the packet statistics from wg itself on the router and the client. I now need a way to track what's happening with the decrypted traffic.

I can post configs etc tomorrow, I'd been staring at my monitor for too long and needed to take a break, hence the poor post formatting from my mobile. Hopefully when I come back someone can point me in the right direction.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have.

ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru

Also a screenshot from the mobile client wireguard settings.

{
        "kernel": "5.10.161",
        "hostname": "x",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "Netgear WAX202",
        "board_name": "netgear,wax202",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.3",
                "revision": "r20028-43d71ad93e",
                "target": "ramips/mt7621",
                "description": "OpenWrt 22.03.3 r20028-43d71ad93e"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fd38:7152:a406::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config device
        option name 'lan1'
        option macaddr '34:98:b5:12:d7:fc'

config device
        option name 'lan2'
        option macaddr '34:98:b5:12:d7:fc'

config device
        option name 'lan3'
        option macaddr '34:98:b5:12:d7:fc'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.3.1'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        list dns '2606:4700:4700::1111'
        list dns '2606:4700:4700::1001'

config device
        option name 'wan'
        option macaddr '34:98:b5:12:d7:fd'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'IoT'
        option proto 'static'
        option ipaddr '192.168.203.1'
        option netmask '255.255.255.0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        list dns '2606:4700:4700::1111'
        list dns '2606:4700:4700::1001'

config interface 'wg_serv'
        option proto 'wireguard'
        option private_key 'xxxxwmsG6p0BOQZj3gqGaiMxDsjF5MIn7jiObnexfn0='
        option listen_port '29900'
        list addresses '10.8.0.2/24'
        list addresses 'fdf1:e8a1:8d3f:9::1/64'
        option mtu '1280'

config wireguard_wg_serv 'wgclient'
        option preshared_key 'xxxxOJl5SmFPcBCzOC3bUArz3xrTgbndL1895Oy90o8='
        list allowed_ips '10.8.0.2/32'
        list allowed_ips 'fdf1:e8a1:8d3f:9::2/128'
        option persistent_keepalive '25'
        option public_key 'xxxFbQrmuAciLNJurpwFSwjqzUl7fNvmfJkIm/vrnwU='
        option private_key 'xxxS9Jk58OnIOUmr0rtPGVGKWURXdPO/fPn9ZyfTh2Y='

package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'IoT'
        option interface 'IoT'
        option start '100'
        option leasetime '12h'
        option limit '120'

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg_serv'

config zone 'wan'
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        option input 'REJECT'
        option masq '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'IoT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'IoT'
        option input 'REJECT'

config forwarding
        option src 'IoT'
        option dest 'wan'

config rule
        option name 'IoT-DHCP'
        list proto 'udp'
        option src 'IoT'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option name 'IoT-DNS'
        option src 'IoT'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'IoT-Block'
        option src 'IoT'
        option target 'DROP'

config rule
        option src 'IoT'
        option target 'DROP'
        option dest '*'
        option name 'IoT-Block-ModemRouters'
        list dest_ip '192.168.12.1/24'
        list dest_ip '192.168.2.1/24'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'f passive'
        list proto 'tcp'
        option src 'wan'
        option src_dport '50000-51000'
        option dest_ip '192.168.3.218'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'f'
        list proto 'tcp'
        option src 'wan'
        option src_dport '34'
        option dest_ip '192.168.3.218'

config rule
        option src 'wan'
        list src_ip '192.168.2.1/24'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '29900'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option src '*'
        list src_ip '192.168.2.1/24'
        option dest '*'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'c port'
        option src 'wan'
        option src_dport '4230'
        option dest_ip '192.168.3.218'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'wg'
        list proto 'udp'
        option src 'wan'
        option src_dport '29900'
        option dest_ip '192.168.3.1'

config forwarding
        option dest 'lan'

config forwarding
        option src 'wan'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.2.195/24 brd 192.168.2.255 scope global wan
       valid_lft forever preferred_lft forever
18: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.3.1/24 brd 192.168.3.255 scope global br-lan
       valid_lft forever preferred_lft forever
22: wlan0-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.203.1/24 brd 192.168.203.255 scope global wlan0-1
       valid_lft forever preferred_lft forever
32: wg_serv: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1280 qdisc noqueue state UNKNOWN qlen 1000
    inet 10.8.0.2/24 brd 10.8.0.255 scope global wg_serv
       valid_lft forever preferred_lft forever
default via 192.168.2.1 dev wan  src 192.168.2.195
10.8.0.0/24 dev wg_serv scope link  src 10.8.0.2
192.168.2.0/24 dev wan scope link  src 192.168.2.195
192.168.3.0/24 dev br-lan scope link  src 192.168.3.1
192.168.203.0/24 dev wlan0-1 scope link  src 192.168.203.1
broadcast 10.8.0.0 dev wg_serv table local scope link  src 10.8.0.2
local 10.8.0.2 dev wg_serv table local scope host  src 10.8.0.2
broadcast 10.8.0.255 dev wg_serv table local scope link  src 10.8.0.2
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 192.168.2.0 dev wan table local scope link  src 192.168.2.195
local 192.168.2.195 dev wan table local scope host  src 192.168.2.195
broadcast 192.168.2.255 dev wan table local scope link  src 192.168.2.195
broadcast 192.168.3.0 dev br-lan table local scope link  src 192.168.3.1
local 192.168.3.1 dev br-lan table local scope host  src 192.168.3.1
broadcast 192.168.3.255 dev br-lan table local scope link  src 192.168.3.1
broadcast 192.168.203.0 dev wlan0-1 table local scope link  src 192.168.203.1
local 192.168.203.1 dev wlan0-1 table local scope host  src 192.168.203.1
broadcast 192.168.203.255 dev wlan0-1 table local scope link  src 192.168.203.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

Your main interface and the peer have the same IPv4 address... change one of them. Maybe change the interface to 10.8.0.1/24

What is the intent of this rule? Currently, it will cause all traffic to be dropped from the IoT zone, which means no internet access, either.

And the next rule here... is this supposed to block only those specific addresses, or should it be blocking the entire subnets? Are those subnets upstream of your OpenWrt router?
What you're currently doing is blocking just the 2 individual IP addresses. If you want to block the subnets, make it 192.168.12.0/24 and 192.168.2.0/24

Same thing here... is this intended to allow the upstream network to reach the OpenWrt router itself? Do you want the whole network to be able to reach the router, or just a single host? Again, if the whole network: 192.168.2.0/24

What is the purpose of the following rule:

This next one should be removed... you already have a traffic rule allowing UDP 29900... a redirect is not appropriate here.

These next two are incomplete... just delete them.

Wow!

Sometimes it's the simple things that can be the most frustrating. Guess my interpretation of CIDR notation has been off for a while now...

I had always presumed that the terminating octet was kind of a DNC because the mask portion /24 would indicate that only the masked bits would be used for routing. Thanks a bunch for the handful of tips on fixing up my configs.

Have neighboring subnets on 2 lans, wanted the ability to communicate between the lan hosts on these networks but don't want them to be on the same larger subnet. Has to do with wanting different packages/policies/vlans in different regions within the network with only a single LAN connection between routers. I understand the complication this introduces in terms of double NAT but I'm already far beyond that with this setup, stuck with 4to6/6to4 CGNAT with ISP issued gateway with no bridge mode.

Yeah.... this is a common mistake. But now you'll be able to fix those issues.

Regarding the other rule... with masquerading enabled on your OpenWrt WAN, accepting connections from 192.168.2.0/24 can only go as far as the router itself... you won't be able to connect to hosts behind the router.

If your main router supports static routes, you can insert routes on that device and then turn off masquerading.... then your upstream network can easily connect to hosts behind your OpenWrt router (allowed/limited by using the firewall). This has the added benefit of removing a layer of NAT masquerading since now you'd have symmetric routing.

I have static routes on the main router to direct all traffic with .3.x to the lan IP of the cascaded router. Have been using this setup for a while with ability to connect to hosts between the 2 lans.

Device discovery obviously doesn't work and thus far if connecting a WAN service to the cascaded router I've had to port forward a 2nd time on the cascaded router but besides that I've been happy. I may try to disable masq on cascaded router WAN, I had considered the same thing with the same line of thought prior but was as I said, happy enough when I got it all working and forgot about it :D.

OK... yeah, all makes sense.

Back to the original problem -- is that solved now, or are there still issues?

Yes, thank you very much.

One last question before you close this out. Why even specify the /24 vs /32 for the wg interface IP addr? If we specify the terminating octet as any value besides 0, it assigns it as per usual.

For which interface? WG?

On the WG interface, the idea is to explicitly specify a subnet size that includes all of the peer addresses. /24 is easy and common... but it could be larger or smaller, of course. Specifying the peers as /32 is again the explicit way to say that the peer address is a single address, and only traffic matching that address can go through the tunnel to that peer.

Gotcha,

Yeah I was specifically referring to this from the wg interface page on luci.

Also, what exactly does this break down into: the range of all addresses from 10.8.0.1 to 10.8.0.255 not including 0, or solely the address 10.8.0.1? If the latter, that's why I don't understand the significance of supplying the address as 10.8.0.1/24 vs 10.8.0.1/32, as it's only interpreted as 10.8.0.1/32.

I understand why masks are valuable, and now I know from you to specify them with 0 in the octet if I want to include the whole octet; I'm just trying to understand how to use CIDR in OpenWrt correctly.

In a /24 network, valid host ranges are 1-254 (last octet). The 0 address is the network/subnet ID, and 255 is the broadcast address.

By specifying the address (10.8.0.1) and the subnet (/24), you tell the interface that it shall use the address given, and that it can make L2 connections with other devices in the /24 range (so now 2-254 are available). Since WG is then routed (L3), this also tells the router the address and size of the network so that it can establish the appropriate routing tables.

Does that help?


Yeah that was a great explanation!

So in this specific example from the screenshot the /24 could just as well be /32 as it's for this specific interface right? Because it's not like it's specifying the range for DHCP purposes and the peer IP is specified in the peer config.

No, it still needs to be able to contain its own address as well as the peers. It could be smaller than /24... if you had only 1 peer, it might look like this:

10.8.0.1/30 --> 'server'
10.8.0.2/32 --> remote peer

If you had 2-5 peers, it would need to be a /29, etc.

10.8.0.1/29 --> 'server'
10.8.0.2/32 --> remote peer1
...
10.8.0.6/32 --> remote peer5
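The two configuration mistakes this thread turns on (the interface and the peer both claiming 10.8.0.2, and an interface subnet that has to be big enough to hold the server plus every peer, as in the /30 and /29 sizing above) can be checked mechanically from the output of `uci export network`. The following is an added example for this thread, not code from the original posts or from OpenWrt: a small linter that parses the `config interface` stanza with `proto 'wireguard'` and its `config wireguard_<iface>` peer stanzas, using only the UCI keys that appear in the dump above (`addresses`, `allowed_ips`). The function names `parse_uci` and `lint_wireguard` are mine, and the two sample dumps are constructed from the thread's values with the keys left out.

```python
"""Lint the WireGuard stanzas of a `uci export network` dump.

Added example for this thread (not from the original post or from OpenWrt).
It reports: a peer whose allowed_ips contains the interface's own address,
a peer that lies outside the interface subnet, and an IPv4 subnet too small
for the number of peers (a /30 holds one peer, a /29 up to five, a /24 253).
"""
import ipaddress
import re

# Constructed sample: the poster's original stanzas, keys omitted.
# Interface and peer both claim 10.8.0.2.
SAMPLE_UCI = """\
config interface 'wg_serv'
        option proto 'wireguard'
        option listen_port '29900'
        list addresses '10.8.0.2/24'
        list addresses 'fdf1:e8a1:8d3f:9::1/64'
        option mtu '1280'

config wireguard_wg_serv 'wgclient'
        list allowed_ips '10.8.0.2/32'
        list allowed_ips 'fdf1:e8a1:8d3f:9::2/128'
        option persistent_keepalive '25'
"""

# Constructed sample: the fix suggested in the thread (interface moved to 10.8.0.1/24).
FIXED_UCI = SAMPLE_UCI.replace("10.8.0.2/24", "10.8.0.1/24")

_STANZA_RE = re.compile(r"^config\s+(\S+)(?:\s+'([^']*)')?$")
_VALUE_RE = re.compile(r"^(option|list)\s+(\S+)\s+'([^']*)'$")


def parse_uci(text):
    """Parse UCI export text into dicts {'type', 'name', 'opts'}.

    `option` values are stored as strings, `list` values as lists of strings.
    """
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = _STANZA_RE.match(line)
        if m:
            current = {"type": m.group(1), "name": m.group(2), "opts": {}}
            stanzas.append(current)
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            kind, key, val = m.groups()
            if kind == "option":
                current["opts"][key] = val
            else:
                current["opts"].setdefault(key, []).append(val)
    return stanzas


def lint_wireguard(text):
    """Return a list of findings (strings) for every WireGuard interface in text."""
    findings = []
    stanzas = parse_uci(text)
    for iface in stanzas:
        if iface["type"] != "interface" or iface["opts"].get("proto") != "wireguard":
            continue
        name = iface["name"]
        # `list addresses` gives the router's own tunnel address plus the subnet
        # every peer must fall into, e.g. 10.8.0.1/24.
        own = [ipaddress.ip_interface(a) for a in iface["opts"].get("addresses", [])]
        peers = [s for s in stanzas if s["type"] == f"wireguard_{name}"]
        v4_peers = 0
        for peer in peers:
            pname = peer["name"] or "<unnamed>"
            has_v4 = False
            for cidr in peer["opts"].get("allowed_ips", []):
                net = ipaddress.ip_network(cidr, strict=False)
                has_v4 = has_v4 or net.version == 4
                same_family = [o for o in own if o.version == net.version]
                if not same_family:
                    continue  # the interface carries no address of this family
                # The thread's bug: the peer's allowed_ips is the interface's own IP.
                if any(o.ip in net for o in same_family):
                    findings.append(f"{name}: peer {pname} allowed_ips {cidr} "
                                    f"contains the interface's own address")
                # A peer the interface subnet does not cover gets no route via wg.
                if not any(net.subnet_of(o.network) for o in same_family):
                    nets = ", ".join(str(o.network) for o in same_family)
                    findings.append(f"{name}: peer {pname} allowed_ips {cidr} "
                                    f"is outside interface subnet {nets}")
            v4_peers += has_v4
        # Capacity: usable hosts minus the server's own address (/30 -> 1, /29 -> 5).
        for o in own:
            if o.version == 4:
                capacity = max(0, o.network.num_addresses - 3)
                if v4_peers > capacity:
                    findings.append(f"{name}: subnet {o.network} is too small for "
                                    f"{v4_peers} IPv4 peer(s); it holds {capacity}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", SAMPLE_UCI), ("fixed", FIXED_UCI)):
        print(f"== {label} ==")
        for finding in lint_wireguard(cfg) or ["no findings"]:
            print(" ", finding)
```

Run against the original dump it reports only the address collision; against the fixed dump it reports nothing, and feeding it a /30 interface with three peers produces both an "outside interface subnet" finding for the third peer and a "too small" finding, matching the sizing rule given above.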

Got it, thanks!
