Wireguard server may not start

I'm getting desperate with the setup of WireGuard. I have a self-compiled OpenWrt running. I have configured a WireGuard server via LuCI on port 52882, but nmap shows me no service on this port. How can I check that the WireGuard server is running?

wg show

And…

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

This is correct for multiple reasons:

  1. WireGuard uses UDP, so the (IP) connection is stateless
  2. WireGuard does not respond to anything other than matching packets [1]

[1] WireGuard does not really have a state, but I cannot find better words. A peer can just send traffic to the other peer, and if the keys match then it works.
Nitpick on the side: WG has no server or clients, just peers. It does not matter who initiates the connection.


The best you can do is:

  • Enable keepalive so that the link shows activity every couple of seconds.
  • Use wg show to check the current interface and peer status.

The wg show command will have information about the latest handshake per peer, which should constantly update due to the keep alive setting.


In the meantime I got a site-to-site connection between OpenWrt (home) and OPNsense (datacenter) working, but it doesn't work properly yet.

From the OpenWrt router itself I can access the network behind the OPNsense, but not from the LAN (home).

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'ffff:aaaa:7626::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option peerdns '0'
        option dns '127.0.0.1'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        option dns '0::1'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'wg_privkey'
        option listen_port '52840'
        list addresses '10.0.0.2/24'

config wireguard_wg0
        option description 'opnsense'
        option public_key 'wg_pubkey'
        option route_allowed_ips '1'
        option endpoint_host 'subdomain.OPNsense.domain'
        option endpoint_port '52840'
        option persistent_keepalive '30'
        list allowed_ips '192.168.1.0/24'
        list allowed_ips '10.0.0.0/24'

cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'luci'
        option src 'wan'
        option src_dport '8080'
        option dest_ip '192.168.2.1'
        option dest_port '8080'
        list proto 'tcp'

config zone
        option name 'vpn'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        list network 'wg0'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '52840'
        option proto 'udp'
        option target 'ACCEPT'
        option src_port '52840'
        list dest_ip '192.168.2.1'
        option dest 'lan'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'ssh'
        list proto 'tcp'
        option src 'wan'
        option src_dport '53991'
        option dest_ip '192.168.2.1'
        option dest_port '53991'

Furthermore, I compiled OpenWrt with dynamic debug support and can see a little of the WireGuard status with:
# Turn on the wireguard kernel module's dynamic-debug messages (they then show up in
# the kernel log); the control file lives in debugfs, so root and a mounted
# /sys/kernel/debug are presumably required.
printf '%s\n' 'module wireguard +p' > /sys/kernel/debug/dynamic_debug/control

  • You have specified both an endpoint host/port and a listen port in the same config, which only works if none of the peers is behind CGNAT.
  • Note that using a DDNS domain as an endpoint requires a watchdog (the endpoint is resolved only when the interface comes up).
  • Given the current DNS settings, there's a high chance name resolution loops on itself or deadlocks due to a race condition.

Thank you for the tips. I have changed the WireGuard port on my OpenWrt and configured the watchdog. On the OpenWrt instance I have assigned the DNS server of the OPNsense.

What I need now are the firewall rules to reach the subnet behind the OPNsense from the LAN. Can someone give me a hint about this?


Options:

  • Assign the VPN interface to the LAN zone and remove the VPN zone.
  • Enable forwardings between the LAN and VPN zones.

Yes, you're not forwarding from LAN to VPN because that forwarding is not configured in the firewall.

Additionally, you have set masquerade on the VPN zone, which means that connections from your LAN will be NATed to the tunnel IP of your router. This makes the situation inherently one-way, as nothing on the VPS side knows how to reach your LAN directly. That may be acceptable for your use case, or you may want to set up symmetric routing by adding your home LAN as an allowed_ip and a route on the VPS. Then masquerading can be turned off on the VPN zone, and forwardings in both directions (lan->vpn and vpn->lan, as two separate forwards) will work.