Wireguard server: only TX when using public 4G network

MatteoDXB · August 5, 2023, 8:00pm

I would like to set up a wireguard server on my router (with OpenWRT) to access my devices from outside my home.
I created the configuration following the guides on the site and also trying other tutorials (for example https://www.youtube.com/watch?v=TQxwqY-m30Y&t=1151s).

I always ended up that the connection between my client (on my phone) and the server (on my OpenWRT router) happens only when I connect my client to the wifi network of the server. In all other cases (for example my phone connected to the 4G network), I get the client to get only TX but no RX and there is no handshake. In case of phone outside my wifi, I am using the public IP assigned from the provider as endpoint. I tried also with DuckDNS, but the result is the same, only TX on the client and no RX.

Shall I change anything in the configuration?

NETWORK:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'EDITED'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth0.2'
        option macaddr 'EDITED'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'EDITED'
        option listen_port '51820'
        list addresses '10.0.0.1/24'
        option force_link '1'

config wireguard_wg0
        option description 'Home'
        option public_key 'EDITED'
        option preshared_key 'EDITED'
        list allowed_ips '10.0.0.3/32'
        option route_allowed_ips '1'
root@OpenWrt:~#

FIREWALL

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        list network 'lan'
        list network 'wg0'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list device 'wg0'

config zone 'wan'
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list device 'wg0'

config forwarding 'lan_wan'
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option src 'wan'
        option src_dport '51820'

root@OpenWrt:~#

AndrewZ · August 5, 2023, 8:38pm

Remove redirect rule and consider changing 10.x to something different like 172.16.x.x to avoid potential conflicts with the address space used by mobile carriers.

egc · August 5, 2023, 8:47pm

Try the following

Remove from WAN zone

Remove from LAN zone

trendy · August 5, 2023, 9:58pm

Remove from wan zone.

Remove from lan zone.

Remove the last redirect.

Make sure that you are not behind CGNAT, i.e the wan address is the same that you see if you browse to http://icanhazip.com . Look on the firewall for hits on the rule to allow WG traffic on wan.

MatteoDXB · August 6, 2023, 4:57am

I have applied all the suggested changes and I have verified that the IP I used is the same as seen when running the http://icanhazip.com/, however still same issue, there is no rx when I my phone is not inside the local wifi. Same result even when changing the port to 4444 and reducing the MTU to 400.

Is there need for ipv6? Is there any other file conf I shall share to support the analysis?

Network

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd04:92c9:74a3::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth0.2'
        option macaddr 'c0:c9:e3:3b:6a:fc'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'EDIT'
        option force_link '1'
        list addresses '172.16.99.1/24'
        option listen_port '4444'

config wireguard_wg0
        option description 'Home'
        option public_key 'EDIT'
        option preshared_key 'EDIT'
        option route_allowed_ips '1'
        list allowed_ips '172.16.99.2/32'
        option endpoint_port '4444'

Firewall

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        list network 'lan'
        list network 'wg0'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone 'wan'
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding 'lan_wan'
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option proto 'udp'
        option target 'ACCEPT'
        option dest_port '4444'

psherman · August 6, 2023, 5:13am

Remvoe the endpoint port from the peer config.

MatteoDXB:

config wireguard_wg0
        option description 'Home'
        option public_key 'EDIT'
        option preshared_key 'EDIT'
        option route_allowed_ips '1'
        list allowed_ips '172.16.99.2/32'
        option endpoint_port '4444'

Let's see the remote peer config.

MatteoDXB · August 6, 2023, 5:45am

Removed the port from the endpoint. As below the configuration, the key is correct, I can connect when in local network.

psherman · August 6, 2023, 5:47am

The interface IP address of your phone's configuration is wrong (it should be 172.16.99.2/32)

You also probably need to add DNS (a good one would be 192.168.1.1).

Try that. If that doesn't work, let's see the output of wg show

MatteoDXB · August 6, 2023, 5:54am

Fixed the interface on the phone and added the DNS. No changes.

root@OpenWrt:/etc/config# wg show
interface: wg0
public key: EDIT
private key: (hidden)
listening port: 4444

peer: EDIT
preshared key: (hidden)
endpoint: zz.zzz.zzz.zz:4444
allowed ips: 172.16.99.2/32
root@OpenWrt:/etc/config#

psherman · August 6, 2023, 6:01am

Have you restarted your router?

MatteoDXB · August 6, 2023, 6:40am

Yes, router restarted, nothing changed, still only TX.

I noted that I have no IPv6 public, only IPv4. Can this be the issue?

psherman · August 6, 2023, 7:10am

Remove the ipv6 allows ips from the phone’s configuration.

Then let’s see wg show again.

MatteoDXB · August 6, 2023, 7:18am

Same result.

I have another doubt: I connected the OpenWRT router to the fiber hag of the telco company, but I can't open any port there... should I? Or maybe I shall use 443 or 80? I am afraid the connection is blocked from that hag. I tried also with OpenVPN warrior and it does not work

interface: wg0
public key: EDIT
private key: (hidden)
listening port: 4444

peer: EDIT
preshared key: (hidden)
allowed ips: 172.16.99.2/32
root@OpenWrt:~#

AndrewZ · August 6, 2023, 7:45am

Run tcpdump on the router and see if you have any traffic on selected UDP port (4444).

MatteoDXB · August 6, 2023, 7:48am

No traffic on 4444. I am start thinking that is a problem of the fiber hag. Might be? I am connected behind that one.

psherman · August 6, 2023, 7:49am

You’re not getting a handshake.

Try removing the preshared key from both sides.
Next, regenerate the keys for both peers and make sure the public keys are exchanged properly.

AndrewZ · August 6, 2023, 7:49am

Then make a few steps back and see if you have a public IP on your router WAN.

MatteoDXB · August 6, 2023, 7:57am

The WAN router has 192.168.70.67/24 IP, that I guess is the internal IP, but when I check "what's my ip" I get a public IP in range of 94.xxx.

shall I use also the IP of the WAN router somewhere? as of now I can see it only in the WAN interface under IPv4

AndrewZ · August 6, 2023, 8:00am

Then check the same on the next device - the one that is provided by your ISP.
If it has no public IP either - game is over.

MatteoDXB · August 6, 2023, 8:02am

How do I check it on the wan router that it has a public IP? Running the what's my ip is not enough? I am not clear how to check this specific part.