Wireguard setup, no handshake

Hello,
I am desperate with my failed attempts to get Wireguard running. Whatever I do, it always results in no handshake. My goal is pretty basic, remote devices should connect to my router and route all internet traffic through the tunnel.
In my perception there are three possible culprits:

  1. wrong keys (checked multiple times),
  2. port forwarding incorrect (see the ip routes below),
  3. DynamicDNS not working (see wg show; it is translated correctly)

I am using OpenWRT version 23.05.3, with LAN IP: 192.168.1.1

wg show
interface: WireGuard
  public key: JezsKP2b1vzjWpuZNFzNtHKR5xFcvtuBdhAJ42enLno=
  private key: (hidden)
  listening port: 51820

peer: yDyJrk3aDtzDomv/BHqQweu3u0bPakPh+CIrLh78SiU=
  endpoint: 97.108.30.106:51820
  allowed ips: 192.168.2.2/32
  transfer: 0 B received, 896.09 KiB sent
  persistent keepalive: every 25 seconds

ip routes
default via 62.155.246.54 dev pppoe-wan 
62.155.246.54 dev pppoe-wan scope link  src 97.108.30.106 
97.108.30.106 via 62.155.246.54 dev pppoe-wan 
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1 
192.168.2.3 dev WireGuard scope link 
192.168.2.0/24 dev WireGuard scope link  src 192.168.2.1 
192.168.2.2 dev WireGuard scope link 
/etc/config/firewall
config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option family 'ipv4'
	list network 'lan'
	list network 'vpn'
	list network 'WireGuard'
config forwarding
	option src 'lan'
	option dest 'wan'
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'
	option family 'ipv4'
config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Wireguard'
	option family 'ipv4'
	list proto 'udp'
	option src 'wan'
	option src_dport '51820'
	option dest_ip '192.168.2.1'
	option dest_port '51820'

The WireGuard service was restarted repeatedly to ensure all settings are active. Any ideas what else could be done? Am I missing something?
Cheers
Oscar

To begin with, the following rule is wrong; delete it.

Replace with:

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

Reboot and test again, if it does not work, then please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
ip route show
ip route show table all
ip rule show
wg show

I will have access to my router this evening and test it then.
You suggest replacing my src-->dest forwarding with an opening of the wg port on the wan side only :thinking:


Yes I assume WireGuard runs on the router

that's right

There are a few YouTube videos on this...
If I can do it, anyone can....
Configure WireGuard by "Load Configuration" drag and drop.
Set up the 2 firewall zones and you're done..

ubus call system board
{
	"kernel": "5.15.134",
	"hostname": "OpenWrt",
	"system": "ARMv7 Processor rev 5 (v7l)",
	"model": "AVM FRITZ!Box 4040",
	"board_name": "avm,fritzbox-4040",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.0",
		"revision": "r23497-6637af95aa",
		"target": "ipq40xx/generic",
		"description": "OpenWrt 23.05.0 r23497-6637af95aa"
	}
}
cat /etc/config/network

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.33.1'
	option netmask '255.255.255.0'

config interface 'wan'
	option device 'wan.7'
	option proto 'pppoe'
	option username 'hidden'
	option password 'hidden'
	option ipv6 '0'

config device
	option type '8021q'
	option ifname 'wan'
	option vid '7'
	option name 'wan.7'

config interface 'WireGuard'
	option proto 'wireguard'
	option private_key 'hidden'
	option listen_port '51820'
	list addresses '192.168.2.1/24'

config wireguard_WireGuard
	option description 'Mobile'
	option public_key 'yDyJrk3aDtzDomv/BHqQweu3u0bPakPh+CIrLh78SiU='
	option private_key 'hidden'
	list allowed_ips '192.168.2.2/32'
	option route_allowed_ips '1'
	option endpoint_host 'dyndns-address'
	option persistent_keepalive '25'
	option endpoint_port '51820'

cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option ednspacket_max '1232'
	option confdir '/tmp/dnsmasq.d'
	option localuse '1'
	option noresolve '1'
	list server '127.0.0.53'

config dhcp 'lan'
	option interface 'lan'
	option start '11'
	option limit '17'
	option leasetime '12h'
	option dhcpv4 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
cat /etc/config/firewall
config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'
ip route show
default via 62.155.246.54 dev pppoe-wan 
62.155.246.54 dev pppoe-wan scope link  src 93.204.28.62 
93.204.31.206 via 62.155.246.54 dev pppoe-wan 
192.168.1.3 dev WireGuard scope link 
192.168.2.0/24 dev WireGuard scope link  src 192.168.2.1 
192.168.2.2 dev WireGuard scope link
ip rule show
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default

wg show
interface: WireGuard
  public key: JezsKP2b1vzjWpuZNFzNtHKR5xFcvtuBdhAJ42enLno=
  private key: (hidden)
  listening port: 51820

peer: yDyJrk3aDtzDomv/BHqQweu3u0bPakPh+CIrLh78SiU=
  endpoint: 93.204.31.206:51820
  allowed ips: 192.168.2.2/32
  transfer: 0 B received, 30.06 KiB sent
  persistent keepalive: every 25 seconds

There seems to be no traffic ....

remove the endpoint host and port:

reboot and try again.

If it doesn't connect, let's see the output of

wg show
cat /etc/config/firewall

and also your remote peer's wg config.


If you are accepting incoming connections from a "road warrior" mobile, do not configure an endpoint_host or endpoint_port on the server. When the connection comes in it will automatically register to whatever the mobile's IP is.

What you have done should not break anything though unless maybe you're using your own DDNS address-- looping back to yourself is not right. Remember that the settings in the config wireguard_xxxx block are related to the other side of the link.

Also when testing the road warrior at home, do not have it connected to your home network. It needs a separate Internet connection to simulate being on the road, so turn off the wifi in the phone and make it use the LTE network.

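As an added example (not from this thread and not OpenWrt project code), here is a POSIX shell helper that reads `wg show` output and flags the two conditions the replies above are probing for: a peer whose configured endpoint is the router's own WAN address (the "looping back to yourself" case when the server carries the DDNS name as endpoint_host), and a peer that has never completed a handshake or has received nothing. The sample `wg show` text, the key placeholders and the WAN address 198.51.100.10 are constructed for the example, not values from the thread.

```shell
#!/bin/sh
# Added example, not from this thread. Classifies each peer in `wg show` output:
# endpoint pointing back at this router's own WAN address, no handshake at all,
# or a handshake with nothing received. All sample values are constructed.

# Constructed sample shaped like the server-side `wg show` posted in the thread.
SAMPLE_WG_SHOW='interface: WireGuard
  public key: SERVER_PUBLIC_KEY_PLACEHOLDER=
  private key: (hidden)
  listening port: 51820

peer: PEER_PUBLIC_KEY_PLACEHOLDER=
  endpoint: 198.51.100.10:51820
  allowed ips: 192.168.2.2/32
  transfer: 0 B received, 896.09 KiB sent
  persistent keepalive: every 25 seconds'

# Assumed WAN address of the router (placeholder). On a live OpenWrt box you
# would take it from the pppoe-wan interface instead of hard-coding it.
ROUTER_WAN_IP=198.51.100.10

# wg_peer_report WAN_IP   (reads `wg show` output on stdin)
# Prints "<peer public key> <STATUS>" for every peer, where STATUS is one of:
#   SELF_ENDPOINT  endpoint host equals our own WAN address (loops back to us)
#   NO_HANDSHAKE   no "latest handshake:" line, so no handshake ever completed
#   NO_RX          handshake seen but 0 bytes received from the peer
#   OK             handshake seen and traffic received
wg_peer_report() {
    awk -v wan="$1" '
    function flush() {
        if (peer == "") return
        if (ep_host != "" && ep_host == wan) status = "SELF_ENDPOINT"
        else if (!handshake)                 status = "NO_HANDSHAKE"
        else if (rx == "0 B")                status = "NO_RX"
        else                                 status = "OK"
        print peer, status
    }
    # A new "peer:" line closes the previous peer and resets per-peer state.
    /^peer: /               { flush(); peer = $2; ep_host = ""; handshake = 0; rx = "" }
    # Strip the :port suffix and any IPv6 brackets to get the bare host.
    /^ *endpoint: /         { ep_host = $2; sub(/:[0-9]+$/, "", ep_host); gsub(/\[|\]/, "", ep_host) }
    /^ *latest handshake: / { handshake = 1 }
    # "transfer: <n> <unit> received, ..." -> keep "<n> <unit>" of the received side.
    /^ *transfer: /         { rx = $2 " " $3 }
    END                     { flush() }
    '
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_WG_SHOW" | wg_peer_report "$ROUTER_WAN_IP"
```

Run on a router as `wg show | wg_peer_report "$(ip -4 -o addr show dev pppoe-wan | awk '{print $4}' | cut -d/ -f1)"`; a road-warrior server peer should normally carry no static endpoint at all, so SELF_ENDPOINT on the server side is a configuration smell and NO_HANDSHAKE points at the key, firewall or reachability checks the replies above ask for.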
wg show
interface: WireGuard
  public key: JezsKP2b1vzjWpuZNFzNtHKR5xFcvtuBdhAJ42enLno=
  private key: (hidden)
  listening port: 51820

peer: yDyJrk3aDtzDomv/BHqQweu3u0bPakPh+CIrLh78SiU=
  allowed ips: 192.168.2.2/32
  persistent keepalive: every 25 seconds

cat /etc/config/firewall (restricted to WG rule)
config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

Please post the complete firewall file. And we still need to see the remote peer config.

I don't know whether my mobile phone is a road warrior....

Though I do not understand why this is, I am aware of it. I am using 4G to "connect" to my router.

After we see the complete firewall file and the remote peer config, we may have some additional ideas/recommendations/things to try.

I actually may ask you to try to connect while your phone is on this wifi network, but we'll see if that is necessary. In the meantime, we need to see those requested configs.

cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option family 'ipv4'
	list network 'lan'
	list network 'vpn'
	list network 'WireGuard'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option family 'ipv4'

config zone
	option name 'Fon'
	option forward 'REJECT'
	option output 'ACCEPT'
	option family 'ipv4'
	option input 'ACCEPT'
	list network 'Fon'

config forwarding
	option dest 'wan'
	option src 'Fon'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67'
	option name 'Fon DHCP'
	option family 'ipv4'
	option src 'Fon'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'Fon DNS'
	option family 'ipv4'
	option src 'Fon'

config rule 'guest_dns'
	option name 'DNS-Guest'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'
	option src 'guest'

config rule 'guest_dhcp'
	option name 'DHCP-Guest'
	option src_port '68'
	option dest_port '67'
	option proto 'udp'
	option family 'ipv4'
	option target 'ACCEPT'
	option src 'guest'

config zone
	option name 'guest'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'Fon'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

WG configuration on the Android mobile phone:

Name: vpn
addresses: 192.168.2.2/32
incoming port: 51820
DNS server: 192.168.1.1
tunneled apps: all
PEER
public key: JezsKP2b1vzjWpuZNFzNtHKR5xFcvtuBdhAJ42enLno=
keepalive: 25
endpoint: dyndns_address:51820
allowed IPs: 0.0.0.0/0,::/0

in Luci, under wireguard, the external IP rather than the dyndns address as entered in the phone is shown

There's a lot of stuff in the firewall that is either vestigial from previous configs, or is indicative of additional things in your configuration that you redacted. I'll work on the assumption that there are no errors or conflicts should the latter be true, but it's generally very important to provide the whole picture and only redact sensitive parts.

That said, in the android config:

  • remove the incoming port from the android interface definition.
  • I don't see a private key in the interface section -- did you remove it or is it missing? It is required.

Try changing the endpoint address to 192.168.1.1:51820 and attempt to connect while you are on the same wifi network. Does it handshake? (`wg show`)

My bad, I overlooked the private key on the phone, as it is hidden. But it is there: it has been created in OpenWRT and transferred to the phone via QR code.

The firewall may be a mess (?), but it is as shown. Nothing redacted for the current topic.
I noticed that the config for the zone 'lan' includes 'WireGuard', as intended, and 'vpn', which is a remnant from a previous (IPsec) VPN configuration. It should not interfere, though?

I have no access to my router until later this evening and will test connecting from within my local WLAN then.

Tried this, but the app breaks down

What exactly do you mean the "app breaks down" -- can you be more specific about what happens?

Did you get a handshake?

Are you using the official Android app?