Wireguard shuts down itself

Hi, I configured wireguard server on my Archer C6 v3.2 router and using OpenWrt 22.03.

But my interface randomly shuts down and I have to restart it every time. Can anyone please help me with this?

Check the system log and kernel log for error messages, especially any that mention WireGuard. They are located under the System menu.

On the wireguard interface peer settings set keep alive to 25.

On the wireguard interface peer settings confirm "Route Allowed IPs" is checked.

Check the main overview page to see how much ram is free.

You could also install a package called watchcat to reboot the router if the connection is lost.

Double check your wireguard network address is /24 or /32.

Let’s see the config:

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

Thanks for both suggestions. Please see below.

# /etc/config/network as posted by the OP (private key, MAC addresses and
# public IPs were redacted before posting).
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fd0f:ece9:42da::/48'

# LAN bridge spanning the four switch ports.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

# Router's LAN address is 192.168.0.1/24; the DNAT targets in the firewall
# config (192.168.0.8, 192.168.0.128, 192.168.0.1) live in this subnet.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.0.1'

# WAN via DHCP; the macaddr value is a redaction placeholder, not a real MAC.
config interface 'wan'
        option proto 'dhcp'
        option device 'wan'
        option macaddr '00:00:00:00:00'

# auto '0': wan6 is not brought up automatically.
config interface 'wan6'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option device 'wan'
        option auto '0'

config device
        option name 'eth0'
        option mtu '1500'
        option macaddr '00:00:00:00:00'

config device
        option name 'wan'
        option macaddr '00:00:00:00:00'

# WireGuard server interface: listens on UDP 51821 (the port opened by the
# 'wg' firewall rule), tunnel address 10.0.5.1/24. Only the interface's own
# private key lives here; it is redacted in the post.
config interface 'wg_lan'
        option proto 'wireguard'
        option private_key 'HIDDENKEY'
        list addresses '10.0.5.1/24'
        option mtu '1420'
        option listen_port '51821'

# Single peer, restricted to 10.0.5.2/32 as its source address inside the
# tunnel; route_allowed_ips installs a route for that /32 only.
# persistent_keepalive on the listening side is harmless, but is only needed
# when this end itself sits behind NAT.
config wireguard_wg_lan
        option public_key 'HIDDENKEY'
        option preshared_key 'HIDDENKEY'
        option description '1_lan_Alpha'
        list allowed_ips '10.0.5.2/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

# /etc/config/firewall as posted by the OP.
# Global defaults; the per-zone policies below override these for traffic
# entering or leaving a zone.
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

# wg_lan is a member of the lan zone, so an authenticated WireGuard peer gets
# exactly the same access as a wired LAN host: router services (input ACCEPT),
# other LAN hosts (forward ACCEPT) and, via the lan_wan forwarding below,
# Internet access masqueraded behind the router's WAN address.
config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg_lan'

# WAN zone: unsolicited input and forward are rejected; the rules and
# redirects further down punch the explicit holes.
config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding 'lan_wan'
        option src 'lan'
        option dest 'wan'

# The following Allow-* rules match what OpenWrt ships by default (as far as
# can be told from this post); they admit DHCP renewals, ping, IGMP and the
# ICMPv6/DHCPv6 traffic IPv6 needs to function.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# These two forward ESP and UDP/500 from wan into the whole lan zone (no
# dest_ip). They are also part of OpenWrt's stock config; if no LAN host runs
# an IPsec endpoint they can be removed to shrink the exposed surface.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Port forwards: TCP/UDP 443 and 6881 are exposed from the Internet straight
# to 192.168.0.8 (no proto is set, so both protocols match). That host is
# reachable by anyone on the Internet on these ports and should be treated as
# Internet-facing.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'HTTPS'
        option src 'wan'
        option src_dport '443'
        option dest_ip '192.168.0.8'
        option dest_port '443'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'torrent'
        option src 'wan'
        option src_dport '6881'
        option dest_ip '192.168.0.8'
        option dest_port '6881'

# No 'dest' option, so this is an INPUT rule for the router itself: it is the
# one that actually admits WireGuard handshakes to the listen_port 51821
# configured on wg_lan.
config rule 'wg'
        option src 'wan'
        option proto 'udp'
        option target 'ACCEPT'
        option name 'Allow-WireGuard-guest'
        option dest_port '51821'

# Forwards UDP/TCP 51820 to a separate LAN host (presumably a second VPN
# endpoint, judging by the name).
config redirect
        option dest 'lan'
        option target 'DNAT'
        option src 'wan'
        option dest_ip '192.168.0.128'
        option dest_port '51820'
        option src_dport '51820'
        option name 'ubuntu_vpn'

# DNAT of port 51821 to 192.168.0.1 — the router's own LAN address. The 'wg'
# input rule above already accepts this port on the router, so this redirect is
# redundant; a plain traffic rule (as 'wg' is) is the right construct here.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'router_vpn'
        option src 'wan'
        option src_dport '51821'
        option dest_ip '192.168.0.1'
        option dest_port '51821'

System log after restarting the interface, which then went down by itself again.

Sat Oct  1 18:04:46 2022 daemon.notice netifd: Interface 'wg_lan' is now down
Sat Oct  1 18:04:46 2022 daemon.notice netifd: Interface 'wg_lan' is setting up now
Sat Oct  1 18:04:46 2022 daemon.notice netifd: Interface 'wg_lan' is now up
Sat Oct  1 18:04:46 2022 daemon.notice netifd: Network device 'wg_lan' link is up
Sat Oct  1 18:04:46 2022 user.notice firewall: Reloading firewall due to ifup of wg_lan (wg_lan)
Sat Oct  1 18:08:28 2022 daemon.notice netifd: wan (7490): udhcpc: sending renew to server XXX.XXX.XXX.XXX
Sat Oct  1 18:08:28 2022 daemon.notice netifd: wan (7490): udhcpc: lease of XXX.XXX.XXX.XXX obtained from 27.147.255.1, lease time 600
Sat Oct  1 18:09:44 2022 daemon.notice hostapd: wlan1: AP-STA-DISCONNECTED 48:f1:7f:08:f3:63
Tue Jan  1 00:00:00 2030 daemon.notice netifd: Network device 'wg_lan' link is down

This should be a traffic rule, not a redirect. It is unlikely that this would cause the interface to go down, though.

What is the output of wg show? If wg is not running, restart the interface and then issue the command again.

Thanks. I changed the traffic rule and redirect rule as you suggested.

wg show gives nothing when the interface is down.

I just noticed another thing in the system log:

Sat Oct  1 18:09:44 2022 daemon.notice hostapd: wlan1: AP-STA-DISCONNECTED 48:f1:7f:08:f3:63
Tue Jan  1 00:00:00 2030 daemon.notice netifd: Network device 'wg_lan' link is down
Sat Oct  1 18:10:19 2022 daemon.info hostapd: wlan1: STA 48:f1:7f:08:f3:63 IEEE 802.11: authenticated

Tue Jan 1 00:00:00 2030 daemon.notice netifd: Network device 'wg_lan' link is down

When wg_lan goes down, the log entry carries an incorrect timestamp (year 2030). Maybe this is causing the issue?

list allowed ips should be 0.0.0.0/0?

No, not on this side.

The time is certainly an interesting issue.
If you restart the router and then try wg show, what do you see?

This is what I got.

public key: MY-PUBLIC-KEY
private key: (hidden)
listening port: 51821

peer: MY-PEER-KEY
preshared key: (hidden)
allowed ips: 10.0.5.2/32
persistent keepalive: every 25 seconds

Are you able to successfully connect to wireguard from your remote peer (at least when the service is running)? Does it show a handshake and is there expected connectivity?

Yes. I can connect to the server if the interface is running.

Did this work properly in the past and then stop working? Have you ever upgraded packages since you installed 22.03.0?

I only configured it 2 days back and since then it is acting like this :pensive:

What packages did you install? Did you use opkg upgrade or the LuCI upgrade packages button?