I am trying to set up a site-to-site WireGuard VPN from OpenWrt (NanoPi R6S) to a Ubiquiti EdgeRouter 4. Both sites show WireGuard transferring data but not completing the handshake. I have done the following so far and can't figure out what the problem is; can someone please help me out?
Both sites are set up with dynamic DNS.
I have triple checked that the keys are entered correctly.
I am able to locally reach each site's wireguard interface.
I am able to ping each site via their public IP address.
I apologize, as I'm new to OpenWrt. Please let me know if I can post anything else to help troubleshoot this.
*** = redacted info
/etc/config/network
# /etc/config/network as posted (*** = redacted). Review notes are marked NOTE(review).
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix '***'
config device
option name 'eth2'
option macaddr '***'
# wan: eth2 via DHCP. NOTE(review): if the address eth2 receives is a private one
# (an ISP modem/router in front of the R6s), inbound UDP/51820 also has to be
# forwarded to this box on that upstream device — confirm eth2 holds the public
# address directly.
config interface 'wan'
option device 'eth2'
option proto 'dhcp'
config interface 'wan6'
option device 'eth2'
option proto 'dhcpv6'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1'
list ports 'eth0'
config device
option name 'eth1'
option macaddr '***'
config device
option name 'eth0'
option macaddr '***'
# lan: 10.4.20.0/24 on br-lan — the prefix the EdgeRouter lists as allowed-ips
# for this peer.
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '10.4.20.1'
# Local tunnel end. The interface name 'Wireguard' (capital W) is what the
# firewall's vpn zone references. private_key belongs here; its public key is the
# one 'wg show' prints and is what the EdgeRouter's 'peer' entry must carry.
# listen_port 51820 means this router itself must accept inbound UDP/51820 on wan.
config interface 'Wireguard'
option proto 'wireguard'
option private_key '***'
option listen_port '51820'
list addresses '10.0.0.2/30'
# Peer section describing the EdgeRouter (10.0.0.1/30 on its side).
config wireguard_Wireguard
option description 'site 2'
# public_key must be the EdgeRouter's public key (the wg.public produced there).
option public_key '***'
# NOTE(review): private_key is not a peer option — a peer section takes public_key
# and optionally preshared_key — so this line is not used. If the value is the
# EdgeRouter's private key, that key has been copied off the host that generated
# it; a WireGuard private key should never leave its own host, so regenerate the
# pair on the EdgeRouter and exchange only public keys. Remove this line either way.
option private_key '***'
# NOTE(review): no route_allowed_ips '1' on this peer, so routes to 10.1.1.0/24 are
# not installed automatically (matters for traffic after the handshake, not for the
# handshake itself). There is also no persistent_keepalive; worth adding on at
# least one side once the handshake works (TODO confirm it is needed).
list allowed_ips '10.0.0.0/30'
list allowed_ips '10.1.1.0/24'
# endpoint: the EdgeRouter's dynamic-DNS name; the 'wg show' output below shows it
# resolved to the EdgeRouter's address.
option endpoint_host '***.duckdns.org'
option endpoint_port '51820'
/etc/config/firewall
# /etc/config/firewall as posted (*** = redacted). Review notes are marked NOTE(review).
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option synflood_protect '1'
# NOTE(review): 'fullcone' here and 'fullcone4'/'fullcone6' in the wan zone are not
# options of the upstream OpenWrt firewall as far as I know; they point at a
# vendor/fork build, which matches the FriendlyWrt remarks later in the thread.
option fullcone '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
# wan zone: input REJECT means every service the router itself offers on wan,
# including the WireGuard listener on UDP/51820, needs an explicit ACCEPT rule
# (compare Allow-Ping / Allow-ISAKMP below). masq '1' NATs forwarded traffic,
# including whatever arrives from the vpn zone via the vpn->wan forwarding.
config zone
option name 'wan'
option output 'ACCEPT'
option fullcone4 '1'
option fullcone6 '1'
option masq '1'
option mtu_fix '1'
option input 'REJECT'
option forward 'REJECT'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Allow-IPSec-ESP and Allow-ISAKMP open ESP and UDP/500 from wan to lan; they ship
# in the stock OpenWrt firewall config and are unrelated to WireGuard.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# UPnP: lets LAN hosts open wan ports on their own. Unrelated to the tunnel, but
# worth knowing it is enabled on the wan side.
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
# The two HomeAssistant redirects expose 10.4.20.10 TCP/443 and TCP/8123 to the
# internet (reflection_src 'external' additionally hairpins them from the LAN).
# Unrelated to the handshake; once the tunnel works, reaching Home Assistant over
# the VPN would avoid exposing these ports — TODO consider.
config redirect
option dest 'lan'
option target 'DNAT'
option name 'HomeAssistant443'
list proto 'tcp'
option src 'wan'
option src_dport '443'
option dest_ip '10.4.20.10'
option dest_port '443'
option reflection_src 'external'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'HomeAssistant8123'
list proto 'tcp'
option src 'wan'
option src_dport '8123'
option dest_ip '10.4.20.10'
option dest_port '8123'
option reflection_src 'external'
# vpn zone for the 'Wireguard' interface. input/output/forward ACCEPT trusts
# everything that arrives decrypted from the peer. The forwardings below allow
# lan->vpn and vpn->wan, but there is no vpn->lan section, so whether the remote
# LAN can reach 10.4.20.0/24 through this router depends on that — TODO confirm it
# is intended. vpn->wan together with masq on wan lets the remote site egress to
# the internet through this WAN.
config zone
option name 'vpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'Wireguard'
config forwarding
option src 'lan'
option dest 'vpn'
config forwarding
option src 'vpn'
option dest 'wan'
# NOTE(review): this redirect is the wrong construct for WireGuard. The listener is
# the router itself (listen_port 51820 on the 'Wireguard' interface), so inbound
# UDP/51820 from wan has to be accepted as *input*, not DNATed into the vpn zone;
# and dest_ip '10.0.0.2/30' is a prefix, not a host address. If the rule loads at
# all it diverts new inbound UDP/51820 flows (e.g. handshake initiations from the
# EdgeRouter) away from the local socket. Replace this whole section with a
# traffic rule:
#   config rule
#   option name 'Allow-WireGuard'
#   option src 'wan'
#   option proto 'udp'
#   option dest_port '51820'
#   option target 'ACCEPT'
# Whether this alone explains the missing handshake is not certain — see the key
# notes on the peer sections — but it should be fixed regardless.
config redirect
option dest 'vpn'
option target 'DNAT'
option name 'wg'
list proto 'udp'
option src 'wan'
option src_dport '51820'
option dest_ip '10.0.0.2/30'
option dest_port '51820'
/etc/iproute2/rt_tables
# reserved values
#
128 prelocal
255 local
254 main
253 default
0 unspec
#
# local
#
#1 inr.ruhep
# NOTE(review): unmodified default file — no named custom routing table is defined
# here, so it adds nothing to the tunnel setup.
Thank you, I made your suggested change and restarted, but unfortunately I still have no handshake.
Is there a log somewhere that I can look at to see what is going on?
This is the firewall config on the EdgeRouter 4:
IPv4 Firewall "WAN_IN":
Active on (eth0,IN)
rule action proto packets bytes
---- ------ ----- ------- -----
1 accept all 295016 54127437
condition - state RELATED,ESTABLISHED
2 drop all 0 0
condition - state INVALID
10000 drop all 0 0
--------------------------------------------------------------------------------
IPv4 Firewall "WAN_LOCAL":
Active on (eth0,LOCAL)
rule action proto packets bytes
---- ------ ----- ------- -----
10 accept all 73798 15657218
condition - state RELATED,ESTABLISHED
15 accept udp 8442 1485792
condition - udp dpt:51820
20 accept tcp 2512 131103
condition - dports http,420 LOG enabled
30 drop all 1289 83609
condition - state INVALID
10000 drop all 13219 763060
root@FriendlyWrt:~# wg show
interface: Wireguard
public key: ***
private key: (hidden)
listening port: 51820
peer: ***
endpoint: edgerouter.public.ip.address:51820
allowed ips: 10.0.0.0/30, 10.1.1.0/24
transfer: 0 B received, 3.04 KiB sent
These were the commands used to configure the EdgeRouter:
# EdgeRouter 4 side, as posted (*** = redacted). Review notes are marked NOTE(review).
# NOTE(review): generate the key pair with a restrictive umask ('umask 077' first)
# so /config/auth/wg.key is not readable by other users; note 'wg.public' lands in
# the current directory, not /config/auth. The private key stays on this box —
# only the public key is ever copied to the other site.
wg genkey | tee /config/auth/wg.key | wg pubkey > wg.public
configure
set interfaces wireguard wg0 address 10.0.0.1/30
set interfaces wireguard wg0 listen-port 51820
# route-allowed-ips true installs routes for the peer's allowed-ips (10.0.0.0/30
# and the R6s LAN 10.4.20.0/24) via wg0.
set interfaces wireguard wg0 route-allowed-ips true
# NOTE(review): the 'peer ***' key must be the public key printed by 'wg show' on
# the R6s (not the value sitting in the R6s peer section, which should be this
# router's own public key). WAN_LOCAL rule 15 counts thousands of accepted
# UDP/51820 packets while the R6s reports 0 B received, i.e. initiations seem to
# arrive here but no valid response goes back — a non-matching peer key is the
# classic cause, since WireGuard silently drops handshakes from unknown keys. As
# pasted, this line also lacks the 'endpoint' keyword between the key and
# host:port, and 'r6s@duckdns.org' is not a hostname; that may be a
# transcription/redaction artefact — confirm against the live config.
set interfaces wireguard wg0 peer *** r6s@duckdns.org:51820
set interfaces wireguard wg0 peer *** allowed-ips 10.0.0.0/30
set interfaces wireguard wg0 peer *** allowed-ips 10.4.20.0/24
set interfaces wireguard wg0 private-key /config/auth/wg.key
# WAN_LOCAL rule 15: accept inbound UDP/51820 to the router itself — this is the
# input-accept form the OpenWrt side also needs. Neither side sets a persistent
# keepalive; with dynamic DNS at both ends, 'persistent-keepalive' on at least one
# peer keeps the path alive once the handshake works (TODO confirm it is needed).
set firewall name WAN_LOCAL rule 15 action accept
set firewall name WAN_LOCAL rule 15 protocol udp
set firewall name WAN_LOCAL rule 15 description 'WireGuard'
set firewall name WAN_LOCAL rule 15 destination port 51820
commit
save
FriendlyWrt is not OpenWrt. It is a fork, and it is quite different from the official OpenWrt project.
When using forks/offshoots/vendor-specific builds that are "based on OpenWrt", there may be many differences compared to the official versions (hosted by OpenWrt.org). Some of these customizations may fundamentally change the way that OpenWrt works. You might need help from people with specific/specialized knowledge about the firmware you are using, so it is possible that advice you get here may not be useful.
Ask for help from the maintainer(s) or user community of the specific firmware that you are using.
Provide the source code for the firmware so that users on this forum can understand how your firmware works (OpenWrt forum users are volunteers, so somebody might look at the code if they have time and are interested in your issue).
If you believe that this specific issue is common to generic/official OpenWrt and/or the maintainers of your build have indicated as such, please feel free to clarify.
I am pretty sure there is some nuanced difference in the way things work. I'd recommend that you ask in their forums. I can tell you that there are many threads that have been opened here in the OpenWrt forums around FriendlyWrt, and the problems cannot be solved using the standard methods that are known to work with official OpenWrt. Therefore, if they can confirm that operation is identical, it may still be in scope here. Otherwise, they should be able to help you solve the issue.
It looks like the firewall rule hasn't been hit, so if this were a standard OpenWrt install, I'd suggest that either the traffic from the other device isn't reaching the router at all, or it's being filtered out by another firewall rule first.
But, as @psherman says, the first port of call should be FriendlyWrt, to find out whether any nuances of their fork could be having an impact.