Wireguard Troubleshooting on Freebox (France)

Hello all...
I need some help on how to troubleshoot a WireGuard VPN.
Some of you might remember I am creating a two-site VPN with tablet access from the internet.
I started with a lab environment, illustrated as follows:

Everything was OK, so I implemented FW4 as the only gateway on site 1 & FW3 on site 2 (before that I tested FW3 on site 1 to check that the config was OK, & it worked fine).

Site 1 works perfectly, I am able to connect from my tablet connected on 4G
On Site 2 I am unable to connect.

My internet boxes are from the same provider (Free); I checked the config on both of them and they are similar.

How could I check live the arriving connection to see where it is blocked?

Thanks for any help.

tcpdump -i eth1 -vn udp port 51820 or whatever port WireGuard is listening on.

Replace 192.168.95.0/24 in the allowed IPs with the proper /32 peer address on each router.
Note that symmetric point-to-point connection is only possible when both peers have public IPs.
Otherwise it must be configured using a client-server topology with an unspecified client endpoint IP/port.
Also be aware that DDNS peers require a special watchdog script to periodically re-resolve them.

OK, thx for the hint. I'm a bit late as I made several tests.
I've tried to connect from the internet and from the network between my ISP box & the OpenWrt Pi; the behaviour is always the same (the example is incoming from the internet).

root@fw:~# tcpdump -i eth1 -vn udp port 28041
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
04:14:00.312711 IP (tos 0x0, ttl 63, id 29042, offset 0, flags [none], proto UDP (17), length 176)
    192.168.97.96.28041 > a.b.c.d.28041: UDP, length 148
04:14:00.313606 IP (tos 0x0, ttl 62, id 29042, offset 0, flags [none], proto UDP (17), length 176)
    192.168.97.254.28041 > 192.168.97.96.28041: UDP, length 148
04:14:05.588439 IP (tos 0x0, ttl 63, id 2862, offset 0, flags [none], proto UDP (17), length 176)
    192.168.97.96.28041 > a.b.c.d.28041: UDP, length 148
04:14:05.589293 IP (tos 0x0, ttl 62, id 2862, offset 0, flags [none], proto UDP (17), length 176)
    192.168.97.254.28041 > 192.168.97.96.28041: UDP, length 148
04:14:10.753868 IP (tos 0x0, ttl 63, id 51807, offset 0, flags [none], proto UDP (17), length 176)
    192.168.97.96.28041 > a.b.c.d.28041: UDP, length 148
04:14:10.754699 IP (tos 0x0, ttl 62, id 51807, offset 0, flags [none], proto UDP (17), length 176)
    192.168.97.254.28041 > 192.168.97.96.28041: UDP, length 148

So it doesn't seem to be an ISP box problem... On the other side the connection goes OK:

root@ew:~# tcpdump -i eth1 -vn udp port 33901
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
11:28:21.197310 IP (tos 0x0, ttl 58, id 40744, offset 0, flags [none], proto UDP (17), length 176)
    x.y.z.t.40503 > 192.168.99.98.33901: UDP, length 148
11:28:21.200387 IP (tos 0x88, ttl 64, id 40242, offset 0, flags [none], proto UDP (17), length 120)
    192.168.99.98.33901 > x.y.z.t.40503: UDP, length 92
11:28:21.277417 IP (tos 0x0, ttl 58, id 3863, offset 0, flags [none], proto UDP (17), length 124)
    x.y.z.t.40503 > 192.168.99.98.33901: UDP, length 96
11:28:21.281567 IP (tos 0x0, ttl 64, id 40253, offset 0, flags [none], proto UDP (17), length 284)
    192.168.99.98.33901 > x.y.z.t.40503: UDP, length 256
11:28:21.284272 IP (tos 0x0, ttl 58, id 48927, offset 0, flags [none], proto UDP (17), length 124)
    x.y.z.t.40503 > 192.168.99.98.33901: UDP, length 96
11:28:21.285261 IP (tos 0x0, ttl 64, id 40254, offset 0, flags [none], proto UDP (17), length 140)
    192.168.99.98.33901 > x.y.z.t.40503: UDP, length 112
11:28:22.604218 IP (tos 0x0, ttl 58, id 12691, offset 0, flags [none], proto UDP (17), length 156)
    x.y.z.t.40503 > 192.168.99.98.33901: UDP, length 128
11:28:22.604218 IP (tos 0x0, ttl 58, id 47644, offset 0, flags [none], proto UDP (17), length 156)
    x.y.z.t.40503 > 192.168.99.98.33901: UDP, length 128

So now I'm a bit lost! Any ideas would help...

Thx Vladislav,
Both peers do have a public address (this is why I changed it to a fake one) & by the way the config is using the DNS name & it does resolve correctly. The DNS name was provided by my ISP when I got a fixed IP.

Packet-wise it seems to work fine. There is one incoming packet from the mobile user and the response comes back. That should rule out the misconfiguration of keys.
However there is something wrong with the addresses.
May I ask, was this capture taken on the Freebox or on fw3 on the right?

Thx for your answer...
Actually the capture was on the OpenWrt, as I do not have SSH access to the Freebox.
I'll make a diagram of the actual configuration to be a bit clearer.

The first dump looks odd as it seems like the responses are coming not from the remote VPN endpoint, but from the upstream router on the same local subnet.
Further troubleshooting is problematic due to lack of status information and runtime configuration.

OK to be clear this is the actual schema:

When I connected from my iPhone (at the top of the diagram, 4G mode) to fw4 (left side):

fw4:~# tcpdump -i eth1 -vn udp port 33901
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
14:07:25.704835 IP (tos 0x20, ttl 58, id 23298, offset 0, flags [none], proto UDP (17), length 176)
    37.166.199.100.62503 > 192.168.99.98.33901: UDP, length 148
14:07:25.707821 IP (tos 0x88, ttl 64, id 15143, offset 0, flags [none], proto UDP (17), length 120)
    192.168.99.98.33901 > 37.166.199.100.62503: UDP, length 92
14:07:25.738581 IP (tos 0x20, ttl 58, id 51508, offset 0, flags [none], proto UDP (17), length 124)
    37.166.199.100.62503 > 192.168.99.98.33901: UDP, length 96
14:07:25.739005 IP (tos 0x0, ttl 64, id 15149, offset 0, flags [none], proto UDP (17), length 140)
    192.168.99.98.33901 > 37.166.199.100.62503: UDP, length 112
14:07:25.744658 IP (tos 0x20, ttl 58, id 58767, offset 0, flags [none], proto UDP (17), length 124)
    37.166.199.100.62503 > 192.168.99.98.33901: UDP, length 96
14:07:25.748537 IP (tos 0x0, ttl 64, id 15150, offset 0, flags [none], proto UDP (17), length 284)
    192.168.99.98.33901 > 37.166.199.100.62503: UDP, length 256
14:07:27.145228 IP (tos 0x20, ttl 58, id 27952, offset 0, flags [none], proto UDP (17), length 156)
    37.166.199.100.62503 > 192.168.99.98.33901: UDP, length 128
14:07:27.146554 IP (tos 0x20, ttl 58, id 22533, offset 0, flags [none], proto UDP (17), length 156)
    37.166.199.100.62503 > 192.168.99.98.33901: UDP, length 128
14:07:27.149976 IP (tos 0x0, ttl 64, id 15298, offset 0, flags [none], proto UDP (17), length 220)
    192.168.99.98.33901 > 37.166.199.100.62503: UDP, length 192
14:07:27.151167 IP (tos 0x0, ttl 64, id 15299, offset 0, flags [none], proto UDP (17), length 220)
    192.168.99.98.33901 > 37.166.199.100.62503: UDP, length 192

Everything works perfectly...

I'll go to the 2nd site this afternoon to capture the same tcpdump & post it here afterwards.

On the 2nd site:

My iPhone address obviously changed to 37.166.192.86

ow3:~# tcpdump -i eth1 -vn udp port 27254
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
09:25:22.699962 IP (tos 0x20, ttl 58, id 34294, offset 0, flags [none], proto UDP (17), length 176)
    37.166.192.86.52532 > 192.168.97.96.27254: UDP, length 148
09:25:27.976356 IP (tos 0x20, ttl 58, id 28741, offset 0, flags [none], proto UDP (17), length 176)
    37.166.192.86.52532 > 192.168.97.96.27254: UDP, length 148
09:25:33.149947 IP (tos 0x20, ttl 58, id 53596, offset 0, flags [none], proto UDP (17), length 176)
    37.166.192.86.52532 > 192.168.97.96.27254: UDP, length 148

I don't see any replies from the OpenWrt... Maybe the keys are wrong?

If I connect from the laptop on 192.168.97.40 it seems that I have the same behaviour...

tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
09:35:34.441697 IP (tos 0x0, ttl 64, id 6412, offset 0, flags [none], proto UDP (17), length 176)
    192.168.97.50.27254 > 192.168.97.96.27254: UDP, length 148
09:35:39.715255 IP (tos 0x0, ttl 64, id 54677, offset 0, flags [none], proto UDP (17), length 176)
    192.168.97.50.27254 > 192.168.97.96.27254: UDP, length 148
09:35:44.878190 IP (tos 0x0, ttl 64, id 689, offset 0, flags [none], proto UDP (17), length 176)
    192.168.97.50.27254 > 192.168.97.96.27254: UDP, length 148

I'll immediately check the keys...
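To read captures like the ones above systematically, here is an added example (not code from the original post) that classifies datagrams by WireGuard's fixed message sizes and reports, per listener, whether handshake initiations are ever answered. The capture it parses is constructed in the same `tcpdump -vn` format, with documentation-range public addresses.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the `tcpdump -vn` captures posted in this thread.
# The first listener (192.168.97.96:27254) only ever receives initiations; the second
# (192.168.99.98:33901) answers and then carries data. Public addresses are documentation ranges.
SAMPLE_CAPTURE = """\
09:25:22.699962 IP (tos 0x20, ttl 58, id 34294, offset 0, flags [none], proto UDP (17), length 176)
    203.0.113.10.52532 > 192.168.97.96.27254: UDP, length 148
09:25:27.976356 IP (tos 0x20, ttl 58, id 28741, offset 0, flags [none], proto UDP (17), length 176)
    203.0.113.10.52532 > 192.168.97.96.27254: UDP, length 148
14:07:25.704835 IP (tos 0x20, ttl 58, id 23298, offset 0, flags [none], proto UDP (17), length 176)
    198.51.100.7.62503 > 192.168.99.98.33901: UDP, length 148
14:07:25.707821 IP (tos 0x88, ttl 64, id 15143, offset 0, flags [none], proto UDP (17), length 120)
    192.168.99.98.33901 > 198.51.100.7.62503: UDP, length 92
14:07:25.738581 IP (tos 0x20, ttl 58, id 51508, offset 0, flags [none], proto UDP (17), length 124)
    198.51.100.7.62503 > 192.168.99.98.33901: UDP, length 96
14:07:27.145228 IP (tos 0x20, ttl 58, id 27952, offset 0, flags [none], proto UDP (17), length 156)
    198.51.100.7.62503 > 192.168.99.98.33901: UDP, length 128
"""

# WireGuard message sizes as UDP payload; these are fixed by the protocol.
WG_SIZES = {148: "handshake-initiation", 92: "handshake-response",
            64: "cookie-reply", 32: "keepalive"}

UDP_LINE = re.compile(r"^\s+(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
                      r"UDP, length (?P<len>\d+)\s*$")


def classify(length):
    """Map a UDP payload length to the WireGuard message type it implies."""
    if length in WG_SIZES:
        return WG_SIZES[length]
    # Transport data: 32 bytes of framing plus a payload padded to a multiple of 16.
    return "transport-data" if length > 32 and length % 16 == 0 else "not-wireguard"


def parse_capture(text):
    """One dict per datagram; tcpdump -vn prints the IP header line, then the UDP line."""
    packets, ts = [], None
    for line in text.splitlines():
        if not line.startswith(" "):
            ts = line.split(" ", 1)[0]
            continue
        m = UDP_LINE.match(line)
        if m:
            packets.append({"ts": ts, "src": f"{m['src']}:{m['sport']}",
                            "dst": f"{m['dst']}:{m['dport']}",
                            "type": classify(int(m["len"]))})
    return packets


def handshake_report(packets):
    """Per endpoint: initiations received, responses sent, data datagrams (post-handshake)."""
    report = defaultdict(Counter)
    for p in packets:
        if p["type"] == "handshake-initiation":
            report[p["dst"]]["initiations"] += 1
        elif p["type"] == "handshake-response":
            report[p["src"]]["responses"] += 1
        elif p["type"] == "transport-data":
            report[p["dst"]]["data"] += 1
            report[p["src"]]["data"] += 1
    return {ep: dict(c) for ep, c in report.items()}


def diagnose(packets):
    """One verdict per listener that received initiations, following the thread's reasoning."""
    verdicts = {}
    for ep, c in handshake_report(packets).items():
        if c.get("initiations") and not c.get("responses"):
            verdicts[ep] = ("initiations arrive but nothing answers: check the firewall "
                            "rule for this port and the listen_port before the keys "
                            "(a bad key or PSK is dropped silently)")
        elif c.get("responses"):
            verdicts[ep] = "handshake completes"
    return verdicts


if __name__ == "__main__":
    for ep, verdict in diagnose(parse_capture(SAMPLE_CAPTURE)).items():
        print(ep, "->", verdict)
```

A capture filter of `udp port 27254` hides the ICMP port-unreachable that the fw3 reject chain (`--reject-with icmp-port-unreachable` in the iptables-save output later in the thread) sends for a rejected datagram; capturing `udp port 27254 or icmp` separates a firewall REJECT from a silent key mismatch.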

That is a valid explanation.

:face_with_symbols_over_mouth: :rage:
All the keys are correct... Still the same behaviour... If it didn't work on the other side I would say that there is a bug... I don't see where the problem can be!
All the keys are OK and still the same...

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

Here it goes...

fw3:~# ubus call system board; \
> uci export network; \
> uci export dhcp; uci export firewall; \
> head -n -0 /etc/firewall.user; \
> iptables-save -c; ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
> ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
{
	"kernel": "4.14.221",
	"hostname": "fw3",
	"model": "Raspberry Pi 3 Model B Rev 1.2",
	"board_name": "raspberrypi,3-model-b",
	"release": {
		"distribution": "OpenWrt",
		"version": "19.07.7",
		"revision": "r11306-c4a6851c72",
		"target": "brcm2708/bcm2710",
		"description": "OpenWrt 19.07.7 r11306-c4a6851c72"
	}
}
package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config interface 'lan'
	option ifname 'eth0'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option delegate '0'
	option ipaddr '192.168.96.253'

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'
	option delegate '0'

config interface 'wg0'
	option proto 'wireguard'
	option delegate '0'
	option private_key 'PrivateKey='
	option listen_port '30000'

config wireguard_wg0
	option description 'fw4'
	option route_allowed_ips '1'
	list allowed_ips '192.168.98.0/24'
	list allowed_ips '192.168.95.0/24'
	option preshared_key 'PSkeyWG0='
	option endpoint_port '30000'
	option endpoint_host 'public.ip.address'
	option public_key 'PublicKeyFW4='

config interface 'wg1'
	option proto 'wireguard'
	option listen_port '27254'
	option private_key 'PrivateKey='
	option delegate '0'

config wireguard_wg1
	option public_key 'PublicKey iPhone='
	option description 'iPhone'
	list allowed_ips '192.168.95.120'
	option preshared_key 'PS Key iPhone='
	option route_allowed_ips '1'
	option endpoint_port '27254'

package dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option localservice '0'
	option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
	option interface 'lan'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	option start '10'
	option limit '40'
	list dhcp_option '3, 192.168.96.253'
	list dhcp_option '4, 192.168.96.253'
	option leasetime '6h'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option mac 'PI2 Mac'
	option dns '1'
	option ip '192.168.96.98'
	option name 'pi2'

config domain
	option name 'fw3'
	option ip '192.168.96.253'

package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan wg0 wg1'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option dest_port '65535'
	option src 'wan'
	option family 'ipv4'
	option target 'ACCEPT'
	option name 'Allow WG Tunnel'
	list proto 'udp'

config rule
	option src 'wan'
	option name 'Allow WG VPN'
	option family 'ipv4'
	option target 'ACCEPT'
	list proto 'udp'
	option dest_port '52783'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
# Generated by iptables-save v1.8.3 on Thu Dec  2 11:24:51 2021
*nat
:PREROUTING ACCEPT [1489:251715]
:INPUT ACCEPT [615:48145]
:OUTPUT ACCEPT [567:41929]
:POSTROUTING ACCEPT [10:2517]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[1489:251715] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[1009:222078] -A PREROUTING -i eth0 -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i wg0 -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i wg1 -m comment --comment "!fw3" -j zone_lan_prerouting
[480:29637] -A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
[1395:234632] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[7:2296] -A POSTROUTING -o eth0 -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o wg0 -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o wg1 -m comment --comment "!fw3" -j zone_lan_postrouting
[1385:232115] -A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
[7:2296] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[1009:222078] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[1385:232115] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[1385:232115] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[480:29637] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
COMMIT
# Completed on Thu Dec  2 11:24:51 2021
# Generated by iptables-save v1.8.3 on Thu Dec  2 11:24:51 2021
*mangle
:PREROUTING ACCEPT [38460:22021495]
:INPUT ACCEPT [3739:430113]
:FORWARD ACCEPT [34708:21587502]
:OUTPUT ACCEPT [5394:1595885]
:POSTROUTING ACCEPT [40019:23176859]
[234:14948] -A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[231:13708] -A FORWARD -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Thu Dec  2 11:24:51 2021
# Generated by iptables-save v1.8.3 on Thu Dec  2 11:24:51 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[334:49627] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[3405:380486] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[2266:295652] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[410:19252] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[647:57251] -A INPUT -i eth0 -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i wg0 -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i wg1 -m comment --comment "!fw3" -j zone_lan_input
[492:27583] -A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
[34708:21587502] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[33991:21315327] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[717:272175] -A FORWARD -i eth0 -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i wg0 -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i wg1 -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[334:49627] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[5064:1547234] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[4473:1503334] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[9:2952] -A OUTPUT -o eth0 -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o wg0 -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o wg1 -m comment --comment "!fw3" -j zone_lan_output
[582:40948] -A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
[417:19917] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[34:4616] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[410:19252] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[9:2952] -A zone_lan_dest_ACCEPT -o eth0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_ACCEPT -o wg0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_ACCEPT -o wg1 -m comment --comment "!fw3" -j ACCEPT
[717:272175] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[717:272175] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[647:57251] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[647:57251] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[9:2952] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[9:2952] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[647:57251] -A zone_lan_src_ACCEPT -i eth0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_src_ACCEPT -i wg0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_src_ACCEPT -i wg1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[83:6528] -A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[1216:306595] -A zone_wan_dest_ACCEPT -o eth1 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[492:27583] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 65535 -m comment --comment "!fw3: Allow WG Tunnel" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 52783 -m comment --comment "!fw3: Allow WG VPN" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[41:3050] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[451:24533] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[582:40948] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[582:40948] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[451:24533] -A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Thu Dec  2 11:24:51 2021
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.168.96.253/24 brd 192.168.96.255 scope global eth0
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.168.97.96/24 brd 192.168.97.255 scope global eth1
       valid_lft forever preferred_lft forever
default via 192.168.97.254 dev eth1 proto static src 192.168.97.96 
82.65.165.186 via 192.168.97.254 dev eth1 proto static 
192.168.95.0/24 dev wg0 proto static scope link 
192.168.95.120 dev wg1 proto static scope link 
192.168.96.0/24 dev eth0 proto kernel scope link src 192.168.96.253 
192.168.97.0/24 dev eth1 proto kernel scope link src 192.168.97.96 
192.168.98.0/24 dev wg0 proto static scope link 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 192.168.96.0 dev eth0 table local proto kernel scope link src 192.168.96.253 
local 192.168.96.253 dev eth0 table local proto kernel scope host src 192.168.96.253 
broadcast 192.168.96.255 dev eth0 table local proto kernel scope link src 192.168.96.253 
broadcast 192.168.97.0 dev eth1 table local proto kernel scope link src 192.168.97.96 
local 192.168.97.96 dev eth1 table local proto kernel scope host src 192.168.97.96 
broadcast 192.168.97.255 dev eth1 table local proto kernel scope link src 192.168.97.96 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
ls: /tmp/resolv.*/*: No such file or directory
lrwxrwxrwx    1 root     root            16 Feb 15  2021 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 Dec  2 10:20 /tmp/resolv.conf
-rw-r--r--    1 root     root            43 Dec  2 10:20 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface wan
nameserver 192.168.97.254
head: /tmp/resolv.*/*: No such file or directory

& BTW thx for your involvement in my case...

I suppose you are trying to connect to wg1.
wg1 interface doesn't have an IP, use one with the proper mask.
In iPhone peer configuration add /32 in the allowed_ips and remove the endpoint_port.

Thx, I will not be able to go to the 2nd site before Monday, but ASAP I will check & keep you posted.

Thx again

Also just to be safe, I would re-install all keys, private, public, and preshared.

Hello to all...

I have been quite busy, so I didn't have time to dig into this. Finally I left site .98 configured as it seemed to be working fine. I took everything needed for site .96 and flew to the 2nd location... Obviously it didn't work any better. But then I started digging & I realized that in the Firewall Traffic Rules I had messed up the ports, so I corrected the entries & everything works like a charm...
Thx to all of you who have helped me on this. I now have a secure site-to-site network; very happy.

The last thing will be to upgrade the OpenWrt versions, specifically on the Raspberry Pi 4, as it is a snapshot install & I need to do a new one from scratch :roll_eyes:
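The fix turned out to be a mismatch between the firewall rule ports (65535, 52783) and the WireGuard listen ports (30000, 27254) in the posted config, alongside the earlier peer-config advice (a /32 in allowed_ips, no endpoint_port for a roaming peer, an address on the wg interface). As an added example, not code from the thread or from OpenWrt, this linter parses a `uci export` dump and flags exactly those points; the excerpt it checks is constructed in the posted format.

```python
import re

# Constructed excerpt in the `uci export` format posted in this thread, trimmed to the
# sections the checks need (keys omitted; nothing here is the poster's real material).
SAMPLE_UCI = """\
package network
config interface 'wg1'
    option proto 'wireguard'
    option listen_port '27254'
config wireguard_wg1
    option description 'iPhone'
    list allowed_ips '192.168.95.120'
    option endpoint_port '27254'
package firewall
config rule
    option src 'wan'
    list proto 'udp'
    option dest_port '52783'
    option target 'ACCEPT'
"""

SECTION = re.compile(r"^config (\S+)(?: '([^']*)')?$")
KEYVAL = re.compile(r"^(option|list) (\S+) '([^']*)'$")


def as_list(value):
    """UCI values arrive as a single option or a list; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def parse_uci_export(text):
    """Sections as dicts {package, type, name, values}; `list` keys collect into lists."""
    sections, package, cur = [], None, None
    for line in (l.strip() for l in text.splitlines()):
        sec, kv = SECTION.match(line), KEYVAL.match(line)
        if line.startswith("package "):
            package = line.split(None, 1)[1]
        elif sec:
            cur = {"package": package, "type": sec[1], "name": sec[2], "values": {}}
            sections.append(cur)
        elif kv and cur is not None:
            kind, key, val = kv.groups()
            if kind == "list":
                cur["values"].setdefault(key, []).append(val)
            else:
                cur["values"][key] = val
    return sections


def wan_udp_accept_ports(sections):
    """UDP ports opened for input from the wan zone (a rule without dest is an input rule)."""
    ports = set()
    for s in sections:
        v = s["values"]
        if (s["package"], s["type"]) == ("firewall", "rule") and v.get("src") == "wan" \
                and "dest" not in v and v.get("target") == "ACCEPT" \
                and "udp" in as_list(v.get("proto")):
            ports.update(as_list(v.get("dest_port")))
    return ports


def check_wireguard(text):
    """Findings for the misconfigurations discussed in this thread, in config order."""
    sections, findings = parse_uci_export(text), []
    open_ports = wan_udp_accept_ports(sections)
    for s in sections:
        v, kind = s["values"], s["type"]
        if s["package"] != "network":
            continue
        if kind == "interface" and v.get("proto") == "wireguard":
            port = v.get("listen_port")
            if port and port not in open_ports:
                findings.append(f"{s['name']}: listen_port {port} not opened by any wan udp "
                                f"ACCEPT rule (rules open {sorted(open_ports)})")
            if not as_list(v.get("addresses")):
                findings.append(f"{s['name']}: no tunnel address configured")
        elif kind.startswith("wireguard_"):
            peer = f"{kind[10:]} peer {v.get('description', '?')}"
            for ip in as_list(v.get("allowed_ips")):
                if "/" not in ip:
                    findings.append(f"{peer}: allowed_ips '{ip}' has no prefix, use {ip}/32")
            if "endpoint_port" in v and "endpoint_host" not in v:
                findings.append(f"{peer}: endpoint_port without endpoint_host, remove it")
    return findings
```

Feed it the concatenated output of `uci export network; uci export firewall` from the router to lint a live config.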

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
