Wireguard: udp traffic not working while tcp works

Hi, I'm new to OpenWrt and I'm trying to set up a VPN connection using WireGuard.
The client is an Android phone tested over LTE.
The strange thing is, I can run ssh/http over WireGuard just fine, but UDP traffic does not come out of the wg0 interface (checked with tcpdump). Then I tried iperf and found some weird stuff.
With `iperf3 -c {local_iperf_server} -u -l 500`, when the packet size is smaller than the MTU, nothing comes out of wg0, no packet arrives at the iperf server, and `ifconfig wg0` shows the TX packet error count increasing. If I do `iperf3 -c {local_iperf_server} -u -l 2500`, when the packet size is larger than the MTU, I can see the packet in tcpdump saying "UDP, bad length 2500 > 1248", but the iperf server can receive it.
I've been testing for days and honestly, with my knowledge about networking, I don't know what's going on. Any help is appreciated, thanks!

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru

Also post the WG config on the phone either screenshot or text.

Hi, thanks for your reply! Here is the output:

{
        "kernel": "5.4.188",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "FriendlyElec NanoPi R4SE",
        "board_name": "friendlyarm,nanopi-r4se",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "target": "rockchip/armv8",
                "revision": "R22.3.13 (2022-07-21)",
                "description": "OpenWrt "
        }
}


package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd00::/64'

config interface 'lan'
        option type 'bridge'
        option _orig_ifname 'eth1'
        option _orig_bridge 'true'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.30.1'
        option ip6assign '64'
        option ifname 'eth1 ztnfab5thw'

config device 'lan_eth1_dev'
        option name 'eth1'
        option macaddr (hidden)

config interface 'wan'
        option ifname 'eth0'
        option _orig_ifname 'eth0'
        option _orig_bridge 'false'
        option proto 'static'
        option ipaddr '192.168.1.5'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'
        option broadcast '192.168.1.255'
        option dns '192.168.1.1'

config device 'wan_eth0_dev'
        option name 'eth0'
        option macaddr (hidden)

config interface 'wan6'
        option ifname 'eth0'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option sourcefilter '0'
        option reqprefix 'auto'

config interface 'vpn0'
        option ifname 'tun0'
        option proto 'none'

config interface 'wg0'
        option proto 'wireguard'
        option private_key (hidden)
        option listen_port '61000'
        list addresses '192.168.30.211/24'

config wireguard_wg0
        option public_key (hidden)
        option persistent_keepalive '25'
        option route_allowed_ips '1'
        option preshared_key (hidden)
        list allowed_ips '192.168.30.212'

config interface 'ipsec_server'
        option ifname 'ipsec0'
        option device 'ipsec0'
        option proto 'static'
        option ipaddr '192.168.100.1'
        option netmask '255.255.255.0'

config route6

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option flow_offloading '0'
        option flow_offloading_hw '0'
        option fullcone '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option log '1'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option network 'wan wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config include 'zerotier'
        option type 'script'
        option path '/etc/zerotier.start'
        option reload '1'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config rule 'linkease'
        option name 'linkease'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp'
        option dest_port '8897'

config include 'adbyby'
        option type 'script'
        option path '/var/etc/adbyby.include'
        option reload '1'

config rule 'adblock'
        option name 'adblock'
        option target 'DROP'
        option src 'wan'
        option proto 'tcp'
        option dest_port '8118'

config include 'luci_app_ipsec_server'
        option type 'script'
        option path '/var/etc/ipsecvpn.include'
        option reload '1'

config include 'socat'
        option type 'script'
        option path '/var/etc/socat.include'
        option reload '1'

config include 'ssr_mudb_server'
        option type 'script'
        option path '/var/etc/ssr_mudb_server.include'
        option reload '1'

config include 'gowebdav'
        option type 'script'
        option path '/var/etc/gowebdav.include'
        option reload '1'

config include 'mia'
        option type 'script'
        option path '/etc/mia.include'
        option reload '1'

config include 'openclash'
        option type 'script'
        option path '/var/etc/openclash.include'
        option reload '1'

config rule 'openvpn'
        option name 'openvpn'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp udp'
        option dest_port '1194'

config include 'passwall'
        option type 'script'
        option path '/var/etc/passwall.include'
        option reload '1'

config include 'passwall_server'
        option type 'script'
        option path '/var/etc/passwall_server.include'
        option reload '1'

config include 'pptpd'
        option type 'script'
        option path '/etc/pptpd.include'
        option reload '1'

config rule 'pptp'
        option name 'pptp'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp'
        option dest_port '1723'

config rule 'gre'
        option name 'gre'
        option target 'ACCEPT'
        option src 'wan'
        option proto '47'

config include 'softethervpn'
        option type 'script'
        option path '/usr/share/softethervpn/firewall.include'
        option reload '1'

config include 'shadowsocksr'
        option type 'script'
        option path '/var/etc/shadowsocksr.include'
        option reload '1'

config include 'unblockneteasemusic'
        option type 'script'
        option path '/var/etc/unblockneteasemusic.include'
        option reload '1'

config rule 'kms'
        option name 'kms'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp'
        option dest_port '1688'

config include 'vssr'
        option type 'script'
        option path '/var/etc/vssr.include'
        option reload '1'

config include 'wrtbwmon'
        option type 'script'
        option path '/etc/wrtbwmon.include'
        option reload '1'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp'
        option name 'SSH'
        option dest_port '60022'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'udp'
        option dest_port '61000'
        option name 'Wireguard'

config zone 'ipsecserver'
        option name 'ipsecserver'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option network 'ipsec_server'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option dest_port '9993'
        option name 'Zerotier'
        option proto 'tcp udp'

config forwarding
        option dest 'wan'
        option src 'lan'

config zone
        option name 'wg'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'wg0'
        option forward 'ACCEPT'

config forwarding
        option dest 'lan'
        option src 'wg'

config forwarding
        option dest 'wg'
        option src 'lan'


# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports 53
[ -n "$(command -v ip6tables)" ] && ip6tables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 53
[ -n "$(command -v ip6tables)" ] && ip6tables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports 53

iptables -t nat -I POSTROUTING -i br-lan -o eth0 -j MASQUERADE
ip6tables -t nat -I POSTROUTING -i br-lan -o eth0 -j MASQUERADE


1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 192.168.1.5/24 brd 192.168.1.255 scope global eth0
       valid_lft forever preferred_lft forever
8: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.30.1/24 brd 192.168.30.255 scope global br-lan
       valid_lft forever preferred_lft forever
35: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 192.168.30.211/24 brd 192.168.30.255 scope global wg0
       valid_lft forever preferred_lft forever


default via 192.168.1.1 dev eth0 proto static
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.5
192.168.30.0/24 dev br-lan proto kernel scope link src 192.168.30.1
192.168.30.0/24 dev wg0 proto kernel scope link src 192.168.30.211
192.168.30.212 dev wg0 proto static scope link
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev eth0 table local proto kernel scope link src 192.168.1.5
local 192.168.1.5 dev eth0 table local proto kernel scope host src 192.168.1.5
broadcast 192.168.1.255 dev eth0 table local proto kernel scope link src 192.168.1.5
broadcast 192.168.30.0 dev br-lan table local proto kernel scope link src 192.168.30.1
broadcast 192.168.30.0 dev wg0 table local proto kernel scope link src 192.168.30.211
local 192.168.30.1 dev br-lan table local proto kernel scope host src 192.168.30.1
local 192.168.30.211 dev wg0 table local proto kernel scope host src 192.168.30.211
broadcast 192.168.30.255 dev br-lan table local proto kernel scope link src 192.168.30.1
broadcast 192.168.30.255 dev wg0 table local proto kernel scope link src 192.168.30.211
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

You have 18 firewall scripts loading!?!? :open_mouth:

Wow...you do realize that we can't see any of them, correct?

I'm not sure; most of the firewall entries come pre-installed with the device, so I just left them alone. Should I just go disable those scripts? Looks like not all the "include" sections have related entries in the LuCI web UI.

This suggests you are not using an official version of OpenWrt.... if you want to continue using the existing firmware, you should ask on the support channels/forums for the vendor's firmware. However, we can help you here if you install an official version of OpenWrt (I'm not sure if the R4S image works with your R4SE device... so you should check that first)


Is there a way to tell if I can use the official image other than install it and see? Thanks!

Maybe Google has some answers... or the search on this forum.

Based on what the seller said, its only difference from the R4S is that it has a MAC address in its hardware. Does that mean I can use the R4S image directly?

I found this post that talked about R4SE, need some time to read it entirely, but looks like it's not easy to just install R4S image on R4SE.

I don’t know the answers here. I’d suggest further reading.

You may be lucky and fix the problem, which is an IP conflict, as you are using the same subnet in lan and WireGuard. WireGuard is layer 3; you cannot bridge it with the lan. Change the addresses of WireGuard from 192.168.30.X into something else, for example 192.168.33.X.
If that doesn't help, we cannot do much more.

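As an added example (not part of this thread), a small Python check that parses the main-table unicast routes from `ip -4 route` output and flags prefixes that overlap across different interfaces, which is exactly the conflict visible in the routing table posted above (192.168.30.0/24 on both br-lan and wg0). The sample routes are constructed from the thread's output; `FIXED_ROUTES` assumes the suggested move of WireGuard to 192.168.33.0/24.

```python
"""Flag overlapping IPv4 prefixes that are reachable via different interfaces."""
import ipaddress
import re

# Constructed sample: main-table lines copied from the thread's `ip -4 ro li tab all` output.
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev eth0 proto static
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.5
192.168.30.0/24 dev br-lan proto kernel scope link src 192.168.30.1
192.168.30.0/24 dev wg0 proto kernel scope link src 192.168.30.211
192.168.30.212 dev wg0 proto static scope link
"""

# Constructed sample: the same table after moving WireGuard to 192.168.33.0/24 (assumption).
FIXED_ROUTES = """\
default via 192.168.1.1 dev eth0 proto static
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.5
192.168.30.0/24 dev br-lan proto kernel scope link src 192.168.30.1
192.168.33.0/24 dev wg0 proto kernel scope link src 192.168.33.1
192.168.33.100 dev wg0 proto static scope link
"""


def parse_routes(text):
    """Return (network, device) pairs for unicast routes; local/broadcast entries are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] in ("broadcast", "local", "unreachable", "blackhole"):
            continue
        dev = re.search(r"\bdev (\S+)", line)
        if dev is None:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        # A bare host address (no /len) becomes a /32 route, as the kernel treats it.
        routes.append((ipaddress.ip_network(dst, strict=False), dev.group(1)))
    return routes


def find_overlaps(routes):
    """List (prefix, dev, prefix, dev) pairs that overlap on different devices; ignores the default route."""
    overlaps = []
    for i, (net_a, dev_a) in enumerate(routes):
        for net_b, dev_b in routes[i + 1:]:
            if dev_a == dev_b or net_a.prefixlen == 0 or net_b.prefixlen == 0:
                continue
            if net_a.overlaps(net_b):
                overlaps.append((str(net_a), dev_a, str(net_b), dev_b))
    return overlaps


if __name__ == "__main__":
    for hit in find_overlaps(parse_routes(SAMPLE_ROUTES)):
        print("conflict: %s via %s overlaps %s via %s" % hit)
```

Running it on the original table reports both the duplicate /24 and the peer's /32 inside the LAN range; on the moved-subnet table it reports nothing.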

Thanks! I'll try a different subnet setup.
Btw, is it not possible to have WireGuard and the local lan in the same subnet, so that some applications that rely on e.g. lan scanning can work?

Yes and no. Not Wireguard itself, no - as it's a Layer 3 VPN.

You could use Wireguard to establish an Ethernet-over-IP tunnel for example.

Hi, I tried the different subnet setup and sadly it has the identical problem.
So the wg server (the router) is now 192.168.31.1 and the client is 192.168.31.100, and 192.168.30.188 is a machine in the lan on the server side.
`iperf3 -c 192.168.31.1 -u` works
`iperf3 -c 192.168.30.188 -u` doesn't work
`iperf3 -c 192.168.30.188 -u -R` works (?)
And I tried
client side: `socat - udp-sendto:192.168.30.188:6789`
lan side: `socat udp-recvfrom:6789 stdout`
which worked, so I'm confused.
But anyway, I didn't get Moonlight to work over this setup; it connects but cannot take input.

Make sure the firewall is allowing the traffic in OpenWrt zones.
Also if there is any host firewall on the servers, set it to allow the incoming traffic from other networks.