Wireguard unable to make handshake with tun0 as default gateway

I have set up a WireGuard server with an OpenVPN client on my OpenWrt x86 router (firmware version: OpenWrt 21.02.0-rc3). Everything works fine if I make the WAN the default gateway with pull-filter ignore "redirect-gateway" in the .ovpn config file. The WireGuard clients can connect to the router from outside and access services on my network.

But I do not want to override the default gateway. What I want is to make tun0 the default gateway on the router (removing pull-filter ignore "redirect-gateway" from the .ovpn file) and create policies in VPN and WAN Policy-Based Routing to selectively use the WAN. If I do so, my WireGuard clients can see the server and vice versa, but no handshake is made.

I can see my WireGuard server transmitting and receiving data, but no handshake.

Public Key: yyt-------------------------iSIhvX----------------Pqv0A=
Endpoint: 92.xxx.xxx.22:44000
Allowed IPs: 10.4.0.3/32
Persistent Keepalive: 25s
Latest Handshake: Never
Data Received: 4 KiB
Data Transmitted: 117 KiB

On the other side, on my phone for example, data is being transmitted but rx is 0 Bytes in the WireGuard app.

Config:

root@Villa_US_OpenWRT:~# cat /etc/config/vpn-policy-routing

config policy
        option name 'wireguard'
        option proto 'udp'
        option chain 'OUTPUT'
        option src_port '51820'
        option interface 'wan'

config policy
        option interface 'wan'
        option name 'br-lan2_FR_via_wan'
        option src_addr '192.168.7.0/24'

config vpn-policy-routing 'config'
        option verbosity '2'
        option strict_enforcement '1'
        option src_ipset '0'
        option dest_ipset '0'
        option resolver_ipset 'dnsmasq.ipset'
        option ipv6_enabled '0'
        option boot_timeout '30'
        option iptables_rule_option 'append'
        option procd_reload_delay '1'
        option webui_sorting '1'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        list webui_supported_protocol 'all'
        option webui_enable_column '1'
        option webui_protocol_column '1'
        option webui_chain_column '1'
        option webui_show_ignore_target '1'
        option enabled '1'
        list supported_interface 'tun0'
        list ignored_interface 'vpnserver wgserver'
        list ignored_interface 'wg0'

config include
        option path '/etc/vpn-policy-routing.netflix.user'
        option enabled '0'

config include
        option path '/etc/vpn-policy-routing.aws.user'
        option enabled '0'

Firewall:

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config zone
	option name 'br_lan2_FR'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan2_FR'

config forwarding
	option src 'br_lan2_FR'
	option dest 'lan'

config forwarding
	option src 'br_lan2_FR'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'br_lan2_FR'

config zone
	option name 'br_IoT_US'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'IoT_US'
	option input 'REJECT'

config forwarding
	option src 'br_lan2_FR'
	option dest 'br_IoT_US'

config forwarding
	option src 'lan'
	option dest 'br_IoT_US'

config zone
	option name 'gateway_lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list subnet '192.168.1.0/24'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wan'

config forwarding
	option src 'gateway_lan'
	option dest 'br_IoT_US'

config forwarding
	option src 'gateway_lan'
	option dest 'br_lan2_FR'

config forwarding
	option src 'gateway_lan'
	option dest 'lan'

config forwarding
	option src 'br_lan2_FR'
	option dest 'gateway_lan'

config forwarding
	option src 'lan'
	option dest 'gateway_lan'

config zone
	option name 'nordvpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'tun0'

config forwarding
	option src 'br_IoT_US'
	option dest 'nordvpn'

config forwarding
	option src 'lan'
	option dest 'nordvpn'

config rule
	option name 'Allow-WireGuard'
	list proto 'udp'
	option dest_port '51820'
	option target 'ACCEPT'
	option family 'ipv4'
	option src 'wan'

config zone
	option name 'wireguard'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'wg0'

config forwarding
	option src 'wireguard'
	option dest 'br_lan2_FR'

config forwarding
	option src 'wireguard'
	option dest 'gateway_lan'

config forwarding
	option src 'wireguard'
	option dest 'lan'

config forwarding
	option src 'wireguard'
	option dest 'wan'

config forwarding
	option src 'br_lan2_FR'
	option dest 'wireguard'

config forwarding
	option src 'gateway_lan'
	option dest 'wireguard'

config forwarding
	option src 'lan'
	option dest 'wireguard'

config forwarding
	option src 'wireguard'
	option dest 'br_IoT_US'

.ovpn

client
dev tun
proto udp
remote 92.xxx.xxx.6 1194
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
comp-lzo no

route 192.168.20.0 255.255.255.0 192.168.1.1
route 192.168.60.0 255.255.255.0 192.168.1.1
route 192.168.30.0 255.255.255.0 192.168.1.1

remote-cert-tls server

auth-user-pass /etc/openvpn/456.auth
verb 3
pull
fast-io
cipher AES-256-CBC
auth SHA512
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>

-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>

It's problematic to conntrack outgoing UDP.
Disable gateway redirection in the VPN client profile.
Create a policy to route your LAN traffic to the VPN client.


Hello,

Thank you for the reply.

It's problematic to conntrack outgoing UDP.

Meaning it is not solvable?

Disable gateway redirection in the VPN client profile.
Create a policy to route your LAN traffic to the VPN client.

If I put pull-filter ignore redirect-gateway in the client .ovpn, the default gateway is overridden. I want to leave tun0 as the default gateway.

My case:

After setting up the OpenVPN client on my router, tun0 becomes the default gateway. I want this to remain.

If I disable gateway redirection in the VPN client profile by adding pull-filter ignore redirect-gateway, wan becomes the default gateway in VPN-PBR. I don't want this.

But if I don't disable gateway redirection, my WireGuard clients cannot make a handshake with my router's WireGuard server.

I think you got it backwards: the redirect-gateway directive received from the OpenVPN server does override your default gateway which was set by your WAN connection, and the pull-filter ignore redirect-gateway directive prevents that overriding.

Regarding your issue, here is an idea (disclaimer: I do not have such a use case and cannot test; there may be simpler ways such as the reversal suggested by vgaetera):

  1. DSCP mark/tag locally generated WireGuard packets using iptables (see if that slightly old thread can help).
  2. Specify that DSCP tag in VPN and WAN Policy-Based Routing for your WAN interface (in the DSCP Tagging section).
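Before marking anything, it helps to confirm the failure mode the routing suggestions above address: peers whose counters move but never handshake, and which interface the router would use to send the handshake reply back to them. The script below is an added example, not code from this thread or from OpenWrt; the dump lines are constructed in the format of `wg show wg0 dump`, with placeholder keys and documentation addresses, and `ip route get` is only consulted when iproute2 is present.

```shell
#!/bin/sh
# Added example (not from the thread): flag WireGuard peers that show the
# symptom above (bytes transmitted, "Latest Handshake: Never") and report
# the device the router would use to reach each peer's endpoint. If that
# device is tun0 rather than the WAN interface, the handshake response
# leaves through the OpenVPN tunnel and the peer never sees it.
#
# Input format is that of `wg show wg0 dump` (tab separated). Peer lines:
#   pubkey  psk  endpoint  allowed-ips  latest-handshake  rx  tx  keepalive
# latest-handshake is a Unix timestamp; 0 means never.

# Constructed sample: keys are placeholders, addresses are documentation ranges.
sample_dump() {
    printf 'PRIVKEY_PLACEHOLDER\tSERVER_PUBKEY_PLACEHOLDER\t51820\toff\n'
    printf 'PEER_A_PUBKEY_PLACEHOLDER\t(none)\t192.0.2.22:44000\t10.4.0.3/32\t0\t4096\t119808\t25\n'
    printf 'PEER_B_PUBKEY_PLACEHOLDER\t(none)\t198.51.100.7:51820\t10.4.0.4/32\t1690000000\t20480\t30720\t25\n'
    printf 'PEER_C_PUBKEY_PLACEHOLDER\t(none)\t(none)\t10.4.0.5/32\t0\t0\t0\toff\n'
}

# stuck_peers: read a dump on stdin and print "pubkey endpoint tx" for each
# peer that has sent data but never completed a handshake. The interface
# header line (4 fields) and peers with no traffic at all are skipped.
stuck_peers() {
    awk -F'\t' 'NF >= 8 && $5 == "0" && $7 + 0 > 0 { print $1, $3, $7 }'
}

# count_stuck: number of stuck peers in the constructed sample.
count_stuck() {
    sample_dump | stuck_peers | wc -l | tr -d ' '
}

# egress_dev: ask the kernel which device a locally generated packet to
# ADDR would leave through, i.e. the return path for a handshake response.
# This is the main-table decision; a VPN-PBR fwmark rule may override it.
egress_dev() {
    command -v ip >/dev/null 2>&1 || return 0
    ip route get "$1" 2>/dev/null | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

# report: for each stuck peer on stdin, show endpoint, bytes sent and the
# device the reply would use.
report() {
    stuck_peers | while read -r key endpoint tx; do
        host=${endpoint%:*}
        printf '%s -> %s (tx %s bytes, reply would leave via %s)\n' \
            "$key" "$endpoint" "$tx" "$(egress_dev "$host")"
    done
}

sample_dump | report
```

On the router, replace `sample_dump` with `wg show wg0 dump`; a stuck peer whose reply device is tun0 is exactly the case where the router's own UDP port 51820 traffic needs a policy route to the WAN.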

Even if you disable gateway redirection, LAN clients will use VPN as the default gateway:
https://openwrt.org/docs/guide-user/network/routing/examples/pbr_app

Hello Fiouz and vgaetera,

I think I misspoke.

I think you got it backwards: the redirect-gateway directive received from the OpenVPN server does override your default gateway which was set by your WAN connection, and the pull-filter ignore redirect-gateway directive prevents that overriding.

I know. I want the router to keep what the 'redirect-gateway' from the OpenVPN server has implemented (i.e. everything goes through the VPN except the policy I set up in VPN-PBR to use the WAN).
But when I do so, my WireGuard clients can't make a handshake.

If I disable redirect-gateway, the default gateway will be the WAN, which I do not want.

Even if you disable gateway redirection, LAN clients will use VPN as the default gateway

Yes, that's true, but not for the router itself when it initiates traffic to the internet.

To sum up:

  • WAN as the default gateway: WireGuard clients can make a handshake and everything works well.

  • tun0 as the default gateway: WireGuard clients cannot make a handshake.

I'm afraid this is the only feasible way in this case.
You typically don't need to worry about the router's own gateway other than its DNS traffic.
And you can make the VPN client create static routes to DNS servers, so DNS will also go to VPN.

vgaetera, I did all that stuff. I'm not worried about DNS leaks, I have set up DHCP option on the interface and added no-resolv.