Wireguard - Unconfigured interface address showing up

I am trying to set up a WRT3200ACM as a WireGuard client and am having issues getting the wg0 interface to receive any packets. I have a WRT1900 that is the WireGuard server and have successfully connected a separate client (a GLNET travel router, which is OpenWrt based, although it seems they use their own WireGuard setup and not the generic OpenWrt one), but I cannot get this one to connect. I suspected it had something to do with the route setup (or lack thereof). While looking through my configs I noticed something odd when I read the output of ifconfig (FYI, there was no WAN interface connected when I ran this):

br-lan    Link encap:Ethernet  HWaddr 26:F5:A2:2F:6E:00  
          inet addr:192.168.50.1  Bcast:192.168.50.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:747 errors:0 dropped:0 overruns:0 frame:0
          TX packets:679 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:65104 (63.5 KiB)  TX bytes:98449 (96.1 KiB)

eth0      Link encap:Ethernet  HWaddr 26:F5:A2:2F:6E:00  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:797 errors:0 dropped:0 overruns:0 frame:0
          TX packets:680 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:532 
          RX bytes:84127 (82.1 KiB)  TX bytes:102212 (99.8 KiB)
          Interrupt:37 

eth0.1    Link encap:Ethernet  HWaddr 26:F5:A2:2F:6E:00  
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:797 errors:0 dropped:0 overruns:0 frame:0
          TX packets:680 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:69781 (68.1 KiB)  TX bytes:99492 (97.1 KiB)

eth1      Link encap:Ethernet  HWaddr 24:F5:A2:2F:6E:00  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:532 
          RX bytes:0 (0.0 B)  TX bytes:4498 (4.3 KiB)
          Interrupt:36 

eth1.2    Link encap:Ethernet  HWaddr 24:F5:A2:2F:6E:00  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:4446 (4.3 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:65 errors:0 dropped:0 overruns:0 frame:0
          TX packets:65 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:4428 (4.3 KiB)  TX bytes:4428 (4.3 KiB)


That 192.168.1.1 address on eth0.1 should not be there if my reasoning is correct.
Here is my /etc/config/network:


# /etc/config/network of the client (first attempt). UCI accepts '#' line comments.
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# eth0.1 is bridged into br-lan and gets 192.168.50.1 here; the 192.168.1.1
# seen on eth0.1 in the ifconfig output above is not configured in this file.
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.50.1'
	option netmask '255.255.255.0'

config interface 'wan'
	option ifname 'eth1.2'
	option proto 'dhcp'

# Second tunnel (tun0) with proto 'none': the device is created outside netifd.
config interface 'vpn'
	option proto 'none'
	option ifname 'tun0'
	option auto '1'

config interface 'wg0'
	option proto 'wireguard'
	# Private key redacted in the post (secret material; only the public key is shared).
	option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxx'
	# A fixed listen_port is only needed on the side that receives handshakes;
	# an initiating client can leave it unset.
	option listen_port '16990'
	# No prefix length: 10.200.0.3 alone does not say how large the tunnel subnet is.
	list addresses '10.200.0.3'
	option enabled '1'
	option force_link '1'

config wireguard_wg0
	option public_key 'QMARoHrAyHac54SG8M+V0marGHRlDv/Z4zTgL8Xbymg='
	option persistent_keepalive '25'
	option endpoint_host '12.34.56.78'
	option endpoint_port '16990'
	# Missing prefix length: '0.0.0.0/0' is needed to mean "all IPv4";
	# the /32 entry below is then already covered by it.
	list allowed_ips '0.0.0.0'
	list allowed_ips '10.200.0.3/32'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN 1 = LAN ports, VLAN 2 = WAN port; both tagged towards the CPU.
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'


Since my bigger issue is with the WireGuard client setup, I will go ahead and post my firewall config as well, but the address on the eth0.1 interface is what really confuses me.

# /etc/config/firewall of the client (first attempt). UCI accepts '#' line comments.
config defaults
	option syn_flood '1'
	option tcp_syncookies '1'
	# Policy for traffic not matched by any zone; the 'wan' zone below sets its own DROP.
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option disable_ipv6 '1'
	option drop_invalid '1'

config zone
	option name 'lan'
	option network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option network 'wan'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

# Tunnel zone: the router itself only answers the 'Allow-Ping' rule further
# down; forwarding to lan/wan is granted by the forwarding sections below.
config zone
	option forward 'REJECT'
	option output 'ACCEPT'
	option name 'wg'
	option network 'wg0'
	option input 'REJECT'
	option mtu_fix '1'

config zone
	option name 'vpn'
	option output 'ACCEPT'
	option input 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option network 'vpn'

config forwarding
	option src 'vpn'
	option dest 'wan'

config forwarding
	option src 'vpn'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option dest 'lan'
	option src 'wg'

# wg -> wan: peers arriving through the tunnel may also exit to the Internet here.
config forwarding
	option dest 'wan'
	option src 'wg'

config forwarding
	option dest 'wg'
	option src 'lan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'wan - router ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'
	option limit '60/min'
	option limit_burst '100'
	option enabled '1'

config rule
	option name 'Allow-Ping'
	option src 'wg'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

# NOTE(review): the two rules below open the LuCI web UI (tcp/16970) and SSH
# (tcp/16969) to any source on WAN; a non-default port does not reduce that
# exposure. Limit them with 'option src_ip' to known addresses, or manage the
# router only through the tunnel (the 'wg' zone) and drop these WAN rules.
config rule
	option name 'wan - luci'
	option src 'wan'
	option proto 'tcp'
	option dest_port '16970'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'tcp'
	option src 'wan'
	option dest_port '16969'
	option name 'wan ssh'

# Hand-written rules appended from this script, if present.
config include
	option path '/etc/firewall.user'


You have not specified the netmask.

There is no point allowing itself from the peer.

Again you forgot the mask, add /0
Regarding the firewall you could group the interfaces lan, wg0 and tun0 under LAN zone, if all of them are part of the LAN. Or group tun0 under WAN, if it provides connection to the internet.

For that IP, run grep -r '192.168.1.1' /etc/ to see where it is coming from.

  • You seem to have a far-end VPN for the Internet (0.0.0.0/0), did you make a firewall rule on that device to accept the UDP encrypted traffic from WAN (udp/16990)?
  • You list yourself as having a listening port of 16990 too; that's usually incorrect if you're the "client."
  • 0.0.0.0 is missing the CIDR prefix /0
  • list allowed_ips '10.200.0.3/32' - this IP is included in 0.0.0.0/0
  • Not sure why you have force link 1.
  • Not sure why the option enabled is there.
  • Your list addresses '10.200.0.3' does not include a CIDR prefix for the size of the subnet.

Thank you for the replies. First, the random 192.168.1.1 address showing up on eth0.1, which was my initial issue: I am pretty sure it is a bug in the last stable build. It seems to be specific to OpenWrt 18.06, because the issue was present with default configs on a repo image as well as on a custom-built image. As soon as I built/flashed an image from trunk the issue disappeared.

Now back to the WireGuard issue. I did not specify a netmask because I saw that particular example in the setup guide of Mullvad or one of the other big VPN providers. This is also where the "force link" option came from. I am not using any of their services because I am running my own "server", but I had tried what I thought would work before the above options, as well as about every rational combination I can think of, without success, so I thought I would try what they had (although admittedly I cannot see their server config). I tried /24 and /32 on client IPs as well as 0.0.0.0/0 and 0.0.0.0/1 for allowed IPs. The GLNET travel router (CLIENT1) has been connected almost continuously without issue. That shouldn't affect anything, should it (i.e. two clients connecting at the same time)? Since it is OpenWrt based I would just copy its config or disconnect it to troubleshoot, but unfortunately a co-worker is currently using it out of town to access our company LAN, which has been working solidly now for a few days.

Here is an up-to-date list of all configs with the suggestions applied. Please let me know if I still have something wrong, because we still have no RX packets on the client.

SERVER

/etc/config/network (relevant parts)

# Server /etc/config/network (relevant parts). UCI accepts '#' line comments.
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'privatekey'
	# Server side: a fixed port that peers connect to; the WAN firewall must accept it.
	option listen_port '16990'
	# The /24 here already gives the server a connected route for 10.200.0.0/24.
	list addresses '10.200.0.1/24'

# One 'wireguard_wg0' section per peer. allowed_ips is both the accepted
# source range for packets from that peer and, with route_allowed_ips,
# the destinations routed to it.
config wireguard_wg0
	option public_key 'pubkey'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	# NOTE(review): a /24 on a single peer claims the whole 10.200.0.0/24 for
	# it; the second peer below claims the same prefix, so only one can own it.
	# Use /32 per peer.
	list allowed_ips '10.200.0.2/24'

config wireguard_wg0
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option description 'Colorado WRT'
	option public_key 'pubkey'
	list allowed_ips '10.200.0.3/24'

# Redundant: the interface address above is already a /24, so the subnet
# route exists without this section.
config route
	option interface 'wg0'
	option target '10.200.0.0'
	option netmask '255.255.255.0'

/etc/config/firewall (relevant parts)

# Server /etc/config/firewall (relevant parts). UCI accepts '#' line comments.
config zone
	option forward 'REJECT'
	option output 'ACCEPT'
	option name 'wg'
	option network 'wg0'
	option input 'REJECT'
	option mtu_fix '1'

config forwarding
	option dest 'lan'
	option src 'wg'

config forwarding
	option dest 'wan'
	option src 'wg'

config forwarding
	option dest 'wg'
	option src 'lan'

# NOTE(review): WireGuard uses UDP only; 'udp' is sufficient here and keeps
# tcp/16990 closed on WAN.
config rule
	option name 'wan - wireguard server'
	option src 'wan'
	option proto 'tcpudp'
	option dest_port '16990'
	option target 'ACCEPT'

# Lets tunnel peers ping the router itself despite the zone's input REJECT.
config rule
    option name 'wg - router ping'
    option src 'wg'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'
    option enabled '1'

CLIENT

/etc/config/network (relevant parts)

# Client /etc/config/network, tunnel interface. No listen_port: the client initiates.
config interface 'wg0'
        option proto 'wireguard'
        option private_key 'privatekey'
        list addresses '10.200.0.3/24'
       
# Client peer section: the server is reached at endpoint_host:endpoint_port.
config wireguard_wg0
        option public_key 'publickey'
        option endpoint_port '16990'
        option persistent_keepalive '25'
        # With route_allowed_ips, 0.0.0.0/0 below sends all IPv4 traffic through the tunnel.
        option route_allowed_ips '1'
        option endpoint_host '75.24.60.73'
        list allowed_ips '0.0.0.0/0'

/etc/config/firewall (relevant parts)

# Client /etc/config/firewall (relevant parts). UCI accepts '#' line comments.
# Tunnel zone: router input rejected, forwarding granted pairwise below.
config zone
        option forward 'REJECT'
        option output 'ACCEPT'
        option name 'wg'
        option input 'REJECT'
        option network 'wg0'
        option mtu_fix '1'

config forwarding
        option dest 'lan'
        option src 'wg'

config forwarding
        option dest 'wan'
        option src 'wg'

config forwarding
        option dest 'wg'
        option src 'lan'

On server:

Not needed

Must be /32

Not needed.

For firewall, you can add wg0 interface in LAN zone. You trust those clients, so no need to make things more complicated. Erase zone wg.

Client wireguard configuration is fine. Here you can also delete wg zone in firewall and assign wg0 interface in lan zone.


Ok, thanks trendy, I will try your suggestions. I may not remove the wg firewall zone on the server until the guy using the GLNET WireGuard client returns from his trip. It is working for him right now, so I am afraid to rock the boat too much... I guess I could always make backups of the current configs and try it out when he is offline. I will take the zone off the second client I am having issues with, as well as change the netmasks and remove the server route as directed. Right now I am having to use the mobile hotspot on my iPhone to simulate an incoming connection not on our LAN, but would it be possible to still connect to WireGuard directly from our LAN? I know this serves no practical purpose, but it would help troubleshooting to see if there is another issue with the handshake between the server and client, to eliminate that possibility; e.g. temporarily set "endpoint host" on the client to the router's LAN address (10.0.20.1) and have the client's WAN port connected to a LAN port on the server.

There is no conflict of networks, so I think it will work.


Thanks, after reading your suggestions and playing with the settings (not to mention a reboot) it is now working, with one caveat. I changed my setup a little, because the only goal I originally had was to make resources on our company LAN available to coworkers out of the office, so routing all traffic over the tunnel was unnecessary. I changed the routes to only route traffic to our LAN over the VPN and it works, but only if masquerading is enabled on the wg0 interface. I have read on several threads that this is unnecessary, but without it I cannot ping our company DNS server. Here is my up-to-date config. Any suggestions? (I really prefer to keep the wg0 interface in its own firewall zone.) I would not care and would just be happy that it works; however, I am concerned how being behind NAT will affect Windows Active Directory. Plus, the whole idea behind us moving to WireGuard is that I am shooting for the best possible performance, so that people can hopefully access databases with large data transfers over the tunnel without it being prohibitively slow, to the point of having to use RDP (what we are using now).

Server

/etc/config/network (relevant parts)

# Server /etc/config/network (relevant parts). UCI accepts '#' line comments.
# Head-office LAN: 10.0.20.1 with a /23 mask (10.0.20.0 - 10.0.21.255).
config interface 'lan'
        option ifname 'eth0.10'
        option proto 'static'
        option ipaddr '10.0.20.1'
        option netmask '255.255.254.0'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'privatekey'
	option listen_port '16990'
	list addresses '10.200.0.1/24'

# Peer 'Colorado WRT': only its tunnel address is accepted from it. The
# client's own LAN (192.168.50.0/24) is not listed here, so replies to
# those source addresses are dropped unless the client masquerades.
config wireguard_wg0
	option persistent_keepalive '25'
	option description 'Colorado WRT'
	option public_key 'pubkey'
	list allowed_ips '10.200.0.3/32'

/etc/config/firewall (relevant parts)

# Server /etc/config/firewall, tunnel zone (mtu_fix was dropped from this version).
config zone
	option forward 'REJECT'
	option output 'ACCEPT'
	option name 'wg'
	option network 'wg0'
	option input 'REJECT'
	
config forwarding
	option dest 'lan'
	option src 'wg'

config forwarding
	option dest 'wan'
	option src 'wg'

config forwarding
	option dest 'wg'
	option src 'lan'

# NOTE(review): WireGuard uses UDP only; 'udp' is sufficient and keeps tcp/16990 closed.
config rule
	option name 'wan - wireguard server'
	option src 'wan'
	option proto 'tcpudp'
	option dest_port '16990'
	option target 'ACCEPT'

# Lets tunnel peers ping the router itself despite the zone's input REJECT.
config rule
    option name 'wg - router ping'
    option src 'wg'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'
    option enabled '1'


Client



/etc/config/network (relevant parts)

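# Client /etc/config/network (relevant parts). UCI accepts '#' line comments.
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.50.1'
        option netmask '255.255.255.0'

config interface 'wg0'
        option proto 'wireguard'
        # Fixed: the value was missing its opening quote (privkey'), which UCI
        # would not parse as intended.
        option private_key 'privkey'
        list addresses '10.200.0.3/24'

config wireguard_wg0
        option public_key 'pubkey'
        option endpoint_port '16990'
        # Installs routes for the allowed_ips below via wg0.
        option route_allowed_ips '1'
        option endpoint_host '55.55.55.55'
        # Head-office LAN; matches the server's 10.0.20.1 / 255.255.254.0.
        list allowed_ips '10.0.20.0/23'
        # Host bits are ignored: this is the whole tunnel subnet 10.200.0.0/24,
        # not just the server's address.
        list allowed_ips '10.200.0.1/24'
        option persistent_keepalive '25'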

You need NAT because you have not allowed nor routed the LAN IPs of the client.
Add these in server:

# Suggested server-side peer section: listing the client's LAN lets the
# server accept packets sourced from 192.168.50.0/24 and, with
# route_allowed_ips, route replies back through this peer, so the client
# no longer needs masquerading on wg0.
config wireguard_wg0
	option persistent_keepalive '25'
	option description 'Colorado WRT'
	option public_key 'pubkey'
	list allowed_ips '192.168.50.0/24'
	list allowed_ips '10.200.0.3/32'
        option route_allowed_ips '1'

On client:
change list allowed_ips '10.200.0.1/24' to 10.200.0.1/32 if you want to communicate only with the head office, or to 10.200.0.0/24 if you plan to add more branches or teleworkers.

