Wireguard VPN (client on router) - no RX connection

WireGuard VPN client on router B (with OpenWrt) does not download RX data (TX works)

  1. Internet is delivered to router A (TP-Link) - IP: 192.168.0.1
  2. I have set up a Wireguard VPN server on Raspberry pi 4, connected via LAN to router A with IP: 192.168.0.100
  3. I have router B (with OpenWrt system) with its own subnet 192.168.2.1, connected via LAN to router A under IP: 192.168.0.104

Configuration on router A (tp-link IP: 192.168.0.1):

  1. I opened port 51820 to the IP address of the VPN server on Raspberry pi 4 (192.168.0.101)
  2. I don't know if it's necessary, but I created a static route for router B with Destination IP: 192.168.2.0 and Gateway 192.168.0.104

Configuration on router B (OpenWrt 192.168.2.1):

  1. I connected the Wireguard client and there is no internet
  2. Firewall rules for the VPN are set up the same way as for WAN; if I configure another VPN provider, e.g. Surfshark or NordVPN, it works for them.
  3. I did not open any ports or do a static route because it is a VPN client

Now the VPN client from the Raspberry server works on my computer or phone, but not on the B router - no RX data download.

  • The identical configuration of the firewall and everything else on router B lets, for example, the NordVPN or Surfshark interface work, but not the Raspberry one.

Since everything else works everywhere, it may be influenced by the fact that all data travels over the same Internet connection.

I have no idea how to get past this. Here is all the data:

Here is the WireGuard client config:

[Interface]
PrivateKey = 2HxxxkI=
Address = 10.yyy.2/24
DNS = 9.9.9.9, 149.112.112.112

[Peer]
PublicKey = p7xxxTQ=
PresharedKey = ZExxx4o=
Endpoint = 84.yyy.100:51820
AllowedIPs = 0.0.0.0/0, ::0/0

Here is my VPN server configuration (from pivpn -debug on the Raspberry Pi):

=============================================
::::        Installation settings        ::::
PLAT=Raspbian
OSCN=bullseye
USING_UFW=0
pivpnforceipv6route=1
IPv4dev=eth0
IPv4addr=192.168.0.101/24
IPv4gw=192.168.0.1
install_user=xxx
install_home=/home/xxx
VPN=wireguard
pivpnPORT=51820
pivpnDNS1=9.9.9.9
pivpnDNS2=149.112.112.112
pivpnHOST=REDACTED
INPUT_CHAIN_EDITED=0
FORWARD_CHAIN_EDITED=0
INPUT_CHAIN_EDITEDv6=
FORWARD_CHAIN_EDITEDv6=
pivpnPROTO=udp
pivpnMTU=1420
pivpnDEV=wg0
pivpnNET=10.yyy.0
subnetClass=24
pivpnenableipv6=0
ALLOWED_IPS="0.0.0.0/0, ::0/0"
UNATTUPG=1
INSTALLED_PACKAGES=(dnsutils grepcidr bsdmainutils iptables-persistent wireguard-tools qrencode unattended-upgrades)


=============================================
::::  Server configuration shown below   ::::
[Interface]
PrivateKey = server_priv
Address = 10.yyy.1/24
MTU = 1420
ListenPort = 51820
### begin testClient ###
[Peer]
PublicKey = testClient_pub
PresharedKey = testClient_psk
AllowedIPs = 10.yyy.2/32
### end testClient###

=============================================
::::  Client configuration shown below   ::::
[Interface]
PrivateKey = testClient
Address = 10.yyy.2/24
DNS = 9.9.9.9, 149.112.112.112

[Peer]
PublicKey = server_pub
PresharedKey = testClient_psk
Endpoint = REDACTED:51820
AllowedIPs = 0.0.0.0/0, ::0/0


=============================================
::::            Self check               ::::
:: [OK] IP forwarding is enabled
:: [OK] Iptables MASQUERADE rule set
:: [OK] WireGuard is running
:: [OK] WireGuard is enabled
(it will automatically start on reboot)
:: [OK] WireGuard is listening on port 51820/udp
=============================================

Here is my network configuration from router B (OpenWrt):

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.xxx.1'
        option netmask '255.xxx.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fde8:xxx3::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.2.1'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'wg0'
        option proto 'wireguard'
        list dns '9.9.9.9'
        list dns '149.112.112.112'
        option auto '0'
        option private_key '2xxxkI='
        list addresses '10.yyy.2/24'

config wireguard_wg0
        option description 'something'
        option route_allowed_ips '1'
        option endpoint_port '51820'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::0/0'
        option endpoint_host '84.xxx.100'
        option public_key 'p7xxxTQ='

Here are screenshots of the firewall on router B (OpenWrt):

1 Router A - Forwarding and Static

5a Router B - Firewall 1

5b Router B - Firewall 2

If I understand this correctly, the WireGuard server is on network 192.168.0.0/24 and you are trying to connect to it using the WAN IP address of router A.

Change the endpoint to 192.168.0.101 to see if you will get a successful handshake.


Still no RX data :(

The WireGuard server is on network 192.168.0.0/24, which is the network of router A.
On router B I am trying to set up a WireGuard client.
I am trying to connect to the WireGuard server (on network 192.168.0.0/24) from router B, which is connected to router A via its WAN port (on router B) and a LAN port (on router A).

The connections are similar to the picture below:

You still need to use the 192.168.0.101 as endpoint_host in the router B configuration. Then run tcpdump on VPN server to verify that you receive the packets. If there is no response, then something is wrong with the IP addresses of the peer or the keys.


Ok, done (but still no RX data)

Here is the link to all the tasks. Do you need more lines?

@raspbBerry:~ $ sudo tcpdump -i eth0
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
12:22:28.473480 IP 192.168.0.101.ssh > 192.168.0.102.59510: Flags [P.], seq 1058768746:1058768878, ack 2443994000, win 501, length 132
12:22:28.473669 IP 192.168.0.101.ssh > 192.168.0.102.59510: Flags [P.], seq 132:232, ack 1, win 501, length 100
12:22:28.475040 IP 192.168.0.102.59510 > 192.168.0.101.ssh: Flags [.], ack 232, win 4096, length 0
12:22:28.546726 IP 192.168.0.101.43417 > 192.168.0.1.domain: 24707+ PTR? 101.0.168.192.in-addr.arpa. (44)
12:22:28.558015 IP 192.168.0.1.domain > 192.168.0.101.43417: 24707 NXDomain* 0/1/0 (99)
12:22:28.558298 IP 192.168.0.101.51608 > 192.168.0.1.domain: 26574+ PTR? 102.0.168.192.in-addr.arpa. (44)
12:22:28.574835 IP 192.168.0.1.domain > 192.168.0.101.51608: 26574 NXDomain* 0/1/0 (99)
12:22:28.575203 IP 192.168.0.101.ssh > 192.168.0.102.59510: Flags [P.], seq 232:404, ack 1, win 501, length 172
12:22:28.575302 IP 192.168.0.101.ssh > 192.168.0.102.59510: Flags [P.], seq 404:552, ack 1, win 501, length 148
12:22:28.575386 IP 192.168.0.101.ssh > 192.168.0.102.59510: Flags [P.], seq 552:692, ack 1, win 501, length 140
12:22:28.577600 IP 192.168.0.102.59510 > 192.168.0.101.ssh: Flags [.], ack 692, win 4100, length 0
12:22:28.649291 IP 192.168.0.101.56201 > 192.168.0.1.domain: 47209+ PTR? 1.0.168.192.in-addr.arpa. (42)
12:22:28.659313 IP 192.168.0.1.domain > 192.168.0.101.56201: 47209 NXDomain* 0/1/0 (97)
948 packets captured
956 packets received by filter
0 packets dropped by kernel

On Pi:

sudo tcpdump -nnvvti any udp and port 51820

Then on router B:

ifup wg0; sleep 3; wg show
root@zzz:~# ifup wg0; sleep 3; wg show
interface: wg0
  public key: 4kxxxulw=
  private key: (hidden)
  listening port: 56330

peer: p7xxx1TQ=
  endpoint: 192.168.0.101:51820
  allowed ips: 0.0.0.0/0, ::/0
  transfer: 0 B received, 148 B sent

root@zzz:~# ifup wg0; sleep 3; wg show
interface: wg0
  public key: 4kxxxHulw=
  private key: (hidden)
  listening port: 59486

peer: p7xxx1TQ=
  endpoint: 192.168.0.101:51820
  allowed ips: 0.0.0.0/0, ::/0
  transfer: 0 B received, 148 B sent
root@zzz:~#

raspbBerry:~ $ sudo tcpdump -nnvvti any udp and port 51820
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
eth0  In  IP (tos 0x88, ttl 64, id 37279, offset 0, flags [none], proto UDP (17), length 176)
    192.168.0.104.56330 > 192.168.0.101.51820: [udp sum ok] UDP, length 148
eth0  Out IP (tos 0x88, ttl 64, id 36276, offset 0, flags [none], proto UDP (17), length 120)
    192.168.0.101.51820 > 192.168.0.104.56330: [bad udp cksum 0x8293 -> 0x86a9!] UDP, length 92
eth0  In  IP (tos 0x88, ttl 64, id 37313, offset 0, flags [none], proto UDP (17), length 176)
    192.168.0.104.56330 > 192.168.0.101.51820: [udp sum ok] UDP, length 148
eth0  Out IP (tos 0x88, ttl 64, id 36635, offset 0, flags [none], proto UDP (17), length 120)
    192.168.0.101.51820 > 192.168.0.104.56330: [bad udp cksum 0x8293 -> 0x37a4!] UDP, length 92
eth0  In  IP (tos 0x88, ttl 64, id 37343, offset 0, flags [none], proto UDP (17), length 176)
    192.168.0.104.59486 > 192.168.0.101.51820: [udp sum ok] UDP, length 148
eth0  Out IP (tos 0x88, ttl 64, id 36974, offset 0, flags [none], proto UDP (17), length 120)
    192.168.0.101.51820 > 192.168.0.104.59486: [bad udp cksum 0x8293 -> 0xa7e0!] UDP, length 92
eth0  In  IP (tos 0x88, ttl 64, id 37837, offset 0, flags [none], proto UDP (17), length 176)
    192.168.0.104.59486 > 192.168.0.101.51820: [udp sum ok] UDP, length 148
eth0  Out IP (tos 0x88, ttl 64, id 37934, offset 0, flags [none], proto UDP (17), length 120)
    192.168.0.101.51820 > 192.168.0.104.59486: [bad udp cksum 0x8293 -> 0x115d!] UDP, length 92
eth0  In  IP (tos 0x88, ttl 64, id 37853, offset 0, flags [none], proto UDP (17), length 176)
    192.168.0.104.59486 > 192.168.0.101.51820: [udp sum ok] UDP, length 148
eth0  Out IP (tos 0x88, ttl 64, id 38811, offset 0, flags [none], proto UDP (17), length 120)
    192.168.0.101.51820 > 192.168.0.104.59486: [bad udp cksum 0x8293 -> 0x821f!] UDP, length 92
eth0  In  IP (tos 0x88, ttl 64, id 38085, offset 0, flags [none], proto UDP (17), length 176)
    192.168.0.104.59486 > 192.168.0.101.51820: [udp sum ok] UDP, length 148
eth0  Out IP (tos 0x88, ttl 64, id 39207, offset 0, flags [none], proto UDP (17), length 120)
    192.168.0.101.51820 > 192.168.0.104.59486: [bad udp cksum 0x8293 -> 0x136d!] UDP, length 92
12 packets captured
13 packets received by filter
0 packets dropped by kernel
raspbBerry:~ $

There appears to be two-way communication, but no handshake.
Recheck the keys as @trendy suggested above.

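The diagnostic the replies above walk through (tcpdump on the Pi while bringing wg0 up on router B) can be read mechanically from the packet sizes: a WireGuard handshake initiation is always 148 bytes of UDP payload and a handshake response is always 92, so the capture posted shows the server answering every initiation while wg show on router B counts 0 B received. The script below is an added example, not code from this thread, from PiVPN or from OpenWrt; it parses both outputs and turns them into a verdict, and its sample lines are constructed in the shape of the outputs pasted above. One caveat worth knowing when reading such captures: "bad udp cksum" on the outbound lines is what tcpdump prints when the NIC fills in checksums in hardware (offload), so on the sending host it is not a fault.

```python
# Added example: classify WireGuard packets from tcpdump and cross-check `wg show`.
import re
from dataclasses import dataclass
from typing import List

# WireGuard message sizes (bytes of UDP payload), fixed by the protocol.
HANDSHAKE_INITIATION = 148   # type 1
HANDSHAKE_RESPONSE = 92      # type 2
COOKIE_REPLY = 64            # type 3; same size as a 32-byte transport packet
TRANSPORT_HEADER = 32        # type 4: 32 bytes of overhead + payload padded to 16
_UNITS = {"B": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3}


def classify_wg_len(udp_len: int) -> str:
    """Map a UDP payload length to the only WireGuard message type it can be."""
    if udp_len == HANDSHAKE_INITIATION:
        return "handshake-initiation"
    if udp_len == HANDSHAKE_RESPONSE:
        return "handshake-response"
    if udp_len == COOKIE_REPLY:
        return "cookie-reply-or-transport"   # 64 B is ambiguous by length alone
    if udp_len >= TRANSPORT_HEADER and (udp_len - TRANSPORT_HEADER) % 16 == 0:
        return "transport-data"              # exactly 32 B is a keepalive
    return "not-wireguard"


@dataclass
class Packet:
    direction: str   # "In" / "Out" as printed by tcpdump -i any
    src: str
    sport: int
    dst: str
    dport: int
    udp_len: int
    bad_cksum: bool  # "bad udp cksum" on Out packets = checksum offload, not an error


_HDR = re.compile(r"^\S+\s+(In|Out)\s+IP\b")
_UDP = re.compile(r"^\s+(\S+)\.(\d+) > (\S+)\.(\d+): \[(.*?)\] UDP, length (\d+)")


def parse_tcpdump(text: str) -> List[Packet]:
    """Parse `tcpdump -nnvvti any udp and port 51820` output (two lines per packet)."""
    packets, direction = [], None
    for line in text.splitlines():
        m = _HDR.match(line)
        if m:
            direction = m.group(1)
            continue
        m = _UDP.match(line)
        if m and direction:
            src, sport, dst, dport, cksum, length = m.groups()
            packets.append(Packet(direction, src, int(sport), dst, int(dport),
                                  int(length), cksum.startswith("bad udp cksum")))
            direction = None
    return packets


def parse_wg_show_peer(text: str) -> dict:
    """Pull endpoint, handshake state and received bytes from a `wg show` peer block."""
    info = {"endpoint": None, "handshake": False, "rx_bytes": 0}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("endpoint:"):
            info["endpoint"] = line.split(None, 1)[1]
        elif line.startswith("latest handshake:"):
            info["handshake"] = True           # line is absent until one completes
        elif line.startswith("transfer:"):
            m = re.match(r"transfer: ([\d.]+) (\w+) received", line)
            if m:
                info["rx_bytes"] = int(float(m.group(1)) * _UNITS[m.group(2)])
    return info


def diagnose(server_capture: str, client_wg_show: str, port: int = 51820) -> dict:
    """Combine the server capture and the client's wg show into one verdict."""
    pkts = parse_tcpdump(server_capture)
    peer = parse_wg_show_peer(client_wg_show)
    kinds_in = {classify_wg_len(p.udp_len) for p in pkts if p.direction == "In" and p.dport == port}
    kinds_out = {classify_wg_len(p.udp_len) for p in pkts if p.direction == "Out" and p.sport == port}
    init_seen = "handshake-initiation" in kinds_in
    resp_sent = "handshake-response" in kinds_out
    if not init_seen:
        verdict = "no-initiation: client endpoint, port forward or server-side firewall"
    elif not resp_sent:   # WireGuard drops a bad initiation without replying
        verdict = "dropped-silently: public key, preshared key or AllowedIPs mismatch"
    elif peer["handshake"] or peer["rx_bytes"] > 0:
        verdict = "handshake-ok: look at routing/NAT for the payload, not the tunnel"
    else:
        verdict = "reply-lost: server answers but the client's wg socket never sees it"
    return {"initiations_seen": init_seen, "responses_sent": resp_sent,
            "client_rx_bytes": peer["rx_bytes"],
            "offload_cksum_warnings": sum(p.bad_cksum for p in pkts if p.direction == "Out"),
            "verdict": verdict}


# Constructed sample input, in the shape of the outputs posted in the thread.
SAMPLE_CAPTURE = """\
eth0  In  IP (tos 0x88, ttl 64, id 37279, offset 0, flags [none], proto UDP (17), length 176)
    192.168.0.104.56330 > 192.168.0.101.51820: [udp sum ok] UDP, length 148
eth0  Out IP (tos 0x88, ttl 64, id 36276, offset 0, flags [none], proto UDP (17), length 120)
    192.168.0.101.51820 > 192.168.0.104.56330: [bad udp cksum 0x8293 -> 0x86a9!] UDP, length 92
"""
SAMPLE_WG_SHOW = """\
peer: p7xxx1TQ=
  endpoint: 192.168.0.101:51820
  allowed ips: 0.0.0.0/0, ::/0
  transfer: 0 B received, 148 B sent
"""
```

Run as `diagnose(SAMPLE_CAPTURE, SAMPLE_WG_SHOW)["verdict"]` and the posted capture comes out as "reply-lost": the server is replying, so keys are not the problem and the return path to router B is. On OpenWrt the corresponding fix the thread arrives at is, assuming the peer is the first anonymous wireguard_wg0 section, `uci set network.@wireguard_wg0[0].endpoint_host='192.168.0.101'; uci commit network; ifup wg0`, followed by `wg show` to confirm a "latest handshake" line appears.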

It works!!! All I had to do was change the peer endpoint IP to 192.168.0.101, as you wrote earlier.
I just didn't restart the router after changing the IP, my bad, sorry.
Thank you!

By the way, with the same configuration, if instead of router A I connected the Raspberry VPN server to the LAN of router B (so it had an address in that subnet, e.g. 192.168.2.30), then:

  • would I also have to change the WireGuard client endpoint on router B to 192.168.2.30?
  • port forwarding of 51820 on router B? And that's all?

Both endpoints must be correct and reachable. Then it will work.
