Wireguard VPN no RX packets only TX traffic

edizco · February 5, 2023, 10:16am

I am only getting TX trafic and no RX traffic on my wireshark vpn config, Here is my config

trendy · February 5, 2023, 12:35pm

What is the output of wg show ?

psherman · February 5, 2023, 7:40pm

let's see your configs in text form...

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

blackraiin · February 7, 2023, 3:51am

following ...

lleachii · February 7, 2023, 2:51pm

Is this related to the topic?

In the future, if you want to follow a thread - FYI you can simply press a button at the bottom and change your follow prefrences:

edizco · February 7, 2023, 6:12pm

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fdd1:9186:d9fb::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.2'
	option gateway '192.168.1.2'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'WG0'
	option proto 'wireguard'
	option private_key 'GHzE+L8***
	list addresses '10.14.0.2/16'
	option peerdns '0'
	list dns '162.252.172.57'
	list dns '149.154.159.92'

config wireguard_WG0
	option public_key 'DpMfulan****
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
	option endpoint_host 'us-chi.prod.surfshark.com'
	option endpoint_port '51820'

psherman · February 7, 2023, 6:36pm

What is upstream of this OpenWrt device? is it a modem/ont, or is it a router (or combo unit with routing functions)? If it is a router, that would mean that the wan has an RFC1918 address on it, so we need to know what that is if it is indeed not a public IP.

We also need to see the firewall file.

What is the output of

wg show

Not related to your problem, but these can be deleted as they don't do anything.

Also, I'd recommend removing the gateway here -- just delete the line. It is not necessary and may cause problems.

edizco · February 7, 2023, 6:49pm

Thank you for replying quickly I removed the gateway and the dns server like you said so but now i cannot access the router and ssh just doesnt give any response.

psherman · February 7, 2023, 6:51pm

That's highly unusual... did you change things in the firewall, dropbear, or uhttpd configurations?

What is the toplogy of your network (can you make a quick diagram, complete with the IP addresses of all infrastructure devices)?

You may need to use failsafe mode to regain access and fix the problems

edizco · February 7, 2023, 7:05pm

This is a quick diagram of my home network, I restarted my router and now the gateway works but the changes I made reverted should I try to remove the gateway again.
wg show spit out this command

root@OpenWrt:~# wg show
interface: WG0
  public key: CO7rMlv2u*****
  private key: (hidden)
  listening port: 52691

peer: DpMfulanF/M*****
  endpoint: 143.24****
  allowed ips: 0.0.0.0/0
  transfer: 0 B received, 4.05 KiB sent

psherman · February 7, 2023, 7:14pm

Thank you.

How is the OpenWrt device connected -- is it using a lan port or wan port?

The gateway should be removed, unless you are using the lan port on the OpenWrt device to conenct to the modem/router combo unit... if that's the case, the gateway should be 192.168.1.1

this indicates that there is no handshake, so something is wrong... it could be the gateway issue, but we'll get there.

edizco · February 7, 2023, 7:30pm

Thank you, removing the gateway solved the no packets recieved issue but now I cannot access any websites even though I am getting packets sent and recieved. I also cannot ssh into the router because I can only access the router using openwrt.lan.

psherman · February 7, 2023, 7:31pm

It would be most helpful if you could answer the questions I asked previously what port is being used. Also, we need to see the firewall file.

edizco · February 7, 2023, 7:36pm

Yes sorry the wan port is being used to provide internet and the lan port is connected to my computer and this is my firewall configuration.

psherman · February 7, 2023, 7:37pm

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

edizco · February 7, 2023, 7:42pm

I cannot ssh into the router as when I removed the gateway I could only access the router via openwrt.lan and when I add the gateway I get no packets recieved.

psherman · February 7, 2023, 7:47pm

How are you trying to access the router? from the OpenWrt lan port or the upstream network?

I think your problem is related to your lan interface definition -- it conflicts with the upstream network.
You need to change it to another subnet.... the address on your lan can be any RFC1918 address that doesn't conflict with the 192.168.1.0/24 network. So change your OpenWrt lan IP to 192.168.2.1 (as an example).

edizco · February 7, 2023, 8:07pm

I changed the ip to a non used one but now I can only access certain websites like google and YouTube but other websites won’t load. These websites won’t load in incognito either so I’m very confused.

psherman · February 7, 2023, 8:09pm

try the following ping tests from your computer:

192.168.2.1
192.168.1.1
139.59.210.197
forum.openwrt.org

What are the results.

edizco · February 7, 2023, 8:21pm

Microsoft Windows [Version 10.0.19045.2486]
(c) Microsoft Corporation. All rights reserved.

C:\Users\emert>ping 192.168.2.1

Pinging 192.168.2.1 with 32 bytes of data:
Reply from 192.168.2.1: bytes=32 time<1ms TTL=64
Reply from 192.168.2.1: bytes=32 time<1ms TTL=64
Reply from 192.168.2.1: bytes=32 time<1ms TTL=64
Reply from 192.168.2.1: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.2.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\Users\emert>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.2.1: Destination port unreachable.
Reply from 192.168.2.1: Destination port unreachable.
Reply from 192.168.2.1: Destination port unreachable.
Reply from 192.168.2.1: Destination port unreachable.

Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

C:\Users\emert>ping 139.59.210.197

Pinging 139.59.210.197 with 32 bytes of data:
Reply from 139.59.210.197: bytes=32 time=316ms TTL=47
Reply from 139.59.210.197: bytes=32 time=313ms TTL=47
Reply from 139.59.210.197: bytes=32 time=317ms TTL=47
Reply from 139.59.210.197: bytes=32 time=325ms TTL=47

Ping statistics for 139.59.210.197:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 313ms, Maximum = 325ms, Average = 317ms

C:\Users\emert>ping forum.openwrt.org

Pinging forum.openwrt.org [139.59.210.197] with 32 bytes of data:
Reply from 139.59.210.197: bytes=32 time=323ms TTL=47
Reply from 139.59.210.197: bytes=32 time=319ms TTL=47
Reply from 139.59.210.197: bytes=32 time=296ms TTL=47
Request timed out.

Ping statistics for 139.59.210.197:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 296ms, Maximum = 323ms, Average = 312ms

C:\Users\emert>