Wireguard VPN not routing traffic

Hello all.

WRT1900ACSv1 on 22.03

I am trying to build a WireGuard VPN server inside my Openwrt router. Followed step by step the tutorial at: https://openwrt.org/docs/guide-user/services/vpn/wireguard/server and everything seems to be ok, interface up and running, assigned interface to LAN zone, allowed access to interface from WAN.

I create the tunnel on my Android phone as in WG manual.


I generate a private/public key pair for my peer and match the public one with the one in the WG peer configuration, fill the addresses with the ones set up when configuring the WG server (192.168.9.2/32 for the peer, 192.168.9.1/24 for the server), paste the WG server public key in the peer section, fill in the public IP address and port exposed to reach the WG server from the internet, and leave the allowed IPs field blank (should I add 0.0.0.0/0 or is it unnecessary?).

My public IP is a duckdns one, but it is up to date and resolves correctly.


I restart the VPN interface on each change.


But whenever I switch on the tunnel on my phone, my traffic does not go through the tunnel, as my public IP does not match my router's public IP (it is the public IP from my carrier, as if I were not connected to the WG server). Plus, in the WG status on OpenWrt, there is neither data received/transmitted nor a latest handshake.

I am behind my ISP router in bridge mode (VLAN id 20); does that affect anything? I understand I do not have to redirect the traffic on my ISP router as it is in bridge mode (all ports exposed); I only have to create a rule to direct requests arriving on WAN port 51820 to the internal IP of my OpenWrt router with the WireGuard server running on the same port 51820.

Thanks in advance.

The Wireguard port forward is not needed, you can delete it. The firewall rule to Allow-Wireguard is enough.
Try to connect from the phone to have some hits on the firewall and post the following:

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru

Thank you very much for the help.

Port forward deleted, Allow-wireguard untouched.

I have connected to the tunnel with the phone and this is my output from the command:

 "kernel": "5.10.138",
        "hostname": "OpenWrt",
        "system": "ARMv7 Processor rev 1 (v7l)",
        "model": "Linksys WRT1900ACS",
        "board_name": "linksys,wrt1900acs",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.0",
                "revision": "r19685-512e76967f",
                "target": "mvebu/cortexa9",
                "description": "OpenWrt 22.03.0 r19685-512e76967f"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'X/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'wan'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option device 'br-lan.1'
        option ipaddr '192.168.5.1'

config device
        option name 'wan'
        option macaddr 'XX:XX:XX:XX:XX:XX'

config interface 'wan'
        option proto 'dhcp'
        option device 'br-lan.20'

config interface 'wan6'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option device 'br-lan.20'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'wan:t'

config interface 'vpn'
        option proto 'wireguard'
        option private_key 'X='
        option listen_port '51820'
        list addresses '192.168.9.1/24'
        list addresses 'X/64'

config wireguard_vpn
        option description 'peer1'
        option public_key 'X='
        list allowed_ips '192.168.9.2/32'
        option route_allowed_ips '1'

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'vpn'
        list device 'tun+'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

head: /etc/firewall.user: No such file or directory
-ash: iptables-save: not found
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
11: br-lan.1@br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.5.1/24 brd 192.168.5.255 scope global br-lan.1
       valid_lft forever preferred_lft forever
12: br-lan.20@br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 100.110.195.141/16 brd 100.110.255.255 scope global br-lan.20
       valid_lft forever preferred_lft forever
20: vpn: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
    inet 192.168.9.1/24 brd 192.168.9.255 scope global vpn
       valid_lft forever preferred_lft forever
default via 100.110.0.1 dev br-lan.20  src 100.110.195.141
100.110.0.0/16 dev br-lan.20 scope link  src 100.110.195.141
192.168.5.0/24 dev br-lan.1 scope link  src 192.168.5.1
192.168.9.0/24 dev vpn scope link  src 192.168.9.1
192.168.9.2 dev vpn scope link
broadcast 100.110.0.0 dev br-lan.20 table local scope link  src 100.110.195.141
local 100.110.195.141 dev br-lan.20 table local scope host  src 100.110.195.141
broadcast 100.110.255.255 dev br-lan.20 table local scope link  src 100.110.195.141
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 192.168.5.0 dev br-lan.1 table local scope link  src 192.168.5.1
local 192.168.5.1 dev br-lan.1 table local scope host  src 192.168.5.1
broadcast 192.168.5.255 dev br-lan.1 table local scope link  src 192.168.5.1
broadcast 192.168.9.0 dev vpn table local scope link  src 192.168.9.1
local 192.168.9.1 dev vpn table local scope host  src 192.168.9.1
broadcast 192.168.9.255 dev vpn table local scope link  src 192.168.9.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

In case it helps, this is the WG log from my phone since the connection is made:

09-13 14:05:37.610  5350  5374 I WireGuard/GoBackend: Bringing tunnel olivencia5vpn UP
09-13 14:05:37.611  5350  5374 D WireGuard/GoBackend: Requesting to start VpnService
09-13 14:05:37.835  5350  5374 D WireGuard/GoBackend: Go backend ef5c587
09-13 14:05:37.835  5350  5374 D WireGuard/GoBackend/olivencia5vpn: Attaching to interface tun0
09-13 14:05:37.836  5350  5374 D WireGuard/GoBackend/olivencia5vpn: UAPI: Updating private key
09-13 14:05:37.836  5350  5388 D WireGuard/GoBackend/olivencia5vpn: Routine: handshake worker 1 - started
09-13 14:05:37.836  5350  5388 D WireGuard/GoBackend/olivencia5vpn: Routine: encryption worker 1 - started
09-13 14:05:37.836  5350  5388 D WireGuard/GoBackend/olivencia5vpn: Routine: decryption worker 1 - started
09-13 14:05:37.836  5350  5388 D WireGuard/GoBackend/olivencia5vpn: Routine: decryption worker 3 - started
09-13 14:05:37.836  5350  5388 D WireGuard/GoBackend/olivencia5vpn: Routine: encryption worker 2 - started
09-13 14:05:37.836  5350  5388 D WireGuard/GoBackend/olivencia5vpn: Routine: decryption worker 2 - started
09-13 14:05:37.836  5350  5388 D WireGuard/GoBackend/olivencia5vpn: Routine: handshake worker 2 - started
09-13 14:05:37.837  5350  5388 D WireGuard/GoBackend/olivencia5vpn: Routine: encryption worker 3 - started
09-13 14:05:37.837  5350  5388 D WireGuard/GoBackend/olivencia5vpn: Routine: decryption worker 4 - started
09-13 14:05:37.837  5350  5388 D WireGuard/GoBackend/olivencia5vpn: Routine: handshake worker 3 - started
09-13 14:05:37.837  5350  5388 D WireGuard/GoBackend/olivencia5vpn: Routine: encryption worker 4 - started
09-13 14:05:37.837  5350  5388 D WireGuard/GoBackend/olivencia5vpn: Routine: handshake worker 4 - started
09-13 14:05:37.837  5350  5388 D WireGuard/GoBackend/olivencia5vpn: Routine: TUN reader - started
09-13 14:05:37.837  5350  5388 D WireGuard/GoBackend/olivencia5vpn: Routine: event worker - started
09-13 14:05:37.837  5350  5374 D WireGuard/GoBackend/olivencia5vpn: UAPI: Removing all peers
09-13 14:05:37.838  5350  5374 D WireGuard/GoBackend/olivencia5vpn: peer(Bxel…xQH8) - UAPI: Created
09-13 14:05:37.838  5350  5374 D WireGuard/GoBackend/olivencia5vpn: peer(Bxel…xQH8) - UAPI: Updating endpoint
09-13 14:05:37.834  5350  5350 I auditd  : type=1400 audit(0.0:7398): avc: denied { read } for comm="DefaultDispatch" name="somaxconn" dev="proc" ino=238827 scontext=u:r:untrusted_app:s0:c175,c256,c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0 app=com.wireguard.android
09-13 14:05:37.834  5350  5350 W DefaultDispatch: type=1400 audit(0.0:7398): avc: denied { read } for name="somaxconn" dev="proc" ino=238827 scontext=u:r:untrusted_app:s0:c175,c256,c512,c768 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0 app=com.wireguard.android
09-13 14:05:37.838  5350  5374 D WireGuard/GoBackend/olivencia5vpn: UDP bind has been updated
09-13 14:05:37.838  5350  5374 D WireGuard/GoBackend/olivencia5vpn: peer(Bxel…xQH8) - Starting
09-13 14:05:37.838  5350  5374 D WireGuard/GoBackend/olivencia5vpn: Interface state was Down, requested Up, now Up
09-13 14:05:37.838  5350  5374 D WireGuard/GoBackend/olivencia5vpn: Device started
09-13 14:05:37.838  5350  5388 D WireGuard/GoBackend/olivencia5vpn: Routine: receive incoming v6 - started
09-13 14:05:37.839  5350  5388 D WireGuard/GoBackend/olivencia5vpn: Routine: receive incoming v4 - started
09-13 14:05:37.839  5350  5529 D WireGuard/GoBackend/olivencia5vpn: peer(Bxel…xQH8) - Routine: sequential sender - started
09-13 14:05:37.839  5350  5388 D WireGuard/GoBackend/olivencia5vpn: peer(Bxel…xQH8) - Routine: sequential receiver - started
09-13 14:05:39.769  5350  5350 I menu_item_selected: [0,Preferencias]
09-13 14:05:39.778  5350  5350 I wm_on_top_resumed_lost_called: [107389342,com.wireguard.android.activity.MainActivity,topStateChangedWhenResumed]
09-13 14:05:39.780  5350  5350 I wm_on_paused_called: [107389342,com.wireguard.android.activity.MainActivity,performPause]
09-13 14:05:39.788  5350  5350 I wm_on_create_called: [161980604,com.wireguard.android.activity.SettingsActivity,performCreate]
09-13 14:05:39.814  5350  5350 I wm_on_start_called: [161980604,com.wireguard.android.activity.SettingsActivity,handleStartActivity]
09-13 14:05:39.815  5350  5350 I wm_on_resume_called: [161980604,com.wireguard.android.activity.SettingsActivity,RESUME_ACTIVITY]
09-13 14:05:39.819  5350  5350 I wm_on_top_resumed_gained_called: [161980604,com.wireguard.android.activity.SettingsActivity,topStateChangedWhenResumed]
09-13 14:05:40.258  5350  5398 D OpenGLRenderer: endAllActiveAnimators on 0xb400007a9462aa40 (RippleDrawable) with handle 0xb4000079a4673f00
09-13 14:05:40.262  5350  5350 I wm_on_stop_called: [107389342,com.wireguard.android.activity.MainActivity,STOP_ACTIVITY_ITEM]
09-13 14:05:40.690  5350  5350 I wm_on_top_resumed_lost_called: [161980604,com.wireguard.android.activity.SettingsActivity,topStateChangedWhenResumed]
09-13 14:05:40.691  5350  5350 I wm_on_paused_called: [161980604,com.wireguard.android.activity.SettingsActivity,performPause]
09-13 14:05:40.708  5350  5350 I wm_on_create_called: [33672610,com.wireguard.android.activity.LogViewerActivity,performCreate]
09-13 14:05:40.708  5350  5350 I wm_on_start_called: [33672610,com.wireguard.android.activity.LogViewerActivity,handleStartActivity]
09-13 14:05:40.709  5350  5350 I wm_on_resume_called: [33672610,com.wireguard.android.activity.LogViewerActivity,RESUME_ACTIVITY]
09-13 14:05:40.713  5350  5350 I wm_on_top_resumed_gained_called: [33672610,com.wireguard.android.activity.LogViewerActivity,topStateChangedWhenResumed]
09-13 14:05:41.135  5350  5350 I wm_on_stop_called: [161980604,com.wireguard.android.activity.SettingsActivity,STOP_ACTIVITY_ITEM]
09-13 14:05:41.152  5350  5398 D OpenGLRenderer: endAllActiveAnimators on 0xb400007a9481e5a0 (RippleDrawable) with handle 0xb4000079a46729a0

Thanks again.

On OpenWrt:

  1. Remove route allowed IPs from peer.

On phone:

  1. Add DNS server(s).
  2. Change netmask to /24 -> 192.168.9.2/24
  3. Add allowed IPs 0.0.0.0/0 (or a smaller prefix if you don't want to push everything via vpn).

The netmask on the phone setup is fine. The issue is going to be the lack of allowed IPs (and potentially DNS server once traffic is actually flowing).


Thank you again.

  1. Removed "route allowed IPs" from WG peers tab
  2. Added "8.8.8.8" as DNS (tried also "192.168.9.1" which is my local router IP when accessed through WG if I am not mistaken)
  3. Changed netmask from "192.168.9.2/32" to "192.168.9.2/24"
  4. Added "0.0.0.0/0" as allowed IP

Restarted the WG interface and tried to bring up the tunnel, but I only see the tx bytes going up on the WG client, and rx always at 0 bytes. And on the WG status tab on OpenWrt both tx/rx are at 0 bytes. No handshake is made between the server and the peer.

It seems my router is inaccessible from the outside, as if my ISP router (in bridge mode and therefore with the firewall disabled, technically) were interfering with the tunnel. But if I ping my duckdns address, it gets answered correctly.
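As an added illustration (not part of the thread, and not OpenWrt's or WireGuard's own tooling): the "tx rising, rx 0, no latest handshake" symptom can be confirmed on the router side from `wg show <iface> dump`, whose tab-separated fields are documented in wg(8): the first line describes the interface (private-key, public-key, listen-port, fwmark) and every following line one peer (public-key, preshared-key, endpoint, allowed-ips, latest-handshake as a unix time or 0, transfer-rx, transfer-tx, persistent-keepalive). The sample dump, the peer names and the 180-second staleness threshold below are constructed for the example.

```shell
#!/bin/sh
# Added example: read `wg show <iface> dump` output and flag peers that never
# completed a handshake. The dump below is constructed; the keys are
# placeholders, not real WireGuard keys.

sample_dump() {
    # interface line: private-key public-key listen-port fwmark
    printf '%s\t%s\t%s\t%s\n' \
        PRIVATE_KEY_REDACTED SERVER_PUBKEY_PLACEHOLDER= 51820 off
    # peer that never got a handshake (the situation described above)
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        PEER1_PUBKEY_PLACEHOLDER= '(none)' '(none)' 192.168.9.2/32 0 0 0 off
    # healthy peer that handshaked 100 s before the "now" used in the run below
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        PEER2_PUBKEY_PLACEHOLDER= '(none)' 203.0.113.7:41641 192.168.9.3/32 1663070000 18432 25600 25
    # peer whose last handshake is old: a roaming client that went silent
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        PEER3_PUBKEY_PLACEHOLDER= '(none)' 198.51.100.9:51820 192.168.9.4/32 1663060000 4096 8192 off
}

# One report line per peer, read from stdin. $1 is "now" as a unix time,
# passed in so the function is deterministic (use "$(date +%s)" live).
# 180 s is a chosen threshold: WireGuard rekeys roughly every two minutes
# while traffic flows, so a longer silence means the peer is not talking.
wg_peer_report() {
    awk -F'\t' -v now="$1" '
        NR == 1 { next }                          # skip the interface line
        {
            key = substr($1, 1, 8)                # enough to identify, not leak
            if ($5 == 0)              state = "never-handshaked"
            else if (now - $5 > 180)  state = "stale"
            else                      state = "ok"
            printf "%s endpoint=%s rx=%s tx=%s %s\n", key, $3, $6, $7, state
        }'
}

# Count report lines in one state (e.g. never-handshaked) for a quick check.
count_state() {
    grep -c " $1\$"
}

# Stand-alone run against the constructed sample.
# Live:  wg show vpn dump | wg_peer_report "$(date +%s)"
sample_dump | wg_peer_report 1663070100
```

A peer showing `endpoint=(none)` together with `never-handshaked` has not sent a single packet the server could decrypt, which separates a connectivity or key-mismatch problem from the routing problems (allowed IPs, DNS) that only matter once the handshake completes.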

Is your wan IP public or private (starts with 192.168 or 10. or 172.16-31.)? You can see the wan IP on the luci dashboard or with ifstatus wan | grep "address"
Are there any hits on the firewall rules? nft list ruleset


Is that your public IP? If so, you're on CG-NAT. This will stop you from being able to make external connections to your router.


Yes you have CG-NAT. That is a deal killer here. Possible workarounds are:

  • Ask if the ISP can configure your line with a real public IPv4. If they can do that there may be an additional cost.
  • Consider IPv6. Most ISPs that offer IPv6 don't NAT it.
  • Use a "cloud" VPN service that has servers to negotiate a connection from behind NAT. Examples are Zerotier and Tailscale.

One of the ISP's routers is answering the ping. It isn't reaching your house.

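As an added example (not part of the thread): the WAN address shown earlier, 100.110.195.141, sits inside 100.64.0.0/10, the block RFC 6598 reserves for carrier-grade NAT, which is what the replies above spot by eye. The POSIX sh below performs that check mechanically and combines it with the other test the thread applied (does the WAN address match what the Internet sees via the DynDNS name?). The verdict strings, the function names and the 198.51.100.23 "outside" address are constructed for the example; the `ifstatus`/`jsonfilter` helper uses stock OpenWrt tools and simply prints nothing elsewhere.

```shell
#!/bin/sh
# Added example: decide whether an OpenWrt WAN address can accept inbound
# WireGuard connections at all, before touching any WireGuard setting.
# Pure POSIX sh arithmetic; runs on busybox ash as well as dash/bash.

# Convert a dotted quad to a 32-bit integer.
ip_to_int() {
    ip=$1
    old_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Exit 0 when address $1 lies inside CIDR block $2.
in_cidr() {
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# Print one of: loopback, link-local, private, cgnat, public.
# 100.64.0.0/10 (RFC 6598) is shared ISP-side space: a WAN address there is
# translated again upstream, so no firewall rule on the router can make an
# inbound UDP 51820 packet arrive.
ip_class() {
    if   in_cidr "$1" 127.0.0.0/8;     then echo loopback
    elif in_cidr "$1" 169.254.0.0/16;  then echo link-local
    elif in_cidr "$1" 10.0.0.0/8 \
      || in_cidr "$1" 172.16.0.0/12 \
      || in_cidr "$1" 192.168.0.0/16;  then echo private
    elif in_cidr "$1" 100.64.0.0/10;   then echo cgnat
    else echo public
    fi
}

# Combine both checks a WireGuard server operator needs: is the WAN address
# routable, and is it the address the outside world sees (e.g. what the
# DynDNS name resolves to)? Prints a single verdict.
wan_verdict() {
    wan_ip=$1
    seen_ip=$2
    class=$(ip_class "$wan_ip")
    if [ "$class" != public ]; then
        echo "wan-not-routable:$class"
    elif [ "$wan_ip" != "$seen_ip" ]; then
        echo "wan-behind-nat"      # public-looking but still NATed upstream
    else
        echo "wan-directly-reachable"
    fi
}

# On OpenWrt, read the live WAN address with stock tools; prints nothing
# on systems without ifstatus.
wan_ip_openwrt() {
    command -v ifstatus >/dev/null 2>&1 || return 0
    ifstatus wan | jsonfilter -e '@["ipv4-address"][0].address'
}

# Stand-alone run: the thread's WAN address against a constructed
# "what the Internet sees" address (198.51.100.23 is documentation space).
# Live on the router:  wan_verdict "$(wan_ip_openwrt)" "$(nslookup yourname.duckdns.org | ...)"
wan_verdict "${1:-100.110.195.141}" "${2:-198.51.100.23}"
```

The 172.16.0.0/12 test matters because the reply above lists "172.16-31." by hand; a bare string match on "172." would misclassify public addresses such as 172.32.0.1.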

Why do you have such a problem with wireguard??

The op is behind carrier grade nat. OpenVPN will not work either.


OK, public IP should be in any case.


Thank you.

I have checked I am on CG-NAT, I will contact my ISP to get out of it.

I will let you know if the WG server works from then on.

Regards.

EDIT: Asked to ISP this morning, it will be effective in 24h. I will reboot tomorrow for the changes to take effect and let us see if WG works from then on


That was it.

Got public WAN IP this morning and everything works flawlessly.

Thank you so much.

