WireGuard VPN on OpenWRT Raspberry Pi: Handshake but No Traffic

I am facing issues setting up a home WireGuard VPN. Here is my configuration:

  1. My OpenWRT Raspberry Pi is connected to my home router as a Wi-Fi client with the IP address 192.168.0.100/24.

  2. I have set up a WireGuard interface with the IP address 10.0.0.1/8.

  3. My home router is configured to forward port 51820 to 192.168.0.100 on port 51820.

For simplicity, I do not have a firewall set up.

The handshake with the peers takes place, but no traffic is flowing. How do I configure the Pi to resolve this issue?

EDIT: The following diagram represents my current topology and may aid in troubleshooting the issue more effectively.

[topology diagram]

You need the firewall for this to work.

Why a /8? I'd recommend a /24.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
  • ubus call system board:

    {
            "kernel": "6.6.35",
            "hostname": "OpenWrt",
            "system": "ARMv8 Processor rev 1",
            "model": "Raspberry Pi 5 Model B Rev 1.0",
            "board_name": "raspberrypi,5-model-b",
            "rootfs_type": "squashfs",
            "release": {
                    "distribution": "OpenWrt",
                    "version": "SNAPSHOT",
                    "revision": "r26748-0ed72c271b",
                    "target": "bcm27xx/bcm2712",
                    "description": "OpenWrt SNAPSHOT r26748-0ed72c271b"
            }
    }
    
  • cat /etc/config/network:

    config interface 'loopback'
            option device 'lo'
            option proto 'static'
            option ipaddr '127.0.0.1'
            option netmask '255.0.0.0'
    
    config globals 'globals'
            option ula_prefix 'fd9e:3c43:2ef::/48'
    
    config device
            option name 'br-lan'
            option type 'bridge'
            list ports 'eth0'
    
    config interface 'lan'
            option device 'br-lan'
            option proto 'static'
            option ipaddr '192.168.137.100'
            option netmask '255.255.255.0'
            option ip6assign '60'
            option gateway '192.168.137.1'
            list dns '1.1.1.1'
            list dns '8.8.8.8'
    
    config interface 'vpn'
            option proto 'wireguard'
            option private_key 'xxx'
            option listen_port '51820'
            list addresses '10.0.0.0/8'
    
    config wireguard_vpn
            option description 'aress31'
            option public_key 'xxx'
            option private_key 'xxx'
            option preshared_key 'xxx'
            option endpoint_host 'xxx'
            option persistent_keepalive '25'
            option route_allowed_ips '1'
    
    config interface 'wlan'
            option proto 'dhcp'
            option device 'phy0-sta0'
    
  • cat /etc/config/firewall:

    config defaults
            option input 'ACCEPT'
            option output 'ACCEPT'
            option forward 'ACCEPT'
            option synflood_protect '1'
    
  • cat /etc/config/wireless:

    config wifi-device 'radio0'
            option type 'mac80211'
            option path 'platform/axi/1001100000.mmc/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
            option band '2g'
            option channel 'auto'
            option cell_density '0'
            option htmode 'HT20'
    
    config wifi-iface 'wifinet0'
            option device 'radio0'
            option mode 'sta'
            option ssid 'xxx'
            option bssid 'xxx'
            option encryption 'psk2'
            option key 'xxx'
            option network 'wlan'
    

You would be best served by simply starting over from scratch.

But a few things:

The address here is invalid. You've got the .0 address which is the network address, but not a valid host address. Further, you don't need a /8. I'd recommend a /24. So instead use 10.0.0.1/24

The peer needs an address in the form of the allowed_ips. Make it something inside the above subnet, so maybe 10.0.0.2/32. Usually the endpoint host should not be there, either, so remove that.

Remove the device from below:

Critically, you need the firewall (which is one reason to simply start over).

  • Add the wlan network to the lan firewall zone.
  • If your main router supports static routes, you can set one up and then simply add the wireguard network to the lan zone.
  • If static routes are not supported, you'll need to turn on masquerading on the lan zone and setup a new zone for the wireguard interface. Then, allow forwarding from the wg zone > lan zone.

Thank you for your response, @psherman. Your assistance is greatly appreciated. Here is a follow-up on the points you raised.

I overlooked this detail, and I have now set the vpn interface to 10.0.0.1/8. Using a class A network is a personal preference for me.

Note: Even after making this change, my vpn is still not working.

I have configured the peer with 10.0.0.2/32, which is within the 10.0.0.1/8 network. Note that the peer configuration was generated via LuCI, and I intentionally did not explicitly set allowed_ips, opting to use a wildcard instead. This allows for addresses to be configured directly from the client configuration.

I am new to OpenWrt, so please excuse this basic question, but what difference does it make to attach a device to my wlan interface or not?

Since my OpenWRT router is behind my home router on a trusted NATted network, I prefer not to set up a firewall to avoid further complicating my already problematic setup.

If the above step is absolutely necessary, I would appreciate assistance with the setup and an explanation of its effects so I can understand the details. For reference, here are my current IP routes:

root@OpenWrt:~# ip route
default via 192.168.0.1 dev phy0-sta0  src 192.168.0.100
10.0.0.0/8 dev vpn scope link  src 10.0.0.1
10.0.0.2 dev vpn scope link
PUBLIC_IP via 192.168.137.1 dev br-lan
192.168.0.0/24 dev phy0-sta0 scope link  src 192.168.0.100
192.168.137.0/24 dev br-lan scope link  src 192.168.137.100

I'm pretty sure that's not a supported configuration. What's the output of wg at the console?

I might be mistaken, but the helper messages suggest that it is optional, as shown below:

Optional. IP addresses and prefixes that this peer is allowed to use inside the tunnel. Usually the peer's tunnel IP addresses and the networks the peer routes through the tunnel.

Note: As mentioned in my previous post, I set the IP addresses of the peers directly in their configuration file, rather than in /etc/config/network. Also, not setting allowed_ips automatically translates to allowing all (*).

The requested output for wg:

root@OpenWrt:~# wg
interface: vpn
  public key: REDACTED
  private key: (hidden)
  listening port: 51820

peer: REDACTED
  preshared key: (hidden)
  endpoint: REDACTED:59042
  allowed ips: 10.0.0.2/32
  transfer: 740 B received, 13.02 KiB sent
  persistent keepalive: every 25 seconds

As in a file on the other device? There are no files on the Pi4 which configure the allowed ip for the peer as 10.0.0.2/32?

I've never seen a working configuration where the allowed_ips has been left blank. I'm not really sure why the helper suggests it's an optional entry.

Edit: having found the commit where the change was made, it appears that leaving the allowed_ip blank will allow handshakes to occur and keepalive packets to be exchanged. But it seems to imply that for anything else there is a need to populate the allowed_ips, either in /etc/config/network or by some dynamic method.


Classful addressing is a thing of the past. And there is no reason to use a subnet that can accommodate 16M hosts. This is highly likely to cause you problems down the road when you're on remote networks.

As @krazeh has already stated, this is not valid for normal operation. It might work (although untested) if you setup static routes accordingly, but that obviates any advantage of having a 'client' side driven IP address.

The wireless devices should not be referenced in /etc/config/network. Instead, they only need to exist within /etc/config/wireless where you connect an SSID (in this case in sta mode) to the network.

Does your upstream router support static routes?


Yes, it doesn't have to be in the router configuration; it is part of the client/peer configuration, which is why it is optional. See:

Was that peer added before or after the configuration files you posted in the 3rd post?

As I understand the process, the peer address should've been transcribed over to the allowed ips within the OpenWRT config.

I don't believe it is optional if you want traffic to flow.
That said, this is a good opportunity to test... the results of the test will confirm or refute my assertion.

With that in mind, though, let's get everything working first. Please take our advice to add the allowed_ips accordingly since we know incontrovertibly that it will work. Once your complete configuration is proven functional, then you can remove the allowed_ips and see what happens and if there is a way to make the tunnel work in the absence of the allowed_ips.


The vpn is still not working. Here is the updated configuration for your review:

  • cat /etc/config/firewall:

    config defaults
            option input 'ACCEPT'
            option output 'ACCEPT'
            option forward 'ACCEPT'
            option synflood_protect '1'
    
  • cat /etc/config/network:

    config interface 'loopback'
            option device 'lo'
            option proto 'static'
            option ipaddr '127.0.0.1'
            option netmask '255.0.0.0'
    
    config globals 'globals'
            option ula_prefix 'fd9e:3c43:2ef::/48'
    
    config device
            option name 'br-lan'
            option type 'bridge'
            list ports 'eth0'
    
    config interface 'lan'
            option device 'br-lan'
            option proto 'static'
            option ipaddr '192.168.137.100'
            option netmask '255.255.255.0'
            option ip6assign '60'
            option gateway '192.168.137.1'
            list dns '1.1.1.1'
            list dns '8.8.8.8'
    
    config interface 'vpn'
            option proto 'wireguard'
            option private_key 'REDACTED'
            option listen_port '51820'
            list addresses '10.0.0.1/8'
    
    config wireguard_vpn
            option description 'aress31'
            option public_key 'REDACTED'
            option private_key 'REDACTED'
            option preshared_key 'REDACTED'
            option endpoint_host 'REDACTED'
            option persistent_keepalive '25'
            option route_allowed_ips '1'
            list allowed_ips '10.0.0.2/32'
    
    config interface 'wlan'
            option proto 'dhcp'
    
  • cat /etc/config/wireless:

    config wifi-device 'radio0'
            option type 'mac80211'
            option path 'platform/axi/1001100000.mmc/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
            option band '2g'
            option channel 'auto'
            option cell_density '0'
            option htmode 'HT20'
    
    config wifi-iface 'wifinet0'
            option device 'radio0'
            option mode 'sta'
            option ssid 'REDACTED'
            option bssid 'REDACTED'
            option encryption 'psk2'
            option key 'REDACTED'
            option network 'wlan'
    
  • ip route:

    10.0.0.0/8 dev vpn scope link  src 10.0.0.1
    10.0.0.2 dev vpn scope link
    PUBLIC_IP via 192.168.137.1 dev br-lan
    192.168.0.0/24 dev phy0-sta0 scope link  src 192.168.0.100
    192.168.137.0/24 dev br-lan scope link  src 192.168.137.100
    

Out of curiosity, do you know why it is like that? On a low level, what difference does it make to reference phy0-sta0 as an interface device or not?

Unfortunately, it doesn't. It is a subpar ISP router—specifically, a Virgin Media Hub 3.0. It only supports port forwarding, which I have already set up to forward UDP port 51820 to 192.168.0.100/24, as shown in the topology diagram in my initial post.

Additionally, for further assistance, please review this excerpt from tcpdump when attempting to connect a client to my non-functional vpn:

root@OpenWrt:~# tcpdump -i any udp port 51820 -vvv -c 10
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
20:20:10.865466 br-lan Out IP (tos 0x88, ttl 64, id 43445, offset 0, flags [none], proto UDP (17), length 176)
    OpenWrt.lan.51820 > REDACTED.virginm.net.51820: [bad udp cksum 0xa90c -> 0xc603!] UDP, length 148
20:20:10.865473 eth0  Out IP (tos 0x88, ttl 64, id 43445, offset 0, flags [none], proto UDP (17), length 176)
    OpenWrt.lan.51820 > REDACTED.virginm.net.51820: [bad udp cksum 0xa90c -> 0xc603!] UDP, length 148
20:20:10.908410 phy0-sta0 In  IP (tos 0x88, ttl 61, id 43445, offset 0, flags [none], proto UDP (17), length 176)
    REDACTED.virginm.net.62364 > 192.168.0.100.51820: [udp sum ok] UDP, length 148
20:20:16.065438 br-lan Out IP (tos 0x88, ttl 64, id 43737, offset 0, flags [none], proto UDP (17), length 176)
    OpenWrt.lan.51820 > REDACTED.virginm.net.51820: [bad udp cksum 0xa90c -> 0xc6c4!] UDP, length 148
20:20:16.065442 eth0  Out IP (tos 0x88, ttl 64, id 43737, offset 0, flags [none], proto UDP (17), length 176)
    OpenWrt.lan.51820 > REDACTED.virginm.net.51820: [bad udp cksum 0xa90c -> 0xc6c4!] UDP, length 148
20:20:21.825429 br-lan Out IP (tos 0x88, ttl 64, id 44223, offset 0, flags [none], proto UDP (17), length 176)
    OpenWrt.lan.51820 > REDACTED.virginm.net.51820: [bad udp cksum 0xa90c -> 0xa1c8!] UDP, length 148
20:20:21.825432 eth0  Out IP (tos 0x88, ttl 64, id 44223, offset 0, flags [none], proto UDP (17), length 176)
    OpenWrt.lan.51820 > REDACTED.virginm.net.51820: [bad udp cksum 0xa90c -> 0xa1c8!] UDP, length 148
20:20:26.945426 br-lan Out IP (tos 0x88, ttl 64, id 44478, offset 0, flags [none], proto UDP (17), length 176)
    OpenWrt.lan.51820 > REDACTED.virginm.net.51820: [bad udp cksum 0xa90c -> 0xe88c!] UDP, length 148
20:20:26.945429 eth0  Out IP (tos 0x88, ttl 64, id 44478, offset 0, flags [none], proto UDP (17), length 176)
    OpenWrt.lan.51820 > REDACTED.virginm.net.51820: [bad udp cksum 0xa90c -> 0xe88c!] UDP, length 148
20:20:32.705427 br-lan Out IP (tos 0x88, ttl 64, id 45000, offset 0, flags [none], proto UDP (17), length 176)
    OpenWrt.lan.51820 > REDACTED.virginm.net.51820: [bad udp cksum 0xa90c -> 0x3f65!] UDP, length 148
10 packets captured
11 packets received by filter
0 packets dropped by kernel

Note: OpenWrt.lan is 192.168.0.100/24.
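As an added diagnostic, not part of this thread and not OpenWrt code: a small Python script that parses `ip route` output and applies the kernel's longest-prefix match, so you can see which interface a reply to a given destination would leave by. The table embedded below is the one posted above with the redacted peer address replaced by the constructed placeholder 203.0.113.10; it reproduces what the capture shows (the reply to the peer leaves via br-lan although the handshake arrived on phy0-sta0, and there is no default route at all), and it also shows the /8 concern raised earlier: any other 10.x.x.x destination is routed into the tunnel.

```python
import ipaddress
import re
from typing import NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    dev: str
    via: Optional[str]


# Constructed sample: the `ip route` table from the post above, with the
# redacted peer address replaced by the placeholder 203.0.113.10.
IP_ROUTE_OUTPUT = """\
10.0.0.0/8 dev vpn scope link  src 10.0.0.1
10.0.0.2 dev vpn scope link
203.0.113.10 via 192.168.137.1 dev br-lan
192.168.0.0/24 dev phy0-sta0 scope link  src 192.168.0.100
192.168.137.0/24 dev br-lan scope link  src 192.168.137.100
"""

ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?:\s+via\s+(?P<via>\S+))?\s+dev\s+(?P<dev>\S+)")


def parse_routes(text: str) -> list[Route]:
    """Turn `ip route` lines into Route tuples; a bare host address is a /32."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = "0.0.0.0/0" if m["dst"] == "default" else m["dst"]
        routes.append(Route(ipaddress.ip_network(dst, strict=False), m["dev"], m["via"]))
    return routes


def lookup(routes: list[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if addr in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
            best = r
    return best


def reply_is_symmetric(routes: list[Route], peer_endpoint: str, ingress_dev: str) -> bool:
    """True when the reply to peer_endpoint leaves by the interface the packet arrived on."""
    r = lookup(routes, peer_endpoint)
    return r is not None and r.dev == ingress_dev


if __name__ == "__main__":
    table = parse_routes(IP_ROUTE_OUTPUT)
    for dst in ("203.0.113.10", "10.0.0.2", "10.1.2.3", "8.8.8.8"):
        r = lookup(table, dst)
        print(dst, "->", f"dev {r.dev} via {r.via}" if r else "no route")
    print("reply to peer symmetric with phy0-sta0:", reply_is_symmetric(table, "203.0.113.10", "phy0-sta0"))
```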

I'd strongly recommend getting a replacement device that meets your requirements and can run OpenWRT. Then put the virgin media hub into bridge mode and use it solely as a modem.

I'll say this again because I want it to be very clear... a /8 is not only unnecessary (why do you need a subnet that covers 16M addresses), but also very likely to cause problems when you are on remote networks. If the remote network uses a subnet that is in this very large /8 space, your WG connection will not work at all. Keeping it to a /24 makes this a lot less likely to be an issue.

The firewall is still missing a lot of stuff.

I don't know the history behind it, but the phy numbering changes from platform to platform and can also change in other situations, so it should only be specified as part of the wireless file.

Thus why you need your firewall.

Add this to the firewall file:

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list network 'wlan'
	list network 'lan'

config zone
	option name 'van'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'vpn'

Make sure the firewall is enabled by running /etc/init.d/firewall enable and then restart your device. Try again once it has fully booted.

That is a valid point that I will take into consideration once I can get this set up and working.

I have copied the configuration you provided, but unfortunately, it is still not working. However, the WireGuard Status view now displays the following:

The peer's endpoint is now set to the IP address of br-lan, which also serves as the gateway for internet connectivity, along with wlan.

Any idea where we might be going wrong? :thinking:

Let's see the latest configs

cat /etc/config/network
cat /etc/config/firewall
wg show

And also the remote peer's configuration.

  • cat /etc/config/network:

    config interface 'loopback'
            option device 'lo'
            option proto 'static'
            option ipaddr '127.0.0.1'
            option netmask '255.0.0.0'
    
    config globals 'globals'
            option ula_prefix 'fd9e:3c43:2ef::/48'
    
    config device
            option name 'br-lan'
            option type 'bridge'
            list ports 'eth0'
    
    config interface 'lan'
            option device 'br-lan'
            option proto 'static'
            option ipaddr '192.168.137.100'
            option netmask '255.255.255.0'
            option ip6assign '60'
            option gateway '192.168.137.1'
            list dns '1.1.1.1'
            list dns '8.8.8.8'
    
    config interface 'vpn'
            option proto 'wireguard'
            option private_key 'REDACTED'
            option listen_port '51820'
            list addresses '10.0.0.1/8'
    
    config wireguard_vpn
            option description 'aress31'
            option public_key 'REDACTED'
            option private_key 'REDACTED'
            option preshared_key 'REDACTED'
            option endpoint_host 'REDACTED'
            option persistent_keepalive '25'
            option route_allowed_ips '1'
            list allowed_ips '10.0.0.2/32'
    
    config interface 'wlan'
            option proto 'dhcp'
    
  • cat /etc/config/firewall:

    config defaults
            option input 'ACCEPT'
            option output 'ACCEPT'
            option forward 'ACCEPT'
            option synflood_protect '1'
      
    config zone
            option name 'lan'
            option input 'ACCEPT'
            option output 'ACCEPT'
            option forward 'ACCEPT'
            option masq '1'
            list network 'lan'
            list network 'wlan'
      
    config zone
            option name 'van'
            option input 'ACCEPT'
            option output 'ACCEPT'
            option forward 'ACCEPT'
            list network 'vpn'
    
  • wg show:

    interface: vpn
      public key: REDACTED
      private key: (hidden)
      listening port: 51820
    
    peer: REDACTED
      preshared key: (hidden)
      endpoint: PUBLIC_IP:51820
      allowed ips: 10.0.0.2/32
      transfer: 0 B received, 4.62 KiB sent
      persistent keepalive: every 25 seconds
    

How about the remote peer?

I am not sure if this is what you were requesting, but here it is:

[Interface]
PrivateKey = REDACTED
Address = 10.0.0.2/32
# ListenPort not defined
DNS = 192.168.137.100

[Peer]
PublicKey = REDACTED
PresharedKey = REDACTED
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = REDACTED:51820
PersistentKeepAlive = 25