Wireguard - weird problem with endpoint

Hi all!

I have a problem from time to time with a WireGuard client on an OpenWrt router that sits behind another router.

I have set up a WG interface and then, on the peer side, I put the DDNS name of the WireGuard server that I want to connect to.

When the router brings up the IP of the DDNS name (for example 91.23.45.67) everything is OK and works great!

But when I lose the connection, I can see that the OpenWrt router has rebooted, and somehow, instead of the IP of the DDNS name, the IP that is given to me by the router I am behind appears, like this

don't know what to do :frowning: :frowning: :frowning:

please help...

Sounds like you might have a DDNS update conflict. The DDNS client should only update from the device that is acting as the 'server', and it should be updating against its actual WAN IP.

Where is the DDNS client running? Have you verified that it is the only client and that it is properly configured?

The first screenshot is the real IP of the DDNS name (WireGuard server) that I don't control. However, when the local IP appears, I try to ping the DDNS name and it gives me the real IP, not my local IP of 10.10.10.150...

This is your local IP??

Let's take a look at your config:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
wg show
root@USG3p:~# ubus call system board
{
        "kernel": "6.6.73",
        "hostname": "USG3p",
        "system": "UBNT_USG (CN5020p1.1-500-SCP)",
        "model": "Ubiquiti UniFi Security Gateway",
        "board_name": "ubnt,usg",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.0",
                "revision": "r28427-6df0e3d02a",
                "target": "octeon/generic",
                "description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
                "builddate": "1738624177"
        }
}


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdba:10e6:d2c::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	list ports 'eth2'
	list ports 'eth3'
	list ports 'eth4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.75.87.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'

config interface 'WG0'
	option proto 'wireguard'
	option private_key 'WL7Y**************EI6cp5zv3o='
	option listen_port '31231'
	list addresses '10.93.21.6/32'
	list dns '1.1.1.1'
	list dns '8.8.8.8'

config wireguard_WG0
	option description 'wgpeter'
	option public_key 'ZHoTEYkcFN**************VbEuctRaVyM='
	list allowed_ips '10.93.21.0/24'
	list allowed_ips '10.57.78.0/24'
	option route_allowed_ips '1'
	option endpoint_host 'wgpeter***.duckdns.org'
	option endpoint_port '31231'
	option persistent_keepalive '25'


config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'WG0'

config forwarding
	option src 'lan'
	option dest 'vpn'

config forwarding
	option src 'vpn'
	option dest 'wan'

config redirect
	option dest 'vpn'
	option target 'DNAT'
	option name 'wg'
	list proto 'udp'
	option src 'wan'
	option src_dport '31231'
	option dest_ip '10.93.21.6/32'
	option dest_port '31231'

config forwarding
	option src 'vpn'
	option dest 'lan'
root@USG3p:~# wg show
interface: WG0
  public key: SCLSvu8******************X9kfDWrTFk=
  private key: (hidden)
  listening port: 31231

peer: ZHoTEYkcFN***********************Cf+VbEuctRaVyM=
  endpoint: 90.001.001.191:31231
  allowed ips: 10.93.21.0/24, 10.57.78.0/24
  latest handshake: 1 minute, 36 seconds ago
  transfer: 10.58 MiB received, 3.19 MiB sent
  persistent keepalive: every 25 seconds

The address you referenced earlier, 10.10.10.150, does not appear anywhere in your configurations (nor does anything in that subnet). Was that one made up, or is that an address that actually displays in the endpoint field?

Also, is the remote endpoint actively establishing a connection to your device (i.e. is your device listening for inbound connections from the remote side), or are you exclusively initiating the connection to the remote peer?

The 10.10.10.150 is the IP given by the router that is in front of my router.

The weird thing is why it appears in the place of the IP of wgpeter****.duckdns.org?!?!?!?

I don't control the WireGuard server... but when the correct real IP of wgpeter*****.duckdns.org appears everything works, but I need to do a lot of reboots until it appears.

I still can't understand why my "wan" IP appears from time to time. I know that my WAN IP appears when I don't have a VPN connection.

Powered off for 5 minutes and here we go again :frowning: :frowning: :frowning:

By default, WireGuard does not re-resolve peers, even if the endpoint goes down. Are you running wireguard-watchdog?

I don't think I'm running wireguard-watchdog...

After 3 reboots, the WG came online again.

Before the 3 reboots

/etc/config$ wg show
interface: WG0
  public key: SCLSvu8/oYhz***************KX9kfDWrTFk=
  private key: (hidden)
  listening port: 31231

peer: ZHoTEYkcFN****************tRaVyM=
  endpoint: 10.10.10.115:31231
  allowed ips: 10.93.21.0/24, 10.57.78.0/24
  transfer: 6.21 KiB received, 4.01 KiB sent
  persistent keepalive: every 25 seconds

After the 3 reboots

/etc/config$ wg show
interface: WG0
  public key: SCLSvu8/oY********************9kfDWrTFk=
  private key: (hidden)
  listening port: 31231

peer: ZHoTEYkcFN*************************tRaVyM=
  endpoint: 9*.***.***.191:31231
  allowed ips: 10.93.21.0/24, 10.57.78.0/24
  latest handshake: 1 minute, 42 seconds ago
  transfer: 16.37 KiB received, 13.48 KiB sent
  persistent keepalive: every 25 seconds

If you're just connecting as a client peer to a remote server (unless I misunderstood the whole thread), what is this rule for? What is listening on 10.93.21.6? Isn't the peer on the same device?

And in that case you don't need option listen_port '31231'.

Also a network diagram with IPs and ranges would help.

Your screenshots are difficult to interpret and are having the opposite effect from what you intend them to.

Well, something is causing WireGuard to re-resolve a host, WireGuard is well known not to do that on its own. Are you running PBR (I'm having a déjà-lu)?
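To make the re-resolution point concrete: the following POSIX shell script is an added example written for this thread, not code from the OpenWrt project or from anyone posting here. It parses the output of `wg show <iface> endpoints`, compares the address WireGuard is currently holding with what the peer's DDNS name resolves to right now, and only when they differ re-sets the endpoint (a `wg set ... endpoint host:port` is what makes WireGuard resolve the name again). The interface name `WG0` and port `31231` are the thread's; the peer keys, the sample endpoint lines and the `nslookup` output parsing are constructed assumptions. OpenWrt ships a `wireguard_watchdog` script with wireguard-tools that does the equivalent when the handshake times out; this block illustrates the check rather than replacing that script.

```shell
#!/bin/sh
# Added example: detect a stale WireGuard endpoint and re-resolve it.
# Not from the thread or OpenWrt; keys and host names below are placeholders.

# Extract the endpoint address (port stripped) that WireGuard currently holds
# for one peer, from the output of `wg show <iface> endpoints`
# (one "<pubkey><TAB><ip>:<port>" line per peer, "(none)" if unset).
# IPv6 endpoints are printed bracketed, so they come back as "[addr]".
wg_peer_endpoint_ip() {
    # $1 = `wg show <iface> endpoints` output, $2 = peer public key
    printf '%s\n' "$1" | awk -v key="$2" '
        $1 == key {
            if ($2 != "(none)") { sub(/:[0-9]+$/, "", $2); print $2 }
            exit
        }'
}

# Compare the live endpoint with the address the DDNS name resolves to now.
# Prints "ok", "stale" or "unknown" (one side missing); returns 0, 1 or 2.
endpoint_state() {
    # $1 = endpoint IP WireGuard is using, $2 = IP the DDNS name resolves to
    if [ -z "$1" ] || [ -z "$2" ]; then
        echo unknown; return 2
    elif [ "$1" = "$2" ]; then
        echo ok; return 0
    fi
    echo stale; return 1
}

# Resolve a name to its first IPv4 address with busybox nslookup, the only
# resolver tool on a stock OpenWrt image. Assumption: the answer section
# starts after a "Name:" line; both "Address:" and "Address 1:" layouts are
# handled. Prints nothing when resolution fails.
resolve_ipv4() {
    nslookup "$1" 2>/dev/null | awk '
        /^Name:/ { answer = 1; next }
        answer && /^Address/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print $i; exit }
        }'
}

# Live check, only run when called explicitly: re-set the endpoint if stale.
wg_refresh_endpoint() {
    # $1 = interface, $2 = peer public key, $3 = DDNS host, $4 = port
    current=$(wg_peer_endpoint_ip "$(wg show "$1" endpoints)" "$2")
    wanted=$(resolve_ipv4 "$3")
    case $(endpoint_state "$current" "$wanted") in
        stale)   wg set "$1" peer "$2" endpoint "$3:$4" ;;
        unknown) echo "could not determine endpoint state for $3" >&2 ;;
    esac
}

# Constructed sample of `wg show WG0 endpoints` output: the first peer holds a
# private address like the one seen in the thread, the second a public one.
# The keys are placeholders, not real WireGuard keys.
SAMPLE_ENDPOINTS=$(printf 'PLACEHOLDERPEERKEY=\t10.10.10.115:31231\nOTHERPEERKEY=\t203.0.113.7:51820')

# Walk-through on the constructed sample, pretending the DDNS name currently
# resolves to 203.0.113.7 (no network access needed).
echo "peer endpoint now: $(wg_peer_endpoint_ip "$SAMPLE_ENDPOINTS" PLACEHOLDERPEERKEY=)"
echo "state: $(endpoint_state "$(wg_peer_endpoint_ip "$SAMPLE_ENDPOINTS" PLACEHOLDERPEERKEY=)" 203.0.113.7)"
# Real use from cron on the router, with the real peer key (uncomment there):
# wg_refresh_endpoint WG0 'REAL_PEER_PUBLIC_KEY=' wgpeter.example.duckdns.org 31231
```

Run as a one-minute cron job on the router, `wg_refresh_endpoint` is idempotent: when the held endpoint already matches the resolved address it does nothing, so it cannot by itself cause the flapping seen in the thread; if the endpoint still changes to a private address between runs, something other than this check is setting it.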

It's a simple UniFi Security Gateway on which I have loaded OpenWrt just to plug in a printer and connect to a WireGuard tunnel, so I can print remotely... nothing more.

You say you do not control the server, but the VPN traffic is not masqueraded:

That can only work if the server side knows your subnet and has it in its Allowed IPs.

A typical client has option input 'REJECT'; if you trust the other side then no problem.

A typical client has no listen port and also does not open up a port, so what is the rationale behind this?
Or is it actually a site-to-site setup where the other side can also initiate a connection?

Maybe it is not related to your problem, but it is an atypical setup for a simple client.

If the endpoint is wrong, did you check that the DDNS name actually resolves to the correct address?
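To make the "atypical for a simple client" observation checkable, here is an added POSIX shell example written for this thread (not an OpenWrt tool and not anyone's posted code). It reads UCI-style text from `/etc/config/network` and `/etc/config/firewall` and reports the two points raised above: a `listen_port` on an interface whose peers all carry an `endpoint_host` (so this side always initiates), and a `redirect` that forwards WAN traffic to the interface's own WireGuard address. The embedded samples are constructed from the configuration posted earlier with keys redacted; the interface name `WG0`, port `31231` and address `10.93.21.6/32` are the thread's values. On the router you would feed it `"$(cat /etc/config/network)"` and `"$(cat /etc/config/firewall)"` instead.

```shell
#!/bin/sh
# Added example: flag server-style settings on a client-only WireGuard peer
# in UCI config text. Not part of OpenWrt; written for this thread.

# Print one option's value from the UCI section whose header (the text after
# "config ") equals $2, e.g. "interface 'WG0'" or "wireguard_WG0".
uci_option() {
    # $1 = config text, $2 = section header, $3 = option name
    printf '%s\n' "$1" | awk -v sec="$2" -v opt="$3" -v q="'" '
        /^config / { insec = (substr($0, 8) == sec); next }
        insec && $1 == "option" && $2 == opt { v = $3; gsub(q, "", v); print v; exit }'
}

# Print every value of a "list <name>" entry in the same kind of section.
uci_list() {
    # $1 = config text, $2 = section header, $3 = list name
    printf '%s\n' "$1" | awk -v sec="$2" -v key="$3" -v q="'" '
        /^config / { insec = (substr($0, 8) == sec); next }
        insec && $1 == "list" && $2 == key { v = $3; gsub(q, "", v); print v }'
}

# Print the "name" of every "config redirect" section whose dest_ip is the
# given address, with or without a /32 suffix.
redirects_to() {
    # $1 = firewall config text, $2 = IPv4 address
    printf '%s\n' "$1" | awk -v addr="$2" -v q="'" '
        function flush() {
            if (type == "redirect" && (dip == addr || dip == addr "/32")) print name
            type = ""; name = ""; dip = ""
        }
        /^config / { flush(); type = $2; next }
        $1 == "option" {
            v = $3; gsub(q, "", v)
            if ($2 == "name") name = v
            if ($2 == "dest_ip") dip = v
        }
        END { flush() }'
}

# Succeeds when every wireguard_<iface> peer section has an endpoint_host,
# i.e. this side always initiates and nothing needs to reach it inbound.
all_peers_have_endpoint() {
    # $1 = network config text, $2 = wireguard interface name
    printf '%s\n' "$1" | awk -v peer="wireguard_$2" '
        BEGIN { missing = 0 }
        /^config / { if (inpeer && !seen) missing = 1; inpeer = ($2 == peer); seen = 0; next }
        inpeer && $1 == "option" && $2 == "endpoint_host" { seen = 1 }
        END { if (inpeer && !seen) missing = 1; exit missing }'
}

# Print one finding per line; prints nothing for a plain client. Always
# returns 0 so callers can count the lines instead of checking status.
audit_wg_client() {
    # $1 = network config text, $2 = firewall config text, $3 = interface name
    if all_peers_have_endpoint "$1" "$3"; then
        port=$(uci_option "$1" "interface '$3'" listen_port)
        if [ -n "$port" ]; then
            echo "listen_port $port on $3: a peer that always initiates needs no fixed listen port"
        fi
        for addr in $(uci_list "$1" "interface '$3'" addresses); do
            for rule in $(redirects_to "$2" "${addr%/*}"); do
                echo "redirect '$rule' forwards WAN traffic to $addr: a client-only peer needs no inbound port forward"
            done
        done
    fi
    return 0
}

# Constructed samples based on the configuration posted earlier (keys
# redacted, indented with spaces; awk splits fields on any whitespace).
SAMPLE_NETWORK="config interface 'WG0'
    option proto 'wireguard'
    option private_key 'REDACTED'
    option listen_port '31231'
    list addresses '10.93.21.6/32'

config wireguard_WG0
    option public_key 'REDACTED'
    list allowed_ips '10.93.21.0/24'
    list allowed_ips '10.57.78.0/24'
    option endpoint_host 'wgpeter***.duckdns.org'
    option endpoint_port '31231'
    option persistent_keepalive '25'"

SAMPLE_FIREWALL="config zone
    option name 'vpn'
    option input 'ACCEPT'
    list network 'WG0'

config redirect
    option dest 'vpn'
    option target 'DNAT'
    option name 'wg'
    list proto 'udp'
    option src 'wan'
    option src_dport '31231'
    option dest_ip '10.93.21.6/32'
    option dest_port '31231'"

audit_wg_client "$SAMPLE_NETWORK" "$SAMPLE_FIREWALL" WG0
```

On the posted configuration the audit prints two findings, one for the listen port and one for the `wg` redirect; a client that only dials out would produce none. The checks are deliberately narrow: they say nothing about whether the setup is wrong, only that these two pieces serve no purpose unless the remote side is meant to initiate.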

When the endpoint is 10.10.10.115, I ssh to the OpenWrt router and ping wgpeter****.duckdns.org and it starts pinging...

The whole weird thing is why, if I reboot 2/3 times in a row, it changes from my WAN IP to the correct IP of the DDNS name...

You really need to start addressing the questions from all of the above posts, if you expect actionable advice. Otherwise we're going in circles with you rebooting the router and seeing random IP changes.

I ran the command to set the DDNS name of my endpoint

wg set WG0 peer ZHoTEYkc************************RaVyM= endpoint wgpeter******.duckdns.org:31231
ifdown WG0
ifup WG0
root@USG3p:~# wg show
interface: WG0
  public key: SCLSvu8/oYhz7Sh********************X9kfDWrTFk=
  private key: (hidden)
  listening port: 31231

peer: ZHoTEYkc*****************VbEuctRaVyM=
  endpoint: 9*.***.***.191:31231
  allowed ips: 10.93.21.0/24, 10.57.78.0/24
  transfer: 0 B received, 148 B sent
  persistent keepalive: every 25 seconds

But after a few seconds the local WAN IP comes back again

root@USG3p:~# wg show
interface: WG0
  public key: SCLS*********************fDWrTFk=
  private key: (hidden)
  listening port: 31231

peer: ZHoTE************************tRaVyM=
  endpoint: 10.10.10.115:31231
  allowed ips: 10.93.21.0/24, 10.57.78.0/24
  transfer: 2.17 KiB received, 2.21 KiB sent
  persistent keepalive: every 25 seconds

Again, that's curious, because it cannot happen on its own. WireGuard, once it resolves a peer's host, hangs on to that IP for better or worse. Something on your system is prodding WireGuard, and it seems in a wrong way.

Did you set up that system from scratch using an image downloaded from openwrt.org proper, or did you install a preconfigured image from somewhere else?

It was a plain image downloaded from the firmware selector of openwrt.org.

I just created the WG interface, added the peer and used the credentials of the WireGuard server I want to connect to... just a tweak on the firewall to allow connections from the subnet and nothing more.