I have a wg-server set up. Here's the relevant bit from /etc/config/network:
config interface 'wan_isp'
	option proto 'dhcp'
	option metric '10'
	option device 'eth1.20'

config interface 'wg_server'
	option proto 'wireguard'
	option private_key '***'
	list addresses '10.60.60.1'
	option listen_port '51820'

config device
	option name 'wg_server'
	option acceptlocal '1'
	option ipv6 '0'

config wireguard_wg_server
	option description 'z-flip-4'
	option public_key '***'
	option private_key '***'
	option preshared_key '***'
	option route_allowed_ips '1'
	list allowed_ips '10.60.60.10'
	option persistent_keepalive '25'
Here's the bit from /etc/config/firewall:
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option fullcone4 '1'
	option fullcone6 '1'
	option masq '1'
	option mtu_fix '1'
	list network 'wan_isp'

config rule
	option name 'Allow-WireGuard'
	list proto 'udp'
	option src 'wan'
	option target 'ACCEPT'
	option family 'ipv4'
	option dest_port '51820'
wg-clients are on two VPSs and on Android phones.
When I initiate the connection while my phone is connected to wifi (local network), it connects to wg-server and works.
When a client outside my network (e.g., 46.6.) tries connecting (current IP is 213.195. ), the handshake fails.
Fail looks like this (wireshark/tcpdump):
success looks like this (192.168.11.100 is my phone inside LAN):
Any ideas about what's wrong?
bogorad:
(current IP is 213.195. )
I noticed your IP is an IR ISP. See these quotes from your fellow country persons:
I'm from Iran. The government closed more protocols like PPTP, L2TP, IKEv2, WireGuard, Kerio, ...
None of the protocols work or connect.
Just SSH is working.
egc
May 29, 2023, 4:54pm
WireGuard is easy to detect, so if that is blocked there is nothing you can do (there is an obfuscation package which, if compiled, might work).
If it is not blocked, then maybe you do not have the WG interface added to the LAN zone to open up the firewall?
Furthermore, the list addresses are lacking the netmask; not sure how much of a problem that is.
noticed your IP is an IR ISP.
Nope, I'm in Spain, my ISP (for both fiber and mobile) is Pepephone, and it definitely does not block WireGuard.
tcpdump clearly shows packets coming in.
egc
May 29, 2023, 6:44pm
Have you added the WG interface to the LAN zone to open up the firewall?
I'm not sure if the metric could be responsible for this... Do you have multiple wan connections? Why do you have a metric assigned here?
Make the address explicitly a /24 (10.60.60.1/24)
Remove the following:
Make the allowed IPs explicitly a /32 (10.60.60.10/32)
I'm not sure if the fullcone options may play into the issue, but I'd recommend removing them unless there is a reason you need them here:
If those things don't fix the problem, let's see your entire configuration (network and firewall files, as well as the remote peer config).
Certainly:
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg_server'
	list network 'docker70'
I was experimenting with mwan3, it's an artefact. I'll try removing it, and trying all the other ideas.
Thank you!
Got it to work following the advice from a friend. Turns out, my ISP changed something in their network configuration, and the default MTU was no longer working reliably. Changed it to 1200 and now it works.
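As an added illustration (not code from the thread or from OpenWrt), a small Python checker that parses UCI text and flags the points raised in the replies above together with the MTU fix that resolved the thread: addresses without a /24, allowed_ips without a /32, the WireGuard interface missing from the lan zone, fullcone options on wan, and no explicit mtu on the interface. The two config fragments are constructed copies of what was posted, with keys left out; the "no mtu" check is a heuristic based on this thread's outcome, not a general rule.

```python
import re
# Constructed sample (keys omitted): the network and firewall fragments posted in the thread.
NETWORK_CFG = """
config interface 'wg_server'
    option proto 'wireguard'
    list addresses '10.60.60.1'
config wireguard_wg_server
    list allowed_ips '10.60.60.10'
"""
FIREWALL_CFG = """
config zone
    option name 'wan'
    option fullcone4 '1'
    option fullcone6 '1'
    list network 'wan_isp'
config zone
    option name 'lan'
    list network 'lan'
"""

def parse_uci(text):
    """Parse UCI text into (section_type, section_name, {key: [values]}) triples."""
    sections = []
    # Each UCI line is 'config <type> [name]', 'option <key> <value>' or 'list <key> <value>'.
    for kind, key, val in re.findall(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?", text, re.M):
        if kind == "config":
            sections.append((key, val, {}))
        else:
            sections[-1][2].setdefault(key, []).append(val)
    return sections

def check_wg(network_text, firewall_text, iface="wg_server"):
    """Return the pitfalls discussed in the thread that this WireGuard server config exhibits."""
    issues = []
    for stype, name, opts in parse_uci(network_text):
        if stype == "interface" and name == iface:
            if any("/" not in a for a in opts.get("addresses", [])):
                issues.append("addresses lacks a prefix length (e.g. 10.60.60.1/24)")
            if "mtu" not in opts:
                issues.append("no mtu set on the interface (the thread's fix was 1200)")
        elif stype == "wireguard_" + iface:  # peer section for this interface
            if any("/" not in a for a in opts.get("allowed_ips", [])):
                issues.append("allowed_ips lacks a prefix length (use /32 for one host)")
    for stype, _, opts in parse_uci(firewall_text):
        if stype == "zone" and opts.get("name") == ["lan"] and iface not in opts.get("network", []):
            issues.append(f"{iface} is not in the lan zone's network list")
        if stype == "zone" and opts.get("name") == ["wan"] and any(k.startswith("fullcone") for k in opts):
            issues.append("fullcone options set on the wan zone")
    return issues
```

Running check_wg(NETWORK_CFG, FIREWALL_CFG) reports all five points; feeding it the corrected fragments (prefix lengths added, mtu set, wg_server listed in the lan zone, fullcone lines removed) returns an empty list.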