Weird Wireguard issues I could use some help with.

Submitted ⁨⁨11⁩ ⁨months⁩ ago⁩ by ⁨SeeJayEmm@lemmy.procrastinati.org⁩ to ⁨selfhosted@lemmy.world⁩

I’ve hit a wall with a weird Wireguard issue. I’m trying to connect my phone (over cell) to my home router using wireguard and it will not connect.

The keys are all correct.
The IPs are all correct.
The ports are open on the firewall.
My router has a public IP, no CGNAT.

The router is opnsense, I have a tcpdump session going and when I attempt a connection from the phone I see 0 packets on that port. I am able to ping the router and reach the web server sitting behind it from the phone.

I have a VPS that I configured WG on and the phone connects fine to that. I also tested configuring the VPS to connect to my home router and that also works fine.

I’m really at a loss as to where to go next.

Thanks

source

Comments

Sort:hotnew top

stown@sedd.it ⁨11⁩ ⁨months⁩ ago
This may be a routing/firewall issue. In the firewall section for your Wireguard interface what rules do you have set? Also, the allowed IP’s for your peer should be 0.0.0.0/0 NOT /32. (That literally means that only IP 0.0.0.0 is allowed).

source
- SeeJayEmm@lemmy.procrastinati.org ⁨11⁩ ⁨months⁩ ago
  Well, that was a silly mistake. Thanks for noticing it. I rebuilt the client side several times yesterday, so I can’t say for certain I made that typo each time, but it’s possible.
  
  I just blew out the whole thing, both sides, and rebuilt it from scratch using a different UDP port and it’s all working now.
  
  source
revv@lemmy.blahaj.zone ⁨11⁩ ⁨months⁩ ago
One issue I’ve had in some networks is that wg will connect, but not receive any traffic from the network. You can try to set up a static route for your wg subnet pointing at your wg server’s local IP.

No idea if that’s your issue though.

source
- SeeJayEmm@lemmy.procrastinati.org ⁨11⁩ ⁨months⁩ ago
  It definitely not connecting. I get no handshake stats on either side and my tcpdump shows 0 packets to try and even initiate the tunnel.
  
  source
vzq@lemmy.blahaj.zone ⁨11⁩ ⁨months⁩ ago
Test if you can get UDP to your server. Some mobile providers block UDP to residential ranges because of DDOS concerns.

source
- SeeJayEmm@lemmy.procrastinati.org ⁨11⁩ ⁨months⁩ ago
  I did configure the VPS to be a client to the opn router and that was able to connect just fine. What I really need is a way to arbitrarily test UDP from the phone, and/or a way to actually do a packet dump on it to see if anything is going out.
  
  source
lemming741@lemmy.world ⁨11⁩ ⁨months⁩ ago
Have you been down the MTU rabbit hole? The wg-quick helper scripts are supposed to find the best MTU but I’ve found cases (tethering) where I had to adjust. Too big an MTU and you could silently drop packets.

Are you virtualizing opnsense? I am, and the wg plugins and config felt foreign to me it was easier to virtualize a wg endpoint.

source
- SeeJayEmm@lemmy.procrastinati.org ⁨11⁩ ⁨months⁩ ago
  
  Have you been down the MTU rabbit hole?
  
  No. I’m going to look into that and do some testing today. Perhaps there’s something wonky between my mobile and home ISPs in that regard.
  
  source
hungover_pilot@lemmy.world ⁨11⁩ ⁨months⁩ ago
If your VPS can connect to your home router as a client it sounds like your wireguard server on opnsense is working correctly.

Might be a problem with your phones WG config. Have you tried taking the client .conf file from your VPS and loading it onto your phone to test a working config file?

source
- SeeJayEmm@lemmy.procrastinati.org ⁨11⁩ ⁨months⁩ ago
  I didn’t think the wg-quick conf is compatible but I’ll look into that in the am.
  
  source
  - lemming741@lemmy.world ⁨11⁩ ⁨months⁩ ago
    For the love of all that is holy
    
    At least change the interface IP. I multiboot my laptop and when I copied a wg.conf being lazy, the server basically ignored the newer client. I had to boot back into the OG OS and add a peer. I’m still learning wg but don’t count on clones interfaces working.
    
    source
    -> View More Comments
ikidd@lemmy.world ⁨11⁩ ⁨months⁩ ago
Show the conf file for your ubuntu endpoint, and maybe a screenshot of the server/peer on the opnsense server. Redact keys and endpoint hostnames.

source
- SeeJayEmm@lemmy.procrastinati.org ⁨11⁩ ⁨months⁩ ago
  I’ll have to do that in the morning.
  
  source
taaz@biglemmowski.win ⁨11⁩ ⁨months⁩ ago
Thus probably does not apply for you but don’t try sending wg over port 53, learned the hard way some routers simply won’t pass non-dns packets there.

source
- SeeJayEmm@lemmy.procrastinati.org ⁨11⁩ ⁨months⁩ ago
  My backup plan is to route the traffic through the VPS to the home network. I was hoping to avoid that hop.
  
  source
baascus@programming.dev ⁨11⁩ ⁨months⁩ ago
I’ve encountered a similar issue with WireGuard on my iOS and macOS devices. On iOS, I need to first connect to the VPN, then disable and re-enable both Wi-Fi and cellular data before the traffic begins flowing through the tunnel. On macOS, the process involves connecting the tunnel and toggling Wi-Fi off and on. It seems like I have to reset the network connection on the device after establishing the tunnel to get it working. I’m also using OPNsense with the WireGuard plugin.

Sounds like it may be the same issue so I hope that this helps!

source
- SeeJayEmm@lemmy.procrastinati.org ⁨11⁩ ⁨months⁩ ago
  I’ll give it a try, thanks.
  
  source
nightrunner@lemmy.world ⁨11⁩ ⁨months⁩ ago
Did you setup a NAT on the firewall? You have to setup a static NAT on the interface that your Public IP sits on and to the private IP address of your VPS (you are using a private network space from one of the other interfaces on your FW right?).

Make sure that the policy that you create with the NAT includes UDP 51820 (unless you changed the default port) People often mistake using TCP which is a different protocol. If that doesn’t work, then look at the traffic on your FW

source
- SeeJayEmm@lemmy.procrastinati.org ⁨11⁩ ⁨months⁩ ago
  There’s some confusion here. I’m running wireguard on my opnsense router and I’m trying to connect my Android phone to it.
  
  I just used the VPS to help troubleshoot to show other clients can connect to opnsense AND the phone can connect to other servers but the phone and opn won’t talk.
  
  I know this screams config issue. I’ve gone over it and rebuilt it multiple times. I can’t find anything wrong. Someone else asked to see configs so I’ll post those tomorrow.
  
  source
  - stown@sedd.it ⁨11⁩ ⁨months⁩ ago
    It is a config issue. Allowed IPs for your client should be 0.0.0.0/0 not 0.0.0.0/32
    
    source
- nightrunner@lemmy.world ⁨11⁩ ⁨months⁩ ago
  Meant to say if you still get stuck, run Wireshark on your FW and your VPS and run a tcp dump and filter the traffic to see where the data stops.
  
  You can also use traceroute to your public IP on the port 51820 and check your connectivity or even curl: -v //publicip:51820
  
  source
  - taaz@biglemmowski.win ⁨11⁩ ⁨months⁩ ago
    Yeah I would probably try if the phone can actually access anything on that port.
    
    On router: netcat -vvvl 0.0.0.0 51820
    On phone: http://router_ip:51820
    
    The browser will fail opening it but on router you should see the first incoming HTTP GET packet.
    Or one could run a local shell on the phone (assuming android) and try netcat too.
    
    source
    -> View More Comments
Decronym@lemmy.decronym.xyz ⁨11⁩ ⁨months⁩ ago
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

Fewer Letters More Letters

IP Internet Protocol

VPN Virtual Private Network

VPS Virtual Private Server (opposed to shared hosting)

[Thread #366 for this sub, first seen 20th Dec 2023, 02:45] [FAQ] [Full list] [Contact] [Source code]

source

Fewer Letters	More Letters
IP	Internet Protocol
VPN	Virtual Private Network
VPS	Virtual Private Server (opposed to shared hosting)