WireGuard doesn't connect

Router: GL-AR300M (NOR) running v4.3.11
Setup: Home OpenWRT on RPi <---Fibre--->Internet <---LTE---> Mobile Phone <---USB---> AR300M <---Ethernet---> Laptop

Out of the box (flashed to latest firmware), and have set up WiFi and tested it works as a router (it does) but now I want to get a connection back to my home network via WireGuard and it just doesn't connect...

WireGuard client configured as:

[Interface]
Address = 10.10.1.20/32
ListenPort = 51821
PrivateKey = REDACTED
DNS = 192.168.1.1
MTU = 1400

[Peer]
AllowedIPs = 0.0.0.0/0
Endpoint = REDACTED:51821
PersistentKeepalive = 25
PublicKey = REDACTED

When I try to connect (it works fine from the WG client on my phone), I get this in the log:

Thu Jun 13 14:24:25 2024 daemon.notice netifd: Interface 'wgclient' is setting up now
Thu Jun 13 14:26:15 2024 user.notice wireguard-debug: USER=root ifname=wgclient ACTION=REKEY-GIVEUP SHLVL=1 HOME=/ HOTPLUG_TYPE=wireguard LOGNAME=root DEVICENAME= TERM=linux SUBSYSTEM=wireguard PATH=/usr/sbin:/usr/bin:/sbin:/bin PWD=/
Thu Jun 13 14:26:17 2024 daemon.notice netifd: wgclient (28596): [!] Section safe_mode_lan (safe_mode_lan) is disabled, ignoring section
Thu Jun 13 14:26:17 2024 daemon.notice netifd: wgclient (28596): [!] Section safe_mode_guest (safe_mode_guest) is disabled, ignoring section
Thu Jun 13 14:26:17 2024 daemon.notice netifd: wgclient (28596): [!] Section safe_mode_mark (safe_mode_mark) is disabled, ignoring section
Thu Jun 13 14:26:17 2024 daemon.notice netifd: wgclient (28596): [!] Section safe_mode_mark_save (safe_mode_mark_save) option 'extra' is not supported by fw4
Thu Jun 13 14:26:17 2024 daemon.notice netifd: wgclient (28596): [!] Section safe_mode_mark_save (safe_mode_mark_save) is disabled, ignoring section
Thu Jun 13 14:26:17 2024 daemon.notice netifd: wgclient (28596): [!] Section safe_mode_mark_drop (safe_mode_mark_drop) is disabled, ignoring section
Thu Jun 13 14:26:17 2024 daemon.notice netifd: wgclient (28596): [!] Section @forwarding[0] is disabled, ignoring section
Thu Jun 13 14:26:17 2024 daemon.notice netifd: wgclient (28596): [!] Section @forwarding[1] is disabled, ignoring section
Thu Jun 13 14:26:17 2024 daemon.notice netifd: wgclient (28596): [!] Section nat6 option 'reload' is not supported by fw4
Thu Jun 13 14:26:17 2024 daemon.notice netifd: wgclient (28596): [!] Section vpn_server_policy option 'reload' is not supported by fw4
Thu Jun 13 14:26:17 2024 daemon.notice netifd: wgclient (28596): [!] Section gls2s option 'reload' is not supported by fw4
Thu Jun 13 14:26:17 2024 daemon.notice netifd: wgclient (28596): [!] Section gls2s specifies unreachable path '/var/etc/gls2s.include', ignoring section
Thu Jun 13 14:26:17 2024 daemon.notice netifd: wgclient (28596): [!] Section glblock option 'reload' is not supported by fw4
Thu Jun 13 14:26:17 2024 daemon.notice netifd: wgclient (28596): [!] Automatically including '/usr/share/nftables.d/chain-pre/forward_guest/01-forward_bypass_domain.nft'
Thu Jun 13 14:26:17 2024 daemon.notice netifd: wgclient (28596): [!] Automatically including '/usr/share/nftables.d/chain-pre/forward_lan/01-forward_bypass_domain.nft'
Thu Jun 13 14:26:17 2024 daemon.notice netifd: wgclient (28596): [!] Automatically including '/usr/share/nftables.d/chain-pre/mangle_output/01-process_mark.nft'
Thu Jun 13 14:26:17 2024 daemon.notice netifd: wgclient (28596): [!] Automatically including '/usr/share/nftables.d/chain-post/mangle_output/out_conn_mark_restore.nft'
Thu Jun 13 14:26:18 2024 daemon.notice netifd: wgclient (28596): DROP all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 match-set GL_MAC_BLOCK src
Thu Jun 13 14:26:19 2024 daemon.notice netifd: wgclient (28596): Failed to parse json data: unexpected character
Thu Jun 13 14:26:19 2024 daemon.notice netifd: wgclient (28596): uci: Entry not found
Thu Jun 13 14:26:19 2024 daemon.notice netifd: wgclient (28596): cat: can't open '/tmp/run/wg_resolved_ip': No such file or directory
Thu Jun 13 14:26:19 2024 daemon.notice netifd: Interface 'wgclient' is now down
Thu Jun 13 14:26:19 2024 daemon.notice netifd: Interface 'wgclient' is setting up now
Thu Jun 13 14:26:21 2024 user.notice mwan3[28698]: Execute ifdown event on interface wgclient (unknown)
Thu Jun 13 14:26:25 2024 user.notice firewall: Reloading firewall due to ifdown of wgclient ()

wg show gives me back:

interface: wgclient
public key: REDACTED
private key: (hidden)
listening port: 51821
fwmark: 0x8000

peer: REDACTED
endpoint: REDACTED:51821
allowed ips: 0.0.0.0/0
transfer: 0 B received, 1.16 KiB sent
persistent keepalive: every 25 seconds

and yes, 51821 is set up as a port forward in my OpenWRT router.

I also notice the wgclient interface in LuCI says "Unsupported protocol type" - don't know if this is normal though.

What am I doing wrong here!?

Hi,

please read How to troubleshoot WireGuard and check if it might already fix your problem.

That's normal.

Thanks for the quick reply - yes I'd already read that (and a couple of threads that look similar to my problem) but nothing there fixed it. I checked the troubleshooting guide again just in case there was anything I'd missed and I don't think there is. So, I'm still a bit stuck :confused:

Looking into it a bit further, I think it won't work on the LTE connection - looks like it's CGNAT :frowning_face:

It doesn't work if I put WG on my laptop and tether directly through the phone either...going to try some more things when I'm out on the road...

Yup, basically spoken: LTE, StarLink & 5G are always CGNAT - no way to run a server there.

Well that wasn't actually the problem, because I'm trying to run as a client at the LTE (GL-net) end. What happened was...

... I set up new peers in OpenWRT at the server end...

...and forgot to restart the interface to apply the changes.

Do I feel stupid, or what! :poop:
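As an added example (not from the thread or from GL.iNet's own tooling), here is a small shell helper that reads `wg show <iface> dump` output and flags the pattern seen above: bytes sent, nothing received, no handshake, which is what you get when the server side has not actually loaded the new peer (or the key or endpoint is wrong). The dump lines in `sample_dump` are constructed to mirror the `wg show` output in the thread; the epoch timestamps are made up.

```shell
#!/bin/sh
# Diagnose WireGuard peers from `wg show <iface> dump` (tab-separated):
#   line 1  : private-key public-key listen-port fwmark      (the interface)
#   line 2+ : public-key preshared-key endpoint allowed-ips latest-handshake rx tx keepalive
# The "current time" is passed in as epoch seconds so the check is deterministic.
wg_diagnose() {
    now="$1"
    awk -F'\t' -v now="$now" '
        NR == 1 { next }                       # interface line, not a peer
        {
            pub = substr($1, 1, 8) "..."; hs = $5; rx = $6; tx = $7
            if (hs == 0 && rx == 0 && tx > 0)
                # We keep sending handshake initiations, nothing ever comes back:
                # peer missing on the server, key mismatch, or endpoint unreachable.
                print pub " NO-HANDSHAKE: sent " tx " B, received 0 B (is this peer loaded on the server?)"
            else if (hs == 0)
                print pub " IDLE: no traffic attempted yet"
            else if (now - hs > 180)
                # WireGuard rekeys every ~2 min; older than that means the peer stopped answering.
                print pub " STALE: last handshake " (now - hs) "s ago"
            else
                print pub " OK: handshake " (now - hs) "s ago"
        }'
}

# Constructed sample dump: one peer stuck like the wgclient in the thread
# (1188 B sent, 0 B received, no handshake) and one healthy peer.
sample_dump() {
    printf 'PRIVKEY_REDACTED\tPUBKEY_REDACTED\t51821\t0x8000\n'
    printf 'SERVER_PEER_KEY_REDACTED\t(none)\t203.0.113.10:51821\t0.0.0.0/0\t0\t0\t1188\t25\n'
    printf 'OTHER_PEER_KEY_CONSTRUCTED\t(none)\t198.51.100.7:51821\t10.10.1.0/24\t1718288000\t4096\t8192\t25\n'
}

# Demo on the constructed data; on a real box run:
#   wg show wgclient dump | wg_diagnose "$(date +%s)"
sample_dump | wg_diagnose "$(date +%s)"
```

If a peer shows NO-HANDSHAKE on the client, check the server with `wg show` there too: if the client's public key is not listed, the peer was added to the config but the interface was never restarted to apply it.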
