I’ve hit a wall with a weird Wireguard issue. I’m trying to connect my phone (over cell) to my home router using wireguard and it will not connect.

  • The keys are all correct.
  • The IPs are all correct.
  • The ports are open on the firewall.
  • My router has a public IP, no CGNAT.

The router is opnsense, I have a tcpdump session going and when I attempt a connection from the phone I see 0 packets on that port. I am able to ping the router and reach the web server sitting behind it from the phone.

I have a VPS that I configured WG on and the phone connects fine to that. I also tested configuring the VPS to connect to my home router and that also works fine.

I’m really at a loss as to where to go next.

Edit 2: I completely blew out the config on both sides and rebuilt it from scratch, using a different UDP port, and it all appears to be working now. Thanks for everyone’s help in tracking this down.

Edit: It was requested I provide my configs.

opnsense:

####################################################
# Interface settings, not used by `wg`             #
# Only used for reference and detection of changes #
# in the configuration                             #
####################################################
# Address =  172.31.254.1/24
# DNS =
# MTU =
# disableroutes = 0
# gateway =

[Interface]
PrivateKey = 
ListenPort = 51821

[Peer]
# friendly_name = note20
PublicKey = 
AllowedIPs = 172.31.254.100/32

Android:

[Interface]
Address = 172.31.254.100/32
PrivateKey = 

[Peer]
AllowedIPs = 0.0.0.0/32
Endpoint = :51821
PublicKey =
  • Revv@lemmy.blahaj.zoneEnglish
    4·
    11 months ago

    One issue I’ve had in some networks is that wg will connect, but not receive any traffic from the network. You can try to set up a static route for your wg subnet pointing at your wg server’s local IP.

    No idea if that’s your issue though.

  • baascus@programming.devEnglish
    2·
    11 months ago

    I’ve encountered a similar issue with WireGuard on my iOS and macOS devices. On iOS, I need to first connect to the VPN, then disable and re-enable both Wi-Fi and cellular data before the traffic begins flowing through the tunnel. On macOS, the process involves connecting the tunnel and toggling Wi-Fi off and on. It seems like I have to reset the network connection on the device after establishing the tunnel to get it working. I’m also using OPNsense with the WireGuard plugin.

    Sounds like it may be the same issue so I hope that this helps!

  • taaz@biglemmowski.winEnglish
    2·
    11 months ago

    This probably does not apply for you but don’t try sending wg over port 53, learned the hard way some routers simply won’t pass non-dns packets there.

    <del>Otherwise considering you are able to access VPS stuff from phone but not the router connected to the same VPS then I would check

    • if forwarding is enabled on the vps
    • if you can’t see any packets on the router side then it sounds like a routing issue at the vps</del>

    E: I am too baked and assumed you are trying to have the VPS as a central hop point.

  • ikidd@lemmy.worldEnglish
    1·
    11 months ago

    Show the conf file for your ubuntu endpoint, and maybe a screenshot of the server/peer on the opnsense server. Redact keys and endpoint hostnames.

  • nightrunner@lemmy.worldEnglish
    1·
    11 months ago

    Did you setup a NAT on the firewall? You have to setup a static NAT on the interface that your Public IP sits on and to the private IP address of your VPS (you are using a private network space from one of the other interfaces on your FW right?).

    Make sure that the policy that you create with the NAT includes UDP 51820 (unless you changed the default port) People often mistake using TCP which is a different protocol. If that doesn’t work, then look at the traffic on your FW

    • nightrunner@lemmy.worldEnglish
      1·
      11 months ago

      Meant to say if you still get stuck, run Wireshark on your FW and your VPS and run a tcp dump and filter the traffic to see where the data stops.

      You can also use traceroute to your public IP on the port 51820 and check your connectivity or even curl: -v http:////publicip:51820

  • stown@sedd.itEnglish
    1·
    11 months ago

    The allowed IP’s for your peer should be 0.0.0.0/0 NOT /32. (That literally means that only IP 0.0.0.0 is allowed). I’m pretty sure that’s your problem since 0.0.0.0 is not a valid IP that anyone is assigned.

    • 𝓢𝓮𝓮𝓙𝓪𝔂𝓔𝓶𝓶@lemmy.procrastinati.orgOPEnglish
      1·
      11 months ago

      Well, that was a silly mistake. Thanks for noticing it. I rebuilt the client side several times yesterday, so I can’t say for certain I made that typo each time, but it’s possible.

      I just blew out the whole thing, both sides, and rebuilt it from scratch using a different UDP port and it’s all working now.

  • Decronym@lemmy.decronym.xyzBEnglish
    1·
    11 months ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters More Letters
    IP Internet Protocol
    NAT Network Address Translation
    TCP Transmission Control Protocol, most often over IP
    UDP User Datagram Protocol, for real-time communications
    VPN Virtual Private Network
    VPS Virtual Private Server (opposed to shared hosting)

    [Thread #366 for this sub, first seen 20th Dec 2023, 02:45] [FAQ] [Full list] [Contact] [Source code]