[Solved] Wireguard - No handshake

Started by Arno, November 13, 2024, 09:01:20 PM

November 13, 2024, 09:01:20 PM Last Edit: November 17, 2024, 07:20:37 PM by Arno
Hi everyone,

Using a public wifi I'm trying to connect to my home LAN.

In the logs of OPNsense (via Graylog) I see some incoming packets on WAN port 51820 (pass).

There are no firewall rules on the wireguard interface.
There is one rule on Wireguard (Group): Any IPv4 to one private subnet (/24).

Why is there no handshake when I connect from my Linux Mint laptop?
The public wifi isn't the problem I think. There are incoming packets on OPNsense.

WireGuard not working is most of the time one of 3 things:

- Packets from the client do not reach the server or vice versa
- The client is not added to the correct WireGuard server in the configuration
- The public/private keys are wrong
Hardware:
DEC740

Where in the OPNsense logs can I check those 3 cases?

The packets reach the OPN server. In the logs I see correct source and destination IP address and port 51820/udp (pass).
'Laptop' is a peer of the only wireguard instance (and is enabled).

VPN - Wireguard - Logfile is empty.
VPN - Wireguard - Status - Handshake is empty.

If the keys are wrong, shouldn't there be at least a log message?

November 14, 2024, 05:48:13 PM #3 Last Edit: November 14, 2024, 05:52:26 PM by Monviech (Cedrik)
No, WireGuard doesn't log anything by design. You have to guess these three things until it works.

If you want a protocol that logs actual errors, use IPsec.

Wireguard is designed to be non chatty with little emissions.

When the WireGuard server does not respond, it either does not have your peer configured to the endpoint (thus doesn't know of it), doesn't receive the handshake packet of your peer, or the keys are wrong.

That makes it far simpler to troubleshoot than the chatty logging IPsec that can have 1000 different errors. :)

Quote from: Monviech (Cedrik) on November 14, 2024, 05:48:13 PM
No, WireGuard doesn't log anything by design.
...
That's not quite true. When compiling Wireguard from source you can specify "Debugging checks and verbose messages" and then the package will output debugging information. The package in the repository is just compiled without this option, that's all.

I'm unsure if debug logs meant for software development emit anything useful for the actual users of the software.

https://www.wireguard.com/quickstart/

I mean you are right, it states here you can enable things like dynamic debugging in the linux kernel.

But if these messages would hold anything of value for the user, why would projects like this exist?

https://github.com/nikaro/wirelogd

I haven't myself tested WireGuard log emissions though; have you any experience with it and can you tell me if they have useful information like, for example, IPsec or OpenVPN logs?

Quote from: Monviech (Cedrik) on November 14, 2024, 05:48:13 PM
No, WireGuard doesn't log anything by design.
Didn't know that. Thanks.

Recreated my 'Laptop' peer. It now shows on the wireguard widget. Offline for now. Not tested with public wifi yet.
Also created an extra firewall rule on Wireguard (Group) to monitor outbound wireguard traffic (51820/udp).

In my 'Laptop' peer I left Endpoint and port empty. Is this correct?

I will report back when I have tested from public wifi.

Yeah, that is correct since your peer is dynamic. WireGuard will auto-populate that dynamically when it receives a matching handshake for that peer.

Good luck with testing. :)

No handshake yet.

When connecting from public wifi to OPNsense, 'required key missing' (or similar, this is a translation) was shown on my laptop (wg client).
Have to debug a lot (routes, metric, DNS, allowed IPs).

Today I came across the 'wg watch' command.
To be continued. Debug suggestions welcome.

How did you configure the Client profile?
Did you use the generator or did you do it manually?

Because if you see the client hitting the WAN and the WAN is permitting inbound, then, per the messages you say appear, there is a strong suggestion the problem is with the keys.

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD

Quote
How did you configure the Client profile?
Oops....  :-[
In the client profile I used the public key of my laptop.....for the OPNsense peer.

Got a handshake  :). Can't ping anything yet.
That's for another time.
This is solved for now. Thanks!
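The mix-up above (the laptop's own public key pasted into the client's [Peer] section instead of the OPNsense key) can be caught before the first handshake attempt. The following is an added example, not code from the thread or from OPNsense: it derives the client's own public key from the [Interface] PrivateKey with a pure-Python X25519 and flags any [Peer] PublicKey that equals it. The keys are the RFC 7748 test vectors standing in for the laptop's key; `conf()` and the hex constants are constructed for the example.

```python
# Added example, not the thread's or OPNsense's code. Keys are RFC 7748 test
# vectors standing in for the laptop's private key (constructed sample input).
import base64

P = 2**255 - 19

def x25519_base(private: bytes) -> bytes:
    """Public key = clamped scalar * base point u=9 (RFC 7748 Montgomery ladder)."""
    k = bytearray(private)
    k[0] &= 248; k[31] &= 127; k[31] |= 64  # clamp the scalar as wg does
    k = int.from_bytes(k, "little")
    x1, x2, z2, x3, z3, swap = 9, 1, 0, 9, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def check_client_conf(text: str) -> list:
    """Return problems found in a wg-quick client config (empty list = none found)."""
    section, priv, peer_keys = None, b"", []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if line.startswith("["):
            section = line
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if section == "[Interface]" and key == "PrivateKey":
                priv = base64.b64decode(val)
            elif section == "[Peer]" and key == "PublicKey":
                peer_keys.append(val)
    if len(priv) != 32:
        return ["[Interface] PrivateKey missing or not a 32-byte base64 key"]
    own = base64.b64encode(x25519_base(priv)).decode()
    return [f"[Peer] PublicKey {k[:8]}... is your OWN public key, not the server's"
            for k in peer_keys if k == own]

LAPTOP_PRIV_HEX = "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a"
def b64(hexkey): return base64.b64encode(bytes.fromhex(hexkey)).decode()
def conf(peer_pub_hex): return f"[Interface]\nPrivateKey = {b64(LAPTOP_PRIV_HEX)}\n[Peer]\nPublicKey = {b64(peer_pub_hex)}\nAllowedIPs = 192.168.1.0/24\n"
```

Run `check_client_conf(open("wg0.conf").read())` against a real client file; an empty list means the peer key is at least not your own.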

Hehe, no worries, this happens often. It's always good to keep watch on what "debug" message you get, like the
Quote
required key missing

Anyway glad you fixed it. Please mark your Topic with [SOLVED].

Regards,
S.

Quote from: Monviech (Cedrik) on November 14, 2024, 07:21:24 PM

I haven't myself tested WireGuard log emissions though; have you any experience with it and can you tell me if they have useful information like, for example, IPsec or OpenVPN logs?
I don't know how detailed the logs are, but there is an option to enable them when copying.