I’ve hit a wall with a weird Wireguard issue. I’m trying to connect my phone (over cell) to my home router using wireguard and it will not connect.

  • The keys are all correct.
  • The IPs are all correct.
  • The ports are open on the firewall.
  • My router has a public IP, no CGNAT.

The router is opnsense, I have a tcpdump session going and when I attempt a connection from the phone I see 0 packets on that port. I am able to ping the router and reach the web server sitting behind it from the phone.

I have a VPS that I configured WG on and the phone connects fine to that. I also tested configuring the VPS to connect to my home router and that also works fine.

I’m really at a loss as to where to go next.

Edit 2: I completely blew out the config on both sides and rebuilt it from scratch, using a different UDP port, and it all appears to be working now. Thanks for everyone’s help in tracking this down.

Edit: It was requested I provide my configs.

opnsense:

####################################################
# Interface settings, not used by `wg`             #
# Only used for reference and detection of changes #
# in the configuration                             #
####################################################
# Address =  172.31.254.1/24
# DNS =
# MTU =
# disableroutes = 0
# gateway =

[Interface]
PrivateKey = 
ListenPort = 51821

[Peer]
# friendly_name = note20
PublicKey = 
AllowedIPs = 172.31.254.100/32

Android:

[Interface]
Address = 172.31.254.100/32
PrivateKey = 

[Peer]
AllowedIPs = 0.0.0.0/32
Endpoint = :51821
PublicKey = 
  • taaz@biglemmowski.win
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    11 months ago

    Yeah I would probably try if the phone can actually access anything on that port.

    On router: netcat -vvvl 0.0.0.0 51820
    On phone: http://router_ip:51820

    The browser will fail opening it but on router you should see the first incoming HTTP GET packet.
    Or one could run a local shell on the phone (assuming android) and try netcat too.

    (or this http server one liner python3 -m http.server can be used instead of netcat)

    • I have an network tools app that lets me test arbitrary ports and I do see those packets on a tcpdump, but this app (and you’re suggestions above) are all TCP while Wireguard listens on UDP. I haven’t come up with a way to test UDP from the phone yet.

      • taaz@biglemmowski.win
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        11 months ago

        Netcat can do UDP with -u flag, to get netcat on the phone (android) you could try local shell (Connect Bot app can do it) and try calling the local netcat (nc, though it’s a simple busybox implementation so it might not have all the features). Not sure if it would let you send udp just like that.

      • nightrunner@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        11 months ago

        They call it a tcpdump but Wireshark analyzes all network traffic. You can use the udp.port == 51820

        Do you have a laptop? Probably more tools and easier to test from there.