Wireguard Installation Problem

Trying out DietPi for use with WireGuard today. Installed a fresh installation of DietPi on my RPi4 and booted up, everything was normal. Let the image do its thing and update everything to latest.

Installed WireGuard through the DietPi software installation stuff.
Set the server IP to use to XXXXXX.duckdns.org, which points to my public IP.
Left the port as default 51820.
Rebooted once installation was done (it forced me).

Trying to set it up on my iPhone, I ran the command

grep -v '^#' /etc/wireguard/wg0-client.conf | qrencode -t ansiutf8

to generate a QR code and I added it to my iPhone. Went onto my Orbi system and enabled port forwarding for the default port number 51820. Disabled UPnP (people had problems with that). Rebooted router.

Connecting does not work. Tries to connect, fails, tries to connect, fails, again and again.

Did a DNS lookup on my duckdns URL → correctly points to my public IP

Then made sure wireguard was running → running

wg show

shows that the interface wg0 is in fact running on port 51820.

Then ran

nmap -sT -O localhost

The results show that only ports 22, 53, and 80 are open. Running

nc -zv 192.168.1.XX 51820

on another local system fails with connection refused, which means that port 51820 is in fact not open.

Why is the port not open? I rebooted WireGuard and DietPi multiple times, nothing. Any thoughts?

EDIT:
Running

ss -lun 'sport = :51820'

does in fact show that the port is open, but the state is UNCONN. If this is the case, my port forward should be working but it is not? And also why can’t I see the port on my other local machines?

Hi,
a question about the port forwarding. Did you forward UDP or TCP? Because it should be UDP for VPN usage.

Regarding the port. I quickly checked it on my WireGuard installation and it doesn't show the listen port 51820 at all, even though my installation is working quite well and I can access my system from the outside world. So I assume this is normal behavior.

I found a similar question on the web

https://www.reddit.com/r/WireGuard/comments/crxeid/wireguard_doesnt_seem_to_openlisten_on_port_gcp/

Yeah I made an edit regarding the open port part - I do see the listening activity with a certain command, so that is definitely working. Any other idea on why I cannot connect?

for testing purposes, pls can you connect your iPhone to your local network and change on your iPhone within the WireGuard app the Endpoint to YourLocalWireGuardIP:51820. There we can check if it's working without any DDNS service in between.

Finally a success! I was able to do as you said and now I’m connected to the VPN. What’s the next step?

so everything is working as expected at least locally. Next step would be to find out why your DDNS and port forwarding are not working properly. OK, let's switch to your external internet IP. It can be found out in various ways. An easy one is to open the following web page in your preferred browser.

checkip.synology.com

This will tell you your external IP address. Pls go back to your iPhone and enter the IP as endpoint with :51820. Once done, disconnect from the local network and switch on your mobile network connection. Try to connect to WireGuard.

Done, but errored out. Checked app logs and it just keeps retrying a handshake connection. Does that mean the router is not correctly port forwarded?

yes indeed. That would be the logical conclusion. pls check whether you are forwarding port 51820 UDP (not TCP) correctly to your DietPi device.

My router had the option between TCP/UDP, UDP, or TCP. The default selected that I had was TCP/UDP. I just changed it to UDP. Would this have been causing the errors? Just tested again, still not connecting after changing to UDP only.

probably. Change it to UDP and try to connect.

Still nothing.

are you able to perform some network traffic collection on your router, to see what is happening and why things are not forwarded?

I tried looking at the logs, but there is nothing there. I’ve started posting on Netgear forums as well for issues on port forwarding with my router.

ok, let's see what is coming back, at least how to discover/record the traffic.

I have installed and configured Wireguard on my Rpi3.
Duck DNS is also configured.

I have generated a config for the client and imported this configuration on my Android phone.

On my router (Huawei B818) on Virtual Server I have forwarded Port 80, 22 and 51820 to DietPi.

When I’m connected over Wireguard I don’t have internet on my phone and no connection to DietPi.

What can be the issue?

Hi,

why did you forward 80 and 22? Especially 22 will open your system for SSH access from the internet. If possible, something you should avoid. Same for 80. This will allow unencrypted HTTP access to a web server. If you plan to access a web server, I recommend opening 80+443, activating HTTPS and forcing a redirect on the web server from HTTP > HTTPS.

on port 51820, do you forward TCP or UDP? because WireGuard VPN traffic is UDP.

Do you see any handshake on your WireGuard server if you run the wg command?

You’ll need to enable forwarding on the RPi as well as NAT outgoing traffic to the router. I presume that the configuration on the Android is set to forward everything already to the WG server.
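The checks the thread circles around (a bound UDP socket showing as UNCONN, a handshake in wg output, and forwarding plus NAT on the Pi) collected into one script. This is an added example, not code from any post above or from DietPi; it assumes the WireGuard interface is wg0 and the LAN-facing interface is eth0, and the sample tool outputs embedded in it are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). WireGuard binds UDP only and silently
# drops anything that is not a valid handshake, so TCP probes (nc -zv,
# nmap -sT) report the port closed even when the server is fine; UNCONN in
# `ss -lun` is the normal state of a bound UDP socket, and a recent handshake
# in `wg show` is the only positive proof that client packets arrive.

# udp_listening SS_OUTPUT PORT: succeed if `ss -lun` output shows a UDP socket
# bound to PORT (handles both 0.0.0.0:PORT and [::]:PORT).
udp_listening() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "UNCONN" { n = split($4, a, ":"); if (a[n] == port) ok = 1 }
        END { if (ok) exit 0; exit 1 }'
}

# recent_handshakes DUMP NOW MAX_AGE: print how many peers in `wg show wg0 dump`
# output completed a handshake within MAX_AGE seconds before epoch time NOW.
# Peer columns: pubkey psk endpoint allowed-ips latest-handshake rx tx keepalive
# (latest-handshake is 0 when a peer has never handshaked).
recent_handshakes() {
    printf '%s\n' "$1" | awk -v now="$2" -v max="$3" \
        'NR > 1 && $5 > 0 && now - $5 <= max { n++ } END { print n + 0 }'
}

# nat_ok RULES OUT_IF: succeed if `iptables -t nat -S POSTROUTING` output
# masquerades traffic leaving OUT_IF (needed for clients to reach the internet).
nat_ok() {
    printf '%s\n' "$1" | grep -q -- "-A POSTROUTING -o $2 -j MASQUERADE"
}

# Constructed sample outputs (keys abbreviated, documentation/private addresses).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0            0.0.0.0:51820     0.0.0.0:*
UNCONN 0      0               [::]:51820        [::]:*'
SAMPLE_DUMP='serverpriv serverpub 51820 off
phonepub (none) 203.0.113.7:41820 10.9.0.2/32 1700000100 1200 3400 25
laptoppub (none) (none) 10.9.0.3/32 0 0 0 off'
SAMPLE_NAT='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE'

# Live mode (sh wgdiag.sh live, as root on the Pi) queries the real tools;
# interface names wg0 and eth0 are assumptions.
if [ "${1:-}" = "live" ]; then
    udp_listening "$(ss -lun)" 51820 && echo "UDP 51820 bound" || echo "UDP 51820 not bound"
    echo "peers with a handshake in the last 3 min: $(recent_handshakes "$(wg show wg0 dump)" "$(date +%s)" 180)"
    echo "net.ipv4.ip_forward=$(sysctl -n net.ipv4.ip_forward)"
    nat_ok "$(iptables -t nat -S POSTROUTING)" eth0 && echo "MASQUERADE on eth0" || echo "no MASQUERADE on eth0"
fi
```

If the UDP socket is bound but no peer ever gets a handshake, the packets are not reaching the Pi, which points at the router's UDP forward rather than at WireGuard.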