WireGuard Setup Troubleshooting (Successful Handshake - No Internet)

Hi everyone,

I am having a bit of an issue with configuring a WireGuard VPN tunnel and need some help with troubleshooting ideas.

I created the diagram below for some additional clarity. I have two routers, one MikroTik for my home environment and a Gl.iNet Beryl AX for traveling.

The MikroTik router is set up as a WireGuard server and sits at home. The Beryl is a WireGuard client and is the one I will be using as a travel router that I carry with me and connect to whatever local WiFi I am able to get (hotels, coffee shops, restaurants, etc.).

All this seemed to work fine after the initial setup and I was able to use the VPN to connect to my home network as well as route all traffic through the home network too. Something, however, changed and now I am able to connect to the server, but am not able to reach the internet. I can see that the handshake is successful inside the WireGuard Server, but when I try to reach any website, the request times out.

I have also configured my phone as a client and the phone has no problem connecting to the WireGuard Server and browsing the internet. This leads me to believe that the underlying problem is not with the Server (MikroTik), but with the travel router.

At first I thought it might be a DNS resolver issue, but, while I am connected to the VPN, I also cannot ping anything by IP either. tcpdump didn’t yield any results either. Cannot see any errors there. I’m pasting the relevant parts of the dump below too.

Fri May 19 20:02:05 2023 daemon.notice netifd: Interface 'wgclient' is setting up now
Fri May 19 20:02:05 2023 daemon.info dnsmasq[13031]: exiting on receipt of SIGTERM
Fri May 19 20:02:05 2023 user.warn : skip line without '=' Default
Fri May 19 20:02:05 2023 user.warn : skip line without '='
Fri May 19 20:02:05 2023 user.warn : skip line without '=' Default
Fri May 19 20:02:05 2023 user.warn : skip line without '='
Fri May 19 20:02:05 2023 user.warn : skip line without '=' Default
Fri May 19 20:02:05 2023 user.warn : skip line without '='
Fri May 19 20:02:05 2023 user.warn : skip line without '=' Default
Fri May 19 20:02:05 2023 user.warn : skip line without '='
Fri May 19 20:02:05 2023 user.warn : skip line without '=' Default
Fri May 19 20:02:05 2023 user.warn : skip line without '='
Fri May 19 20:02:05 2023 user.warn : skip line without '=' Default
Fri May 19 20:02:05 2023 user.warn : skip line without '='
Fri May 19 20:02:05 2023 user.warn : skip line without '=' Default
Fri May 19 20:02:05 2023 user.warn : skip line without '='
Fri May 19 20:02:05 2023 user.warn : skip line without '=' Default
Fri May 19 20:02:05 2023 user.warn : skip line without '='
Fri May 19 20:02:05 2023 user.warn : skip line without '=' Default
Fri May 19 20:02:05 2023 user.warn : skip line without '='
Fri May 19 20:02:05 2023 user.warn : skip line without '=' Default
Fri May 19 20:02:05 2023 user.warn : skip line without '='
Fri May 19 20:02:06 2023 user.notice wireguard-debug: USER=root ifname=wgclient ACTION=KEYPAIR-CREATED SHLVL=1 HOME=/ HOTPLUG_TYPE=wireguard LOGNAME=root DEVICENAME= TERM=linux SUBSYSTEM=wireguard PATH=/usr/sbin:/usr/bin:/sbin:/bin PWD=/
Fri May 19 20:02:09 2023 daemon.info dnsmasq[14686]: Connected to system UBus
Fri May 19 20:02:09 2023 daemon.info dnsmasq[14686]: started, version 2.85 cachesize 150
Fri May 19 20:02:09 2023 daemon.info dnsmasq[14686]: DNS service limited to local subnets
Fri May 19 20:02:09 2023 daemon.info dnsmasq[14686]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile
Fri May 19 20:02:09 2023 daemon.info dnsmasq[14686]: UBus support enabled: connected to system bus
Fri May 19 20:02:09 2023 daemon.info dnsmasq-dhcp[14686]: DHCP, IP range 192.168.9.100 -- 192.168.9.249, lease time 12h
Fri May 19 20:02:09 2023 daemon.info dnsmasq-dhcp[14686]: DHCP, IP range 192.168.8.100 -- 192.168.8.249, lease time 12h
Fri May 19 20:02:09 2023 daemon.info dnsmasq[14686]: using only locally-known addresses for domain test
Fri May 19 20:02:09 2023 daemon.info dnsmasq[14686]: using only locally-known addresses for domain onion
Fri May 19 20:02:09 2023 daemon.info dnsmasq[14686]: using only locally-known addresses for domain localhost
Fri May 19 20:02:09 2023 daemon.info dnsmasq[14686]: using only locally-known addresses for domain local
Fri May 19 20:02:09 2023 daemon.info dnsmasq[14686]: using only locally-known addresses for domain invalid
Fri May 19 20:02:09 2023 daemon.info dnsmasq[14686]: using only locally-known addresses for domain bind
Fri May 19 20:02:09 2023 daemon.info dnsmasq[14686]: using nameserver 127.0.0.1#5453
Fri May 19 20:02:09 2023 daemon.info dnsmasq[14686]: using only locally-known addresses for domain lan
Fri May 19 20:02:09 2023 daemon.info dnsmasq[14686]: read /etc/hosts - 4 addresses
Fri May 19 20:02:09 2023 daemon.info dnsmasq[14686]: read /tmp/hosts/dhcp.cfg01411c - 3 addresses
Fri May 19 20:02:09 2023 daemon.info dnsmasq-dhcp[14686]: read /etc/ethers - 0 addresses
Fri May 19 20:02:09 2023 daemon.notice netifd: Interface 'wgclient' is now up
Fri May 19 20:02:09 2023 daemon.notice netifd: Network device 'wgclient' link is up
Fri May 19 20:02:09 2023 daemon.info dnsmasq[14686]: exiting on receipt of SIGTERM
Fri May 19 20:02:09 2023 user.notice mwan3[14746]: Execute ifup event on interface wgclient (wgclient)
Fri May 19 20:02:09 2023 user.notice mwan3[14746]: Starting tracker on interface wgclient (wgclient)
Fri May 19 20:02:10 2023 user.info mwan3rtmon[7438]: Detect rtchange event.
Fri May 19 20:02:11 2023 user.notice firewall: Reloading firewall due to ifup of wgclient (wgclient)
Fri May 19 20:02:12 2023 daemon.info dnsmasq[15562]: Connected to system UBus
Fri May 19 20:02:12 2023 daemon.info dnsmasq[15562]: started, version 2.85 cachesize 150
Fri May 19 20:02:12 2023 daemon.info dnsmasq[15562]: DNS service limited to local subnets
Fri May 19 20:02:12 2023 daemon.info dnsmasq[15562]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile
Fri May 19 20:02:12 2023 daemon.info dnsmasq[15562]: UBus support enabled: connected to system bus
Fri May 19 20:02:12 2023 daemon.warn dnsmasq[15562]: warning: ignoring resolv-file flag because no-resolv is set
Fri May 19 20:02:12 2023 daemon.info dnsmasq-dhcp[15562]: DHCP, IP range 192.168.9.100 -- 192.168.9.249, lease time 12h
Fri May 19 20:02:12 2023 daemon.info dnsmasq-dhcp[15562]: DHCP, IP range 192.168.8.100 -- 192.168.8.249, lease time 12h
Fri May 19 20:02:12 2023 daemon.info dnsmasq[15562]: using only locally-known addresses for domain test
Fri May 19 20:02:12 2023 daemon.info dnsmasq[15562]: using only locally-known addresses for domain onion
Fri May 19 20:02:12 2023 daemon.info dnsmasq[15562]: using only locally-known addresses for domain localhost
Fri May 19 20:02:12 2023 daemon.info dnsmasq[15562]: using only locally-known addresses for domain local
Fri May 19 20:02:12 2023 daemon.info dnsmasq[15562]: using only locally-known addresses for domain invalid
Fri May 19 20:02:12 2023 daemon.info dnsmasq[15562]: using only locally-known addresses for domain bind
Fri May 19 20:02:12 2023 daemon.info dnsmasq[15562]: using nameserver 127.0.0.1#5453
Fri May 19 20:02:12 2023 daemon.info dnsmasq[15562]: using only locally-known addresses for domain lan
Fri May 19 20:02:12 2023 daemon.info dnsmasq[15562]: read /etc/hosts - 4 addresses
Fri May 19 20:02:12 2023 daemon.info dnsmasq[15562]: read /tmp/hosts/dhcp.cfg01411c - 3 addresses
Fri May 19 20:02:12 2023 daemon.info dnsmasq-dhcp[15562]: read /etc/ethers - 0 addresses
Fri May 19 20:02:12 2023 user.notice wgclient-up: env value:T_J_A1_1=object T_J_V_ifname=string USER=root ifname=wgclient ACTION=KEYPAIR-CREATED SHLVL=2 J_V_keep=1 T_J_V_ipaddr=array HOME=/ T_J_T2_mask=string HOTPLUG_TYPE=wireguard T_J_V_interface=string J_A1_1=J_T2 J_V_ifname=wgclient T_J_V_link_up=boolean T_J_T2_ipaddr=string LOGNAME=root DEVICENAME= T_J_V_action=int K_J_A1= 1 J_V_ipaddr=J_A1 TERM=linux SUBSYSTEM=wireguard PATH=/usr/sbin:/usr/bin:/sbin:/bin J_T2_mask=24 CONFIG_LIST_STATE= J_V_interface=wgclient K_J_V= action ifname link_up keep ipaddr interface J_V_link_up=1 J_T2_ipaddr=192.168.32.2 J_V_action=0 N_J_V_link_up=link-up PROTO_IPADDR=192.168.32.2/24// T_J_V_keep=boolean PWD=/ JSON_CUR=J_V K_J_T2= ipaddr mask CONFIG_SECTIONS=global AzireVPN Mullvad FromApp group_8404 group_1370 group_4337 group_1834 peer_7007 peer_9741 CONFIG_cfg030f15_ports=
Fri May 19 20:02:12 2023 user.notice wireguard-debug: USER=root ifname=wgclient ACTION=KEYPAIR-CREATED SHLVL=1 HOME=/ HOTPLUG_TYPE=wireguard LOGNAME=root DEVICENAME= TERM=linux SUBSYSTEM=wireguard PATH=/usr/sbin:/usr/bin:/sbin:/bin PWD=/

Can’t find a reason for it to work after the initial config and to suddenly stop working a day later.

Any help would be greatly appreciated!

Not sure why the diagram is not visible, so I am pasting a link to it:

https://imgur.com/o5A5gMS

Some things you can do to troubleshoot:

  • Enable Wireguard debug on the “server”

    modprobe wireguard && echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control

    Also see here: Four Ways to View WireGuard Logs | Pro Custodibus

  • tcpdump on the server and verify traffic is coming into the server while generating traffic on your “client”

  • Ensure that ipv4_forwarding is enabled on the “server”

    Add net.ipv4.ip_forward = 1 to /etc/sysctl.conf to persist the setting between system restarts. Use sysctl -w net.ipv4.ip_forward=1 to enable IP forwarding immediately without having to reboot.

  • Run Wireshark on the “client” and verify traffic is moving between the wg interface/Internet interface accordingly

  • Make sure your AllowedIPs is correct

Same problem here. I installed WireGuard on my Ubuntu server but I also can’t access the internet after connecting to it :pensive_face:

Had the same problem. I found out the user endpoint doesn’t update if your public IP changes on the server side.

Hi! Thanks for your reply, will try to do what you’re suggesting. The strange thing is that it seems the server itself is configured correctly. The problem might lie with the client.

But there is no internet, I cannot connect to anything and the connection times out whenever I try. At first it was working, but something changed and I am unable to use it successfully now.

IPv4 forwarding is enabled as well.

I will try and enable debug on the server to see if there would be any useful information present that might help with this.

I’ll also try running wireshark on the client to verify that the traffic is moving between the interfaces as expected.

Thanks for the suggestions and your time.

I added the travel router range (192.168.8.0/24) to the peer configuration “Allowed Addresses” on the MikroTik and now it works. Not sure why it was working at first without that.
Was that range supposed to be there from the start? My understanding is that all traffic should be going through the WireGuard network, but maybe I’m wrong.

So, to summarize: The peer configuration inside the MikroTik now has two “Allowed Addresses”:

192.168.8.0/24 - Travel Router Network
192.168.32.2/24 - Client IP address of the device in the WireGuard network.

This fixed the issue and I am able to connect to the internet and to my home network without a problem. Not sure if that is the correct way to do it though, but it works.
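The “Make sure your AllowedIPs is correct” item in the troubleshooting list above and the “Allowed Addresses” change in this post both come down to WireGuard’s cryptokey routing: a peer’s traffic is only accepted if its source address is inside that peer’s allowed prefixes, outbound packets go to the peer with the longest matching prefix, and each prefix can belong to only one peer at a time. The Python model below is an added example, not code from the thread, MikroTik or GL.iNet; it assumes RouterOS applies the same one-owner-per-prefix rule as the reference wg(8) implementation, and the addresses are the ones quoted in this post.

```python
import ipaddress


class CryptokeyRoutingTable:
    """Model of WireGuard's cryptokey routing table (added example)."""

    def __init__(self):
        self.table = {}  # ip_network -> name of the peer that owns it

    def add_allowed_ip(self, peer, prefix):
        # Like `wg set <if> peer <key> allowed-ips`: a prefix already owned by
        # another peer is moved to this peer, never shared (wg(8) semantics).
        net = ipaddress.ip_network(prefix, strict=False)
        self.table[net] = peer

    def allowed_ips(self, peer):
        return sorted(str(n) for n, p in self.table.items() if p == peer)

    def accepts_inbound(self, peer, src):
        # Decrypted packet from `peer` is kept only if its source is allowed.
        addr = ipaddress.ip_address(src)
        return any(addr in n and p == peer for n, p in self.table.items())

    def route_outbound(self, dst):
        # Longest-prefix match picks the peer an outbound packet is sent to.
        addr = ipaddress.ip_address(dst)
        hits = [(n.prefixlen, p) for n, p in self.table.items() if addr in n]
        return max(hits)[1] if hits else None


def travel_router_scenario():
    """Constructed: travel router peer at 192.168.32.2 with LAN 192.168.8.0/24
    behind it. Un-NATed LAN traffic is dropped until the LAN prefix is added."""
    rt = CryptokeyRoutingTable()
    rt.add_allowed_ip("travel", "192.168.32.2/32")
    before = rt.accepts_inbound("travel", "192.168.8.100")
    rt.add_allowed_ip("travel", "192.168.8.0/24")
    after = rt.accepts_inbound("travel", "192.168.8.100")
    return before, after


def overlapping_prefix_scenario():
    """Constructed: two peers each given a /24 instead of a /32. The second add
    takes the whole 192.168.32.0/24 away from the first peer."""
    rt = CryptokeyRoutingTable()
    rt.add_allowed_ip("travel", "192.168.32.2/24")  # normalises to 192.168.32.0/24
    rt.add_allowed_ip("phone", "192.168.32.3/24")   # same prefix, moves to phone
    return rt.allowed_ips("travel"), rt.route_outbound("192.168.32.2")
```

The second scenario is why a per-client /32 is the usual choice: with a /24 on two peers, whichever peer was configured last owns the prefix and the other peer's traffic is silently dropped.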

Strike that… The change didn’t really work long-term. Something changed again and I have no access to the internet once more.

I got the same issue on my phone as well. I tried to go through the last steps in my last comment where I added the travel router range to the Allowed Addresses list. It turns out that adding this range didn’t actually do the trick. Hitting apply to the configuration to “refresh” it is what helps.

As an example, I just clicked “Apply” to the client configuration of the travel router and was able to browse the internet successfully. Exactly the same happened for the phone.

Even before that, I see that the handshakes are successful for both peers and are every 2 min, but if I don’t click apply, even though the connection is established I cannot use the internet.

Not sure what’s really going on. Any ideas? Maybe the configuration is not being persisted?

You mean if the server (in my case mikrotik router with wireguard) Public IP changes, this change is not propagated to the user endpoints (like the travel router and mobile phone)?

Did you find a solution to that problem?

Exactly! I simply use a DDNS address (in my case DuckDNS) on the user endpoints so it’s always pointing at my public IP.

It was, with a ddns. Changed it to static again to test if that was causing the problem, but the issues continue.

I narrowed it down a bit further. If I just use one, for example just the travel router, it seems to work fine. The moment I try to connect with the other device, in this example the phone, the config of the other peer or both inside the MikroTik partially breaks and I need to hit Apply to reapply the settings, and that fixes it.

Still can’t figure what might be causing such odd behavior though…