WireGuard VPN (on local device, not on router) fails

[Corey Vidal]

I originally wrote this as a reply to a thread, but I have a message at the top of my screen that I can't reply to threads more than 6 months old. So here's a new thread on it, but it's based on a small thread/problem that @TinMan11 ran in to last year.



Hi. I wanted to resurrect this from the dead. 14 hours of troubleshooting today has led me here.

I have an RT-AC88U running Asuswrt-Merlin version 384.19, and I'm having the exact same trouble described above.

Looking through WireGuard's logs, when a new WireGuard connection is made, at 3 minutes it tries for a handshake, and when it doesn't make one, it kills itself at 4 minutes:

[warning] Abandoning connection, last handshake at "4 min 5 sec" ago exceeds limit of "4 min 0 sec"

I disabled any AiProtection-related option as well as NAT acceleration (under LAN -> Switch) as recommended by @RMerlin, but that, unfortunately, didn't solve it.
However, @TinMan11's suggestion of setting UDP Timeout Assured to 1 second (in Tools > Other Settings) actually does solve it. The only problem being that I can't leave that set to 1 second, cause it would just ruin so many other things.

Is there any newer suggestion for this? WireGuard is fully supported with the latest release of Ubuntu (20.10), and I can only imagine more and more people having this problem.

 

[SomeWhereOverTheRainBow]

I originally wrote this as a reply to a thread, but I have a message at the top of my screen that I can't reply to threads more than 6 months old. So here's a new thread on it, but it's based on a small thread/problem that @TinMan11 ran in to last year.



Hi. I wanted to resurrect this from the dead. 14 hours of troubleshooting today has led me here.

I have an RT-AC88U running Asuswrt-Merlin version 384.19, and I'm having the exact same trouble described above.

Looking through WireGuard's logs, when a new WireGuard connection is made, at 3 minutes it tries for a handshake, and when it doesn't make one, it kills itself at 4 minutes:

[warning] Abandoning connection, last handshake at "4 min 5 sec" ago exceeds limit of "4 min 0 sec"

I disabled any AiProtection-related option as well as NAT acceleration (under LAN -> Switch) as recommended by @RMerlin, but that, unfortunately, didn't solve it.
However, @TinMan11's suggestion of setting UDP Timeout Assured to 1 second (in Tools > Other Settings) actually does solve it. The only problem being that I can't leave that set to 1 second, cause it would just ruin so many other things.

Is there any newer suggestion for this? WireGuard is fully supported with the latest release of Ubuntu (20.10), and I can only imagine more and more people having this problem.

I don't know if this helps, but I have a wireguard connection configured on one of my local devices. The way I am able to connect to it remotely is through portforwarding to the local address of the device. For the IPV6 connection, I just made a fire wall rule allowing ipv6 traffic to the same port. I did not have to turn off any router features to achieve a successful connection. i hope this helps.

 

[Corey Vidal]

@SomeWhereOverTheRainBow OK, perhaps you could help me with this? I'm forwarding port 51820 on my router to that device. That's the port WireGuard uses, right?
I couldn't figure out how to change my router's firewall settings. But I did try completely disabling the firewall to test, and it didn't seem to make a difference.
I'm not using ipv6.

 

[SomeWhereOverTheRainBow]

@SomeWhereOverTheRainBow OK, perhaps you could help me with this? I'm forwarding port 51820 on my router to that device. That's the port WireGuard uses, right?
I couldn't figure out how to change my router's firewall settings. But I did try completely disabling the firewall to test, and it didn't seem to make a difference.
I'm not using ipv6.

it would help if you could maybe screenshot or post an example of both the peer file and the server file ( make sure you redact your private keys.). The reason why is because i want to verify you have the proper routes and addressing assignments listed within the configuration files.

 

[Corey Vidal]

it would help if you could maybe screenshot or post an example of both the peer file and the server file ( make sure you redact your private keys.). The reason why is because i want to verify you have the proper routes and addressing assignments listed within the configuration files.

Interesting. OK so, I'm using Private Internet Access VPN with WireGuard. So, I'm only inputting my PIA credentials, and then connecting to whatever region I choose.

Whatever thing you're describing is what's making Googling this so difficult. I guess a lot of people use WireGuard on both ends of a connection? Between a client and a server both under their control? That's not my use-case.

 

[ColinTaylor]

OK so, I'm using Private Internet Access VPN with WireGuard.

So this is completely different than the situation described in the other thread. In that thread he had a remote client that was connecting to a WireGuard server running on his LAN. Hence the need to forward ports.

You appear to just be using a WireGuard client on a PC connecting to one of PIA's servers. What operating system and client are you using? Is there any help about this on PIA's website?