WireGuard Setup

Routers
,
1

For the life of me i cant get Wireguard to work on my Phone! I read the instruction everything seems to be setup fine but client (iphone) does not want to connect!

Here are the logs;

2025-01-17 08:16:22.431237: [APP] startActivation: Entering (tunnel: myhometunnel)
2025-01-17 08:16:22.436690: [APP] startActivation: Starting tunnel
2025-01-17 08:16:22.438017: [APP] startActivation: Success
2025-01-17 08:16:22.447428: [APP] Tunnel 'myhometunnel' connection status changed to 'connecting'
2025-01-17 08:16:22.540417: [NET] App version: 1.0.16 (27)
2025-01-17 08:16:22.540516: [NET] Starting tunnel from the app
2025-01-17 08:16:22.988746: [NET] DNS64: mapped 216.123.104.11 to itself.
2025-01-17 08:16:22.990562: [NET] Attaching to interface
2025-01-17 08:16:22.991254: [NET] UAPI: Updating private key
2025-01-17 08:16:22.991797: [NET] UAPI: Removing all peers
2025-01-17 08:16:22.991996: [NET] Routine: decryption worker 3 - started
2025-01-17 08:16:22.992157: [NET] Routine: encryption worker 1 - started
2025-01-17 08:16:22.992471: [NET] peer(vPJI…CVF4) - UAPI: Created
2025-01-17 08:16:22.992757: [NET] peer(vPJI…CVF4) - UAPI: Updating preshared key
2025-01-17 08:16:22.992855: [NET] peer(vPJI…CVF4) - UAPI: Updating endpoint
2025-01-17 08:16:22.993039: [NET] peer(vPJI…CVF4) - UAPI: Updating persistent keepalive interval
2025-01-17 08:16:22.993078: [NET] peer(vPJI…CVF4) - UAPI: Removing all allowedips
2025-01-17 08:16:22.993122: [NET] peer(vPJI…CVF4) - UAPI: Adding allowedip
2025-01-17 08:16:22.994126: [NET] UDP bind has been updated
2025-01-17 08:16:22.994229: [NET] peer(vPJI…CVF4) - Starting
2025-01-17 08:16:22.994334: [NET] peer(vPJI…CVF4) - Sending keepalive packet
2025-01-17 08:16:22.994402: [NET] peer(vPJI…CVF4) - Sending handshake initiation
2025-01-17 08:16:22.994451: [NET] Routine: decryption worker 2 - started
2025-01-17 08:16:22.994569: [NET] Routine: handshake worker 1 - started
2025-01-17 08:16:22.995773: [NET] Interface state was Down, requested Up, now Up
2025-01-17 08:16:22.995850: [NET] Device started
2025-01-17 08:16:22.995963: [NET] Routine: decryption worker 1 - started
2025-01-17 08:16:22.996046: [NET] Routine: handshake worker 2 - started
2025-01-17 08:16:22.996054: [NET] Tunnel interface is utun3
2025-01-17 08:16:22.996111: [NET] Routine: encryption worker 3 - started
2025-01-17 08:16:22.997989: [NET] Network change detected with satisfied route and interface order [en0, pdp_ip0]
2025-01-17 08:16:22.998409: [APP] Tunnel 'myhometunnel' connection status changed to 'connected'
2025-01-17 08:16:22.998868: [NET] DNS64: mapped 216.123.104.11 to itself.
2025-01-17 08:16:22.999019: [NET] peer(vPJI…CVF4) - UAPI: Updating endpoint
2025-01-17 08:16:22.999152: [NET] Network change detected with satisfied route and interface order [en0, utun3, pdp_ip0]
2025-01-17 08:16:22.999569: [NET] DNS64: mapped 216.123.104.11 to itself.
2025-01-17 08:16:22.999664: [NET] peer(vPJI…CVF4) - UAPI: Updating endpoint
2025-01-17 08:16:22.999840: [NET] Routine: decryption worker 6 - started
2025-01-17 08:16:22.999842: [NET] Routine: encryption worker 2 - started
2025-01-17 08:16:22.999876: [NET] Routine: handshake worker 4 - started
2025-01-17 08:16:22.999937: [NET] Routine: encryption worker 5 - started
2025-01-17 08:16:22.999975: [NET] Routine: handshake worker 3 - started
2025-01-17 08:16:23.000017: [NET] Routine: encryption worker 4 - started
2025-01-17 08:16:23.000036: [NET] Routine: decryption worker 5 - started
2025-01-17 08:16:23.001573: [NET] Routine: receive incoming v4 - started
2025-01-17 08:16:23.001696: [NET] Routine: handshake worker 6 - started
2025-01-17 08:16:23.001763: [NET] Routine: TUN reader - started
2025-01-17 08:16:23.001841: [NET] Routine: event worker - started
2025-01-17 08:16:23.006444: [NET] Routine: receive incoming v4 - stopped
2025-01-17 08:16:23.006549: [NET] Routine: handshake worker 5 - started
2025-01-17 08:16:23.006567: [NET] Routine: decryption worker 4 - started
2025-01-17 08:16:23.007825: [NET] peer(vPJI…CVF4) - Routine: sequential sender - started
2025-01-17 08:16:23.007889: [NET] Routine: receive incoming v6 - started
2025-01-17 08:16:23.008727: [NET] Routine: encryption worker 6 - started
2025-01-17 08:16:23.009048: [NET] Routine: receive incoming v6 - stopped
2025-01-17 08:16:23.009855: [NET] UDP bind has been updated
2025-01-17 08:16:23.009895: [NET] peer(vPJI…CVF4) - Routine: sequential receiver - started
2025-01-17 08:16:23.012143: [NET] Routine: receive incoming v4 - started
2025-01-17 08:16:23.012375: [NET] Routine: receive incoming v4 - stopped
2025-01-17 08:16:23.012792: [NET] Routine: receive incoming v6 - started
2025-01-17 08:16:23.012880: [NET] Routine: receive incoming v6 - stopped
2025-01-17 08:16:23.013148: [NET] UDP bind has been updated
2025-01-17 08:16:23.013189: [NET] Routine: receive incoming v6 - started
2025-01-17 08:16:23.013271: [NET] Routine: receive incoming v4 - started
2025-01-17 08:16:23.074403: [NET] Network change detected with satisfied route and interface order [en0, utun3, pdp_ip0]
2025-01-17 08:16:23.074908: [NET] DNS64: mapped 216.123.104.11 to itself.
2025-01-17 08:16:23.075050: [NET] peer(vPJI…CVF4) - UAPI: Updating endpoint
2025-01-17 08:16:23.075363: [NET] Routine: receive incoming v4 - stopped
2025-01-17 08:16:23.075423: [NET] Routine: receive incoming v6 - stopped
2025-01-17 08:16:23.075636: [NET] UDP bind has been updated
2025-01-17 08:16:23.075644: [NET] Routine: receive incoming v4 - started
2025-01-17 08:16:23.076173: [NET] Routine: receive incoming v6 - started
2025-01-17 08:16:27.437857: [APP] Status update notification timeout for tunnel 'myhometunnel'. Tunnel status is now 'connected'.
2025-01-17 08:16:28.162255: [NET] peer(vPJI…CVF4) - Handshake did not complete after 5 seconds, retrying (try 2)
2025-01-17 08:16:28.162545: [NET] peer(vPJI…CVF4) - Sending handshake initiation
2025-01-17 08:16:33.219323: [NET] peer(vPJI…CVF4) - Sending handshake initiation
2025-01-17 08:16:38.318129: [NET] peer(vPJI…CVF4) - Handshake did not complete after 5 seconds, retrying (try 2)
2025-01-17 08:16:38.318494: [NET] peer(vPJI…CVF4) - Sending handshake initiation
2025-01-17 08:16:43.470010: [NET] peer(vPJI…CVF4) - Handshake did not complete after 5 seconds, retrying (try 2)
2025-01-17 08:16:43.470367: [NET] peer(vPJI…CVF4) - Sending handshake initiation
2025-01-17 08:16:48.546610: [NET] peer(vPJI…CVF4) - Handshake did not complete after 5 seconds, retrying (try 2)
2025-01-17 08:16:48.546986: [NET] peer(vPJI…CVF4) - Sending handshake initiation
2025-01-17 08:16:53.767345: [NET] peer(vPJI…CVF4) - Handshake did not complete after 5 seconds, retrying (try 2)
2025-01-17 08:16:53.767669: [NET] peer(vPJI…CVF4) - Sending handshake initiation
2025-01-17 08:16:58.801636: [NET] peer(vPJI…CVF4) - Handshakem  did not complete after 5 seconds, retrying (try 2)
2025-01-17 08:16:58.801907: [NET] peer(vPJI…CVF4) - Sending handshake initiation
2025-01-17 08:17:04.127778: [NET] peer(vPJI…CVF4) - Handshake did not complete after 5 seconds, retrying (try 2)
2025-01-17 08:17:04.128139: [NET] peer(vPJI…CVF4) - Sending handshake initiation
2025-01-17 08:17:09.306980: [NET] peer(vPJI…CVF4) - Handshake did not complete after 5 seconds, retrying (try 3)
2025-01-17 08:17:09.307337: [NET] peer(vPJI…CVF4) - Sending handshake initiation
2025-01-17 08:17:14.328736: [NET] peer(vPJI…CVF4) - Handshake did not complete after 5 seconds, retrying (try 2)
2025-01-17 08:17:14.329120: [NET] peer(vPJI…CVF4) - Sending handshake initiation
2025-01-17 08:17:19.402657: [NET] peer(vPJI…CVF4) - Handshake did not complete after 5 seconds, retrying (try 2)
2025-01-17 08:17:19.403024: [NET] peer(vPJI…CVF4) - Sending handshake initiation

How do i go troubleshoot this further?

2

Can you confirm the configuration on your client device appears correct also? Which instruction did you follow? Was it in our help center?

3

i used the instruction from the help center to setup! for the client config, i just scanned the QR code! here are screenshots
One thing i noticed on the client when i view the config when VPN is not enabled it is showing endpoint name in: ddns but when it is active is showing Peer Endpoint IPv6. Not sure if that helps;

wireguard-setup1- Alta
wireguard-setup1- Alta430×473 20.8 KB

wireguard-setup2- Alta
wireguard-setup2- Alta428×705 32.5 KB

Screenshot 2025-01-17 at 08.50.32
Screenshot 2025-01-17 at 08.50.321170×2532 217 KB

Screenshot 2025-01-17 at 08.49.07
Screenshot 2025-01-17 at 08.49.071170×2532 221 KB

4

I don’t understand what you’re stating here. Can you screenshot the two different states?

Also, could you try a different browser when viewing the QR code from your desktop or laptop?

5

sure i will try different browser:

Look at the two client config screenshot i posted above and look for EndPoint line when VPN/tunnel it is in active state vs inactive state the Endpoint Line changes ddns to IPv6 address! maybe just a nuance but that is noticed on the client configuration on my phone! Make sense?

6

My brain did not register these two screenshots the first time around, woops! I see what you mean now.

When you activate the tunnel, you see the IPv6 instead of the ddns.

7

OK tried another browser (firefox) scanned QR code same result! When i download the config manually it looks good to me!

[Interface]
PrivateKey = ID+K3jnXdwW2gMYz4c2YDK+KrcIB1223541554vdGY=
Address = 172.16.87.2/24
DNS = 1.1.1.1,8.8.8.8

[Peer]
PublicKey = vPJIGDm7j12365455859NmYI4cYIgXfjECVF4=
AllowedIPs = 0.0.0.0/0
Endpoint = blahblahblha.ddns.manage.alta.inc:51820
PersistentKeepalive = 15
PresharedKey = CjKUUSIa1v/IP1123654854hVcelZchRvdm6cg=

I will try to find another client to test as well!

8

i also facing the same issue, i can setup the profile and can establish connect from my iphone wireguard app to route10 wireguard.

but i noticed that the Data received is very very low, like in Bytes, where as the Data sent in is in 10-20KB.

so i have tested with my other router (Flint2)Wireguard server with the same ISP and i am able to connect my iphone and able to connect to my home network via 5G network.

did i miss a config somewhere(DDNS?keys? ip? vlan?)? as i follow this guide https://help.alta.inc/hc/en-us/articles/32440809238171-Configuring-WireGuard-Remote-User-VPN-on-Route10 . My route10 is on 1.3v .

using the Wan2 port to connect to my 2.5GB ISP (not sure if wan port makes any differences?)

Thanks.

9

Could you clarify if this means that you tested the throughput with a speedtest tool and the result was in bytes and kilobytes?

10

Hi @Alta-Josh , thanks for getting back to me. Not sure if it needs more time or it work after I reboot again. WireGuard is working now.

Sorry for not being clear on the data provided. I have attached a screenshot of the WireGuard of my iPhone. I was pointing to the data send and receive in my WireGuard page. Now it looks way better. Just could get it working last night . Try to troubleshoot till 2am but was not getting any results. Could be doing something wrong hahaha.

Did some Speedtest on my desktops n iPhone. It is working I can access my nas on 5G too.

Desktop 1 on isp 2 - 2.5gb plan
Speedtest without WireGuard on
Download:1.6gb , Upload: 1gb

Speedtest with WireGuard on(WireGuard is running in my Route10 using my primary ISP 2.5gb plan)
Download: 824MB, upload:222mb - desktop with 2.5gb NIc
Download:477MB , upload:157MB- iPhone 13pro max just beside the wireless wifi6 router.

Have swap my setup around to test with my other WireGuard that is running on the other router and I get around same speed(890MB Down,280MB Up. could be my ISP is sharing with all other home user and other isp Bandwidth, As it got the almost the same result when running on each isp. it just wont go any higher. when running teaming on both ISP. the speed is 4GB down, 900MB Up.

IMG_6749
IMG_67491284×2778 218 KB

11

Hi,

I don’t want to open a new thread because my problem is related to this one.
I also configured Wireguard, scanned the QR on my phone and… it didn’t work, I checked whether an exception for the Wireguard server port was added to the firewall and it wasn’t there. I would like to emphasize that I did not restart the device, after manually adding an exception for the Wirteguard server port, the connection worked. Now the questions :slight_smile: :

  1. Is this normal? If so and you need to add an exception manually, it may be worth adding this information to the Wireguard Setup manual.
  2. If this is not normal and you need to restart the Router after enabling Wireguard, I would also add such information to the Configuration Instructions.
    2.1 If turning on the Wireguard Server should add an exception to the firewall and as we can see it does not - then we probably have a bug.
    Controller: Local version 1.0t
    Router: 1.3v

Thank you for your attention

1 Like
12

A new thread would be warranted, since there may be no issue in this thread at all for yours to be related to. However, I can split that out on your behalf if we determine that to be the case, so no worries.

Can you consistently reproduce this issue? Please confirm your WireGuard client config (from downloading it or the QR code) appears correct first. Second, could you try scanning the code from a different web browser? I had a brief issue with a chromium-based browser, but it has since been resolved by the browser.

How was it that you created the firewall rule manually? What does that rule look like? Finally, how did you check for the WireGuard exception in the first place?

13

ok,

I used different browsers, arc, Chrome, firefox and zen, and they looked ok after scanning or downloading the .conf file, they were correct (i.e. the same every time)
Can I reproduce the problem? Yes and no. I can if I delete this rule from Firewall → Filter

{6BCE6160-5585-41BF-9210-183BC92EF87F}
{6BCE6160-5585-41BF-9210-183BC92EF87F}359×590 25.7 KB

I created the rule manually and the connection was established, apart from adding the rule I did not make any changes. I did it based on my previous Mikrotik but rather for testing, because I did not know if the exception for the port used by Wireguard was created automatically, hence my questions in the previous post.

if there are any ambiguities, please let me know. We know that my English is not very clear :smiley:

2 Likes
14

Hi,

I have one more question regarding the Wireguard server configuration. Why is some strange address xxxx.mylocalcontroler.ddns.manage.alta.inc inserted in the Endpoint instead of the simple IP address of the WAN port?

have a good day

15

This allows for the domain to resolve at your IP, even if you have a dynamic address that may change such as when resetting or sometimes rebooting your modem. Most providers charge an extra fee for static addresses, or reserve them for business class packages.

I’m still investigating a way to reproduce your issue above.

1 Like
16

Also facing this issue. Still unable to connect even after the additional firewall rule. Have yet to restart the router.

17

Can you open a new thread describing the details of your issue? This one has become entangled, making your report unclear.

18

@Alta-Josh May I confirmed that the router 10 will monitor our dynamic public ip from time to time and update the ddns at Alta?

19

Hi @Alta-Josh

I understand, I would like to propose the option of choosing to use the ddns service or the ip address from the wan port for people who have a static address.

20

FYI - Solution to my original thread! it looks like i messed up private key field somewhat in the WireGuard setup section. In the logs i was able to see it
" Key is not the correct length or format" error and updated the key with the correct format. Now I am able to connect it.

Thank you for the help!

2 Likes