My big trouble with Wireguard (Pls help me before I need a therapist!)

Hello friends,
I've got Wireguard running on my Raspi 4 4GB and only get a connection after a period of time and / or many tries. This drives me crazy and I cannot find a solution or reason for this. I am willing to pay money to someone who could help me with my problem. Thx!

Here is my configuration:

"sudo wg show" shows:

pi@raspi4B:~ $ sudo wg show
interface: wghub
public key: lzN.....lo=
private key: (hidden)
listening port: 9050

peer: zvYN.....zc=
preshared key: (hidden)
endpoint: 92.72.93.140:1024
allowed ips: 10.162.155.10/32
transfer: 148 B received, 239.29 KiB sent

"sudo wg show" some tries later:

peer: zvYNz...........zc=
preshared key: (hidden)
endpoint: 46.114.137.225:45486
allowed ips: 10.162.155.10/32
latest handshake: 1 minute, 33 seconds ago
transfer: 540 B received, 291.20 KiB sent

"ifconfig" shows RX / TX errors for unknown reasons:

pi@raspi4B:~/Desktop $ ifconfig
eth0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether dc:a6:32:59:8e:d1 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 7895925 bytes 881522742 (840.6 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 7895925 bytes 881522742 (840.6 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

wghub: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 1280
inet 10.162.155.1 netmask 255.255.255.0 destination 10.162.155.1
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC)
RX packets 253795 bytes 38836964 (37.0 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 541205 bytes 609448960 (581.2 MiB)
TX errors 4115536 dropped 14096 overruns 0 carrier 0 collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.60 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 fe80::6607:9bc6:c3dd:e988 prefixlen 64 scopeid 0x20<link>
ether dc:a6:32:59:8e:d2 txqueuelen 1000 (Ethernet)
RX packets 2076133 bytes 749185744 (714.4 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 12920394 bytes 1736667843 (1.6 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

On my Raspi the Wireguard config "wghub.conf":

[Interface]
Address = 10.162.155.1/24
ListenPort = 9050
PrivateKey = ME7.........M=
SaveConfig = false
MTU = 1280
PostUp = iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o wlan0 -j TCPMSS --clam$
PostUp = ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o wlan0 -j TCPMSS --cla$
PostUp = iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
PostUp = iptables -A FORWARD -i %i -j ACCEPT
PostUp = ip6tables -A FORWARD -i %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j ACCEPT
PostDown = ip6tables -D FORWARD -i %i -j ACCEPT
PostDown = iptables -t nat -D POSTROUTING -o wlan0 -j MASQUERADE
PostDown = iptables -t mangle -D POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o wlan0 -j TCPMSS --cl$
PostDown = ip6tables -t mangle -D POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o wlan0 -j TCPMSS --c$
PostUp = sysctl -q -w net.ipv4.ip_forward=1
PostUp = sysctl -q -w net.ipv6.conf.all.forwarding=1
PostDown = sysctl -q -w net.ipv6.conf.all.forwarding=0
# 10: 10 > wgclient_10.conf

[Peer]
PublicKey = zvYN........c=
PresharedKey = pB5.......W0=
AllowedIPs = 10.162.155.10/32

The mobile phone config:

The mobile phone application log shows:

......
02-26 00:09:29.041  1242  1427 D WireGuard/GoBackend/raspi4-jens: peer(lzN5…shlo) - Sending handshake response
02-26 00:09:34.758  1242  2286 D WireGuard/GoBackend/raspi4-jens: peer(lzN5…shlo) - Received handshake initiation
02-26 00:09:34.758  1242  2286 D WireGuard/GoBackend/raspi4-jens: peer(lzN5…shlo) - Sending handshake response
02-26 00:09:40.518  1242  1427 D WireGuard/GoBackend/raspi4-jens: peer(lzN5…shlo) - Received handshake initiation
02-26 00:09:40.518  1242  1427 D WireGuard/GoBackend/raspi4-jens: peer(lzN5…shlo) - Sending handshake response
02-26 00:09:46.279  1242  1427 D WireGuard/GoBackend/raspi4-jens: peer(lzN5…shlo) - Received handshake initiation
02-26 00:09:46.280  1242  1427 D WireGuard/GoBackend/raspi4-jens: peer(lzN5…shlo) - Sending handshake response
02-26 00:09:51.320  1242  9421 D WireGuard/GoBackend/raspi4-jens: peer(lzN5…shlo) - Received handshake initiation
02-26 00:09:51.320  1242  9421 D WireGuard/GoBackend/raspi4-jens: peer(lzN5…shlo) - Sending handshake response
02-26 00:09:57.167  1242  2286 D WireGuard/GoBackend/raspi4-jens: peer(lzN5…shlo) - Received handshake initiation
02-26 00:09:57.167  1242  2286 D WireGuard/GoBackend/raspi4-jens: peer(lzN5…shlo) - Sending handshake response
02-26 00:10:02.992  1242  2286 D WireGuard/GoBackend/raspi4-jens: peer(lzN5…shlo) - Sending handshake initiation
02-26 00:10:02.997  1242  9421 D WireGuard/GoBackend/raspi4-jens: peer(lzN5…shlo) - Received handshake initiation
02-26 00:10:02.997  1242  9421 D WireGuard/GoBackend/raspi4-jens: peer(lzN5…shlo) - Sending handshake response
02-26 00:10:08.011  1242  1427 D WireGuard/GoBackend/raspi4-jens: peer(lzN5…shlo) - Handshake did not complete after 5 seconds, retrying (try 2)
02-26 00:10:08.011  1242  1427 D WireGuard/GoBackend/raspi4-jens: peer(lzN5…shlo) - Sending handshake initiation
02-26 00:10:08.650  1242  9421 D WireGuard/GoBackend/raspi4-jens: peer(lzN5…shlo) - Received handshake initiation
02-26 00:10:08.650  1242  9421 D WireGuard/GoBackend/raspi4-jens: peer(lzN5…shlo) - Sending handshake response
02-26 00:10:09.818  1242  1242 I am_on_restart_called: [0,com.wireguard.android.activity.MainActivity,performRestartActivity]
02-26 00:10:09.832  1242  1242 I am_on_start_called: [0,com.wireguard.android.activity.MainActivity,handleStartActivity]
02-26 00:10:09.834  1242  1242 I am_on_resume_called: [0,com.wireguard.android.activity.MainActivity,RESUME_ACTIVITY]
02-26 00:10:11.867  1242  1242 I menu_item_selected: [0,Einstellungen]
02-26 00:10:11.895  1242  1242 I am_on_paused_called: [0,com.wireguard.android.activity.MainActivity,performPause]
02-26 00:10:11.902  1242  1242 W ActivityThread: handleWindowVisibility: no activity for token android.os.BinderProxy@87932c8
02-26 00:10:11.932  1242  1242 I am_on_create_called: [0,com.wireguard.android.activity.SettingsActivity,performCreate]
02-26 00:10:11.970  1242  1242 I am_on_start_called: [0,com.wireguard.android.activity.SettingsActivity,handleStartActivity]
02-26 00:10:11.971  1242  1242 I am_on_resume_called: [0,com.wireguard.android.activity.SettingsActivity,RESUME_ACTIVITY]
02-26 00:10:11.977  1242  1308 W WireGuard/RootShell: Root check did not return correct UID: null
02-26 00:10:12.489  1242  1242 I am_on_stop_called: [0,com.wireguard.android.activity.MainActivity,STOP_ACTIVITY_ITEM]
02-26 00:10:13.034  1242  1427 D WireGuard/GoBackend/raspi4-jens: peer(lzN5…shlo) - Handshake did not complete after 5 seconds, retrying (try 2)
02-26 00:10:13.726  1242  1471 D WireGuard/GoBackend/raspi4-jens: peer(lzN5…shlo) - Sending handshake initiation
02-26 00:10:13.731  1242  1242 I am_on_paused_called: [0,com.wireguard.android.activity.SettingsActivity,performPause]
02-26 00:10:13.755  1242  1242 W ActivityThread: handleWindowVisibility: no activity for token android.os.BinderProxy@1ac191f
02-26 00:10:13.763  1242  1471 D WireGuard/GoBackend/raspi4-jens: peer(lzN5…shlo) - Received handshake initiation
02-26 00:10:13.763  1242  1471 D WireGuard/GoBackend/raspi4-jens: peer(lzN5…shlo) - Sending handshake response
02-26 00:10:13.775  1242  1242 I am_on_create_called: [0,com.wireguard.android.activity.LogViewerActivity,performCreate]
02-26 00:10:13.777  1242  1242 I am_on_start_called: [0,com.wireguard.android.activity.LogViewerActivity,handleStartActivity]
02-26 00:10:13.777  1242  1242 I am_on_resume_called: [0,com.wireguard.android.activity.LogViewerActivity,RESUME_ACTIVITY]
02-26 00:10:14.270  1242  1242 I am_on_stop_called: [0,com.wireguard.android.activity.SettingsActivity,STOP_ACTIVITY_ITEM]

"ifconfig" under working conditions:

wghub: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 1280
inet 10.162.155.1 netmask 255.255.255.0 destination 10.162.155.1
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC)
RX packets 19476 bytes 2115236 (2.0 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 52275 bytes 55092168 (52.5 MiB)
TX errors 1320572 dropped 5085 overruns 0 carrier 0 collisions 0

"sudo wg show" under working conditions:

pi@raspi4B:~ $ sudo wg show
interface: wghub
public key: lzN..........lo=
private key: (hidden)
listening port: 9050

peer: zvYN............zc=
preshared key: (hidden)
endpoint: 46.114.136.62:19048
allowed ips: 10.162.155.10/32
latest handshake: 26 seconds ago
transfer: 7.46 MiB received, 241.78 MiB sent

My routing:
"xxxxxxxx.mooo.com" (to resolve my IP from hostname for Router 1)
Router 1 IP: 192.168.2.1 connected to Router 2
Router 2 has static IP: 192.169.2.103 at Router 1 and UDP port 9050 Wireguard is forwarded
Router 2 Network: 192.168.0.1 and UDP port 9050 is forwarded to Raspi
Raspi has static IP 192.168.0.60 (wlan0)

What I've tried to fix the issues, but which did not help:

  • Wireguard reinstallation
  • htop to check raspi for overload
  • stopped Node Red on raspi to see if it causes trouble
  • replaced Router 1 and 2 with another vendor / model
  • many different Wireguard configuration stuff
  • changed external IP addresses from the connection of my mobile phone devices (provider)
  • changed mobile phone and provider
  • changed external IP address from internet service provider
  • hostname (xxxxx.mooo.com) resolves IP like it should (ping tests)
  • stuff I forgot to list here

Other facts:

  • Raspi works nicely and is responsive when using VNC Viewer / Node Red Dashboard... and so on
  • In the case I get a VPN connection it works nice and as expected (tested 1h+)
  • lsmod shows all Wireguard modules running (compared to a person not having my problems)
  • I am no Linux and network freak.

I guess it has to do with the Raspi / software since I replaced nearly all the other stuff.

Please help me !!

Does this relate to Node-red at all?

I found wireguard easy to get working on a Raspberry Pi by installing PiVPN.

2 Likes

No, it's just kind of related to the use of Node Red with a VPN. I was not sure whether to post in here, but this forum has always been a nice place of help and open to many questions.

EDIT: I tried the installation by using PiVPN (thx for the hint) but it does not solve anything.

So it looks as though the wg connection can't transmit any data (or at least has a lot of errors when doing so).

And the endpoint has moved.

The 1st address belongs to vodafone-ip.de and the 2nd address belongs to telefonica.de. So it would seem to me as though the connection jumped from one WAN connection to a different one? Maybe that's what causes the connection to fail to transmit data?

1 Like
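The observation in the reply above (no handshake recorded, almost nothing received, endpoint changing) can be read out of `wg show` output mechanically. The following is an added example, not part of any post in this thread: it parses the plain-text output and classifies each peer. The sample text is constructed from the values quoted in the thread, with placeholder keys and a made-up second allowed IP; the function names are hypothetical.

```python
import re

UNITS = {"B": 1, "KiB": 2**10, "MiB": 2**20, "GiB": 2**30, "TiB": 2**40}
SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400, "year": 31536000}
REJECT_AFTER_TIME = 180  # seconds after which WireGuard stops using a session's keys

# Constructed sample modelled on the outputs in the thread; keys are placeholders.
SAMPLE = """\
interface: wghub
  listening port: 9050

peer: PHONE_A_PLACEHOLDER=
  endpoint: 92.72.93.140:1024
  allowed ips: 10.162.155.10/32
  transfer: 148 B received, 239.29 KiB sent

peer: PHONE_B_PLACEHOLDER=
  endpoint: 46.114.137.225:45486
  allowed ips: 10.162.155.11/32
  latest handshake: 1 minute, 33 seconds ago
  transfer: 540 B received, 291.20 KiB sent
"""

def parse_peers(text):
    """Return one dict per peer block of `wg show` output."""
    peers = []
    for line in text.splitlines():
        key, _, val = line.strip().partition(": ")
        if key == "peer":
            peers.append({"peer": val, "age": None, "rx": 0, "tx": 0})
        elif peers and key == "latest handshake":
            parts = re.findall(r"(\d+) (second|minute|hour|day|year)", val)
            peers[-1]["age"] = sum(int(n) * SECONDS[u] for n, u in parts)
        elif peers and key == "transfer":
            for num, unit, side in re.findall(r"([\d.]+) (\w+) (received|sent)", val):
                peers[-1]["rx" if side == "received" else "tx"] = int(float(num) * UNITS[unit])
    return peers

def classify(peer):
    if peer["age"] is None:
        return "no-handshake"      # no completed handshake since the interface came up
    if peer["age"] > REJECT_AFTER_TIME:
        return "stale-handshake"   # session expired and was not renewed
    return "ok"

if __name__ == "__main__":
    for p in parse_peers(SAMPLE):
        print(p["peer"], classify(p), f"rx={p['rx']}B tx={p['tx']}B")
```

A peer that stays in `no-handshake` while the client log keeps repeating handshake messages points at packets being lost between the two ends rather than at the keys or the WireGuard configuration.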

Thanx for your answer.
In Germany we have internet service providers which offer a random dynamic IP every time you (re)connect to the internet. The different IPs are a result of that. vodafone-ip.de is part of the company telefonica.de and they share / mix their reserved IP address ranges for this purpose. Getting those different IPs is correct because I reconnect my internet a lot for tests (related to that problem). Because of getting dynamic IPs here in Germany we have to use "dyn dns service providers", where the modem / router tells the IP address to this service, which offers a hostname that resolves to the dynamic IP.

I always get confused as to who owns whom. Here in the UK I thought that Telefonica is part of O2 which has just merged with Virgin Media to create VMO2. :grinning: I only know that because they just won our replacement mobile phone contract at work.

I've not used Wireguard I'm afraid and my Pi's have never been accessible from the Internet except via something like NGROK or Cloudflare WARP.

I used to use wireguard to access my node-red machine from the outside web. Can't do that now (ISP issues) so I switched to Zerotier. Have not yet got as far as using PiHole over it but I presume it's possible.

Actually it's easier to set up than wireguard, no port forwarding required.

1 Like

I finally found a solution / reason:
My Xiaomi router AX3600 had QoS (traffic limit settings) switched on, without any settings having been changed or entered for the devices. Just the switch was on. Since I switched it off it has run flawlessly and all is fine with WireGuard.
