Wireguard Struggles

  • Hi,

    I followed the wiki page for configuring the wireguard client but cannot handshake with my wireguard server.

    I ran wg-keygen to generate private and public keys

My wireguard.config looks like this:

    [provider_wireguard]
    Type = WireGuard
    Name = vpn-home
    Host = vpn.mydomain.com
    WireGuard.Address = 192.168.9.5/24
    WireGuard.PrivateKey = [client private key from /storage/.cache/wireguard/privatekey]
    WireGuard.PublicKey = [wireguard server public key]
    WireGuard.DNS = 192.168.9.1
    WireGuard.AllowedIPs = 0.0.0.0/0
    WireGuard.EndpointPort = 51820
    WireGuard.PersistentKeepalive = 25

    My wireguard server peer config for this libreelec client:

    public key = [client public key from /storage/.cache/wireguard/publickey]
    allowed IPs = 192.168.9.5/32
    persistent keep alive = 25

    connmanctl services shows the service listed and I can connect. My wireguard server shows the client public IP address and random port (as I didn't specify WireGuard.ListenPort) but no handshake.

    I cannot ping 192.168.9.1 (IP of the wireguard gw/server) and cannot ping anything else, as 0.0.0.0 is the default route.

    If I run connmanctl disconnect myvpn then I can get to the internet again.

    The config looks good to me compared with other wireguard clients connected to the same wireguard server, but there must be something missing/wrong.

    Any ideas please?

  • If the server is using some random port and not listening on 51820 how do you expect client and server to connect?

    NB: ConnMan will create the connection and wg0 interface regardless of what you put in the files (as long as the content is syntactically valid) but the ends need to have basic connectivity else the data doesn't flow.

  • If the server is using some random port and not listening on 51820 how do you expect client and server to connect?

    NB: ConnMan will create the connection and wg0 interface regardless of what you put in the files (as long as the content is syntactically valid) but the ends need to have basic connectivity else the data doesn't flow.

    The server is running on port 51820 - I'm referring to the optional WireGuard.ListenPort, which is the client port. Anyway, I've tried specifying it as port 51820 and also leaving it out (random port) - it makes no difference. My wireguard server sees the client IP with either a random port or port 51820, but there's no handshake.

    The fact there's no handshake is usually down to the keys somehow - have I put keys in the wrong place?

  • Host needs to be an IP address, not an FQDN, may be the issue.

    This is actually it! Thanks!!

    With the vpn disconnected I can ping my fqdn and my wg server shows the incoming connection (without handshake), so I've no idea why it doesn't work with the fqdn - maybe something specific to how connman works?

  • WireGuard itself only operates on IPs (NIC interfaces can have an IP, but not an FQDN), hence in the current ConnMan-VPN implementation this is also a hard requirement. The wg-quick script that some WireGuard implementations use to create and tear down WireGuard interfaces has the advantage of being able to resolve an FQDN to an IP address before creating the interface. I haven't tried wg-quick on LE for aeons but it probably works, or you can create your own up/down scripts for systemd to make connections if you like; WireGuard support is in the kernel and making connections is not tied to ConnMan. The advantage of using ConnMan (and the reason our default support uses it) is you can see and enable/disable connections using the LE settings add-on in the Kodi GUI.
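    The two stumbling points in this thread were that ConnMan's Host must be an IP literal rather than an FQDN, and the suspicion that a key had ended up in the wrong place. The script below is an added example written for this thread (it is not LibreELEC or ConnMan code): it resolves the hostname to an IPv4 address up front, the way wg-quick would, checks that both keys at least have the shape of a WireGuard key (44 base64 characters, a 32-byte key), refuses to emit a file whose PrivateKey and PublicKey are the same value, and then prints a provider file in the layout the first post uses. The hostnames, the 203.0.113.10 address and both keys are constructed sample values; `getent ahostsv4` is assumed to be available for the non-literal case and is only needed when Host is a name.

```shell
#!/bin/sh
# Added example for this thread, not code from LibreELEC/ConnMan.
# Produces a ConnMan WireGuard provider file with Host pre-resolved to IPv4
# and with basic sanity checks on the key strings.

# True if $1 is a dotted-quad IPv4 literal with every octet in 0..255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    # the regex alone would accept 999.1.1.1, so check each octet's range
    printf '%s\n' "$1" | awk -F. '{ for (i = 1; i <= 4; i++) if ($i + 0 > 255) exit 1 }'
}

# True if $1 has the shape of a WireGuard key: 43 base64 chars plus '='.
# This cannot tell a private key from a public one, only catch truncation
# or a pasted path/comment instead of a key.
is_wg_key() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Print the IPv4 address for $1. IP literals pass through unchanged;
# names are resolved with getent (assumed present; needs working DNS).
resolve_ipv4() {
    if is_ipv4 "$1"; then
        printf '%s\n' "$1"
        return 0
    fi
    addr=$(getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }')
    [ -n "$addr" ] || return 1
    printf '%s\n' "$addr"
}

# Args: name host address client_private_key server_public_key
# DNS, AllowedIPs, EndpointPort and keepalive are the values from the thread.
render_connman_wg() {
    name=$1; host=$2; address=$3; privkey=$4; pubkey=$5
    ip=$(resolve_ipv4 "$host") || { echo "cannot resolve $host to IPv4" >&2; return 1; }
    is_wg_key "$privkey" || { echo "PrivateKey does not look like a WireGuard key" >&2; return 1; }
    is_wg_key "$pubkey"  || { echo "PublicKey does not look like a WireGuard key" >&2; return 1; }
    [ "$privkey" != "$pubkey" ] || { echo "PrivateKey and PublicKey are the same value" >&2; return 1; }
    cat <<EOF
[provider_wireguard]
Type = WireGuard
Name = $name
Host = $ip
WireGuard.Address = $address
WireGuard.PrivateKey = $privkey
WireGuard.PublicKey = $pubkey
WireGuard.DNS = 192.168.9.1
WireGuard.AllowedIPs = 0.0.0.0/0
WireGuard.EndpointPort = 51820
WireGuard.PersistentKeepalive = 25
EOF
}

# Constructed sample keys (44 chars each, not real keys): 10 x 4 chars + 3 + '='.
SAMPLE_PRIV="$(printf 'abcd%.0s' 1 2 3 4 5 6 7 8 9 10)efg="
SAMPLE_PUB="$(printf 'wxyz%.0s' 1 2 3 4 5 6 7 8 9 10)ABC="

# Stand-alone demo with a constructed endpoint address; output goes to stdout.
render_connman_wg vpn-home 203.0.113.10 192.168.9.5/24 "$SAMPLE_PRIV" "$SAMPLE_PUB"
```

    To use it for a real endpoint, pass the FQDN as the host argument and redirect the output to the provider file the wiki describes; because the address is resolved at render time, the file has to be regenerated when the server's public IP changes, which is exactly the limitation the ConnMan path has and wg-quick avoids.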

  • WireGuard itself only operates on IPs (NIC interfaces can have an IP, but not an FQDN), hence in the current ConnMan-VPN implementation this is also a hard requirement. The wg-quick script that some WireGuard implementations use to create and tear down WireGuard interfaces has the advantage of being able to resolve an FQDN to an IP address before creating the interface. I haven't tried wg-quick on LE for aeons but it probably works, or you can create your own up/down scripts for systemd to make connections if you like; WireGuard support is in the kernel and making connections is not tied to ConnMan. The advantage of using ConnMan (and the reason our default support uses it) is you can see and enable/disable connections using the LE settings add-on in the Kodi GUI.

    Thank you for all the info and for sorting me out. I hope someone else also benefits from this info.