Wireguard handshake fails - Asus Merlin 384.9

[TinMan11]

Hope someone can help with this. Wireguard doesn't seem to be able to renegotiate it's handshake.

Let me be clear, I am not looking to run Wireguard on my router!

Current setup

Asus RT-AC3100 running Asus Merlin 384.9
Latest Wireguard running on Ubuntu 18.04.2 virtual machine completely up to date.
Port 51820 forwarded to virtual machine.
Router UDP and TCP connection parameters are set to defaults. (screenshot #1)
Wireguard set for split tunnel. AllowedIPs set to 192.168.X.X/24

Connection #1
Works and everything is great for 3 minutes.
After 3 minutes, all connections to remote LAN fail.
I can confirm the initial port and connection as well as the random port wireguard selects for handshake renegotiation. (screenshot #2)

When everything fails, manually disconnect and reconnect.
Again, everything works great for 3 minutes.
Check "Active Connections" on router and still see old connection info (#1) along with new connection info. (screenshot #3)

Repeat.

I have tested this on the official Mac client, Android app on both a Pixel 2 XL and Pixel Slate (ChromeOS), and the unofficial Tunsafe client.


Please help!

 

[RMerlin]

Just in case they would be interfering, disable any AiProtection-related option as well as NAT acceleration (under LAN -> Switch). See if it makes any difference.

 

[TinMan11]

Hi @RMerlin , thank you for the response.

Do you mean under LAN->"Switch Control"?
I see the following:
Jumbo Frames - currently disabled
NAT Acceleration - currently Auto
Spanning-Tree Protocol - currently enabled
Bond/Link aggregation - currently disabled

So far the only thing I've noticed that makes any difference is setting the UDP Timeout Assured to 1 second. This causes the connection at 3 minutes to "pause" for a second then the re-negotiation succeeds afterwards.

 

[TinMan11]

So setting the NAT acceleration to disabled seems to have fixed it.

 

[TinMan11]

@RMerlin thank you for your help with this.

One last follow-up question; what are the ramifications to leaving NAT acceleration turned off?

 

[ColinTaylor]

One last follow-up question; what are the ramifications to leaving NAT acceleration turned off?

Without NAT acceleration your maximum WAN to LAN transfer speed will be limited by your router's CPU. I don't have an RT-AC3100 but I'd guess the maximum transfer speed will now be about 300Mbps.

 

[TinMan11]

Without NAT acceleration your maximum WAN to LAN transfer speed will be limited by your router's CPU. I don't have an RT-AC3100 but I'd guess the maximum transfer speed will now be about 300Mbps.

ok, thank you for this. Seeing as how my service is 300dl/100up I should probably be good to go.

@RMerlin any ideas why NAT acceleration is effecting UDP port mappings for wireguard?

 

[RMerlin]

ok, thank you for this. Seeing as how my service is 300dl/100up I should probably be good to go.

@RMerlin any ideas why NAT acceleration is effecting UDP port mappings for wireguard?

No idea. Only Broadcom would know.

 

[armedmetallica]

Sorry - to wake this older thread - but I'm having similar issue in that it won't even CONNECT. I've tried all the steps here. I've even tried putting the wireguard device on the DMZ. For some reason, there's some sort of filtering going on. Any other ideas?

When I connect to the Asus's router's local wifi, I CAN connect to wireguard server (using it's local ip address). but doesn't seem to work from outside. I've done the port forwarding on Asus router.