Can't make more than 2 Wireguard peers work

For the last ~2 months, I've been on and off troubleshooting an issue with the Wireguard configuration on my OpenWRT router.

I want to have 2+ Wireguard peer configs for my home network. I have been able to add 2 configs, and have them connect to my home VPN, but I can't make anything more than 2 configs at once work. I've tried shuffling the configs between my devices, I tried searching online for my issue, and a bunch of things I probably forgot about at this point, but I was never able to make things work.

Below is my Wireguard config, please let me know if there is any more info I can provide.

I have never been able to get device 3 to get a handshake with the server, or get any traffic flowing through the tunnel.

Server config:

IP Address 10.10.0.1/16
Listen Port 51844

Device 1 (works):

[Interface]
PrivateKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Address = 10.10.2.2/32
ListenPort = 51844
DNS = 192.168.1.1

[Peer]
PublicKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
PresharedKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = myddnsservice.com:51844
PersistentKeepAlive =

Device 2 (works):

[Interface]
PrivateKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Address = 10.10.2.3/32
ListenPort = 51844
DNS = 192.168.1.1

[Peer]
PublicKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
PresharedKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = myddnsservice.com:51844
PersistentKeepAlive = 5

Device 3 (doesn't work):

[Interface]
PrivateKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Address = 10.10.2.4/32
ListenPort = 51844
DNS = 192.168.1.1

[Peer]
PublicKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
PresharedKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = myddnsservice.com:51844
PersistentKeepAlive = 5

Thank you for any tips.

Let's take a look at the full config details on the OpenWrt side -- that will be the most useful to diagnose your issue.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

System board:

root@OpenWRT:~# ubus call system board
{
	"kernel": "5.15.167",
	"hostname": "OpenWRT",
	"system": "ARMv8 Processor rev 4",
	"model": "ASUS TUF-AX6000",
	"board_name": "asus,tuf-ax6000",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.5",
		"revision": "r24106-10cc5fcd00",
		"target": "mediatek/filogic",
		"description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
	}
}

Network config:

root@OpenWRT:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fde8:8959:e12b::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

config device
	option name 'lan2'
	option macaddr 'X'

config device
	option name 'lan3'
	option macaddr 'X'

config device
	option name 'lan4'
	option macaddr 'X'

config device
	option name 'lan5'
	option macaddr 'X'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth1'
	option macaddr 'X'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcp'
	option peerdns '0'

config interface 'TestVPN'
	option proto 'wireguard'
	option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
	option listen_port '51844'
	list addresses '10.10.0.1/16'

config wireguard_TestVPN
	option description 'Device 1'
	option public_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
	option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
	option preshared_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
	option route_allowed_ips '1'
	option endpoint_port '51844'
	option persistent_keepalive '5'
	list allowed_ips '10.10.2.2/32'

config wireguard_TestVPN
	option description 'Device 2'
	option public_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
	option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
	option preshared_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
	option route_allowed_ips '1'
	option endpoint_port '51844'
	option persistent_keepalive '5'
	list allowed_ips '10.10.2.3/32'

config wireguard_TestVPN
	option description 'Device 3'
	option public_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
	option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
	option preshared_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
	list allowed_ips '10.10.2.4/32'
	option route_allowed_ips '1'
	option endpoint_port '51844'
	option persistent_keepalive '5'

Firewall config:

root@OpenWRT:~# cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'TestVPN'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Divert-DNS, port 53'
	option src 'wan'
	option src_dport '53'
	option dest_port '53'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'HomeVPN'
	list proto 'udp'
	option src 'wan'
	option src_dport '51844'
	option dest_ip '192.168.1.1'
	option dest_port '51844'

The PrivateKey is not part of the peer configuration.
Remove the ListenPort from the clients and from the Server peer configs. It is not needed and can create problems if the client is restricted.
All the clients should have the same PublicKey and the PreSharedKey must match the one in the peer config of the server. Better remove it completely until you spot the culprit, then you can reinstate it.

That gives a good indication that one config is faulty. I would recreate the PrivateKey and extract the PublicKey from that to add it in the Server peer config.

Only a few edits seem to be necessary:

Starting with the main interface:

Change the address to a /24. There is no reason to use /16, and it will have a high likelihood of conflict when you are away from home.

Then on the peers (the same will apply to all):

Remove the endpoint port, and change the persistent keepalive to a much higher value like 25 or so. Also, since we changed the main interface to a /24, adjust the address so that it's 10.10.0.x/32 (where x is the address per peer).

Delete this redirect and replace it with a traffic rule that accepts udp port 51844 from wan.

Unrelated... but this probably shouldn't be here... I'd recommend deleting it unless you have a specific reason to allow DNS from the wan (very unusual, probably not a good idea):

As @trendy said, the other thing is the keys... make sure that each peer has its own keypair. Don't forget to update the configs on the peers, too.

Once the changes are complete, restart the router and test again.


Hi, sorry for taking so long to respond. I haven't had much time lately to deal with this, but with the release of OpenWRT 24.10, I completely nuked all my configs, and intentionally started over again. Here are my current configs:

System board:

root@Router:~# ubus call system board
{
	"kernel": "6.6.73",
	"hostname": "Router",
	"system": "ARMv8 Processor rev 4",
	"model": "ASUS TUF-AX6000",
	"board_name": "asus,tuf-ax6000",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.0",
		"revision": "r28427-6df0e3d02a",
		"target": "mediatek/filogic",
		"description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
		"builddate": "1738624177"
	}
}

Firewall config:

root@Router:~# cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'HomeVPN'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Divert-DNS, port 53'
	option src 'wan'
	option src_dport '53'
	option dest_port '53'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Divert-DNS, port 5353'
	option src 'lan'
	option src_dport '5353'
	option dest_port '53'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'HomeVPN'
	list proto 'udp'
	option src 'wan'
	option src_dport '54280'
	option dest_ip '192.168.1.1'
	option dest_port '54280'

Network config:

root@Router:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdbf:9907:7140::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option peerdns '0'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'
	option peerdns '0'

config interface 'HomeVPN'
	option proto 'wireguard'
	option private_key 'AAA'
	option listen_port '54280'
	list addresses '10.10.10.1/24'

config wireguard_HomeVPN
	option description 'Phone'
	option public_key 'BBB'
	option private_key 'CCC'
	option preshared_key 'DDD'
	list allowed_ips '10.10.10.2/32'
	option route_allowed_ips '1'

config wireguard_HomeVPN
	option public_key 'EEE'
	option private_key 'FFF'
	option preshared_key 'GGG'
	option description 'MacBook'
	list allowed_ips '10.10.10.3/32'
	option route_allowed_ips '1'
	option persistent_keepalive '5'

Phone:

[Interface]
PrivateKey = CCC
Address = 10.10.10.2/32
# ListenPort not defined
# DNS not defined

[Peer]
PublicKey = ZZZ
PresharedKey = DDD
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = ddnsservice.com:54280
# PersistentKeepAlive not defined

MacBook:

[Interface]
PrivateKey = FFF
Address = 10.10.10.3/32
# ListenPort not defined
# DNS not defined

[Peer]
PublicKey = ZZZ
PresharedKey = GGG
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = ddnsservice.com:54280
PersistentKeepAlive = 5

With this current config, I can get "Phone" to connect, but not "MacBook". I have redacted the keys so that you can see what values they have in relation to each other. I'm doing the entire configuration through LuCI. The Firewall redirects for ports 53 and 5353 are for DNSCryptProxy I'm running on the router.
Thanks for any help. I have been on this since November, and I'm about ready to throw my router out the window.

Based on a quick readthrough, it looks okay.

The issue may be as simple as DNS on the Macbook.
Please try to connect from both devices and then let's see the output of:

wg show

I intentionally don't specify the DNS for the MacBook, because that setting actually causes problems with the way I have DoH set up on the MacBook.

Ok. Well, let’s see what the results are when you run the command I gave earlier.

With only the MacBook connected:

root@Router:~# wg show
interface: HomeVPN
  public key: ZZZ
  private key: (hidden)
  listening port: 54280

peer: BBB
  preshared key: (hidden)
  endpoint: 174.224.61.143:7749
  allowed ips: 10.10.10.2/32
  latest handshake: 1 hour, 2 minutes, 43 seconds ago
  transfer: 167.44 KiB received, 844.11 KiB sent

LuCI:
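One thing worth reading off the output above: `wg show` lists every peer that has been loaded onto the interface, whether or not it has ever completed a handshake, so the MacBook peer (EEE in the network config) not appearing at all is a different failure from a loaded peer that cannot handshake. The first means the peer section never reached the kernel interface (the config was not applied or reloaded), the second points at keys, PSK, endpoint or firewall. The script below parses `wg show` text and classifies each expected peer as missing, loaded-but-no-handshake, stale, or ok. It is an added example, not something from the thread; the sample text is constructed after the redacted output above with a documentation-range endpoint address, and `EXPECTED_PEERS` and the 180-second staleness threshold are assumptions.

```python
"""Cross-check `wg show` output against the peers you expect on the interface.
Added example, not from the thread; sample text is constructed, keys are placeholders."""
import re

# Constructed after the thread's redacted `wg show` output; endpoint uses a documentation address.
WG_SHOW = """\
interface: HomeVPN
  public key: ZZZ
  private key: (hidden)
  listening port: 54280

peer: BBB
  preshared key: (hidden)
  endpoint: 203.0.113.10:7749
  allowed ips: 10.10.10.2/32
  latest handshake: 1 hour, 2 minutes, 43 seconds ago
  transfer: 167.44 KiB received, 844.11 KiB sent
"""

# Constructed: what /etc/config/network says should exist (description -> public key).
EXPECTED_PEERS = {"Phone": "BBB", "MacBook": "EEE"}

UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_handshake_age(text):
    """'1 hour, 2 minutes, 43 seconds ago' -> total seconds."""
    total = 0
    for n, unit in re.findall(r"(\d+)\s+(second|minute|hour|day)s?", text):
        total += int(n) * UNITS[unit]
    return total


def parse_wg_show(text):
    """Return (interface_fields, {peer_public_key: fields}) from `wg show` output."""
    iface, peers, current = {}, {}, None
    for line in text.splitlines():
        if line.startswith("interface:"):
            current = iface
            iface["name"] = line.split(":", 1)[1].strip()
        elif line.startswith("peer:"):
            current = peers[line.split(":", 1)[1].strip()] = {}
        elif ":" in line and current is not None:
            key, val = line.strip().split(":", 1)
            current[key.strip()] = val.strip()
    return iface, peers


def peer_status(wg_show_text, expected, stale_after=180):
    """Classify each expected peer by what the kernel reports about it.
    stale_after is an assumed threshold: with keepalive on, a healthy peer
    re-handshakes every couple of minutes."""
    _, peers = parse_wg_show(wg_show_text)
    report = {}
    for label, pub in expected.items():
        fields = peers.get(pub)
        if fields is None:
            report[label] = "missing"        # never applied to the interface: reload/check the config
        elif "latest handshake" not in fields:
            report[label] = "no-handshake"   # loaded, but keys/PSK/endpoint/firewall block the handshake
        elif parse_handshake_age(fields["latest handshake"]) > stale_after:
            report[label] = "stale"
        else:
            report[label] = "ok"
    return report


if __name__ == "__main__":
    for label, state in peer_status(WG_SHOW, EXPECTED_PEERS).items():
        print(f"{label}: {state}")
```

On the router this would be fed `wg show` output directly, for example `peer_status(subprocess.run(["wg", "show"], capture_output=True, text=True).stdout, EXPECTED_PEERS)`; with the output above it reports the Phone peer as loaded (handshake an hour old, so stale) and the MacBook peer as missing from the interface entirely.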

Is the Mac on the same network as this router (192.168.1.0/24)?

Yeah, I test the configs on my phone before moving them to the MacBook to rule out device specific problems. The "Phone" config works as expected, but the "MacBook" one doesn't.

Ok... try changing the endpoint host on the Macbook's config...

Edit this line:

Endpoint = 192.168.1.1:54280

Then try connecting and let's see the output of wg show again after you do that.

Same as before, the MacBook isn't showing up in wg show even after the suggested modifications.

I'm not seeing any reason why that machine should be any different than your phone.

You might try regenerating the private+public keys that you're using for the Mac.

I don't know. I'm initially testing the peer configs on my phone, since I know I can get one peer working, and at one point, I had two peers working, but never more than that.

Silly question... have you rebooted your router lately? Try it. Then test again.

It had about 2 days of uptime. Rebooted, and nothing changed about the Wireguard issue.

And to clarify, did you say that you used your phone to validate the Macbook's configuration? In other words, you used the config you have on the Mac on the phone and were able to successfully connect (phone > router)?

If so, that suggests that there is nothing wrong with the config (keys, etc.) and that it's an issue on the Mac.

Alternatively, you could take the configuration from the phone and put it on the Mac. Then see if the Mac can connect successfully.

Note: since each peer config needs to be unique, if you have the same configs loaded on more than one device, obviously only one of those can be active at a time; this method can be useful for testing, but clearly not a good method for 'production'.

No, I was never able to get the MacBook config working on either phone or MacBook, but could get the phone config working on both phone and MacBook.