Choose between Wireguard interfaces

I am using an OpenWrt One router on my FTTH internet.
I want to be able to choose between various Wireguard connections, provided by my VPN supplier.
I was able to create an interface to connect to the Portugal peer (WG_Rom2) and use that without problems.
Following the same guide and my notes, I have created 2 other interfaces (Swiss_WG and WG_ROM1), but although they appear to connect (as shown in Status/Wireguard and in Network/Interfaces), ping does not work (Network/Diagnostics) and internet is not available. It appears that a number of packets are sent, but only 3 or 4 are received.
I reboot between changes. WG_Rom2 always works, the other 2 never! My OpenVPN interface also works fine.
Obviously I have configured them incorrectly but cannot see where. After loads of attempts and research, could anyone help?
For the interface that doesn’t work I have attached:
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/firewall
wg show

Thanks

ubus call system board
{
	"kernel": "6.6.93",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "OpenWrt One",
	"board_name": "openwrt,one",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.2",
		"revision": "r28739-d9340319c6",
		"target": "mediatek/filogic",
		"description": "OpenWrt 24.10.2 r28739-d9340319c6",
		"builddate": "1750711236"
	}
}

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fded:f352:cdc2::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'
	option peerdns '0'
	list dns '208.67.222.222'
	list dns '1.1.1.1'

config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'

config interface 'OpenVPN'
	option proto 'none'
	option device 'tun0'
	option disabled '1'
	option auto '0'

config interface 'WG_Rom2'
	option proto 'wireguard'
	option private_key '******'
	list addresses '10.11.9.185/16'
	option auto '0'

config wireguard_WG_Rom2
	option description 'Portugal'
	option public_key '*******'
	option route_allowed_ips '1'
	option endpoint_host 'wg-pt1.cryptolayer.net'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'

config interface 'WG_ROM1'
	option proto 'wireguard'
	option private_key '*******'
	list addresses '10.11.10.46/16'
	option auto '0'
	option disabled '1'

config wireguard_WG_ROM1
	option description 'Romania'
	option public_key '/*******'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
	option route_allowed_ips '1'
	option endpoint_host 'wg-ro1.cryptolayer.net'
	option endpoint_port '51820'
	option persistent_keepalive '25'

config interface 'Swiss_WG'
	option proto 'wireguard'
	option private_key '********'
	list addresses '10.11.10.46/16'

config wireguard_Swiss_WG
	option description 'switzerland1.conf'
	option public_key '********'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
	option persistent_keepalive '25'
	option endpoint_host 'wg-ch1.cryptolayer.net'
	option endpoint_port '51820'
	option route_allowed_ips '1'
	
cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi'
	option band '2g'
	option channel '5'
	option htmode 'HE20'
	option num_global_macaddr '7'
	option cell_density '0'
	option country 'IE'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'psk-mixed'
	option key 'welcome21'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi+1'
	option band '5g'
	option channel '36'
	option htmode 'HE80'
	option num_global_macaddr '7'
	option cell_density '0'
	option country 'IE'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt5'
	option encryption 'sae-mixed'
	option key 'welcome21'
	option ocv '0'
	option disabled '1'

cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list device 'tun0'
	list network 'wan'
	list network 'wan6'
	list network 'OpenVPN'
	list network 'WG_Rom2'
	list network 'WG_ROM1'
	list network 'Swiss_WG'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

wg show
interface: Swiss_WG
  public key: ********
  private key: (hidden)
  listening port: 40909

peer: *********
  endpoint: 79.142.69.181:51820
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 1 minute, 39 seconds ago
  transfer: 1.18 KiB received, 130.34 KiB sent
  persistent keepalive: every 25 seconds
  
   logread | grep -E -i 'netifd|wireguard'
Thu Oct  9 11:47:21 2025 kern.info kernel: [   14.808287] wireguard: WireGuard 1.0.0 loaded. See www.wireguard.com for information.
Thu Oct  9 11:47:21 2025 kern.info kernel: [   14.816296] wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
Thu Oct  9 11:47:24 2025 daemon.notice netifd: Interface 'lan' is enabled
Thu Oct  9 11:47:24 2025 daemon.notice netifd: Interface 'lan' is setting up now
Thu Oct  9 11:47:24 2025 daemon.notice netifd: Interface 'lan' is now up
Thu Oct  9 11:47:24 2025 daemon.notice netifd: Interface 'Swiss_WG' is setting up now
Thu Oct  9 11:47:24 2025 daemon.notice netifd: Interface 'loopback' is enabled
Thu Oct  9 11:47:24 2025 daemon.notice netifd: Interface 'loopback' is setting up now
Thu Oct  9 11:47:24 2025 daemon.notice netifd: Interface 'loopback' is now up
Thu Oct  9 11:47:24 2025 daemon.notice netifd: Interface 'wan' is enabled
Thu Oct  9 11:47:24 2025 daemon.notice netifd: Interface 'wan6' is enabled
Thu Oct  9 11:47:24 2025 daemon.notice netifd: Network device 'lo' link is up
Thu Oct  9 11:47:24 2025 daemon.notice netifd: Interface 'loopback' has link connectivity
Thu Oct  9 11:47:24 2025 daemon.notice netifd: radio0 (2360): WARNING: Variable 'data' does not exist or is not an array/object
Thu Oct  9 11:47:27 2025 daemon.notice netifd: Network device 'phy0-ap0' link is up
Thu Oct  9 11:47:27 2025 daemon.notice netifd: bridge 'br-lan' link is up
Thu Oct  9 11:47:27 2025 daemon.notice netifd: Interface 'lan' has link connectivity
Thu Oct  9 11:47:27 2025 daemon.notice netifd: Wireless device 'radio0' is now up
Thu Oct  9 11:47:27 2025 daemon.notice netifd: Network device 'eth0' link is up
Thu Oct  9 11:47:27 2025 daemon.notice netifd: Interface 'wan' has link connectivity
Thu Oct  9 11:47:27 2025 daemon.notice netifd: Interface 'wan' is setting up now
Thu Oct  9 11:47:27 2025 daemon.notice netifd: Interface 'wan6' has link connectivity
Thu Oct  9 11:47:27 2025 daemon.notice netifd: Interface 'wan6' is setting up now
Thu Oct  9 11:47:27 2025 daemon.notice netifd: wan (2778): udhcpc: started, v1.36.1
Thu Oct  9 11:47:27 2025 daemon.notice netifd: wan (2778): udhcpc: broadcasting discover
Thu Oct  9 11:47:28 2025 daemon.notice netifd: Network device 'eth1' link is up
Thu Oct  9 11:47:30 2025 daemon.notice netifd: Swiss_WG (2299): Try again: `wg-ch1.cryptolayer.net:51820'. Trying again in 1.00 seconds...
Thu Oct  9 11:47:30 2025 daemon.notice netifd: wan (2778): udhcpc: broadcasting discover
Thu Oct  9 11:47:30 2025 daemon.notice netifd: wan (2778): udhcpc: broadcasting select for 192.168.6.107, server 192.168.6.254
Thu Oct  9 11:47:31 2025 daemon.notice netifd: wan (2778): udhcpc: lease of 192.168.6.107 obtained from 192.168.6.254, lease time 864000
Thu Oct  9 11:47:31 2025 daemon.notice netifd: Interface 'wan' is now up
Thu Oct  9 11:47:31 2025 daemon.notice netifd: Interface 'Swiss_WG' is now up
Thu Oct  9 11:47:31 2025 daemon.notice netifd: Network device 'Swiss_WG' link is up



ROM2 is the only one auto-started.


You are creating default routes (by enabling Route Allowed IPs) for all WG interfaces, and that will not work.

What is it you want to do with all those interfaces?

For the record: WireGuard Client Setup Guide

Thanks for the replies.

I want to be able to switch between the WG “servers” provided by my VPN provider, so that I can listen and view geofenced media. I thought that I would need to create an interface for each “server”. Is that not the correct way?

You can leave multiple connections in your config, but set the disabled flag on all but the one you want to use.

They can't all start because of the IP address conflict.

So I set the WG interfaces to be “Disabled” and “Not started on boot” except the one I want to use which is set to “Bring up on boot”. Then I reboot the router.

That works every time for WG_Rom2, and gives me Internet, all the Network/Diagnostics work .

If I try with either of the other 2, the interface comes up, but there is no internet available, and Diagnostics show “ping: bad address 'openwrt.org'“ and “;; connection timed out; no servers could be reached”

Correct.

Easy way to switch e.g. using your phone with an SSH client: https://github.com/egc112/OpenWRT-egc-add-on/tree/main/wireguard-companion

Servers might be down. If you connect to a non-working one, what is the output of the following (redact keys):

wg show
ping 8.8.8.8
# if ping succeeds, then run a traceroute
traceroute 8.8.8.8
ping openwrt.org

Your Companion is great!

Still the same trouble though:

The toggle script does nothing to your connection, of course.

If wg show shows a connection with some traffic in the KB range, your keys are working, but something else on the server is not working.

Sometimes a server is not working or you have exceeded the maximum peers etc.

I would just download a new config and try that; it looks like your setup is not the problem.

Okay i will try other servers and check with the providers. Thanks for your help.
