Configuring wireguard vpn with mullvad: i get handshake, but no internet

I know you have a solution so this is about clarifying previously posted information.

It is possible to configure OpenWrt as a Tailscale Subnet Router and connect it to a remote Tailscale Exit Node such as an Apple TV. In this scenario individual devices will not need a Tailscale Client installed.

Also note, Content Providers monitor and block traffic coming from VPN Providers, so using them to get around geoblocking can be hit and miss.

thanks a lot
i will check other threads and guides on how to do that, if i get stuck i will create another thread to solve that issue

that sounds interesting, i will look more into this
thanks a lot

Heey
sorry once again
I just got back home and noticed the vpn not working; i am getting no handshakes this time. I even tried restoring the backup i created right after your advice worked and everything was good. Still no handshakes with the servers.
what can i do to solve this?

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdeb:bd7b:db54::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'dhcp'

config interface 'wg0_int'
        option proto 'wireguard'
        option private_key 'redacted'
        option force_link '1'
        list addresses 'fc00:bbbb:bbbb:bb01::2:74e7/128'
        list addresses '10.65.116.232/32'
        option mtu '1280'
        list dns '10.64.0.1'
        option listen_port '51820'

config wireguard_wg0_int
        option description 'au-adl-wg-301'
        option public_key 'rm2hpBiN91c7reV+cYKlw7QNkYtME/+js7IMyYBB2Aw='
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::0/0'
        option route_allowed_ips '1'
        option endpoint_host '103.214.20.50'
        option endpoint_port '51820'
        option persistent_keepalive '25'

config device
        option type 'bridge'
        option name 'br-guest'
        option bridge_empty '1'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'
        option country 'CN'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt8'
        option encryption 'psk2'
        option key '00998877'

config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'ap'
        option ssid '904'
        option encryption 'psk2'
        option network 'guest'
        option key '00998877'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        list server '10.64.0.1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'hybrid'
        option ra 'hybrid'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'WGZONE'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wg0_int'

config forwarding
        option src 'lan'
        option dest 'WGZONE'

config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

config forwarding
        option src 'guest'
        option dest 'lan'

config rule
        option name 'Guest_DHCP'
        option src 'guest'
        option dest_port '67-68'
        option target 'ACCEPT'

config rule
        option name 'Guest_DNS'
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'BLock_Guest_from_Lan'
        option src 'guest'
        option dest 'lan'
        list dest_ip '192.168.1.0/24'
        option target 'REJECT'

config forwarding
        option src 'guest'
        option dest 'WGZONE'

root@OpenWrt:~# wg show
interface: wg0_int
  public key: wMmu2t4KvOETXc1uQsg8TXqkohTso26UBcN2dvQUJzA=
  private key: (hidden)
  listening port: 51820

peer: rm2hpBiN91c7reV+cYKlw7QNkYtME/+js7IMyYBB2Aw=
  endpoint: 103.214.20.50:51820
  allowed ips: 0.0.0.0/0, ::/0
  transfer: 0 B received, 14.89 KiB sent
  persistent keepalive: every 25 seconds

Since your setup is effectively a 'client' config that connects to a remote peer, you don't need this line (the `option listen_port '51820'` under `config interface 'wg0_int'`):

But your problem may be the time. What is the output of:

date

There is also the possibility that the server is overcrowded or down for maintenance.
I use a well-known VPN provider (Mullvad), but occasionally that happens. I have multiple tunnels with failover: if one tunnel is down, the next one is started :slight_smile:

But I would first research other things, e.g. the points already noted by @psherman, general internet connectivity, etc.

Otherwise make a new WireGuard config and upload that to a second peer, and disable this peer for testing

i have just noticed that whenever i reboot the router, the time is set to 23:02 and continues from there. i have to manually sync the time with my browser. but even after syncing, i still get no handshake
before sync

root@OpenWrt:~# date
Tue Mar  4 23:07:09 CST 2025

after sync

root@OpenWrt:~# date
Wed Mar  5 06:38:27 CST 2025
root@OpenWrt:~# wg show
interface: wg0_int
  public key: wMmu2t4KvOETXc1uQsg8TXqkohTso26UBcN2dvQUJzA=
  private key: (hidden)
  listening port: 59521

peer: rm2hpBiN91c7reV+cYKlw7QNkYtME/+js7IMyYBB2Aw=
  endpoint: 103.214.20.50:51820
  allowed ips: 0.0.0.0/0, ::/0
  transfer: 0 B received, 740 B sent
  persistent keepalive: every 25 seconds

is there a way to solve the sync problem, or do i have to make sure the router never goes off after the problem is fixed?

i am using mullvad too
i have just tried to add multiple peers, and i am still not getting handshakes.
i can add multiple peers to the same interface, right? i just have to make sure i am enabling one at a time

Your device doesn't have a battery-backed realtime clock. This means that it cannot keep time when it is off or rebooted. The system will use the time (and date) of the most recently modified file on the router as the starting point, and then it will perform an NTP sync after the network has been established.

It's a bit of a chicken-and-egg problem: the router cannot reach the internet to sync the time because all traffic is supposed to go through the tunnel, but the tunnel cannot be established because the time is wrong (the WireGuard handshake initiation carries a timestamp, and the remote peer rejects an initiation whose timestamp is not newer than the last one it accepted for your key).

There are a few ways (you can search the forum for "wireguard after ntp sync")... one way is to use policy based routing to allow the time servers to be reached via the regular wan. Another way is to simply delay the startup of WireGuard until after the time synchronization has been successful.

Better not do that (multiple peers on the same interface).

I recommend that you use a new interface/tunnel for each WireGuard config you get from Mullvad because address and private keys can also be different.

Then enable only the tunnel you want to use.

i searched for this and found a thread on it. i created a routing table for the wireguard interface and the LAN
whenever i reboot now, the time is set correctly
however, my wireguard interface still gets no handshake. I have tried generating new keys via luci, uploading the public keys to mullvad and getting a new ip address to use, multiple times, still to no avail. using a different peer also doesn't work
is there something else that could be wrong? here is my latest conf

root@OpenWrt:~#  cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdeb:bd7b:db54::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'dhcp'

config interface 'wg0_int'
        option proto 'wireguard'
        option private_key 'redacted'
        option force_link '1'
        list dns '10.64.0.1'
        option ip4table '200'
        list addresses 'fc00:bbbb:bbbb:bb01::9:b47c/128'
        list addresses '10.72.180.125/32'

config device
        option type 'bridge'
        option name 'br-guest'
        option bridge_empty '1'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

config wireguard_wg0_int
        option description 'au-syd-wg-104'
        option public_key '61Ovy3ObuHqllZK/P/5cOWZnY26SY2csmjzVK1q+fFs='
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::0/0'
        option route_allowed_ips '1'
        option endpoint_host '103.136.147.197'
        option endpoint_port '51820'
        option persistent_keepalive '25'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'
        option country 'CN'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt8'
        option encryption 'psk2'
        option key '00998877'

config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'ap'
        option ssid '904'
        option encryption 'psk2'
        option network 'guest'
        option key '00998877'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        list server '10.64.0.1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'hybrid'
        option ra 'hybrid'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'WGZONE'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wg0_int'

config forwarding
        option src 'lan'
        option dest 'WGZONE'

config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

config forwarding
        option src 'guest'
        option dest 'lan'

config rule
        option name 'Guest_DHCP'
        option src 'guest'
        option dest_port '67-68'
        option target 'ACCEPT'

config rule
        option name 'Guest_DNS'
        option src 'guest'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'BLock_Guest_from_Lan'
        option src 'guest'
        option dest 'lan'
        list dest_ip '192.168.1.0/24'
        option target 'REJECT'

config forwarding
        option src 'guest'
        option dest 'WGZONE'

root@OpenWrt:~# wg show
interface: wg0_int
  public key: Tv7sNVLRq0zRygrELHNXThOOYvp/O43YcCJp47rQyz0=
  private key: (hidden)
  listening port: 49021

peer: 61Ovy3ObuHqllZK/P/5cOWZnY26SY2csmjzVK1q+fFs=
  endpoint: 103.136.147.197:51820
  allowed ips: 0.0.0.0/0, ::/0
  transfer: 0 B received, 5.35 KiB sent
  persistent keepalive: every 25 seconds

each config i get from mullvad has the same private key and the same ipv4 and ipv6 addresses; the differences have been the peer's public key and the endpoint port. whenever i create a new peer to try, i just change these two details, save, and restart the interface. Am i doing this wrong!?
