Help with secondary Wireguard peer connecting


I am struggling to get a peer connected to wireguard and I cannot work out why.
I have wireguard installed on Openwrt 19.07.1 and I followed this guide to get a working setup with another peer.

My problem peer. (Wireguard for iOS 0.0.20200127 / iOS 13.3.1) produces this error message in wireguard log "Handshake did not complete after 5 seconds, retrying (try x)"
The working peer (almost identical setup except on iOS 13.3) can connect to the vpn perfectly fine where I can access resources on my LAN externally.

I have double and triple checked my keys / key pairs and I am sure they match they match for the problem peer so I think my problem lies with the IP addresses I have chosen or my lack of understanding of the /32 netmask.
(I have also uninstalled the wireguard app and regenerated new key pairs too)

In Openwrt's Wireguard Interfaces section. The IP is set to
The working peer is set to Allowed IPs >
The problem peer is set to Allowed IPs > (also tried

Any help, very much appreciated.


Did you restart your wireguard interface on the openwrt side after you added the new peer?

1 Like

Yes. Router has also been rebooted.

Please post your entire /etc/config/network file (but redact your keys). Also, please post the remote peer wg configurations (again with redacted keys)

Are you testing both of your remote peers using the same method (i.e. cellular connection, external network, etc.)?

I know you said you have verified the keys multiple times, but make sure that the exchanged keys are the public ones, and that the public and private keys are in the right places.

1 Like

System is a Linksys EA6350v3 in case below it looks strange.
/etc/config/network - omitted MACs and VPN keys below

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr ''
	option netmask ''

config globals 'globals'
	option ula_prefix 'x/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'static'
	option netmask ''
	option ip6assign '60'
	option stp '1'
	option ipaddr ''

config device 'lan_dev'
	option name 'eth0'
	option macaddr 'x'

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'
	option peerdns '0'

config device 'wan_dev'
	option name 'eth1'
	option macaddr 'x'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0'

config wireguard_wg0
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option public_key 'x'
	option description 'iPhone SE'
	list allowed_ips ''

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'x'
	option listen_port '51820'
	list addresses ''

config wireguard_wg0
	option public_key 'x'
	option description 'iPhone'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	list allowed_ips ''

Problem Remote Peer: (sorry exporting the zip was painful ..)

Name: Home
Publix key: x
DNS servers
Public key: x
Endpoint: My WAN IP:51820
Allowed IPs
On demand: Off

Both peers are being tested the same, WiFi disabled and cellular 4G Enabled

Public and private keys are definitely the correct way round

Everything looks good there. What is the output of wg show on the OpenWrt router?

Just to confirm, the current status is that one device will connect, but the other will not? The output of wg show should show a timestamp for the last handshake for each of the remote peers -- try connecting from each peer and see if anything changes.

"Current state is that one device will connect but the other will not?" < Correct

wg show

interface: wg0
  public key: x
  private key: (hidden)
  listening port: 51820

peer: x
  allowed ips:
  latest handshake: 19 hours, 53 minutes, 2 seconds ago
  transfer: 889.90 KiB received, 10.91 MiB sent
  persistent keepalive: every 25 seconds

peer: x
  allowed ips:
  persistent keepalive: every 25 seconds

Looks like this one is being tested from inside your network. And the last handshake was 19 hours ago -- is that right? is it still working? If you test the other phone from inside, does it still fail to connect?

1 Like

Yes sorry about that, tested from outside of network just now on both; Handshake doesn't complete on one :s

But you are saying the IPs and netmasks look correct to you ?

interface: wg0
  public key: x
  private key: (hidden)
  listening port: 51820

peer: x
  endpoint: WAN IP:25092
  allowed ips:
  latest handshake: 45 seconds ago
  transfer: 899.75 KiB received, 10.97 MiB sent
  persistent keepalive: every 25 seconds

peer: x
  allowed ips:
  persistent keepalive: every 25 seconds

Yes, looks good to me.

Are both iPhones running the same version of iOS? Are they both using the same cellular carrier? Both up to date on the WireGuard app?

I hate to suggest this (since you said you have done this multiple times), but maybe it is worth generating new keys for the iPhone that isn't working. Double check that the details between the two iPhones are the same except for the iPhone's private and public keys (but the public key for the OpenWrt end should be the same), and then copy the public key from the iPhone > OpenWrt.

  • I would make a route for on the WG; but the route allowed IPs setting should work too.
  • Do you have INPUT 51820/udp opened on your OpenWrt firewall?

@psherman iPhones are on different versions of iOS by a minor version.
Working Peer iOS 13.3
Problem Peer iOS 13.3.1 (This phone has been wiped very recently and had the wireguard app reinstalled two to rule that out)
They are both using the same cellular carrier and both running the same version of the wireguard app.
Perhaps you are correct and I need to do the keys again, could I have got them wrong after two attempts?!
I made sure the public key of Openwrt end is the same and the config is the same, I have them side by side in front of me and each looks to check out. Each iPhone peer has its own generated key pair*

@lleachii I added a route and then checked in the gui - Routes which looks like this for Active IPv4 Routes;


output from cat /etc/config/firewall

config rule
	option src '*'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '51820'
	option name 'Allow-Wireguard-Inbound'

If I could change one thing about WG from the user side, it would be to have private and public keys distinguishable by some human-readable difference in the string. For example, maybe the private key would end in "+=" and the public key ending in "-=" or whatever. I seem to recall making mistakes as I copied/pasted keys between the two devices.

I don't think that adding the route should be necessary (I don't have any routes added for my configuration), but it theoretically won't be a problem, either. Fundamentally, though, if you are unable to connect from just one device (but all is working from the other), I think that is more likely a key issue than anything else.

Ok, I'll give it a test, maybe a tomorrow job for now.


My setup is now working! I removed the static route. Deleted the problem peer from the wireguard interface. Rebooted Router. Deleted VPN from Wireguard app. Created for scratch, the difference was this time I called the Interface "Home 2" on the problem iphone instead of "Home" (which is the same as working peer). Generated the keypairs as normal and this time, I did everything on the phone so I could be sure of the copy / paste process. Rebooted router again. Both peers can now connect externally!

*I even checked the keys for about the 12th time and they definitely matched before I went through this.

Thanks for the input. I guess it was a key problem, either that or don't name the interface as "Home" on one phone and "Home" on another!

Much appreciated

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.