I am struggling to get a peer connected to wireguard and I cannot work out why.
I have wireguard installed on Openwrt 19.07.1 and I followed this guide to get a working setup with another peer. http://chrisbuchan.co.uk/uncategorized/wireguard-setup-openwrt/
My problem peer (WireGuard for iOS 0.0.20200127 / iOS 13.3.1) produces this error message in the WireGuard log: "Handshake did not complete after 5 seconds, retrying (try x)"
The working peer (almost identical setup except on iOS 13.3) can connect to the vpn perfectly fine where I can access resources on my LAN externally.
I have double and triple checked my keys / key pairs and I am sure they match for the problem peer, so I think my problem lies with the IP addresses I have chosen or my lack of understanding of the /32 netmask.
(I have also uninstalled the wireguard app and regenerated new key pairs too)
In OpenWrt's WireGuard Interfaces section, the IP is set to 10.200.200.1/24
The working peer is set to Allowed IPs > 10.200.200.2/32
The problem peer is set to Allowed IPs > 10.200.200.3/32 (also tried 10.200.201.2/32)
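To make the /32 question concrete, here is an added example (not code from this thread, from WireGuard or from OpenWrt) that models WireGuard's cryptokey routing with the addresses above: the router picks a peer for an outbound packet by longest-prefix match over every peer's AllowedIPs, and the phone's single peer with 0.0.0.0/0 sends everything into the tunnel. The peer names, the `select_peer`/`find_duplicates`/`on_interface_subnet` helpers and the 10.200.201.2/32 check are constructed for illustration; the interface and AllowedIPs values are the thread's own.

```python
"""Cryptokey-routing model for the thread's addressing plan.

Added example, not code from the original thread, from WireGuard or from OpenWrt.
It shows (1) which peer a destination address is routed to, (2) that two /32
AllowedIPs entries do not interfere with each other, and (3) whether a peer
prefix lies inside the interface subnet, which decides whether the kernel
already has a connected route for it or needs an explicit one.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Router side, built from the thread's values: interface 10.200.200.1/24 and
# one /32 per phone. Peer names are constructed placeholders.
ROUTER_INTERFACE = ipaddress.ip_interface("10.200.200.1/24")
ROUTER_PEERS: Dict[str, List[str]] = {
    "working-iphone": ["10.200.200.2/32"],
    "problem-iphone": ["10.200.200.3/32"],
}

# Phone side: one peer (the router) with AllowedIPs 0.0.0.0/0, as in the thread.
PHONE_PEERS: Dict[str, List[str]] = {"openwrt-router": ["0.0.0.0/0"]}


def select_peer(peers: Dict[str, List[str]], dst: str) -> Optional[str]:
    """Return the peer whose AllowedIPs entry is the most specific match for dst.
    This mirrors WireGuard's cryptokey routing table; None means the packet
    would be dropped because no peer claims that address."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for name, nets in peers.items():
        for net in map(ipaddress.ip_network, nets):
            if addr in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


def find_duplicates(peers: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """List (first_peer, second_peer, prefix) for prefixes given to two peers.
    WireGuard keeps exactly one owner per prefix: assigning a prefix that
    another peer already has silently moves it to the peer configured last,
    so the earlier peer stops receiving that traffic. Nested but different
    prefixes (e.g. a /24 and a /32) coexist and resolve by longest match."""
    owner: Dict[str, str] = {}
    dups: List[Tuple[str, str, str]] = []
    for name, nets in peers.items():
        for net in nets:
            key = str(ipaddress.ip_network(net))
            if key in owner and owner[key] != name:
                dups.append((owner[key], name, key))
            owner.setdefault(key, name)
    return dups


def on_interface_subnet(iface: ipaddress.IPv4Interface, allowed: str) -> bool:
    """True if an AllowedIPs prefix lies inside the interface's own subnet, so
    the kernel already routes it via the WireGuard interface. A prefix outside
    it (the 10.200.201.2/32 attempt in the thread) needs a separate route
    before replies from the LAN can reach the tunnel at all."""
    return ipaddress.ip_network(allowed).subnet_of(iface.network)


if __name__ == "__main__":
    for dst in ("10.200.200.2", "10.200.200.3", "10.200.200.9"):
        print(dst, "->", select_peer(ROUTER_PEERS, dst))
    print("duplicates:", find_duplicates(ROUTER_PEERS))
    for prefix in ("10.200.200.3/32", "10.200.201.2/32"):
        print(prefix, "inside interface subnet:", on_interface_subnet(ROUTER_INTERFACE, prefix))
```

The point for the thread: 10.200.200.2/32 and 10.200.200.3/32 are distinct prefixes, so nothing in the routing model explains one phone failing while the other works; a /32 on the router simply says "this single address belongs to this peer". The one thing the model does flag is 10.200.201.2/32, which sits outside the 10.200.200.0/24 interface subnet and therefore needs its own route on the router (OpenWrt's WireGuard peer settings have a "Route Allowed IPs" option for exactly that).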
Please post your entire /etc/config/network file (but redact your keys). Also, please post the remote peer wg configurations (again with redacted keys)
Are you testing both of your remote peers using the same method (i.e. cellular connection, external network, etc.)?
I know you said you have verified the keys multiple times, but make sure that the exchanged keys are the public ones, and that the public and private keys are in the right places.
Problem Remote Peer: (sorry, exporting the zip was painful ..)
INTERFACE
Name: Home
Public key: x
Addresses: 10.200.200.3/32
DNS servers: 192.168.64.254
PEER
Public key: x
Endpoint: My WAN IP:51820
Allowed IPs: 0.0.0.0/0
On demand: Off
Both peers are being tested the same, WiFi disabled and cellular 4G Enabled
Public and private keys are definitely the correct way round
Everything looks good there. What is the output of wg show on the OpenWrt router?
Just to confirm, the current status is that one device will connect, but the other will not? The output of wg show should show a timestamp for the last handshake for each of the remote peers -- try connecting from each peer and see if anything changes.
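An added example of the check being asked for here (not code from the thread or from the WireGuard project): it parses the machine-readable `wg show <iface> dump` output, where the last-handshake field is a Unix timestamp and 0 means the peer has never completed a handshake, and classifies each peer. The dump sample is constructed, with placeholder strings in place of real keys and documentation addresses in place of real endpoints; the `classify`/`report` helpers and the 180-second staleness threshold are my own choices.

```python
"""Classify peers from `wg show <iface> dump` output.

Added example, not from the thread or from the WireGuard project. The sample
dump below is constructed to resemble the situation in the thread: one phone
that handshaked hours ago and one that never did. Field layout follows wg(8):
first line = private-key, public-key, listen-port, fwmark; each peer line =
public-key, preshared-key, endpoint, allowed-ips, latest-handshake, rx, tx,
persistent-keepalive, all tab-separated.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

NOW = 1_582_000_000  # constructed "current time" so the sample is reproducible

SAMPLE_DUMP = "\n".join([
    # private-key  public-key  listen-port  fwmark   (keys are placeholders)
    "ROUTER_PRIVATE_KEY_PLACEHOLDER=\tROUTER_PUBLIC_KEY_PLACEHOLDER=\t51820\toff",
    # public-key  preshared-key  endpoint  allowed-ips  latest-handshake  rx  tx  keepalive
    "WORKING_PHONE_PUBLIC_KEY_PLACEHOLDER=\t(none)\t198.51.100.7:41392\t10.200.200.2/32\t"
    + str(NOW - 19 * 3600) + "\t1273500\t3945720\toff",
    "PROBLEM_PHONE_PUBLIC_KEY_PLACEHOLDER=\t(none)\t(none)\t10.200.200.3/32\t0\t0\t0\toff",
])


@dataclass
class PeerStatus:
    public_key: str
    allowed_ips: str
    endpoint: Optional[str]        # None when wg prints "(none)"
    last_handshake: Optional[int]  # Unix time; None when wg prints 0 (never)
    rx_bytes: int
    tx_bytes: int


def parse_dump(text: str) -> List[PeerStatus]:
    """Turn dump output into PeerStatus records (the interface line is skipped)."""
    peers: List[PeerStatus] = []
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for line in lines[1:]:
        fields = line.split("\t")
        if len(fields) != 8:
            raise ValueError(f"unexpected peer line: {line!r}")
        pub, _psk, endpoint, allowed, hs, rx, tx, _keepalive = fields
        peers.append(PeerStatus(
            public_key=pub,
            allowed_ips=allowed,
            endpoint=None if endpoint == "(none)" else endpoint,
            last_handshake=None if hs == "0" else int(hs),
            rx_bytes=int(rx),
            tx_bytes=int(tx),
        ))
    return peers


def classify(peer: PeerStatus, now: int, stale_after: int = 180) -> str:
    """Return 'never', 'stale' or 'fresh'.

    WireGuard re-handshakes about every two minutes while traffic flows, so a
    handshake older than a few minutes means the tunnel is idle or down.
    'never' means no handshake has ever completed on this router for that
    peer, which is what a key mismatch, a wrong endpoint, or packets that
    never arrive all look like from the responder's side."""
    if peer.last_handshake is None:
        return "never"
    return "fresh" if now - peer.last_handshake <= stale_after else "stale"


def report(text: str, now: int = NOW) -> Dict[str, str]:
    """Map each peer's public key to its handshake state."""
    return {p.public_key: classify(p, now) for p in parse_dump(text)}


if __name__ == "__main__":
    for p in parse_dump(SAMPLE_DUMP):
        print(f"{p.public_key[:24]}... {p.allowed_ips:18} endpoint={p.endpoint} "
              f"state={classify(p, NOW)} rx={p.rx_bytes} tx={p.tx_bytes}")
```

Run it against real output with `wg show wg0 dump` as the input: a peer reported as "never" with endpoint "(none)" and zero counters has not had a single valid handshake initiation accepted, which is consistent with the 5-second retry message the phone shows; a peer reported as "stale" did connect at some point and only needs fresh traffic to re-handshake.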
Looks like this one is being tested from inside your network. And the last handshake was 19 hours ago -- is that right? Is it still working? If you test the other phone from inside, does it still fail to connect?
Are both iPhones running the same version of iOS? Are they both using the same cellular carrier? Both up to date on the WireGuard app?
I hate to suggest this (since you said you have done this multiple times), but maybe it is worth generating new keys for the iPhone that isn't working. Double check that the details between the two iPhones are the same except for the iPhone's private and public keys (but the public key for the OpenWrt end should be the same), and then copy the public key from the iPhone > OpenWrt.
@psherman iPhones are on different versions of iOS by a minor version.
Working Peer iOS 13.3
Problem Peer iOS 13.3.1 (This phone has been wiped very recently and had the WireGuard app reinstalled too, to rule that out)
They are both using the same cellular carrier and both running the same version of the wireguard app.
Perhaps you are correct and I need to do the keys again, could I have got them wrong after two attempts?!
I made sure the public key of Openwrt end is the same and the config is the same, I have them side by side in front of me and each looks to check out. Each iPhone peer has its own generated key pair*
@lleachii I added a route and then checked in the GUI - Routes, which looks like this for Active IPv4 Routes:
If I could change one thing about WG from the user side, it would be to have private and public keys distinguishable by some human-readable difference in the string. For example, maybe the private key would end in "+=" and the public key ending in "-=" or whatever. I seem to recall making mistakes as I copied/pasted keys between the two devices.
I don't think that adding the route should be necessary (I don't have any routes added for my configuration), but it theoretically won't be a problem, either. Fundamentally, though, if you are unable to connect from just one device (but all is working from the other), I think that is more likely a key issue than anything else.
My setup is now working! I removed the static route. Deleted the problem peer from the WireGuard interface. Rebooted router. Deleted VPN from WireGuard app. Created from scratch; the difference was this time I called the Interface "Home 2" on the problem iPhone instead of "Home" (which is the same as the working peer). Generated the key pairs as normal and this time I did everything on the phone so I could be sure of the copy / paste process. Rebooted router again. Both peers can now connect externally!
*I even checked the keys for about the 12th time and they definitely matched before I went through this.
Thanks for the input. I guess it was a key problem, either that or don't name the interface as "Home" on one phone and "Home" on another!