I've got WireGuard working on OpenWrt. I have just one peer set up in the wg0 interface. Can I set up more than one peer and choose between them, or do I have to change the peer connection setup in the interface to the location I want? Is there a way to toggle peers on and off and choose different VPN locations easily?
Just create another tunnel by adding a new wg interface and import the config.
Disable one, enable the other.
That's what I thought. I was hoping for an easier way. Thank you.
Just for my reference, a possible script:
#!/bin/sh
# Toggle one WireGuard peer between enabled and disabled on OpenWrt.
# Replace with the name of your WireGuard interface (e.g. wg0)
INTERFACE_NAME="wireguard_interface"
# Replace with the UCI section name of the peer you want to toggle
# (a section of type wireguard_${INTERFACE_NAME}; LuCI's "Peer disabled"
# checkbox sets the "disabled" option on that section)
PEER_NAME="peer_name"
# Read the current state; an unset option means the peer is enabled
DISABLED=$(uci -q get "network.${PEER_NAME}.disabled" || echo 0)
if [ "$DISABLED" -eq 1 ]; then
    uci set "network.${PEER_NAME}.disabled=0"
else
    uci set "network.${PEER_NAME}.disabled=1"
fi
# Commit the changes and restart the tunnel so the new peer list is applied
uci commit network
ifup "${INTERFACE_NAME}"
More reference data I might rely on later:
You don't necessarily need to set up multiple interfaces to alternate between WireGuard peers. You can configure multiple peers within a single WireGuard interface, and then enable or disable them as needed.
Here's how you can do it:
- Navigate to "Network" > "Interfaces" and click on the WireGuard interface you want to modify.
- In the "WireGuard" tab, click on "Add Peer" to add a new peer.
- Enter a name for the peer (e.g., "Peer2") and configure the settings as per your requirements.
- Click on "Save & Apply" to save the changes.
Repeat these steps for each peer you want to add.
To enable or disable a specific WireGuard peer, follow these steps:
- Navigate to "Network" > "Interfaces" and click on the WireGuard interface you want to modify.
- In the "WireGuard" tab, locate the peer you want to activate or deactivate.
- Toggle the "Enabled" checkbox to activate or deactivate the peer.
- Click on "Save & Apply" to save the changes.
By toggling the enabled status of the peers, you can effectively switch between different VPN server locations without having to set up multiple interfaces.
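The "one interface, several peers" approach from the steps above, written as a selector script. This is an added example for this thread, not a script from the thread or from OpenWrt; it assumes OpenWrt's UCI layout (each peer is a section of type wireguard_<iface> whose "Peer disabled" checkbox is the boolean option "disabled") and, as noted later in the thread, that all peers share the interface's address and private key.

```shell
#!/bin/sh
# wg-select-peer.sh: make exactly one peer of an OpenWrt WireGuard interface
# active, disable its siblings, then restart the interface.
# Constructed example; assumes OpenWrt's UCI layout where each peer is a
# section of type wireguard_<iface> and LuCI's "Peer disabled" checkbox is
# the boolean option "disabled" on that section.

# Print the UCI section name of every peer belonging to interface $1.
wg_list_peers() {
    uci show network | sed -n "s/^network\.\([^.=]*\)=wireguard_$1\$/\1/p"
}

# Enable peer section $2 on interface $1 and disable every other peer.
# Fails (exit 1) without touching UCI if $2 is not a peer of $1.
wg_select_peer() {
    iface=$1
    target=$2
    peers=$(wg_list_peers "$iface")
    if ! printf '%s\n' "$peers" | grep -qxF "$target"; then
        echo "no peer section '$target' of type wireguard_$iface" >&2
        return 1
    fi
    for peer in $peers; do
        if [ "$peer" = "$target" ]; then
            uci set "network.$peer.disabled=0"
        else
            uci set "network.$peer.disabled=1"
        fi
    done
    uci commit network
    # ifup restarts the interface so netifd re-reads the peer list
    # (the restart the thread reports as necessary after toggling).
    ifup "$iface"
}

main() {
    if [ -z "${2:-}" ]; then
        echo "usage: $0 <wg-interface> <peer-section>" >&2
        [ -n "${1:-}" ] && wg_list_peers "$1"
        return 2
    fi
    wg_select_peer "$1" "$2"
}

# Run only when invoked with arguments, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Running it with only the interface name lists the peer sections it found, which is a quick way to check the section names before switching.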
That can only work in a select number of cases where the interface settings (address, private key) are the same, which is often not the case.
So a more universal solution is to create more interfaces/tunnels.
You're absolutely right there. The configuration settings are in the interface AND the peer settings. I'm thinking it will work on a commercial VPN like NordVPN or Surfshark where the only things that change are the endpoints configured in the peer. I'm using the forum as a scratch pad to remember stuff and find it later by going to my own posts.
This is of interest to me as well. I use Mullvad over WireGuard and was wondering about multiple exit node configuration. My assumption was that I could just add additional peers to the existing interface as KSofen suggested and switch between them, but I was operating from the initial condition that I grabbed configs for a bunch of Mullvad's servers all at the same time (i.e. single WireGuard key pair for all configs), so all of the interface stuff would remain constant and only the peer details would change.
I haven't actually tried it out yet, so if someone can confirm that it will or won't work and save me the time, I'd be very grateful.
I have yet to do this successfully, but I'm still experimenting by trial and error. If it can be done I’ll figure it out. But the tagged solution is accurate. WireGuard 1.0 on OpenWrt is not as easily configured with LuCI in this way. This will likely change in the future because it’s probably what a lot of users want. A working setup with enabled/disabled checkboxes will be developed.
PS: When you have added multiple peers to the WireGuard interface, you can edit the individual peers and check or uncheck the "Peer Disabled" checkbox. However, you have to also change the general settings for the entire interface to include your private and public key and as egc pointed out those are not going to be the same for every peer.
The original solution I tagged is the correct answer. Switching between peers is not so easy currently. You'd need a good script to do it all and restart the services in the right order too. I've likewise found if you poweroff and then reboot cold, the WireGuard setup doesn't always work without some fiddling, like restarting the wan and the lan after booting. Guessing it has something to do with time sync on the Pi that has no realtime clock.
My experience has been more positive. On a BPI-R3, I added two Mullvad servers as peers on a single WireGuard interface. I was able to switch back and forth between them and establish a connection simply by toggling the enabled/disabled as you mentioned and then restarting the WG interface.
The caveat is that I was adding peers from the same VPN, and I had generated the configurations at the same time under one "device" (i.e. WireGuard key pair) in my Mullvad account. So the keys and details in the WG interface remained constant, and only the server address and server public key differed for each peer.
I mentioned that could work earlier, but didn't follow my own advice. More stuff to try.
Just another note for my future reference. WireGuard won't work properly, or at all, unless the system clock is correct. The NTPD service won't work properly on OpenWrt - or if it does, I can't figure out how to set it up. I added the package ntpdate and wrote a script to put in /etc/rc.local (System > Startup > Local Startup in LuCI).
Use nano and create a file /root/set_time.sh with contents:
#!/bin/sh
# Maximum number of attempts
max_attempts=60
# Wait for internet connectivity
attempts=0
while [ $attempts -lt $max_attempts ]; do
    if ping -c 1 8.8.8.8 > /dev/null; then
        break
    fi
    attempts=$((attempts + 1))
    sleep 1
done
# Check if the maximum number of attempts is reached
if [ $attempts -eq $max_attempts ]; then
    echo "Timeout: Internet connectivity not established. Exiting."
    exit 1
fi
# Set the time using ntpdate
/usr/sbin/ntpdate 132.163.96.3
You can change the IP of the NTP server on the last line to your preferred server.
Save the file and make it executable:
chmod +x /root/set_time.sh
Add this line to rc.local on a line before exit 0:
/root/set_time.sh &
Don't forget the & on that line - it makes the script run in the background.
NTP appears to be working correctly out of the box on an SDCard install of the r24936 snapshot to a BPI-R3. I used the "sync with browser" button in LuCI to get close enough for my WireGuard VPN to connect initially, though. After that, NTP took over using the default servers.
The Raspberry Pi 4 has no realtime clock. NTPd doesn’t work on it no matter what I do. Look at your logs. It’s not working.
Time synchronisation works just fine out of the box on a rpi4. As long as there's a working connection to the internet the default config will get a correct time.
Not on the first boot; maybe after an indeterminate amount of time.
It cannot resolve the NTP address with DNS until it has the correct time, and it cannot get the time without a DNS lookup.
Ouroboros.
So you sync using browser, but if it is down for a while and gets the time out of sync enough, back to manual setting using browser.
If using a strictly secure DNS you can add numeric IPs of NTP servers in /etc/config/system so that the time can be acquired without DNS. It is not necessary to install a different NTP client.
First boot defaults are set up to use the ISP DNS advertised by DHCP, and it is not encrypted.
That is great to know, but the numeric IP addresses are not general knowledge; I would love to have one or two because this is a PITA issue with a Pi.
Yeah, but even if the install pulls a DNS, if the Pi thinks it is 2020 @ 2300 the DNS is going to drop the request because the time is ridiculously off.
root@OpenWrt:~# nslookup 0.pool.ntp.org | grep -oE "[0-9]{1,3}[.][0-9]{1,3}[.][0-9]{1,3}[.][0-9]{1,3}" | tail -n4
172.105.168.117
103.160.117.20
203.135.184.123
67.219.100.202
root@OpenWrt:~# nslookup 1.pool.ntp.org | grep -oE "[0-9]{1,3}[.][0-9]{1,3}[.][0-9]{1,3}[.][0-9]{1,3}" | tail -n4
220.158.215.20
27.124.125.252
139.180.160.82
139.99.236.38
If you ping any named NTP server, the numerical value is returned.