Newbie help configuring Wireguard

I'm trying to use luci-proto-wireguard to configure wireguard, following these directions, but the interface does not get created - ip and ifconfig show that no wireguard interface exists. I've tried connecting and reconnecting numerous times, but it hasn't helped. The generated stanzas in /etc/configure/network look like this:

config interface 'foo'
	option proto 'wireguard'
	option private_key 'private_key1'
	option listen_port '51820'
	list addresses '10.0.0.1/32'

config wireguard_foo
	option public_key 'public_key2'
	list allowed_ips '10.0.0.2'

I can successfully create an interface using:

# ip link add dev foo type wireguard

What am I doing wrong?

You're missing some configuration.

I finally got around to tinkering with WireGuard on OpenWRT, and it's just as easy - possibly easier than - setting it up on other systems.

Here is a sanitised excerpt of a working configuration, taken from a setup which I've got on my desk right now as I type this:

/etc/config/network

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'this endpoint's private key'
	option listen_port '51280'
	list addresses '192.168.71.5'

config wireguard_wg0
	option public_key 'other endpoint's public key'
	list allowed_ips '192.168.71.0/24'
	list allowed_ips '192.168.68.0/24'
	option route_allowed_ips '1'
	option endpoint_host 'other endpoint's IP address'
	option endpoint_port '51280'
	option persistent_keepalive '25'
	option description 'other endpoint's description'
	option preshared_key 'pre-shared key'

/etc/config/firewall

config zone
	option input 'ACCEPT'
	option forward 'DROP'
	option output 'ACCEPT'
	option name 'wireguard'
	option masq '1'
	option network 'wg0'

config forwarding
	option dest 'wireguard'
	option src 'lan'

ifconfig

wg0       Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:192.168.71.5  P-t-P:192.168.71.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:123 errors:43 dropped:0 overruns:0 frame:43
          TX packets:541 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:16216 (15.8 KiB)  TX bytes:36932 (36.0 KiB)

The other endpoint is set up similarly. Feel free to change IP addresses and omit/include options to suit your requirements. Not every option is mandatory.

Thanks, but I'm still not getting the point of which mandatory configuration I'm missing. My 'config interface' is pretty much the same as yours. The key options in my 'config wireguard_foo' stanza also seem to be the same as yours. Most of the other stuff doesn't seem like it should prevent the interface from coming up, and as I've said, I've followed these instructions, by the guy who apparently wrote the OpenWRT Wireguard support, quite closely. Can you be a bit more specific about what else I need to add?

Observe that my configuration has a CIDR mask for the allowed_ips directives (I chose /24 because I want to allow an entire subnet rather than a single host), but not for the addresses directive.

If I swap my configuration around to match yours (adding a CIDR mask to the addresses directive, and removing it from the allowed_ips directives) then the interface fails to come up.

Thank you again, but I've tried every combination of with / without CIDR, and nothing works. My current configuration:

config interface 'foo'
	option proto 'wireguard'
	option private_key 'xxxx'
	option listen_port '51820'
	list addresses '10.0.0.1'

config wireguard_foo
	option public_key 'yyyy'
	list allowed_ips '10.0.0.2/24'

Thanks again for bearing with me on this.

Do you have a working internet connection on the device you are configuring?

Alright, that's just odd.

I trimmed my configuration to match yours: four lines for interface and two lines for the interface configuration.

The interface came up without demur.

What version of OpenWRT are you running, and on what device? As an example, I'm running 18.06.1 on a GL.iNet MT-300N-v2

Yes. I'm actually configuring it remotely via ssh / Luci over ssh forwarding.

Really dumb question time, so apologies if you've done this already: have you restarted the network stack after writing the configuration? /etc/init.d/network restart

OpenWrt 18.06.0, r7188-b0b5c64c22, on a TP-LINK Archer C2600. I had been simply restarting the interface via the Luci buttons, but I just tried via /etc/init.d and it's still not working. I probably am doing something silly, so feel free to continue with any suggestions at all.

Thanks.

With USB extroot or on the 2600 internal flash?

Maybe my setup here can help you out. Been encountering various issues with extroot USB drive causing various erratic behaviour.

What did you use to create the private key?

Restart the network stack - see above for command.

Immediately after restarting the network stack, what's the output of logread | grep foo ?

Yay! It's working. The thing that seems to have been wrong was the inclusion of a second, stray, empty 'config wireguard_foo' stanza in /etc/config/network.

I think that it was added at some point by Luci, but it may have been something I did wrong. Now I have to go back and see which of the other things are also fragile.

Thanks everyone for the help.

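A check for the failure found above, as an added example that is not part of any post in this thread: it scans a UCI network file for `config wireguard_*` peer stanzas that have no non-empty `public_key`, such as a stray empty duplicate. The function names `write_sample` and `check_wg_peers` are hypothetical, and the sample config is constructed from the values posted above.

```shell
# write_sample FILE: constructed config modelled on the thread, with a
# second, empty 'config wireguard_foo' stanza at the end (line 11).
write_sample() {
    cat > "$1" <<'EOF'
config interface 'foo'
    option proto 'wireguard'
    option private_key 'xxxx'
    option listen_port '51820'
    list addresses '10.0.0.1'

config wireguard_foo
    option public_key 'yyyy'
    list allowed_ips '10.0.0.2/24'

config wireguard_foo
EOF
}

# check_wg_peers FILE: print one line per peer stanza that has no
# non-empty public_key; exit status 1 if any was found, 0 otherwise.
check_wg_peers() {
    awk -v q="'" '
    function report() {
        if (peer != "" && !has_key) {
            printf "line %d: %s has no public_key\n", start, peer
            bad = 1
        }
        peer = ""; has_key = 0
    }
    $1 == "config" {
        report()                          # close the previous section
        sect = $2; gsub("[" q "\"]", "", sect)
        if (sect ~ /^wireguard_/) { peer = sect; start = NR }
        next
    }
    peer != "" && $1 == "option" && $2 == "public_key" {
        val = $3; gsub("[" q "\"]", "", val)
        if (val != "") has_key = 1
    }
    END { report(); exit bad + 0 }
    ' "$1"
}

# Demo on the constructed sample; on a router, pass /etc/config/network.
sample=$(mktemp)
write_sample "$sample"
check_wg_peers "$sample" || echo "remove or complete the stanzas listed above"
rm -f "$sample"
```

After removing a flagged stanza, restart the network stack with `/etc/init.d/network restart` as suggested earlier in the thread.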

How bizarre. I wonder how that happened. Something to keep an eye out for.

Still, as long as it's working now!

What version of OpenWrt are you using???

This was broken in earlier version 17 LEDE.

As above, OpenWrt 18.06.0, r7188-b0b5c64c22.


So...had you ever upgraded?

As I said, it was broken in 17. It's fine in 18. I'll look for the thread when I have time.

Glad you got it working! :+1:

As I said, throughout this thread I've been on 18.06.0, and still experienced the problem (I'm now on 18.06.1).