"No client associated" - WireGuard IVPN

After watching this VPN + DNS comparison video, I have now been trying to add IVPN but found that I can't get neither IVPN nor Proton VPN to connect whereas two days ago Proton VPN was managing to connect albeit I had no functional wireless connection.

Today I've tried importing the settings from the config file and copying/pasting the details manually but neither of the two methods seem to get a handshake from either VPN. On the wireless tab the radio indicates "no client associated", wired connection works fine albeit the VPN isn't working and the wireless signal indicates no internet access on mobile devices.. Here's my log:

BusyBox v1.35.0 (2022-10-14 22:44:41 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 22.03.2, r19803-9a599fee93
 -----------------------------------------------------
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd2e:a2b0:d9d6::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '2a07:a8c0::df:afbd'

config device
	option name 'wan'
	option macaddr 'XXX'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	option dns_metric '20'
	list dns 'XXX::df:afbd'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'
	list dns 'XXX::df:afbd'

config interface 'ivpnMIA'
	option proto 'wireguard'
	option private_key 'XXX'
	list addresses '172.29.240.45/32'
	list addresses 'fd00:4956:504e:ffff::ac1d:f02d/128'
	option peerdns '0'
	list dns 'XXX::df:afbd'

config wireguard_ivpnMIA
	option description 'Imported peer configuration'
	option public_key 'XXX'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::0/0'
	option endpoint_host '173.44.49.93'
	option endpoint_port '2049'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
	option band '5g'
	option cell_density '0'
	option country 'CO'
	option htmode 'VHT20'
	option channel 'auto'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option macaddr 'XXX'
	option key 'XXX'
	option ssid 'Chromecast'
	option encryption 'psk2'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
	option band '2g'
	option htmode 'HT20'
	option disabled '1'
	option country 'CO'
	option cell_density '0'
	option channel 'auto'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option macaddr '60:38:e0:b7:2d:21'
	option encryption 'psk2'
	option ssid 'Signal 2'

config wifi-device 'radio2'
	option type 'mac80211'
	option path 'platform/soc/soc:internal-regs/f10d8000.sdhci/mmc_host/mmc0/mmc0:0001/mmc0:0001:1'
	option band '5g'
	option disabled '1'
	option country 'CO'
	option cell_density '0'
	option htmode 'VHT20'
	option channel 'auto'

config wifi-iface 'default_radio2'
	option device 'radio2'
	option network 'lan'
	option mode 'ap'
	option encryption 'psk2'
	option ssid 'Signal 3'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'vpn'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	option masq '1'
	list network 'ivpnMIA'

config forwarding
	option src 'lan'
	option dest 'vpn'

What is the output from

wg show

root@OpenWrt:~# wg show
interface: ivpnMIA
  public key: ktt715gzviLjYxDCkRPmKRQcxIPZpdjK/fCd4ra58l8=
  private key: (hidden)
  listening port: 41748

peer: Rkzo9WgxJBiKyEbkZvqGWtOVh9Gk9Vd7wL49SHXdHig=
  endpoint: 173.44.49.93:2049
  allowed ips: 0.0.0.0/0, ::/0

This setup is strictly from a copy & paste from the config file. I'm not sure where it gets that public key from since I don't see it in the file (it was the same case with Proton). I've tried manually replacing the public key with the one stated in the config file but that didn't seem to help.

Ok. So no handshake.

Usually this happens because of:

• an error in the keys
• incorrect endpoint ip/domain or port
• incorrect time for the system clock

Double check the first 2 items based on your previous config. Make sure the keys are exactly the same as they were previously.

And for the time - what is the output of

date

root@OpenWrt:~# date
Thu Feb 23 02:41:57 UTC 2023

That's not my real time zone though

Public key is derived from the private key (it is done with an algorithm)

The public key in the peer config must match the one for the endpoint to which you are connecting. That will be provided to you by the vpn provider.

The public key (derived from your private key) must be exchanged with the vpn provider so that they have your public key in their respective peer config.

First of course make sure you can ping the other endpoint.

The interface public key is derived from your local private key (This derivation is one-way, so there is no way a peer or a man in the middle should know your private key). This public key must be registered at the VPN server as a peer. The peer public key is likewise the server's interface public key.

@mk24 @psherman I double checked the details with the config file and everything seems to match. I think it might be the time zone since the date output is hours off from my system/local time. How do I correct this?

I don’t think time zone matters here as long as that is accurate in utc. However, that is in the system config option.

I doubt that's the problem as networking devices are generally set to UTC.

I'm running Fedora Silverblue and the system time zone in the settings is accurate. IDK why the date command indicated UTC. I'm not sure if I needed to check/adjust the time zone with a command (I'm not adept with the terminal).

As @MK24 indicated network devices use UTC.

Select LuCI/System/System. It should show your local time.

Can you try this same wg config on a phone or computer to see if it connects properly? This will help us determine if the problem is related to openwrt or the keys/config from the vpn provider.