No wg0 interface after upgrade from 24.10.3 to 24.10.5

I have a D-Link Eagle PRO AI M32 A1 - OpenWrt 24.10.5 r29087-d9c5716d1d / LuCI openwrt-24.10 branch 26.043.84860~6cf8bf9

After upgrade, my wg0 is gone. I've installed:

wireguard-tools 1.0.20210914-r4 27.76 KiB WireGuard is a novel VPN that runs inside the Linux Kernel and utilizes… Installed
kmod-wireguard 6.6.119-r1 35.02 KiB WireGuard is a novel VPN that runs inside the Linux Kernel and utilizes… Installed
luci-proto-wireguard 26.043.84860~6cf8bf9 11.46 KiB Support for WireGuard VPN Installed

But wg0 keeps using random ports and not the configured port from /etc/config/network.

Is this something we can fix?

Does this mean nothing can connect?

post this, redact the keys ...
post firewall file too.


You should upgrade with owut / luci-app-attendedsysupgrade.
If you "upgraded" just once you still have all preserved conf files, you just need to add packages that you abandoned.

If you mean the endpoint port then your settings are outdated.

Would you happen to know which setting is outdated?

The best way to troubleshoot this is to see the ground truth:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):


Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

```
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
wg show
opkg list-installed | grep wireguard
```

Let us call the clairvoyant and get back to you.

Look at the peer section of your WG0 interface.

Endpoint Host and Endpoint port are now separate:

	option endpoint_host '149.40.50.98'
	option endpoint_port '51820'

But if that is not your problem, please show the configs as asked.

Here is the /etc/config/network:

```
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'PrivateKey='
	option listen_port '28658'
	list addresses '10.1.1.1/24'

config wireguard_wg0
	option description 'pixel6a'
	option public_key 'PublicKey='
	option private_key 'PrivateKey='
	option preshared_key 'Preshared-Key='
	list allowed_ips '10.1.1.2/32'
	option endpoint_host 'ddns.address'
	option endpoint_port '28658'
	option persistent_keepalive '25'
```

Here is the /etc/config/firewall:

```
config rule
	option name 'Allow-WireGuard'
	option src 'wan'
	option proto 'udp'
	option dest_port '28658'
	option target 'ACCEPT'

config zone
	option name 'wg'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'wg0'

config forwarding
	option src 'wg'
	option dest 'lan'

config forwarding
	option src 'wg'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'wg'
```

When I do a

```
root@OpenWrt:~# ip link set down dev wg0
root@OpenWrt:~# wg showconf wg0
[Interface]

root@OpenWrt:~# ip link set up dev wg0
root@OpenWrt:~# wg show
```

it will show that it listens, then after maybe a while, it shows port 0 and as a result, no handshakes.

The endpoint host and port don't belong here since your WG interface is really set up as a 'server' for inbound connections. Delete those two lines.

You also may want to add `option route_allowed_ips '1'` so that your Pixel gets routed appropriately.

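The misconfiguration identified in the reply above, as an added check that is not part of any post and not OpenWrt's own tooling: a POSIX shell/awk function that reads a UCI network file and reports WireGuard peers that set `endpoint_host` or `endpoint_port` on an interface that also has a `listen_port`. The function names and the sample config (modelled on the posted one, with `ddns.example.net` as a placeholder host) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: flag WireGuard peers that carry
# endpoint_host/endpoint_port although their interface has a listen_port.
wg_peer_audit() {   # reads a UCI network file ($1) or stdin
    awk '
    function unq(s) { gsub(/^\047|\047$/, "", s); return s }
    $1 == "config" {
        kind = ""
        if ($2 == "interface") { kind = "if"; cur = unq($3) }
        else if ($2 ~ /^wireguard_/) { kind = "peer"; cur = ++n; piface[n] = substr($2, 11) }
        next
    }
    ($1 == "option" || $1 == "list") && kind != "" {
        val = $0
        sub(/^[ \t]*(option|list)[ \t]+[^ \t]+[ \t]+/, "", val)
        val = unq(val)
        if (kind == "if" && $2 == "proto") proto[cur] = val
        if (kind == "if" && $2 == "listen_port") lport[cur] = val
        if (kind == "peer" && $2 == "description") desc[cur] = val
        if (kind == "peer" && $2 == "endpoint_host") ehost[cur] = val
        if (kind == "peer" && $2 == "endpoint_port") eport[cur] = val
    }
    END {   # evaluate at the end so section order in the file does not matter
        for (i = 1; i <= n; i++) {
            ifc = piface[i]
            if (proto[ifc] != "wireguard" || lport[ifc] == "") continue
            if (ehost[i] == "" && eport[i] == "") continue
            why = (eport[i] == lport[ifc]) ? "endpoint_port equals listen_port" : "endpoint set on listening interface"
            printf "%s peer=%s endpoint=%s:%s listen_port=%s (%s)\n", ifc, desc[i], ehost[i], eport[i], lport[ifc], why
        }
    }' "${1:--}"
}

sample_config() {   # constructed input modelled on the posted config
    cat <<'EOF'
config interface 'wg0'
	option proto 'wireguard'
	option listen_port '28658'

config wireguard_wg0
	option description 'pixel6a'
	list allowed_ips '10.1.1.2/32'
	option endpoint_host 'ddns.example.net'
	option endpoint_port '28658'
EOF
}

sample_config | wg_peer_audit
```

On a router the same function can be pointed at the real file with `wg_peer_audit /etc/config/network`; no output means no peer matched.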
```
root@OpenWrt:~# ubus call system board
{
	"kernel": "6.6.119",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "D-Link EAGLE PRO AI M32 A1",
	"board_name": "dlink,eagle-pro-ai-m32-a1",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.5",
		"revision": "r29087-d9c5716d1d",
		"target": "mediatek/mt7622",
		"description": "OpenWrt 24.10.5 r29087-d9c5716d1d",
		"builddate": "1766005702"
	}
}
root@OpenWrt:~# cat /etc/config/network
```

```
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	option igmp_snooping '1'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config bridge-vlan
	option device 'br-lan'
	option vlan '254'
	list ports 'lan1:t'
	list ports 'lan2:t'

config interface 'vlan254'
	option device 'br-lan.254'
	option proto 'static'
	option ipaddr '192.168.254.1'
	option netmask '255.255.255.248'

config bridge-vlan
	option device 'br-lan'
	option vlan '40'
	list ports 'lan1:t'
	list ports 'lan2:t'

config interface 'guest'
	option device 'br-lan.40'
	option proto 'static'
	option ipaddr '192.168.40.1'
	option netmask '255.255.255.0'

config bridge-vlan
	option device 'br-lan'
	option vlan '90'
	list ports 'lan1:t'
	list ports 'lan2:t'

config interface 'dpn'
	option device 'br-lan.90'
	option proto 'static'
	option ipaddr '192.168.90.1'
	option netmask '255.255.255.248'

config bridge-vlan
	option device 'br-lan'
	option vlan '100'
	list ports 'lan1:t'
	list ports 'lan2:t'

config interface 'servers'
	option device 'br-lan.100'
	option proto 'static'
	option ipaddr '192.168.100.1'
	option netmask '255.255.255.0'

config bridge-vlan
	option device 'br-lan'
	option vlan '253'
	list ports 'lan1:t'
	list ports 'lan2:t'

config interface 'audiovc'
	option device 'br-lan.253'
	option proto 'static'
	option ipaddr '192.168.253.1'
	option netmask '255.255.255.240'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '1'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:t'
	list ports 'lan2:t'

config interface 'printers'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.248'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'PrivateKey='
	option listen_port '28658'
	list addresses '10.1.1.1/24'

config wireguard_wg0
	option description 'pixel6a'
	option public_key 'PublicKey='
	option private_key 'PrivateKey='
	option preshared_key 'Preshared_KEY='
	list allowed_ips '10.1.1.2/32'
	option endpoint_host 'ddns.Address'
	option endpoint_port '28658'
	option persistent_keepalive '25'
```

```
root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'audiovc'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'audiovc'

config zone
	option name 'dpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'dpn'

config zone
	option name 'guest'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list network 'guest'

config zone
	option name 'servers'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'servers'

config zone
	option name 'vlan254'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'vlan254'

config forwarding
	option src 'audiovc'
	option dest 'lan'

config forwarding
	option src 'audiovc'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'audiovc'

config forwarding
	option src 'dpn'
	option dest 'lan'

config forwarding
	option src 'dpn'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'dpn'

config forwarding
	option src 'guest'
	option dest 'wan'

config forwarding
	option src 'wan'
	option dest 'guest'

config forwarding
	option src 'servers'
	option dest 'lan'

config forwarding
	option src 'servers'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'servers'

config forwarding
	option src 'vlan254'
	option dest 'lan'

config forwarding
	option src 'vlan254'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'vlan254'

config zone
	option name 'printers'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'printers'

config forwarding
	option src 'printers'
	option dest 'lan'

config forwarding
	option src 'printers'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'printers'

config zone
	option name 'wg'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'wg0'

config forwarding
	option src 'wg'
	option dest 'lan'

config forwarding
	option src 'wg'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'wg'

config forwarding
	option src 'servers'
	option dest 'audiovc'

config forwarding
	option src 'servers'
	option dest 'dpn'

config forwarding
	option src 'servers'
	option dest 'printers'

config forwarding
	option src 'servers'
	option dest 'vlan254'

config forwarding
	option src 'servers'
	option dest 'wg'

config forwarding
	option src 'vlan254'
	option dest 'audiovc'

config forwarding
	option src 'vlan254'
	option dest 'dpn'

config forwarding
	option src 'vlan254'
	option dest 'printers'

config forwarding
	option src 'vlan254'
	option dest 'servers'

config rule
	option name 'Allow-Router-DNS'
	option src '*'
	option dest 'wan'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

config forwarding
	option src 'audiovc'
	option dest 'servers'

config forwarding
	option src 'audiovc'
	option dest 'vlan254'

config redirect
	option dest 'servers'
	option target 'DNAT'
	option name 'Postgres'
	option family 'ipv4'
	list proto 'tcp'
	option src 'wan'
	option src_dport '5432'
	option dest_ip '192.168.100.203'
	option dest_port '5432'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'fx-fivem'
	option src 'wan'
	option src_dport '40120'
	option dest_ip '192.168.1.154'
	option dest_port '40120'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'fx-fivem-test'
	option src 'wan'
	option src_dport '40140'
	option dest_ip '192.168.1.154'
	option dest_port '40140'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'server'
	option src 'wan'
	option src_dport '30120'
	option dest_ip '192.168.1.154'
	option dest_port '30120'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'server-test'
	option src 'wan'
	option src_dport '30140'
	option dest_ip '192.168.1.154'
	option dest_port '30140'

config redirect
	option dest 'servers'
	option target 'DNAT'
	option name 'srv01-test'
	option src 'wan'
	option src_dport '30140'
	option dest_ip '192.168.100.171'
	option dest_port '30120'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'torrent'
	option src 'wan'
	option src_dport '6881'
	option dest_ip '192.168.100.221'
	option dest_port '6881'

config redirect
	option dest 'printers'
	option target 'DNAT'
	option name 'Printer'
	option family 'ipv4'
	list proto 'tcp'
	option src 'lan'
	option src_dport '9100'
	option dest_ip '192.168.10.5'
	option dest_port '9100'

config rule
	option name 'Allow-WireGuard'
	option src 'wan'
	option proto 'udp'
	option dest_port '28658'
	option target 'ACCEPT'
```

```
root@OpenWrt:~# wg show
interface: wg0
root@OpenWrt:~# opkg list-installed | grep wireguard
kmod-wireguard - 6.6.119-r1
luci-proto-wireguard - 26.043.84860~6cf8bf9
wireguard-tools - 1.0.20210914-r4
```




I did, however it removes WireGuard, leaving the proto missing, so it was broken; now I'm still confused as to what changed.

But when I commented endpoint host and port, it's working.
