Only 1 of 2 Wireguard VPN interfaces works

I am trying to set up 2 additional network interfaces (separate from lan) with VPN. Each interface should use a different VPN server (both from the same provider, Mullvad).

They are both set up in a very similar way, but only one ever worked at any given time.

At the moment, Interface #1 does not work: devices can connect to the interface, and they get an IP in the 10.10.10.X range, but they have no internet.

Interface #1 (which doesn't work currently):

```
config interface 'VPN_1'
        option proto 'static'
        option device 'br-vpn-1'
        option netmask '255.255.255.0'
        list dns '-PROVIDER DNS-'
        option ipaddr '10.10.10.1'

config interface 'WG_VPN_1'
        option proto 'wireguard'
        option private_key '-PRIVATE KEY #1-'
        option listen_port '51820'
        list addresses '-PROVIDER IP #1-'

config wireguard_WG_VPN_1
        option public_key '-REDACTED-'
        list allowed_ips '0.0.0.0/0'
        option endpoint_host '-REDACTED-'
        option endpoint_port '51820'
        option description '-REDACTED-'

config rule
        option in 'VPN_1'
        option lookup '1742'

config route
        option interface 'WG_VPN_1'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option table '1742'
```

Interface #2 (which works):

```
config interface 'VPN_2'
        option proto 'static'
        option device 'br-vpn-2'
        option ipaddr '10.10.12.1'
        option netmask '255.255.255.0'
        list dns '-PROVIDER DNS-'

config interface 'WG_VPN_2'
        option proto 'wireguard'
        option private_key '-PRIVATE KEY #2-'
        option listen_port '51820'
        list addresses '-PROVIDER IP #2-'

config wireguard_WG_VPN_2
        option description '-REDACTED-'
        option public_key '-REDACTED-'
        list allowed_ips '0.0.0.0/0'
        option endpoint_host '-REDACTED-'
        option endpoint_port '51820'

config rule
        option in 'VPN_2'
        option lookup '1743'

config route
        option interface 'WG_VPN_2'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option table '1743'
```

Is there something obvious that I am missing?

Do you have a proper forwarding rule in the firewall to allow zone of interface VPN_1 to forward to WG_VPN_1?

Hi @trendy and many thanks for chiming in!

This is the firewall rule for the WG_VPN_1 interface:

And this is the firewall rule for the VPN_1 interface:

VPN_2 and WG_VPN_2 are also configured in the same way:

Remove the option listen_port '51820' from both wg interfaces.

2 Likes

Thanks so much, that fixed it.

I noticed that the default listening port for the WG interfaces is 51820 by default anyway; any thoughts on why removing the explicit setting fixes this?

If you don't specify a port then it will (as far as I know) pick a random port to listen on. Obviously for inbound connections this is less useful so you can specify a port (i.e. option listen_port).

The reason why removing the setting fixed your issue is that your two interfaces will now be running on different ports, rather than both trying to use 51820.

2 Likes
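As an added illustration (not code from this thread, from OpenWrt, or from Mullvad), here is a small POSIX shell checker that reads UCI-style `/etc/config/network` text and reports the two things a reviewer would look for in the configs above: a `listen_port` shared by more than one WireGuard interface (the cause of the problem here), and, going one step further than the thread, a policy-routing `config rule` whose `lookup` table has no matching `config route` (the thread's config already has that pairing right). The sample config is constructed with placeholder keys, and the function names `duplicate_listen_ports`, `unmatched_rule_tables` and `check_network_config` are my own. It assumes UCI values contain no spaces, which holds for the options involved.

```shell
#!/bin/sh
# Added example: static checks over OpenWrt UCI network config text.
# Not from the thread; function names and the sample below are constructed.

# Constructed sample modeled on the thread's config: both WireGuard
# interfaces share listen_port 51820, and rule table 1743 has no route.
SAMPLE_NETWORK="$(cat <<'EOF'
config interface 'WG_VPN_1'
        option proto 'wireguard'
        option private_key 'PLACEHOLDER_KEY_1'
        option listen_port '51820'
        list addresses 'PLACEHOLDER_ADDR_1'

config interface 'WG_VPN_2'
        option proto 'wireguard'
        option private_key 'PLACEHOLDER_KEY_2'
        option listen_port '51820'
        list addresses 'PLACEHOLDER_ADDR_2'

config rule
        option in 'VPN_1'
        option lookup '1742'

config route
        option interface 'WG_VPN_1'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option table '1742'

config rule
        option in 'VPN_2'
        option lookup '1743'
EOF
)"

# Shared awk parser: numbers each 'config' section, records its type,
# and stores every option (quotes stripped) as opt[section, name].
UCI_PARSE='
    $1 == "config" { n++; type[n] = $2 }
    $1 == "option" || $1 == "list" { v = $3; gsub(/\047/, "", v); opt[n, $2] = v }
'

# Print each listen_port used by more than one proto=wireguard interface.
duplicate_listen_ports() {
    printf '%s\n' "$1" | awk "$UCI_PARSE"'
    END {
        for (i = 1; i <= n; i++)
            if (type[i] == "interface" && opt[i, "proto"] == "wireguard" \
                && ((i, "listen_port") in opt))
                seen[opt[i, "listen_port"]]++
        for (p in seen) if (seen[p] > 1) print p
    }' | sort -n
}

# Print each "config rule" lookup table that no "config route" populates:
# traffic matched by such a rule hits an empty table and goes nowhere.
unmatched_rule_tables() {
    printf '%s\n' "$1" | awk "$UCI_PARSE"'
    END {
        for (i = 1; i <= n; i++)
            if (type[i] == "route" && ((i, "table") in opt))
                has_route[opt[i, "table"]] = 1
        for (i = 1; i <= n; i++)
            if (type[i] == "rule" && ((i, "lookup") in opt) \
                && !(opt[i, "lookup"] in has_route))
                print opt[i, "lookup"]
    }'
}

# Run both checks; return 1 if either reports a finding.
check_network_config() {
    status=0
    for port in $(duplicate_listen_ports "$1"); do
        echo "listen_port $port is set on more than one WireGuard interface"
        status=1
    done
    for table in $(unmatched_rule_tables "$1"); do
        echo "rule lookup table $table has no matching route"
        status=1
    done
    return $status
}

check_network_config "$SAMPLE_NETWORK" || echo "problems found in sample config"
```

On a router, run the same checks on the live file with `check_network_config "$(cat /etc/config/network)"`. Removing `listen_port` from one or both WireGuard sections, as advised above, clears the first finding, since an unset port is chosen per interface.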

Thanks @krazeh !

Makes sense, and you're right, I have no intention of setting up inbound connections, so this works a treat for my use case.

Thanks again both, and hopefully this will help others in the future as well :+1:
