And the public key for each peer is different? Taken from the setup on the client device?
The public key was generated by the Android application with a QR code. Let me regenerate it by hand, give me some minutes. This could be it.
The Android app does not use nice fonts and I cannot distinguish L from l from I.
I regenerated client keys (private, public and PSK).
Now it returns:
interface: wg0
  public key: ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
  private key: (hidden)
  listening port: 51820

peer: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  preshared key: (hidden)
  allowed ips: 10.0.10.2/32, 10.0.10.3/32
  persistent keepalive: every 25 seconds
So it is not complaining about the public key any longer!
Still, I cannot connect with the Debian client.
That would appear to indicate that the same public key is being used for both peers, unless you've changed one of the peer configs to put both 10.0.10.2/32 and 10.0.10.3/32 in the AllowedIPs?
All public and private keys are different, I just double-checked.
Have you restarted the WG interface?
I just restarted and wg show is still similar. To make it simple and avoid reading the whole thread, my config is as follows:
config interface 'wg0'
	option proto 'wireguard'
	list addresses '10.0.10.1/24'
	option private_key ''
	option listen_port '51820'

config wireguard_wg0
	option public_key ''
	option preshared_key ''
	option description 'x230'
	option persistent_keepalive '25'
	list allowed_ips '10.0.10.2'

#config wireguard_wg0
	option public_key ''
	option preshared_key ''
	option description 'samsunggalaxy'
	option persistent_keepalive '25'
	list allowed_ips '10.0.10.3'
Get rid of the # and then restart everything again.
Good catch, thanks. Works.
interface: wg0
  public key: AAAAAAAAAAAAAAAAAAAAAAAAAA
  private key: (hidden)
  listening port: 51820

peer: BBBBBBBBBBBBBBBBBBBBBBBBBB
  preshared key: (hidden)
  allowed ips: 10.0.10.2/32
  persistent keepalive: every 25 seconds

peer: CCCCCCCCCCCCCCCCCCCCCCCCC
  preshared key: (hidden)
  allowed ips: 10.0.10.3/32
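As an added illustration (not code from the thread or from OpenWrt), a small Python model of how UCI reads that file: lines starting with `#` are dropped, and every `option`/`list` line attaches to the most recently opened `config` section. Commenting out only the `config wireguard_wg0` line of the second peer therefore does not remove the peer; its public key overwrites the first peer's and its allowed IP is appended, which is exactly the single peer with two allowed IPs seen earlier. The key values are constructed placeholders.

```python
# Minimal model of the UCI file parser (added example, not the real libuci).
# Comment lines are skipped; 'option' overwrites, 'list' appends, and both
# always target the last 'config' section that was opened.
import shlex

def parse_uci(text):
    """Return a list of sections: {'type', 'name', 'options', 'lists'}."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue  # comments and blank lines are ignored entirely
        words = shlex.split(line)
        kw = words[0]
        if kw == 'config':
            current = {'type': words[1], 'name': words[2] if len(words) > 2 else None,
                       'options': {}, 'lists': {}}
            sections.append(current)
        elif kw == 'option' and current is not None:
            # a repeated option in the same section replaces the earlier value
            current['options'][words[1]] = words[2] if len(words) > 2 else ''
        elif kw == 'list' and current is not None:
            # a repeated list entry accumulates
            current['lists'].setdefault(words[1], []).append(words[2] if len(words) > 2 else '')
    return sections

def peers(text):
    """Return (public_key, allowed_ips) for every wireguard_wg0 peer section."""
    return [(s['options'].get('public_key'), s['lists'].get('allowed_ips', []))
            for s in parse_uci(text) if s['type'] == 'wireguard_wg0']

# Constructed config mirroring the thread's layout, with placeholder keys.
BROKEN = """
config interface 'wg0'
    option proto 'wireguard'
    list addresses '10.0.10.1/24'
    option listen_port '51820'

config wireguard_wg0
    option public_key 'PEER_B_PUBKEY'
    option description 'x230'
    list allowed_ips '10.0.10.2'

#config wireguard_wg0
    option public_key 'PEER_C_PUBKEY'
    option description 'samsunggalaxy'
    list allowed_ips '10.0.10.3'
"""
FIXED = BROKEN.replace('#config', 'config')  # remove the stray '#'

if __name__ == '__main__':
    print(peers(BROKEN))  # one peer: PEER_C key, allowed_ips 10.0.10.2 and 10.0.10.3
    print(peers(FIXED))   # two peers, one allowed IP each
```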
In fact, you can set up WG server and generate client profiles with a single script.
All that remains is to transfer and import client profiles.
It helps to avoid a lot of mistakes like those.
Thanks. One last question.
My LAN and WLAN are on the same bridge, so they are on the same subnet.
When connecting to a WLAN or a LAN host, no encryption is being used, as shown in the routing table on the client side:
sudo route -n
Table de routage IP du noyau
Destination     Passerelle      Genmask         Indic Metric Ref    Use Iface
0.0.0.0         192.168.9.1     0.0.0.0         UG    100    0        0 enp0s25
0.0.0.0         192.168.9.1     0.0.0.0         UG    600    0        0 wlp3s0
10.0.10.0       0.0.0.0         255.255.255.0   U     0      0        0 wg0
192.168.9.0     0.0.0.0         255.255.255.0   U     100    0        0 enp0s25
192.168.9.0     0.0.0.0         255.255.255.0   U     600    0        0 wlp3s0
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0
It's only when connecting to an address other than 192.168.9.x that the VPN is being used.
Now that my wireless clients are using wg VPN, I would like to access the LAN using wireguard and not only wireless. This means that I would like to have different subnets, one for wireless and one for WIFI.
I am not sure how to achieve it. Does it mean I shall create a separate VLAN for my LAN? Is there a quick way to separate WLAN and LAN in LuCI and have separate DHCP for hosts?
It could be tricky as I also have a mesh running. So I would like to keep WLAN+mesh on the one hand and LAN on the other hand.
Personally, I use different domain suffixes to resolve LAN and VPN host names separately:
- VPN suffix is configured to expand short names automatically.
- LAN suffix relies on mDNS, so it works even when VPN is not available.
Thanks, I would be glad if you could share your configuration.
My point is that when a host (typically a small server) is connected to the OpenWRT router switch with ethernet, it does not need a point-to-point VPN, as the router can take care of the VPN. In a small family, I trust my ethernet wires. I only want to protect wireless WIFI or 4G roaming.
So a typical roadwarrior traceroute would be:
wireless client => VPN wireless client => VPN OpenWRT router => mini server via ethernet
So all I need to do is create a separate subnet on both ethernet ports on my GliNet B1300 router, separate from the br-lan bridge. How to achieve that? Is your suffix solution even simpler?
It should be similar to guest WLAN, except for the wireless configuration step:
Just disable bridging for LAN and assign your WLAN to the network created on the first step.
Thanks. This is a very interesting approach.
I am planning to offer two ESSID on wireless WIFI: essid-secure and essid-unsecure.
On essid-secure I will allow only the WireGuard port and drop all other traffic. On essid-unsecure, I can connect my television and other unsecure devices and keep them away from the main network.