OpenWrt working with one peer but not another

Hi everyone,

I just set up Wireguard on OpenWrt and I'm having a strange issue: one peer is working fine (iOS) while another one is not (macOS).

Here is the config on OpenWrt's side:

Working peer:

Not working peer. The only difference is the IP:

Here is the config in the iOS Wireguard app (working):

And here is the config in the macOS app (not working):

When I activate the connection on the Mac, only a few bytes seem to go through.

I've tried with different DNS servers on the Mac side (10.6.0.1, 192.168.0.1, 1.1.1.1). They all work from the iOS app but not from the Mac. I've tried both inside and outside my home network, again iOS always works and not the Mac. I have another Wireguard peer on my Mac (a Raspberry Pi) which works perfectly and has a similar configuration. The public/private/shared keys are correct because I used OpenWrt to generate the configuration for both my iPhone and my Mac.

I'm a bit lost. Any ideas?

Thanks!

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

Thanks for the suggestions, here you go:

ubus call system board

{
        "kernel": "6.1.82",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "GL.iNet GL-MT6000",
        "board_name": "glinet,gl-mt6000",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "revision": "r25589-f84ed09d2c",
                "target": "mediatek/filogic",
                "description": "OpenWrt SNAPSHOT r25589-f84ed09d2c"
        }
}

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'REDACTED'

# LAN bridge over the five switch ports.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'

config device
        option name 'lan1'
        option macaddr 'REDACTED'

config device
        option name 'lan2'
        option macaddr 'REDACTED'

config device
        option name 'lan3'
        option macaddr 'REDACTED'

config device
        option name 'lan4'
        option macaddr 'REDACTED'

config device
        option name 'lan5'
        option macaddr 'REDACTED'

# Router LAN address 192.168.0.1/24; this is also the address the
# 'Wireguard OpenWrt' redirect in the firewall config points at.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.0.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth1'
        option macaddr 'REDACTED'

# WAN on VLAN 35; ISP-supplied DNS is ignored (peerdns 0) in favour of the listed resolvers.
config interface 'wan'
        option device 'eth1.35'
        option proto 'dhcp'
        option hostname 'REDACTED'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '8.8.8.8'

config interface 'wan6'
        option device 'eth1.35'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'

# WireGuard server interface: tunnel address 10.6.0.1/24, listening on UDP/51821.
# The firewall must accept UDP/51821 on the wan zone as an *input* rule for
# this to be reachable from outside (see the later replies in the thread).
config interface 'wg0'
        option proto 'wireguard'
        option private_key 'REDACTED'
        option listen_port '51821'
        list addresses '10.6.0.1/24'
        list dns '1.1.1.1'
        list dns '8.8.8.8'

# Peer stanzas. For the server side only public_key and the peer's /32
# allowed_ips are required (see the last reply in the thread).
# NOTE(review): the private_key in a peer stanza is the *client's* own key kept
# on the router (the config generator stores it to render the client config);
# once the client has its config, consider removing it so the router no longer
# holds a second copy of the peer's private key.
# endpoint_port only matters on the side that initiates the connection — the
# thread's final replies advise removing it from these server-side stanzas.
config wireguard_wg0
        option description 'iPhone 15 Pro'
        option public_key 'REDACTED'
        option private_key 'REDACTED'
        option preshared_key 'REDACTED'
        option endpoint_port '51821'
        option route_allowed_ips '1'
        list allowed_ips '10.6.0.2/32'

# Same shape as the iPhone peer; the only difference is the tunnel /32.
config wireguard_wg0
        option description 'MacBook Pro'
        option public_key 'REDACTED'
        option private_key 'REDACTED'
        option preshared_key 'REDACTED'
        option route_allowed_ips '1'
        option endpoint_port '51821'
        list allowed_ips '10.6.0.3/32'

cat /etc/config/firewall

# Default policy: unsolicited input and forwarding are rejected, output is allowed.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

# wg0 is a member of the 'lan' zone, so tunnel peers receive the same ACCEPT
# input/forward policy as wired LAN hosts, including the lan->wan forwarding below.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg0'

# wan zone: everything inbound rejected unless a rule below accepts it; NAT outbound.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# NOTE(review): the two rules below let ESP and UDP/500 from wan be forwarded
# into the lan zone (IPsec passthrough). Nothing in this thread uses IPsec —
# confirm they are still needed; if not, they are open forwardings to drop.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Port-forward of UDP/51820 from wan to a separate WireGuard instance on the Pi.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Wireguard Pi'
        list proto 'udp'
        option src 'wan'
        option src_dport '51820'
        option dest_ip '192.168.0.64'
        option dest_port '51820'

# NOTE(review): this DNATs UDP/51821 to the router's own LAN address for a
# service that terminates on the router itself. A redirect is the wrong tool for
# locally-terminated traffic; the replies below replace it with an ACCEPT input
# rule on the wan zone for UDP/51821 (no dest zone, no source port).
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Wireguard OpenWrt'
        list proto 'udp'
        option src 'wan'
        option src_dport '51821'
        option dest_ip '192.168.0.1'
        option dest_port '51821'

This 'Wireguard OpenWrt' redirect should be a rule, not a redirect/port-forward. Delete it and replace it with a rule:

On the Mac, what happens if you set the endpoint address to 192.168.0.1 while on your wifi? Does it successfully handshake?

After removing the redirect and adding the rule, it doesn't work from the iPhone anymore, strangely. I tried that before setting up the redirect and it didn't work, but I just did it again to confirm:

On the Mac, it doesn't handshake even if I use the local IP.

Thanks for your help!

The destination zone should be Device (input), not lan. Also, leave the source port blank.

And please don't post screenshots, use ssh and copy the relevant text.

That suggests an issue with the keys.


Ok indeed, with the following rule, the handshake does work between OpenWrt and the iPhone (but still not on the Mac):

# Input rule: accept UDP/51821 arriving on the wan zone. No 'dest' option means
# the traffic is destined to the device itself (the "Device (input)" zone
# mentioned in the reply above), which is what a locally-run WireGuard needs.
config rule
        option name 'Allow-Wireguard'
        list proto 'udp'
        option src 'wan'
        option dest_port '51821'
        option target 'ACCEPT'

Regarding keys, I don't see how this could be the problem because, again, OpenWrt generated the configuration, which I copied and pasted into the Wireguard app on the Mac. However, I will try entering the keys manually to make sure.

Thanks

Remove the preshared keys for now — just one less thing to get in the way.

Just did, same result. Here is the configuration on the Mac side:

# Client (Mac) config as exported from OpenWrt, with the preshared key removed.
[Interface]
PrivateKey = ///////////REDACTED////////////
# NOTE(review): a fixed ListenPort is optional on a roaming client; it was left as exported.
ListenPort = 51821
Address = 10.6.0.3/32
# DNS points at the router's tunnel address, so name resolution goes through the tunnel.
DNS = 10.6.0.1

[Peer]
PublicKey = ///////////REDACTED////////////
# Full-tunnel: all IPv4 traffic is routed via the peer.
AllowedIPs = 0.0.0.0/0
Endpoint = REDACTED:51821

I just triple-checked and the keys are correct.

I just tried using the iPhone's configuration on the Mac... it worked. I'm puzzled. I had already tried deleting and re-adding a new Mac peer from OpenWrt, with no luck. I also tried adding a third peer and using that configuration on iOS: that doesn't work either. It's as if only the first peer works.

That suggests that there is a problem with the keys. Just toss the old ones and setup new ones.

Just did that: I generated new private/public keys for OpenWrt. I also deleted both peers and re-added new ones. Now neither the iPhone nor the Mac can successfully handshake. I double-checked the public keys in the configurations on both sides and they are correct. There is no preshared key anymore.

To be clear:

The public key is derived from the private key. Each peer's private key is unique, and it must exist in the interface section of that peer's config.

The public keys will be exchanged. The public key from the OpenWrt side (derived from the private key in the interface stanza) will be populated in the public key section of the peer configs on the Mac and the iPhone (not on the OpenWrt side).

Then, the public keys from the Mac and iPhone will be populated into the OpenWrt peer config sections on OpenWrt itself (and of course respectively for the Mac and iPhone peer configs themselves).

Yes I understand how these work, and I'm pretty sure the setup is correct. I will illustrate by obfuscating only part of the keys:

OpenWrt's public key as visible in wg0 interface settings:

KIrpeK*************************91f4Wk=

OpenWrt configuration for the Mac peer:

# Server-side peer stanza after re-keying. Only public_key and the peer's /32
# allowed_ips are needed here; the replies below advise removing endpoint_port,
# which only matters on the side that initiates the connection.
config wireguard_wg0
        option description 'MBP'
        option public_key '3j8zmI***********************syTsK6ZxU='
        list allowed_ips '10.6.0.2/32'
        option endpoint_port '51821'
        option route_allowed_ips '1'

Wireguard Mac public key:

3j8zmI***********************syTsK6ZxU=

And config:

# Mac client config after re-keying; tunnel address now 10.6.0.2/32 to match
# the allowed_ips in the server-side peer stanza above.
[Interface]
PrivateKey = +EBkB**************************eZlSmgJYlE=
ListenPort = 51821
Address = 10.6.0.2/32
DNS = 10.6.0.1

[Peer]
# Must equal the OpenWrt interface's public key shown above.
PublicKey = KIrpeK*************************91f4Wk=
AllowedIPs = 0.0.0.0/0
Endpoint = REDACTED:51821

Edit: I'm not sure what it was, but I just rebooted the router and now it seems to work. Thank you for your help!

Remove the endpoint port.


endpoint_port should only be set on the Mac and phone, which are the sides originating connections to the OpenWrt server. In the OpenWrt server's peer configurations you only need the peer's public_key and an allowed_ips /32 that is the peer's tunnel IP.