[Solved] I can't connect to both pairs in WireGuard

I have an Archer C60 with OpenWrt Snapshots and WireGuard. The problem is that I cannot connect from one of the two pairs when I am in another external network.

SERVER

config interface 'wg0'
        option proto 'wireguard'
        option delegate '0'
        option private_key 'PRIVATEKEY(server)'
        option listen_port '51820'
        list addresses '10.0.0.2/24'

config wireguard_wg0
        option description 'SM-G531M'
        option public_key 'PUBLICKEY(client1)'
        list allowed_ips '10.0.0.2/24'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

config wireguard_wg0
        option description 'GA-B150M-DS3H'
        option public_key 'PUBLICKEY(client2)'
        list allowed_ips '10.0.0.3/24'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan wg0'

config rule
        option name 'wg0'
        option family 'ipv4'
        list proto 'udp'
        option src '*'
        option dest_port '51820'
        option target 'ACCEPT'

CLIENTS

[Interface]
PrivateKey = PRIVATEKEY(client1)
Address = 10.0.0.2/24
DNS = 192.168.1.11

[Peer]
PublicKey = PUBLICKEY(server)
AllowedIPs = 0.0.0.0/0
Endpoint = domain.duckdns.org:51820
PersistentKeepalive = 25

[Interface]
PrivateKey = PRIVATEKEY(client2)
Address = 10.0.0.3/24
DNS = 192.168.1.11

[Peer]
PublicKey = PUBLICKEY(server)
AllowedIPs = 0.0.0.0/0
Endpoint = domain.duckdns.org:51820
PersistentKeepalive = 25

This is what LuCI shows me:

And in terminal:

In both images I noticed that the allowed IPs of the client that does not work show a (none).

You are allowing 10.0.0.2/24 and 10.0.0.3/24 on your router, which is, routing-wise, the same and therefore cannot do anything. Think of the /24 in the CIDR notation as cutting off the last 8 bits (32 - 24 = 8), and therefore cutting off your last octet and routing everything addressed to 10.0.0.x to your first peer. At the same time you try to route the same thing to your second peer. Please be aware that this is partially due to how WireGuard sets up routing for you when writing the configuration.

My suggestion, as long as you want only your remote peers' traffic routed through your OpenWRT device, is that you just change /24 to /32 for both devices on your router. That allows only traffic from that particular device and only routes traffic back to that particular device, without overlapping.

And in your config interface 'wg0' you probably want to have the address set to 10.0.0.1/24, since this will be the IP address of your interface as shown by ip addr show on your router.
Note that in this case the /24 is correct, since the created interface should cover all the IP addresses of your peers.


Have you assigned the same IP address (10.0.0.2) to the first client and the OpenWrt router? That's almost never a good idea.

It had confused me and yes, I wanted to put 10.0.0.1/24. But the problem continues.

The peer addresses must be /32.

config interface 'wg0'
        option proto 'wireguard'
        option delegate '0'
        option private_key 'PRIVATEKEY(server)'
        option listen_port '51820'
        # the router's own tunnel address; /24 covers the whole peer range
        list addresses '10.0.0.1/24'

config wireguard_wg0
        option description 'SM-G531M'
        option public_key 'PUBLICKEY(client1)'
        # one host route per peer, so the two peers no longer overlap
        list allowed_ips '10.0.0.2/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

config wireguard_wg0
        option description 'GA-B150M-DS3H'
        option public_key 'PUBLICKEY(client2)'
        list allowed_ips '10.0.0.3/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

Same for your 'clients':

[Interface]
PrivateKey = PRIVATEKEY(client1)
# the client's own tunnel address as a single host
Address = 10.0.0.2/32
DNS = 192.168.1.11

[Peer]
PublicKey = PUBLICKEY(server)
# 0.0.0.0/0 sends all of the client's traffic through the tunnel
AllowedIPs = 0.0.0.0/0
Endpoint = domain.duckdns.org:51820
PersistentKeepalive = 25

[Interface]
PrivateKey = PRIVATEKEY(client2)
Address = 10.0.0.3/32
DNS = 192.168.1.11

[Peer]
PublicKey = PUBLICKEY(server)
AllowedIPs = 0.0.0.0/0
Endpoint = domain.duckdns.org:51820
PersistentKeepalive = 25
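To make the overlap visible without a router, the following script (an added example, not from the thread or OpenWrt) parses the peer sections of a UCI WireGuard config and emulates how the kernel's AllowedIPs table assigns prefixes: each prefix belongs to exactly one peer, host bits are masked, and the last peer configured takes an identical prefix away from the earlier one, which is what LuCI and `wg show` then print as "(none)". It assumes peers are applied in config order; the config snippets are constructed from the thread's before/after sections.

```python
import ipaddress

# Constructed sample: the original peer sections, both with /24.
UCI_BEFORE = """
config wireguard_wg0
        option public_key 'PUBLICKEY(client1)'
        list allowed_ips '10.0.0.2/24'

config wireguard_wg0
        option public_key 'PUBLICKEY(client2)'
        list allowed_ips '10.0.0.3/24'
"""

# Constructed sample: the corrected sections with /32 host routes.
UCI_AFTER = UCI_BEFORE.replace("/24", "/32")


def parse_peers(uci_text):
    """Return [[public_key, [cidr, ...]], ...] from 'config wireguard_*' sections."""
    peers = []
    for raw in uci_text.splitlines():
        line = raw.strip()
        if line.startswith("config wireguard_"):
            peers.append([None, []])
        elif peers and line.startswith("option public_key"):
            peers[-1][0] = line.split("'")[1]
        elif peers and line.startswith("list allowed_ips"):
            peers[-1][1].append(line.split("'")[1])
    return peers


def cryptokey_table(peers):
    """Emulate the AllowedIPs table: one owner per prefix, last claimant wins.
    Host bits are masked, so 10.0.0.2/24 and 10.0.0.3/24 are the same key."""
    owner = {}
    for key, cidrs in peers:
        for cidr in cidrs:
            owner[ipaddress.ip_network(cidr, strict=False)] = key
    table = {key: [] for key, _ in peers}
    for net, key in owner.items():
        table[key].append(str(net))
    return table  # a peer mapped to [] is what `wg show` prints as "(none)"


def peers_without_routes(peers):
    """Public keys of peers that lost every prefix to a later peer."""
    return sorted(k for k, nets in cryptokey_table(peers).items() if not nets)


if __name__ == "__main__":
    for label, text in (("before", UCI_BEFORE), ("after", UCI_AFTER)):
        print(label, cryptokey_table(parse_peers(text)))
```

Run it on your own /etc/config/network: any key listed by peers_without_routes is a peer that the router can no longer reply to.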

Following your recommendations, on the server I changed from 10.0.0.2/24 to 10.0.0.1/24 (typing error). Changing only this did not solve the problem.
And in the clients and on the server (clients section) I changed from 10.0.0.x/24 to 10.0.0.x/32.

It seems I can now connect to both devices at the same time, and I can ping from the one that worked well to the one that didn't work.

My idea is to use it as a VPN server, and I would like all the traffic to go through OpenWrt when I connect to a public Wi-Fi network and have a little more security. Is there anything else I should know?

Glad it is working.

You should be good using it while you're on public/untrusted networks -- nothing much more to know :slight_smile:.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

Is it not enough to give :heavy_check_mark: Solution?

Sorry -- maybe I misread your previous post.

You said that you can ping both sides and both can connect at the same time. What is not working?

Before, I could only connect to a single device and the client that did not work did not respond to ping. Now it does respond and works correctly on both!

I use Google Translate and that may be why it is not well understood.

So is everything working the way you want? If so, is your problem solved? If it is solved,....

Maybe I misunderstood this question. For the benefit of future readers, please mark the thread as solved and also the specific reply that helped you solve it. This way, people reading this thread will immediately see the solution.

Before entering the thread you see the box with the check before the title, so I do not see it as necessary. Thank you and greetings!


The checkbox will be shown in the forum, but not in search engines.


The [Solved] in the topic title will show up in search engines:


It's a nice to have, not a strict must.

I understand, but at the end of the post you see the solution, thanks to having clicked on the box. I will put it all the same, because it is something that can help the few people who read other tutorials and followed the steps as I had read.
