[SOLVED] Wireguard, cannot create a successful connection between router and iOS client

Good day,

For the past days I have been trying to set up a Wireguard connection between my router and iOS client.

Router - Western Digital MYNETN750, OpenWRT 17.01.6
Client - iPhone 6, iOS 12.1.2, Wireguard 0.0.20181104 (7), 0.0.20181018

I have followed through the information described here in the wiki:


I am able to bring the wireguard interface up in the router, but that's it. I am not sure if my routes are correct or my client settings. My router LAN address segment is, for Wireguard I have addressed Router WAN port is connected to my ISP router, to overcome this issue a static dhcp lease with a DMZ address has been added to the ISP router settings so that all requests are forwarded to my OpenWRT router.


opkg list-installed

kmod-wireguard - 4.4.153+0.0.20180519-1
wireguard - 0.0.20180519-1
wireguard-tools - 0.0.20180519-1


config interface 'wg0'
        option proto 'wireguard'
        option private_key '<router private key>'
        option listen_port '50000'
        list addresses ''
#       list addresses 'fe80:0:0:0:0:0:a33:1/128'

config wireguard_wg0
        # MG4A2B/A (iPhone 6)
        option description '<MG4A2B/A (iPhone 6)>'
        option public_key '<client public key>'
        option preshared_key '<router presharedkey>'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        list allowed_ips ''
#       list allowed_ips '::/0'


config zone
         option  name            'wireguard'
         list    network         'wg0'
         option  input           'ACCEPT'
         option  output          'ACCEPT'
         option  forward         'DROP'
         option  masq            '1'
 config fowrarding
         option src              'wireguard'
         option dest             'wan'

wg show

interface: wg0
  public key: riT63uPfhD8cEpSVLTGoqQxmKUQcR9Hm41g+HZLWtiA=
  private key: (hidden)
  listening port: 50000

peer: EGiBjDoEiv84NLxoBhAgBt3wR8KyjBaSWLU4D6KkoAU=
  preshared key: (hidden)
  allowed ips:
  persistent keepalive: every 25 seconds

ip route

default via dev eth0.2  proto static  src dev wg0  proto kernel  scope link  src dev eth0.2  proto kernel  scope link  src dev eth0.2  proto static  scope link  src dev br-lan  proto kernel  scope link  src

ifconfig wg0

wg0       Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:  P-t-P:  Mask:
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)



PrivateKey = <client private key>
Address =

PublicKey = riT63uPfhD8cEpSVLTGoqQxmKUQcR9Hm41g+HZLWtiA=
PresharedKey = <router preshared key>
AllowedIPs =
Endpoint = <wanip>:50000
PersistentKeepalive = 25

Wireguard iOS Client Log

UPDATE - 15.01.2019

After a hardware change to TP-Link C2600 with OpenWRT 18.06.1 and the superb support of #wireguard IRC channel and especilaly user mbello I was able to finish the setup and have a working VPN setup.

As I wanted my iOS client to have full access on the resources behind my router, here are the configuration files from the router and client:


opkg list-installed | grep wireguard

kmod-wireguard - 4.14.63+0.0.20180718-2
wireguard - 0.0.20181119-1
wireguard-tools - 0.0.20181119-1

# /etc/config/network

config interface 'wg0'
        option proto            'wireguard'
        # Server private key
        option private_key      'QH6...uG0='
        option listen_port      '50000'
        list addresses          ''

config wireguard_wg0
        # Peer public key
        option public_key       'vpG...NV0='
        option preshared_key    'lYD...4F8='
        list allowed_ips        ''
        option persistent_keepalive     '25'
        option route_allowed_ips        '1'

# /etc/config/firewall

config zone
        option name             'wg0'
        list    network         'wg0'
        option  input           ACCEPT
        option  output          ACCEPT
        option  forward         REJECT


config forwarding
        option src              wg0
        option dest             lan

config forwarding
        option src              wg0
        option dest             wan

config rule
        option name             'Allow Wireguard'
        option src              'wan'
        option dest_port        '50000'
        option proto            'udp'
        option target           'ACCEPT'

# wg show wg0

interface: wg0
  public key: PAM...Qjk=
  private key: (hidden)
  listening port: 50000

peer: vpG...NV0=
  preshared key: (hidden)
  endpoint: 80.....130:50000
  allowed ips:
  latest handshake: 1 minute, 5 seconds ago
  transfer: 855.73 KiB received, 1.73 MiB sent
  persistent keepalive: every 25 seconds

# route

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         UG    0      0        0 eth0.2       *        U     0      0        0 wg0       *      UH    0      0        0 wg0     *        U     0      0        0 eth0.2    *        U     0      0        0 br-lan

iOS Device:

Wireguard for iOS - 0.0.20190107 (1)
WireGuard Go Backend - 0.0.20181222

# Interface

Name - Profile Name
Private key - kMC...uG4=
Public Key - vpG...NV0=

Addresses  -
Listen Port - 50000
MTU - Automatic
DNS Servers - (Router DNS)

# Peer

Publick Key - PAM...Qjk=
Preshared Key - lYD...4F8=
Endpoint - <Router WAN IP address>
Allowed IPs -
Exclude private IPs - Disabled
Persistent keepalive - 25

guess1: try a port between 1024 and 10k, 50000 is within the default outgoing nat-range. your dmz-defaultforward is probably not helping...
guess2: try lowering mtu of the wireguard