Troubles with Wireguard, only latest configured peer works [SOLVED]

Hello everyone,

I'm having trouble with my WireGuard configuration and I haven't been able to sort it out in the last few months, so here I am looking for help.

I have three Android phones that I want to peer with the OpenWrt router via WireGuard; I also want to route all traffic from the phones through the OpenWrt router and to access the other subnets in my home network.
The problem I have is that whenever I add a phone as a peer, the phones added previously can no longer connect either to the internet or to the router peer, while only the last configured phone can.

I think I have quite a complex setup, with various subnets, VLANs and other VPN tunnels as well, but I don't think that is the issue: even if I stop all the other VPN-like interfaces, the WireGuard VPN works only with the phone I configured last (no matter whether the other phones are trying to join or not).
The whole home network and the OpenWrt router are behind a modem-router from my carrier, which has a public IP address and port-forwards WireGuard traffic to the OpenWrt router on a dedicated 2-hosts-only private subnet; similarly, the OpenWrt router masquerades all the other private subnets (including the VPN, I guess) when sending data to the carrier modem.

INTERNET <---> Modem <---> OpenWrtRouter <---> local subnets, wifi, etc.

I suppose there is a routing trap somewhere but I can't find it. Also, this setup works fine when I use OpenVPN ('tun0' in my config file) instead of WireGuard ('vpn' in my config file), but I wanted to try WireGuard because I had some difficulties pushing my DNS through OpenVPN and because I thought the OpenVPN app was draining too much battery from my phones...

Here is my config/network file (manually edited just to hide personal data):

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '...'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'wan'
        option device 'wan'
        option proto 'static'
        option ipaddr '192.168.1.249'
        option netmask '255.255.255.0'
        option gateway '192.168.1.254'
        option metric '10'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option auto '0'
        option reqaddress 'try'
        option reqprefix 'auto'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'

config bridge-vlan
        option device 'br-lan'
        option vlan '100'
        list ports 'lan1:u*'
        list ports 'lan4:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '101'
        list ports 'lan1:t'
        list ports 'lan2:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '102'
        list ports 'lan1:t'
        list ports 'lan3:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '103'
        list ports 'lan1:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '104'
        list ports 'lan1:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '105'
        list ports 'lan1:t'

config interface 'lan0'
        option proto 'static'
        option device 'br-lan.100'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'

config interface 'lan1'
        option device 'br-lan.101'
        option proto 'static'
        option ipaddr '10.1.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '1.1.1.1'

config interface 'lan2'
        option proto 'static'
        option device 'br-lan.102'
        option ipaddr '10.2.2.1'
        option netmask '255.255.255.0'
        list dns '1.1.1.1'

config interface 'lan3'
        option proto 'static'
        option device 'br-lan.103'
        option ipaddr '10.3.3.1'
        option netmask '255.255.255.0'

config interface 'vec'                   # This is another vpn I use as a peer, but even if I shut it down I can't make my vpn work as desired
        option proto 'wireguard'
        option private_key '...'
        list addresses '192.168.0.202/24'
        list dns '9.9.9.9'
        list dns '192.168.0.1'
        option disabled '0'
        option metric '20'

config wireguard_vec
        option description 'Imported peer configuration'
        option public_key '...'
        option preshared_key '...'
        list allowed_ips '192.168.0.0/24'
        list allowed_ips '0.0.0.0/0'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option endpoint_host '...'
        option endpoint_port '...'

config rule
        option out 'wan'
        option src '10.10.10.0/24'
        option disabled '1'
        option mark '0x10'

config rule
        option src '192.168.1.249/32'
        option out 'wan'
        option mark '0x10'
        option disabled '1'

config device
        option name 'br-lan.100'
        option type '8021q'
        option ifname 'br-lan'
        option vid '100'
        option macaddr '...:00'

config device
        option name 'br-lan.101'
        option type '8021q'
        option ifname 'br-lan'
        option vid '101'
        option macaddr '...:01'

config device
        option name 'br-lan.102'
        option type '8021q'
        option ifname 'br-lan'
        option vid '102'
        option macaddr '...:02'

config device
        option name 'br-lan.103'
        option type '8021q'
        option ifname 'br-lan'
        option vid '103'
        option macaddr '...:03'

config interface 'tun0'               ## This is the openvpn interface and it works fine.
        option proto 'none'
        option device 'tun0'
        list dns '10.0.0.100'

config interface 'vpn'
        option proto 'wireguard'
        option private_key '...'
        option listen_port '...'
        list addresses '10.11.11.1/24'
        option defaultroute '0'        ## I think I've tried also with '1' with no success but I had so many trials and error that I'm no longer sure about anything...
        option delegate '0'
        option auto '0'

config wireguard_vpn
        option description 'mobile1'
        option public_key '...'
        option preshared_key '...'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '10.0.0.0/8'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

config wireguard_vpn
        option description 'mobile2'
        option public_key '...'
        option private_key '...'
        option preshared_key '...'
        list allowed_ips '10.0.0.0/8'
        list allowed_ips '0.0.0.0/0'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

config wireguard_vpn
        option description 'mobile3'
        option public_key '...'
        option private_key '...'
        option preshared_key '...'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        list allowed_ips '10.0.0.0/8'
        list allowed_ips '0.0.0.0/0'

Here is an example config file that I'm using in one of the mobiles:

[Interface]
PrivateKey = ...
# ListenPort not defined
address = 10.11.11.101/24  ## configured manually in the wireguard mobile UI
dns = 10.0.0.100 ## configured manually in the wireguard mobile UI

[Peer]
PublicKey = ...
PresharedKey = ...
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <publicIPaddressOfCarrierModem>:<port>
PersistentKeepAlive = 25

The vpn interface belongs to the lan zone in the firewall configuration:

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'vpn'
        list network 'tun0'

config zone
        option name 'wan'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'vec'

config forwarding
        option src 'lan'
        option dest 'wan'

Here is the routing table in the router:

root@OpenWrt:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.254   0.0.0.0         UG    10     0        0 wan
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 br-lan.100
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 vpn
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 br-lan.101
10.2.2.0        0.0.0.0         255.255.255.0   U     0      0        0 br-lan.102
10.3.3.0        0.0.0.0         255.255.255.0   U     0      0        0 br-lan.103
10.11.11.0      0.0.0.0         255.255.255.0   U     0      0        0 vpn
10.10.10.0      10.10.10.2      255.255.255.0   UG    0      0        0 tun0
10.10.10.2      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
otherVPNip      192.168.1.254   255.255.255.255 UGH   10     0        0 wan
192.168.1.0     0.0.0.0         255.255.255.0   U     10     0        0 wan

I hope someone could tell me what I've got wrong.

Regards and happy new year

Your allowed IPs overlap on the peer configs.

Yes, but indeed the configuration of allowed IPs is quite confusing for me.
According to the hint I see in the LuCI interface when configuring the peer: "IP addresses and prefixes that this peer is allowed to use inside the tunnel. Usually the peer's tunnel IP addresses and the networks the peer routes through the tunnel."
Since I want those subnets to be allowed in the tunnel, I've configured them on all peers, both router side and mobile side.
How am I supposed to change it?

What you described is not possible. If you need overlapping subnets, they need to be separate WG interfaces. You can then manage routes with Policy Based Routing - or by making manual IP Routes and IP Rules.

Thanks for your reply and your help... but I don't get which overlapping subnets are causing the issue.
To me they all look different.
I have 10.11.11.0/24 for the WireGuard VPN and other 10.x.x.0/24 for the other local nets. I've configured all of 10.0.0.0/8 to be allowed in the tunnel and also all internet traffic (0.0.0.0/0) to be allowed too.
Could you kindly point out which configuration options are responsible for the overlapping?

Thanks

  • These cannot overlap
  • This configuration needs to allow the SRC IP of the peer; you only need 0.0.0.0/0 for a VPN endpoint that will provide Internet (i.e. a traditional VPN service)
  • You would set a single allowed IP for each peer config (e.g. 10.0.0.2/32 and 10.0.0.3/32)

Ok, so I've changed the /etc/config/network in this way (removed the 10.0.0.0/8 net and left the 0.0.0.0/0)

config interface 'vpn'
        option proto 'wireguard'
        option private_key '...'
        option listen_port '...'
        list addresses '10.11.11.1/24'
        option defaultroute '0'
        option delegate '0'
        option auto '0'

config wireguard_vpn
        option description 'mobile1'
        option public_key '...'
        option preshared_key '...'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        list allowed_ips '0.0.0.0/0'

config wireguard_vpn
        option description 'mobile2'
        option public_key '...'
        option private_key '...'
        option preshared_key '...'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        list allowed_ips '0.0.0.0/0'

config wireguard_vpn
        option description 'mobile3'
        option public_key '...'
        option private_key '...'
        option preshared_key '...'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        list allowed_ips '0.0.0.0/0'

Also, in the mobile peer, I'm now using this (restricted the address from /24 to /32 and restricted AllowedIPs to the mobile peer's own address):

[Interface]
PrivateKey = ...
# ListenPort not defined
address = 10.11.11.101/32  ## configured manually in the wireguard mobile UI
dns = 1.1.1.1 ## configured manually in the wireguard mobile UI

[Peer]
PublicKey = ...
PresharedKey = ...
AllowedIPs = 10.11.11.101/32
Endpoint = <publicIPaddressOfCarrierModem>:<port>
PersistentKeepAlive = 25

The route table is also updated accordingly:

root@OpenWrt:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.254   0.0.0.0         UG    10     0        0 wan
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 br-lan.100
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 br-lan.101
10.2.2.0        0.0.0.0         255.255.255.0   U     0      0        0 br-lan.102
10.3.3.0        0.0.0.0         255.255.255.0   U     0      0        0 br-lan.103
10.11.11.0      0.0.0.0         255.255.255.0   U     0      0        0 vpn
10.10.10.0      10.10.10.2      255.255.255.0   UG    0      0        0 tun0
10.10.10.2      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
otherVPNip      192.168.1.254   255.255.255.255 UGH   10     0        0 wan
192.168.1.0     0.0.0.0         255.255.255.0   U     10     0        0 wan

As a result, the WireGuard tunnel is established but none of the mobile peer's traffic goes through it; I can successfully ping the router peer 10.11.11.1 from the mobile but I can't reach anything else in the other 10.x.x.0/24 subnets (e.g. pinging my 10.0.0.100 pihole fails from the mobile peer) and no internet traffic is routed through the VPN.

You must do it the other way around.

On the server side in the peers section use:
list allowed_ips '10.11.11.101/32' instead of

This is just the address of the mobile client but always with a /32 mask (the address on the mobile client can have a /24 mask)

and for each peer a different address, so the next has '10.11.11.102/32' etc.

On all the mobile client use:
`AllowedIPs = 0.0.0.0/0`

1 Like

Yes, allowed_ips are IPs that will appear as source addresses from the other end of the tunnel.

For a "road warrior" client such as a phone or laptop which is not routing a network behind it, the allowed_ip is only the /32 of the client itself. This IP must be unique and inside the /24 defined on the overall WireGuard interface. When the phone makes a request for anywhere on the Internet, it will always use its tunnel IP (10.11.11.X) as the source IP.

When there are multiple peers on one interface, the wireguard kernel module must have a non-overlapping set of allowed_ips to internally route packets to the proper peer.

2 Likes
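To make the "last peer wins" behaviour above concrete, here is an added Python model of WireGuard's allowed-IPs (cryptokey routing) table; it is example code written for this thread, not code from OpenWrt, WireGuard or any poster. It assumes the thread's peer names and the 10.11.11.101-103/32 addresses the replies suggest.

```python
import ipaddress

class CryptokeyRouter:
    """Simplified model of one WireGuard interface's allowed-IPs table.
    Each prefix maps to exactly one peer, and re-adding a prefix for another
    peer silently reassigns it (the last peer wins). Outbound packets go to
    the peer owning the longest matching prefix; an inbound packet from a
    peer is accepted only if its source IP maps back to that same peer."""
    def __init__(self):
        self.table = {}  # ip_network -> peer name

    def add_peer(self, name, allowed_ips):
        for cidr in allowed_ips:
            net = ipaddress.ip_network(cidr, strict=False)
            self.table[net] = name  # overwrites any earlier owner of this prefix

    def route(self, dst):
        """Outbound lookup: longest-prefix match, None if nothing matches."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, peer in self.table.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, peer)
        return best[1] if best else None

    def accept(self, peer, src):
        """Inbound check: a decrypted packet from `peer` with source `src` is
        delivered only if `src` belongs to that peer's allowed IPs."""
        return self.route(src) == peer

def broken_server():
    # All three phones get the same prefixes, as in the original config.
    r = CryptokeyRouter()
    for name in ("mobile1", "mobile2", "mobile3"):
        r.add_peer(name, ["0.0.0.0/0", "10.0.0.0/8"])
    return r

def fixed_server():
    # One unique /32 per phone inside the interface's 10.11.11.0/24 (the fix).
    r = CryptokeyRouter()
    for i, name in enumerate(("mobile1", "mobile2", "mobile3"), start=101):
        r.add_peer(name, [f"10.11.11.{i}/32"])
    return r

def phone_side():
    # The phone keeps AllowedIPs = 0.0.0.0/0 so all its traffic enters the tunnel.
    p = CryptokeyRouter()
    p.add_peer("router", ["0.0.0.0/0"])
    return p
```

With the broken table, a packet from mobile1 sourced 10.11.11.101 is dropped because 10.0.0.0/8 now belongs to mobile3, and replies to that address are sent to mobile3; with one /32 per phone each peer keeps its own address, and internet-bound traffic on the router side correctly matches no peer.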

The IP of the WG interface can't match the IP of the peer - that's an IP conflict. Follow others' posted advice to get the setup fixed.

1 Like

THANK YOU!

The instructions in the last three replies have worked!

1 Like
