Two OpenWrt routers with the same external IP

Is there a guide where I can start implementing WireGuard from scratch in OpenWRT?

Sure.... but I don't think you need to start over.
Typically if you don't have a handshake, the problem is related to the keys. You may want to try generating a new set of keypairs.


Is this correct?
Does the interface not need a list addresses e.g.: list addresses '192.168.25.2/24'
and no

option endpoint_port '192.168.25.2'
list allowed_ips '0.0.0.0.0/0'

I am new to OpenWrt, so this could be nonsense.


Good catch... yes, it looks like that is a likely issue.

@azarok - it should look something like this:

config interface 'Site_B'
    option proto 'wireguard'
    option private_key 'iD7phcuBzH4='
    list addresses '192.168.25.2/32'

config wireguard_Site_B
    option description 'SITE_A'
    option public_key 'd9Idv1ekI='
    option route_allowed_ips '1'
    option endpoint_host '80.XX.109.223'
    option endpoint_port '51820'
    option persistent_keepalive '25'
    list allowed_ips '0.0.0.0.0/0'

Oh... and I just noticed there is an extra 0 in there...
it should be 0.0.0.0/0 (4 octets, not 5).

Undoubtedly nicely spotted :grinning:
I can now see that WireGuard is active with wg show (no handshake)
I still don't have an internet connection, even with 1.1.1.1 as DNS forwarding in the DHCP and DNS page.
Shown below is my network configuration file.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdb0:1819:3a56::/48'

config atm-bridge 'atm'
	option vpi '1'
	option vci '32'
	option encaps 'llc'
	option payload 'bridged'
	option nameprefix 'dsl'

config dsl 'dsl'
	option annex 'a'
	option tone 'av'
	option ds_snr_offset '0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config device
	option name 'lan1'
	option macaddr '64:66:24:de:8d:f8'

config device
	option name 'lan2'
	option macaddr '64:66:24:de:8d:f8'

config device
	option name 'lan3'
	option macaddr '64:66:24:de:8d:f8'

config device
	option name 'lan4'
	option macaddr '64:66:24:de:8d:f8'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.77'

config device
	option name 'dsl0'
	option macaddr '64:66:24:de:8d:f9'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device '@wan'
	option proto 'dhcpv6'

config interface 'Site_B'
	option proto 'wireguard'
	option private_key 'iD7uBzH4='
	option endpoint_port '192.168.25.2/32'
	option listen_port '51820'

config wireguard_Site_B
	option description 'SITE_A'
	option public_key 'd9v1ekI='
	option route_allowed_ips '1'
	option endpoint_host '80.XX.109.223'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	list allowed_ips '0.0.0.0/0'

This is wrong...

It should look like this:

config interface 'Site_B'
	option proto 'wireguard'
	option private_key 'iD7uBzH4='
	list addresses '192.168.25.2/32'

I removed that line, but I still can't connect.
I might be able to find the default network configuration, which would allow seeing whether there are any configuration issues.

Usually this is generated at first boot... I wouldn't recommend messing with that, since your only issue is with WG.

Let's see the site A side.

Thanks for your help.
Please find below the Site_A network config.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fda3:3746:ee7f::/48'

config atm-bridge 'atm'
	option vpi '1'
	option vci '32'
	option encaps 'llc'
	option payload 'bridged'
	option nameprefix 'dsl'

config dsl 'dsl'
	option annex 'a'
	option tone 'av'
	option ds_snr_offset '0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config device
	option name 'lan1'
	option macaddr '90:72:82:83:57:1e'

config device
	option name 'lan2'
	option macaddr '90:72:82:83:57:1e'

config device
	option name 'lan3'
	option macaddr '90:72:82:83:57:1e'

config device
	option name 'lan4'
	option macaddr '90:72:82:83:57:1e'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'dsl0'
	option macaddr '90:72:82:83:57:1f'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option macaddr 'E6:FD:07:EC:7F:A0'

config interface 'wan6'
	option device '@wan'
	option proto 'dhcpv6'

config interface 'Site_A'
	option proto 'wireguard'
	option private_key 'WAjXXbWI='
	option listen_port '51820'
	list addresses '192.168.25.1/24'

config wireguard_Site_A
	option description 'SITE_B'
	option public_key '0KWsmY='
	list allowed_ips '192.168.25.2/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

I deleted all of the WireGuard interfaces, peers, and firewall configuration due to the persistent configuration issue, and I generated fresh keys on both routers.
There hasn't been a handshake yet, but I do have internet access on the Site B home router, which was impossible with 0.0.0.0/32. I resolved it by adding 192.168.25.2/32.
I followed a few guides, but I still think there is a little mistake preventing the handshake.
Please find the two router configurations with screenshots below.

Site_A
Network

config interface 'Site_A'
	option proto 'wireguard'
	option private_key 'GAKQCT7WkRgsG0='
	option listen_port '51820'
	list addresses '192.168.25.1/32'

config wireguard_Site_A
	option description 'site_B'
	option public_key 'uSrT08i52SLRSLRc='
	list allowed_ips '192.168.25.2/32'
	option route_allowed_ips '1'
	option endpoint_port '51820'
	option persistent_keepalive '25'

Firewall

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'Site_A'

config forwarding
	option src 'vpn'
	option dest 'wan'

config rule
	option name 'Allow-Wireguard-Inbound'
	list proto 'udp'
	option target 'ACCEPT'
	option src 'wan'
	option dest_port '51820'

config forwarding
	option src 'lan'
	option dest 'vpn'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Site_A'
	list proto 'udp'
	option src 'wan'
	option src_dport '51820'
	option dest_ip '192.168.25.1'
	option dest_port '51820'

wg show

interface: Site_A
  public key: rGlLpmzKiUoWo=
  private key: (hidden)
  listening port: 51820

peer: uSrT08i5SR2SLRSLRc=
  allowed ips: 192.168.25.2/32
  persistent keepalive: every 25 seconds

Site_B
Network

config interface 'Site_B'
	option proto 'wireguard'
	option private_key 'eB1VdbcEM='
	option listen_port '51820'
	list addresses '192.168.25.2/32'

config wireguard_Site_B
	option description 'site_a'
	option public_key 'rGlLpmAYzKiUoWo='
	list allowed_ips '192.168.25.1/32'
	option route_allowed_ips '1'
	option endpoint_host '80.XX.109.223'
	option endpoint_port '51820'
	option persistent_keepalive '25'

Firewall

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'Site_B'

config forwarding
	option src 'lan'
	option dest 'vpn'

config forwarding
	option src 'vpn'
	option dest 'wan'

config redirect
	option dest 'vpn'
	option target 'DNAT'
	option name 'wg'
	list proto 'udp'
	option src 'wan'
	option src_dport '51820'
	option dest_ip '192.168.25.2/32'
	option dest_port '51820'

wg show

interface: Site_B
  public key: uSrT08i52SLRSLRc=
  private key: (hidden)
  listening port: 51820

peer: rGlLpmArs40YzKiUoWo=
  endpoint: 80.XX.109.223:51820
  allowed ips: 192.168.25.1/32
  transfer: 0 B received, 31.07 KiB sent
  persistent keepalive: every 25 seconds

Delete this, and the corresponding entry in Site B's firewall config.


Though wireguard is peer to peer, it is conventional to designate one site as a client (initiator) and the other one as server or responder.

The initiator site:

  • does not need a public IP. NAT and/or CGNAT can be present on its end.
  • does not need any firewall port opening, since it makes outgoing connections.
  • should not have a listen_port specified.
  • needs endpoint_host and endpoint_port configured to point at the responder site's public IP.

The responder site:

  • must have a public IP and ISP that allows incoming connections without NAT.
  • needs a listen_port specified, and that port opened for UDP in the firewall.
  • will not have endpoint_host or endpoint_port entries.
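As an added example (not code from the thread or from OpenWrt), here is a small Python linter that encodes the initiator/responder split described in the post above and checks an /etc/config/network fragment against it: the responder must have a valid listen_port and no endpoint on its peer, the initiator must have no listen_port and an endpoint_host plus numeric endpoint_port on its peer, every key must decode to 32 bytes, and every allowed_ips entry must be a valid CIDR. The three embedded configs are constructed samples: the keys are placeholder base64 of constructed bytes (not real WireGuard keys), 198.51.100.10 is a documentation address standing in for the responder's public IP, and the "bad" initiator reproduces the mistakes seen earlier in the thread (endpoint_port on the interface section, a listen_port on the initiator, truncated keys, a five-octet 0.0.0.0.0/0).

```python
"""Lint an OpenWrt WireGuard site-to-site config against initiator/responder rules."""
import base64
import ipaddress
import re

# Placeholder keys: base64 of 32 constructed bytes so the length check passes.
# They are NOT real WireGuard keys and carry no secret.
FAKE_PRIV = base64.b64encode(bytes(range(32))).decode()
FAKE_PUB = base64.b64encode(bytes(range(32, 64))).decode()

_TOKEN = re.compile(r"'[^']*'|\"[^\"]*\"|\S+")


def parse_uci(text):
    """Parse UCI text into [{"type", "name", "opts"}]; 'option' -> str, 'list' -> [str]."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip("'\"") for p in _TOKEN.findall(line)]
        if parts[0] == "config" and len(parts) >= 2:
            cur = {"type": parts[1], "name": parts[2] if len(parts) > 2 else None, "opts": {}}
            sections.append(cur)
        elif parts[0] == "option" and cur is not None and len(parts) >= 2:
            cur["opts"][parts[1]] = parts[2] if len(parts) > 2 else ""
        elif parts[0] == "list" and cur is not None and len(parts) >= 2:
            cur["opts"].setdefault(parts[1], []).append(parts[2] if len(parts) > 2 else "")
    return sections


def _key_ok(value):
    """A WireGuard key is base64 of exactly 32 bytes (44 characters with padding)."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False


def _cidr_problem(value):
    """Return None for a clean CIDR, else a short description of what is wrong."""
    try:
        ipaddress.ip_network(value, strict=True)
        return None
    except ValueError:
        try:
            ipaddress.ip_network(value, strict=False)
            return "has host bits set (use a /32 host or the real network address)"
        except ValueError:
            return "is not a valid CIDR"


def lint_wireguard(text, role):
    """Check one router's network config; role is 'initiator' or 'responder'.

    Returns a list of findings (strings). An empty list means nothing was flagged.
    """
    assert role in ("initiator", "responder")
    findings = []
    sections = parse_uci(text)
    ifaces = [s for s in sections if s["type"] == "interface" and s["opts"].get("proto") == "wireguard"]
    if not ifaces:
        return ["no interface with proto 'wireguard'"]
    for iface in ifaces:
        name, o = iface["name"], iface["opts"]
        if not _key_ok(o.get("private_key", "")):
            findings.append(f"{name}: private_key is not a 32-byte base64 key")
        addrs = o.get("addresses")
        if not addrs:
            findings.append(f"{name}: missing 'list addresses' (tunnel address)")
        else:
            for a in addrs:
                try:
                    ipaddress.ip_interface(a)
                except ValueError:
                    findings.append(f"{name}: address {a!r} is not a valid address/prefix")
        # Endpoint and allowed_ips are peer options; on the interface they are ignored.
        for stray in ("endpoint_host", "endpoint_port", "allowed_ips"):
            if stray in o:
                findings.append(f"{name}: '{stray}' belongs in the peer section, not the interface")
        lp = o.get("listen_port")
        if role == "responder":
            if not (lp and lp.isdigit() and 0 < int(lp) < 65536):
                findings.append(f"{name}: responder needs a valid listen_port (and UDP opened on wan)")
        elif lp is not None:
            findings.append(f"{name}: initiator should not set listen_port")
        peers = [s for s in sections if s["type"] == f"wireguard_{name}"]
        if not peers:
            findings.append(f"{name}: no peer section (config wireguard_{name})")
        for p in peers:
            po = p["opts"]
            label = f"{name} peer {po.get('description', '?')}"
            if not _key_ok(po.get("public_key", "")):
                findings.append(f"{label}: public_key is not a 32-byte base64 key")
            if not po.get("allowed_ips"):
                findings.append(f"{label}: no allowed_ips, so nothing can be routed to this peer")
            for cidr in po.get("allowed_ips", []):
                problem = _cidr_problem(cidr)
                if problem:
                    findings.append(f"{label}: allowed_ips {cidr!r} {problem}")
                elif role == "responder" and ipaddress.ip_network(cidr).prefixlen == 0:
                    findings.append(f"{label}: 0.0.0.0/0 on the responder would route all its traffic into the tunnel")
            if role == "initiator":
                if "endpoint_host" not in po or not po.get("endpoint_port", "").isdigit():
                    findings.append(f"{label}: initiator peer needs endpoint_host and a numeric endpoint_port")
            elif "endpoint_host" in po or "endpoint_port" in po:
                findings.append(f"{label}: responder peer should not carry endpoint_host/endpoint_port")
    return findings


# Constructed sample: responder (public IP side) done the way the post describes.
RESPONDER_OK = f"""
config interface 'Site_A'
	option proto 'wireguard'
	option private_key '{FAKE_PRIV}'
	option listen_port '51820'
	list addresses '192.168.25.1/24'

config wireguard_Site_A
	option description 'site_B'
	option public_key '{FAKE_PUB}'
	list allowed_ips '192.168.25.2/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
"""

# Constructed sample: initiator (NAT side) sending all traffic through the tunnel.
INITIATOR_OK = f"""
config interface 'Site_B'
	option proto 'wireguard'
	option private_key '{FAKE_PRIV}'
	list addresses '192.168.25.2/24'

config wireguard_Site_B
	option description 'site_a'
	option public_key '{FAKE_PUB}'
	option route_allowed_ips '1'
	option endpoint_host '198.51.100.10'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	list allowed_ips '0.0.0.0/0'
"""

# Constructed sample reproducing the mistakes seen in the thread.
INITIATOR_BAD = """
config interface 'Site_B'
	option proto 'wireguard'
	option private_key 'iD7uBzH4='
	option endpoint_port '192.168.25.2/32'
	option listen_port '51820'

config wireguard_Site_B
	option description 'SITE_A'
	option public_key 'd9v1ekI='
	option route_allowed_ips '1'
	option endpoint_host '198.51.100.10'
	option endpoint_port '51820'
	list allowed_ips '0.0.0.0.0/0'
"""

if __name__ == "__main__":
    for title, cfg, role in (("responder", RESPONDER_OK, "responder"),
                             ("initiator", INITIATOR_OK, "initiator"),
                             ("broken initiator", INITIATOR_BAD, "initiator")):
        print(f"== {title}")
        for f in lint_wireguard(cfg, role) or ["ok"]:
            print("  ", f)
```

Run it against your own /etc/config/network by reading the file into `lint_wireguard(text, "responder")` on the public-IP router and `lint_wireguard(text, "initiator")` on the NAT-side router; the length check on keys is what catches a key that was pasted incomplete, which is the usual cause of "no handshake" once the endpoint and port are right.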

Use /24 here.

Add this to the site a firewall:

config forwarding
	option src 'vpn'
	option dest 'lan'

Remove this. Use a traffic rule instead of a redirect.

Remove the listen port from site b

Allowed ips on site b should be 0.0.0.0/0 to send all traffic.

Remove this:

And remove all of this:

99% of success!!!!!!

There is a handshake, and Site A and Site B's external IP addresses are identical.
The only issue is that I am unable to open any internet pages, while being able to ping any domain via the OpenWrt console. I added 192.168.25.2/32 to my existing settings to solve any problems.
Should I add it?

Add Site B's LAN subnet as another allowed_ips.

Let’s see the full /etc/config/network and /etc/config/firewall files from each device.

Yep,

Site_A
Network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fda3:3746:ee7f::/48'

config atm-bridge 'atm'
	option vpi '1'
	option vci '32'
	option encaps 'llc'
	option payload 'bridged'
	option nameprefix 'dsl'

config dsl 'dsl'
	option annex 'a'
	option tone 'av'
	option ds_snr_offset '0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config device
	option name 'lan1'
	option macaddr '90:72:82:83:57:1e'

config device
	option name 'lan2'
	option macaddr '90:72:82:83:57:1e'

config device
	option name 'lan3'
	option macaddr '90:72:82:83:57:1e'

config device
	option name 'lan4'
	option macaddr '90:72:82:83:57:1e'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'dsl0'
	option macaddr '90:72:82:83:57:1f'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option macaddr 'E6:FD:07:EC:7F:A0'

config interface 'wan6'
	option device '@wan'
	option proto 'dhcpv6'

config interface 'Site_A'
	option proto 'wireguard'
	option private_key 'GAKkRgsG0='
	option listen_port '51820'
	list addresses '192.168.25.1/24'

config wireguard_Site_A
	option description 'site_B'
	option public_key 'uSrT08i5LRSLRc='
	list allowed_ips '192.168.25.2/24'
	option route_allowed_ips '1'
	option endpoint_port '51820'
	option persistent_keepalive '25'

Firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'Site_A'

config forwarding
	option src 'vpn'
	option dest 'wan'

config rule
	option name 'Allow-Wireguard-Inbound'
	list proto 'udp'
	option target 'ACCEPT'
	option src 'wan'
	option dest_port '51820'

config forwarding
	option src 'vpn'
	option dest 'lan'

Site_B
Network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdb0:1819:3a56::/48'

config atm-bridge 'atm'
	option vpi '1'
	option vci '32'
	option encaps 'llc'
	option payload 'bridged'
	option nameprefix 'dsl'

config dsl 'dsl'
	option annex 'a'
	option tone 'av'
	option ds_snr_offset '0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config device
	option name 'lan1'
	option macaddr '64:66:24:de:8d:f8'

config device
	option name 'lan2'
	option macaddr '64:66:24:de:8d:f8'

config device
	option name 'lan3'
	option macaddr '64:66:24:de:8d:f8'

config device
	option name 'lan4'
	option macaddr '64:66:24:de:8d:f8'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.77'

config device
	option name 'dsl0'
	option macaddr '64:66:24:de:8d:f9'

config interface 'wan'
	option proto 'dhcp'
	option device 'wan'

config interface 'wan6'
	option device '@wan'
	option proto 'dhcpv6'

config interface 'Site_B'
	option proto 'wireguard'
	option private_key 'eB1nkMdbcEM='
	list addresses '192.168.25.2/24'

config wireguard_Site_B
	option description 'site_a'
	option public_key 'rGlLpmArzsYzKiUoWo='
	option route_allowed_ips '1'
	option endpoint_host '81.XX.190.223'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	list allowed_ips '0.0.0.0/0'

Firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'Site_B'

config forwarding
	option src 'lan'
	option dest 'vpn'

Have you tried this?

Remove the endpoint port and change the allowed ips to 192.168.25.2/32.

You may have a dns issue. From site b, run a ping test: