Two WireGuard peers can't work simultaneously

I set up WireGuard on my OpenWrt router previously. It was working perfectly, then I decided to refactor my network topology (i.e. break everything).

I use WireGuard to route all traffic from my phone and laptop through my home ISP and access machines on my LAN when I'm away from home. Previously, both could connect simultaneously and use everything they would expect from a VPN. Now they can't: I managed to make it work on my laptop, but it wouldn't on my phone. I reinstalled WG Tunnel on my phone and it would work, but it immediately stopped working on my laptop. I genuinely can't understand what is happening, after double checking, no address is clashing.

Both distant peers (laptop and phone) can still connect to the VPN (the handshake succeeds and the keepalive packets are exchanged), but currently only my phone has access to my home LAN and can route its traffic. The only configuration difference from before is the addition of IPv6 ULA addresses on all peers. The firewall configuration is also the same as before.

Configurations

Router

Listening port: 4500/udp

Interface IPs:

  • 10.6.67.1/24
  • <48 bits of unicast prefix>:<8 bits of unicast prefix>10::1/64
  • <ula prefix>:10::1/64

Firewall configuration:

  • Rule: accept incoming traffic from WAN on UDP port 4500 to the device
  • VPN interface is included in a zone that can forward traffic to WAN

Laptop

NixOS 26.05 with WireGuard configuration handled by NetworkManager.

Interface IPs:

  • 10.6.67.101/24
  • <48 bits of unicast prefix>:<8 bits of unicast prefix>10::101/64
  • <ULA prefix>:10::101/64

DNS servers: <ULA address from the VPN interface of router>, 10.6.67.1

Phone

LineageOS 23.0 with WireGuard handled by WG Tunnel app from F-Droid (kernel mode thanks to root privileges).

Interface IPs:

  • 10.6.67.102/24
  • <48 bits of unicast prefix>:<8 bits of unicast prefix>10::102/64
  • <ULA prefix>:10::102/64

DNS servers: <ULA address from the VPN interface of router>, 10.6.67.1


Thanks in advance for your help!

~ Ahurac

What happens if you remove it?

It can help if you show us your configs, please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have but do not redact private RFC 1918 IP addresses (192.168.X.X, 10.X.X.X and 172.16-32.X.X) as that is not needed:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
ip route show
ip -6 route show
ip route show table all
ip rule show
wg show

Redacting ULA addresses is not necessary as they are also private

P.S. on the router the allowed IPs of your peers should have a mask of /32 for IPv4 and /128 for IPv6


Besides the fact that allowed_ips cannot overlap, you also can't use the same public/private key pair on multiple peers. Every peer must have a unique private key; that is how the central peer knows them. Preshared keys may be reused.

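The two replies above both come down to WireGuard's cryptokey routing table: on the router, each peer's AllowedIPs must be the peer's own host address (/32 and /128), and no two peers may claim the same prefix. The following is an added example, not code from the thread or from WireGuard itself. It models the two properties of the real implementation that produce the "handshake succeeds, traffic only works for one peer" symptom: an outbound destination is routed to the peer holding the longest matching AllowedIPs prefix, and a prefix claimed by two peers belongs to whichever was configured last; inbound, a decrypted packet is dropped unless its source address lies inside the sending peer's AllowedIPs. Handshakes and keepalives carry no inner IP packet, so they still succeed. The IPv4 addresses are the thread's; the ULA prefix fd12:3456:789a::/48 is made up for the example.

```python
"""Model of WireGuard's AllowedIPs (cryptokey routing) table.

Added example, not WireGuard's code. It reproduces two behaviours of the
real implementation:
  * outbound: longest-prefix match over all peers' AllowedIPs; when two
    peers claim the same prefix, the peer configured last owns it;
  * inbound: a decrypted packet is delivered only if its source address
    routes back to the peer it came from; otherwise it is dropped.
"""
import ipaddress
from typing import Dict, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class CryptokeyRoutingTable:
    def __init__(self) -> None:
        # prefix -> peer name; inserting an existing prefix reassigns it
        self._table: Dict[Network, str] = {}

    def add_peer(self, peer: str, allowed_ips: List[str]) -> None:
        for cidr in allowed_ips:
            # strict=False mirrors wg masking 10.6.67.101/24 to 10.6.67.0/24
            net = ipaddress.ip_network(cidr, strict=False)
            self._table[net] = peer  # last peer to claim the prefix wins

    def peer_for(self, addr: str) -> Optional[str]:
        """Peer that outbound packets to `addr` are encrypted for (or None)."""
        ip = ipaddress.ip_address(addr)
        best = None
        for net, peer in self._table.items():
            if ip.version == net.version and ip in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, peer)
        return best[1] if best else None

    def accepts_inbound(self, from_peer: str, src: str) -> bool:
        """Would a decrypted packet from `from_peer` with source `src` be delivered?"""
        return self.peer_for(src) == from_peer


def peer_allowed_ips(interface_addrs: List[str]) -> List[str]:
    """Derive host-only AllowedIPs (/32, /128) from a peer's interface addresses."""
    out = []
    for a in interface_addrs:
        ip = ipaddress.ip_interface(a).ip
        out.append(f"{ip}/{ip.max_prefixlen}")
    return out


# Constructed peer addresses: IPv4 from the thread, made-up ULA prefix.
LAPTOP = ["10.6.67.101/24", "fd12:3456:789a:10::101/64"]
PHONE = ["10.6.67.102/24", "fd12:3456:789a:10::102/64"]


def broken_router() -> CryptokeyRoutingTable:
    """Interface addresses with their /24 and /64 copied verbatim into AllowedIPs."""
    t = CryptokeyRoutingTable()
    t.add_peer("laptop", LAPTOP)
    t.add_peer("phone", PHONE)  # same prefixes: phone now owns both subnets
    return t


def fixed_router() -> CryptokeyRoutingTable:
    """Each peer gets only its own host addresses."""
    t = CryptokeyRoutingTable()
    t.add_peer("laptop", peer_allowed_ips(LAPTOP))
    t.add_peer("phone", peer_allowed_ips(PHONE))
    return t


if __name__ == "__main__":
    for name, table in (("broken", broken_router()), ("fixed", fixed_router())):
        print(name)
        for peer, addr in (("laptop", "10.6.67.101"), ("phone", "10.6.67.102")):
            print(f"  {peer}: inbound accepted={table.accepts_inbound(peer, addr)}, "
                  f"replies to {addr} go to {table.peer_for(addr)}")
```

With the broken table, the laptop's packets decrypt fine but are dropped because 10.6.67.101 routes to the phone, and any reply the router would send to the laptop is encrypted for the phone instead; whichever peer was added last wins. With /32 and /128 per peer, both peers are reachable and the router still has no route for addresses it has not been told about.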

I never understood why allowed IPs should have /32 and /128 masks on the router, but it started working when I set these. Consequently, there's a good chance these wrong masks were the culprits. Weirdly enough, from what I recall, the previous working config already had wrong masks, so I should have encountered this issue earlier; it has no reason to start malfunctioning just now.

Thanks a lot for your help!

~ Ahurac
