I set a Peer Allowed IP through the Luci interface to be 10.14.0.11/16 but in the CLI it is set to 10.14.0.0/16
If I set more than 1 peer then the allowed IP's are set to "no ip" in the web interface status screen.
root@router:~# wg showconf wg0
ListenPort = 50123
PrivateKey = xxx
PublicKey = xxx
PresharedKey = xxx
AllowedIPs = 10.14.0.0/16
PersistentKeepalive = 25
Because this is the Correct CIDR notation for the network you cited. A single IP is 10.14.0.11/32; and is likely want you want - unless you intended for the peer to forward traffic for all of 10.14.0.0/16.
I don't see this, you lost me...
Also, you haven't addressed the OpenWrt. I suggest:
- OpenWrt 10.14.0.1/16 (/16 is correct, since it's the router, BTW, I doubt you need a network with 65,000 IPs, you can use /24 which is 254 usable IPs)
- Peer: 10.14.0.11/32 (since you prefer .11)
If I set 10.14.0.11/32 in the web console "Allowed IP's" then wg on the CLI shows:
public key: xxxxxxxx
private key: (hidden)
listening port: 50123
preshared key: (hidden)
allowed ips: (none)
persistent keepalive: every 25 seconds
Is this what you desire?
You're not stating an issue; and you haven't addressed the OpenWrt side.
Have you seen: https://www.wireguard.com/#cryptokey-routing
Also, did you reboot?
Each peer should be defined with a unique IP address and /32.
With its own key and unique CIDR range (per peers in any given OpenWrt WG interface).
Yes, I want each peer to only be able to route its own WireGuard IP.
I've addressing the OpenWRT side here for hours. What I'm entering through the Luci interface is not reflected on the command line wg command.
Yes, I've rebooted numerous times.
Yes, each of my peers has its own key and allocated 10.14.0.0/16 IP
Post your complete /etc/config/network file (redact the keys and any other private information, but leave all RFC1918 IP addresses intact).
Can you show us the config, and not the output?
I'll give this a go tomorrow night. I just remoted in to my work router and that's how I have it set up there.
First, there is no reason at all to use a /16. I prefer to make the interface definition a /24. Beyond that, each peer should be defined with a unique IP address within the subnet, each peer must be /32.
Take a look at my thread from last year when I was doing some experimentation with WG configurations.
I was working off a tutorial and copying and pasting in order to get something running. It doesn't really matter how big the subnet is that I allocate. I could make it a /28 and I'd still be fine. That's wasn't the issue.
I think it was the multiple peers with the /16 specified broke something. Changing the per peer config to the /32 has worked.
This was the issue. Changed each peer config to specify 10.14.0.x/32 (yes I changed the OpenWRT config to 10.14.0.1/24) and all is working again.
Great. Glad to hear you're all up and running now!
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.