Wireguard allowed IP issue

Running 19.07.2

I set a Peer Allowed IP through the Luci interface to be but in the CLI it is set to

If I set more than 1 peer then the allowed IPs are set to "no ip" in the web interface status screen.

root@router:~# wg showconf wg0
ListenPort = 50123
PrivateKey = xxx

PublicKey = xxx
PresharedKey = xxx
AllowedIPs =
PersistentKeepalive = 25

Because this is the correct CIDR notation for the network you cited. A single IP is; and is likely what you want - unless you intended for the peer to forward traffic for all of

I don't see this, you lost me...

Also, you haven't addressed the OpenWrt. I suggest:

  • OpenWrt (/16 is correct, since it's the router; BTW, I doubt you need a network with 65,000 IPs, you can use /24, which is 254 usable IPs)
  • Peer: (since you prefer .11)

If I set in the web console "Allowed IPs" then wg on the CLI shows:

root@router:~# wg
interface: wg0
  public key: xxxxxxxx
  private key: (hidden)
  listening port: 50123

peer: iHk91svo6Y/xxxxxxx+IxQ=
  preshared key: (hidden)
  allowed ips: (none)
  persistent keepalive: every 25 seconds

Is this what you desire?

You're not stating an issue; and you haven't addressed the OpenWrt side.

Have you seen: https://www.wireguard.com/#cryptokey-routing

Also, did you reboot?

Each peer should be defined with a unique IP address and /32.


With its own key and unique CIDR range (per peers in any given OpenWrt WG interface).


Yes, I want each peer to only be able to route its own WireGuard IP.

I've been addressing the OpenWRT side here for hours. What I'm entering through the Luci interface is not reflected on the command line wg command.

Yes, I've rebooted numerous times.

Yes, each of my peers has its own key and allocated IP


Post your complete /etc/config/network file (redact the keys and any other private information, but leave all RFC1918 IP addresses intact).


Can you show us the config, and not the output?

It's in /etc/config/network

I'll give this a go tomorrow night. I just remoted in to my work router and that's how I have it set up there.

First, there is no reason at all to use a /16. I prefer to make the interface definition a /24. Beyond that, each peer should be defined with a unique IP address within the subnet, each peer must be /32.

Take a look at my thread from last year when I was doing some experimentation with WG configurations.

I was working off a tutorial and copying and pasting in order to get something running. It doesn't really matter how big the subnet is that I allocate. I could make it a /28 and I'd still be fine. That wasn't the issue.

I think it was the multiple peers with the /16 specified that broke something. Changing the per peer config to the /32 has worked.


This was the issue. Changed each peer config to specify 10.14.0.x/32 (yes I changed the OpenWRT config to and all is working again.
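Added example (not code from this thread, from OpenWrt or from WireGuard): a small Python check that reads a UCI-style /etc/config/network, verifies that every peer of the wg0 interface has its own single-host /32 inside the interface subnet as recommended above, and then models the cryptokey routing table the way wg(8) keeps it, one table per interface in which re-assigning a prefix that another peer already owns moves it to the new peer. The two config fragments are constructed for the example: a router at 10.14.0.1 with peers at 10.14.0.11 and 10.14.0.12, public keys replaced by the placeholders 'peerA' and 'peerB'. The "broken" fragment gives both peers the same /16, the mistake described in the thread; the "fixed" fragment gives each peer a /32.

```python
"""Check WireGuard peer allowed_ips in an OpenWrt UCI config and model
cryptokey routing.  Added example; the configs below are constructed."""
import ipaddress
import re

# Constructed sample: both peers claim the whole /16 (the thread's mistake).
BROKEN_CONFIG = """
config interface 'wg0'
        option proto 'wireguard'
        option private_key 'xxx'
        option listen_port '50123'
        list addresses '10.14.0.1/16'

config wireguard_wg0
        option public_key 'peerA'
        list allowed_ips '10.14.0.0/16'

config wireguard_wg0
        option public_key 'peerB'
        list allowed_ips '10.14.0.0/16'
"""

# Constructed sample: /24 on the router, a unique /32 per peer.
FIXED_CONFIG = """
config interface 'wg0'
        option proto 'wireguard'
        option private_key 'xxx'
        option listen_port '50123'
        list addresses '10.14.0.1/24'

config wireguard_wg0
        option public_key 'peerA'
        list allowed_ips '10.14.0.11/32'

config wireguard_wg0
        option public_key 'peerB'
        list allowed_ips '10.14.0.12/32'
"""

SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'?([^']*)'?)?\s*$")
KV_RE = re.compile(r"^\s*(option|list)\s+(\S+)\s+'([^']*)'\s*$")


def parse_uci(text):
    """Minimal UCI parser: list of (section_type, section_name, {key: [values]})."""
    sections = []
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            sections.append((m.group(1), m.group(2), {}))
            continue
        m = KV_RE.match(line)
        if m and sections:
            sections[-1][2].setdefault(m.group(2), []).append(m.group(3))
    return sections


def wg_peers(sections, ifname):
    """Return (interface network, [(public_key, [allowed_ips])]) for one WG interface."""
    net = None
    for s_type, s_name, opts in sections:
        if s_type == 'interface' and s_name == ifname:
            net = ipaddress.ip_interface(opts['addresses'][0]).network
    peers = [(opts['public_key'][0], opts.get('allowed_ips', []))
             for s_type, _, opts in sections if s_type == 'wireguard_' + ifname]
    return net, peers


def check_allowed_ips(text, ifname='wg0'):
    """List config problems; empty when each peer owns a unique /32 inside the subnet."""
    net, peers = wg_peers(parse_uci(text), ifname)
    if net is None:
        raise ValueError(f'no interface section for {ifname}')
    problems, seen = [], {}
    for pubkey, cidrs in peers:
        if not cidrs:
            problems.append(f'{pubkey}: no allowed_ips')
        for cidr in cidrs:
            n = ipaddress.ip_network(cidr, strict=False)
            # A road-warrior peer should only be allowed its own tunnel address.
            # (A site gateway legitimately gets a wider prefix; not this thread's case.)
            if n.prefixlen != n.max_prefixlen:
                problems.append(f'{pubkey}: {cidr} is a whole subnet, not a single-host /32')
            if not n.subnet_of(net):
                problems.append(f'{pubkey}: {cidr} lies outside the interface network {net}')
            if n in seen:
                problems.append(f'{pubkey}: {cidr} is already assigned to {seen[n]}')
            seen[n] = pubkey
    return problems


def cryptokey_table(peers):
    """Model wg's per-interface allowed-IPs table: a prefix belongs to exactly one
    peer, so assigning it to a second peer takes it away from the first."""
    table = {}
    for pubkey, cidrs in peers:
        for cidr in cidrs:
            table[ipaddress.ip_network(cidr, strict=False)] = pubkey
    return table


def peer_allowed_ips(table, pubkey):
    """What `wg show` would list under 'allowed ips' for this peer."""
    return sorted(str(n) for n, p in table.items() if p == pubkey)


def route(table, addr):
    """Longest-prefix match: the peer that addr is routed to, or None."""
    ip = ipaddress.ip_address(addr)
    matches = [n for n in table if ip in n]
    return table[max(matches, key=lambda n: n.prefixlen)] if matches else None


if __name__ == '__main__':
    for label, cfg in (('broken', BROKEN_CONFIG), ('fixed', FIXED_CONFIG)):
        _, peers = wg_peers(parse_uci(cfg), 'wg0')
        table = cryptokey_table(peers)
        print(label, check_allowed_ips(cfg))
        for pubkey, _ in peers:
            print(' ', pubkey, 'allowed ips:', peer_allowed_ips(table, pubkey) or '(none)')
```

With the broken fragment the check reports the shared /16 and the model leaves peerA with no allowed IPs at all, since peerB's identical prefix takes the entry; that is consistent with the "(none)" / "no ip" status the thread describes once a second peer was added. With the fixed fragment the check is clean and traffic for 10.14.0.11 and 10.14.0.12 is routed to peerA and peerB respectively, while an address nobody owns routes to no peer.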


Great. Glad to hear you're all up and running now!

