Wireguard: can't get multiple peers to work

Hi there, I've been trying for some time to get Wireguard to work. Years ago I used OpenVPN without problems. Now I want to use Wireguard but I think I have a problem understanding some basics of Wireguard.

At home I'm using an OpenWRT router. This should be the server. Next I want to get my Android phone to be a client and a second client which is a Win10 notebook with the Wireguard Windows client. In the next step I'm trying to get a site-to-site VPN to work (where every site should have a unique private network ID).

I followed this tutorial to get a first small victory: https://casept.github.io/post/wireguard-server-on-openwrt-router/
Following this I can get a handshake between my Android client and the server. Unfortunately I can only test a Windows client which is sitting in the LAN behind the OpenWRT router. It should connect, but then the same client config from the Android phone isn't working on the Windows machine.

Here is my server config:

config interface 'lan'
        option type 'bridge'
        option igmp_snooping '1'
        option ifname 'eth1.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
[...]
config interface 'wg0'
        option proto 'wireguard'
        option private_key '<private key>'
        option listen_port '1234'
        list addresses '10.14.0.0/16'
        list addresses 'eeee:1234:8790::/60'

config wireguard_wg0
        option public_key '<public key of client 1>'
        option persistent_keepalive '25'
        option description 'Android'
        option route_allowed_ips '1'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'

#config wireguard_wg0
#       option public_key '<public key of client 2>'
#       option persistent_keepalive '25'
#       option description 'BZ'
#       option route_allowed_ips '1'
#       list allowed_ips '0.0.0.0/0'
#       list allowed_ips '::/0'

I commented out the section for the 2nd client; both clients at the same time won't work. I think it's because under list allowed_ips there should not be 0.0.0.0/0 and instead there should be the VPN IP of the client (the same as configured in the client config below interface). But when I try it I can't even get a handshake. When I try to use both peer configs in the server at the same time, one of the peers has 'none' as allowed IP. So I'm really thinking the tutorial in the link above isn't correct.

In /etc/config/firewall I added the following:

config rule
        option src '*'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '1234'
        option name 'Allow-Wireguard-Inbound'

The wg0 interface is in the same firewall zone as my LAN. The DynDNS lookup is also working.

Android config:

[Interface]
PrivateKey = <private key of the 1st client>
Address = 10.14.0.3/32, eeee:1234:8790::/64
DNS = 192.168.1.1

[Peer]
PublicKey = <public key of the server>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <dyndns-name>:1234

Windows client config:

[Interface]
PrivateKey = <private key of the 2nd client>
Address = 10.14.0.4/32, eeee:1234:8791::/64
DNS = 192.168.1.1

[Peer]
PublicKey = <public key of the server>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <dyndns-name>:1234

With the false configs from above I can get my Android phone to work but not the Windows client. And I know that the configs are wrong because I've been searching and reading the forums for quite some time now:

[SOLVED] Problems setting up wireguard <-- tried without success, removed the routing option in the server config and changed the allowed IPs to 10.14.0.3/32 and 10.14.0.4/32 in the server.
Wireguard OpenWrt <-> OpenWrt tunnel for travel router - #5 by psherman <-- this describes exactly my problem

I'm running out of ideas what I can try, maybe some of you have the perfect idea.

PS: If the Windows client sits in a private LAN with the same network ID as my LAN (192.168.1.0/24), is there a way it could work without changing the whole subnet?

This is wrong, unless your phone or Windows machine is providing internet to your router. I suggest 10.14.0.2/32 and 10.14.0.3/32.

I also don't advise routing allowed IPs. Make a static route for 10.14.0.0/16.

This is definitely wrong; you must specify an IP, not a subnet. I suggest 10.14.0.1/16. I didn't deeply review the IPv6 address, but be sure to use valid network addresses in all cases (i.e. I don't think any private ranges begin with eeee), and probably use a /64. I'm not sure why you are using such big subnets on your VPN for only 2 devices in the network.

config interface 'wg0'
        option proto 'wireguard'
        option private_key '<private key>'
        option listen_port '1234'
        list addresses '10.14.0.1/16'
        list addresses 'eeee:1234:8790::1/64'

config wireguard_wg0
        option public_key '<public key of client 1>'
        option persistent_keepalive '25'
        option description 'Android'
        list allowed_ips '10.14.0.2/32'
        list allowed_ips '::/0'

config wireguard_wg0
        option public_key '<public key of client 2>'
        option persistent_keepalive '25'
        option description 'BZ'
        list allowed_ips '10.14.0.3/32'
        list allowed_ips 'eeee:1234:8790::3/64'

config route
        option interface 'wg0'
        option target '10.14.0.0'
        option netmask '255.255.0.0'

config route6
        option interface 'wg0'
        option target 'eeee:1234:8790::/60'

BTW, you should probably make sure there's a keep alive on the client too.

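As an added illustration of the AllowedIPs point in the reply above (written for this thread; not code from the thread, from WireGuard or from OpenWrt), a small Python model of WireGuard's cryptokey routing table. Peer names and addresses are the thread's; the class and function names are assumptions of this example.

```python
import ipaddress
from typing import Dict, List, Optional

# Hypothetical model of WireGuard's "cryptokey routing" table (illustration
# written for this thread, not WireGuard or OpenWrt code). Rules it reproduces:
#   * every AllowedIPs prefix on an interface is owned by exactly one peer;
#     assigning it to another peer moves it there, which is why two peers both
#     configured with 0.0.0.0/0 leave the first showing "allowed ips: (none)";
#   * outgoing packets go to the peer with the longest matching prefix;
#   * a decrypted packet is dropped unless its source address is inside the
#     sending peer's AllowedIPs.

class CryptokeyRoutingTable:
    def __init__(self) -> None:
        self._owner: Dict[object, str] = {}  # network -> peer name

    def add_peer(self, peer: str, *allowed_ips: str) -> None:
        for cidr in allowed_ips:
            net = ipaddress.ip_network(cidr, strict=False)
            self._owner[net] = peer  # silently takes the prefix from a previous owner

    def allowed_ips(self, peer: str) -> List[str]:
        nets = sorted(str(n) for n, p in self._owner.items() if p == peer)
        return nets or ["(none)"]

    def route(self, dst: str) -> Optional[str]:
        """Peer that an outgoing packet for dst is encrypted to (longest prefix)."""
        ip = ipaddress.ip_address(dst)
        best = None
        for net, peer in self._owner.items():
            if net.version == ip.version and ip in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, peer)
        return best[1] if best else None

    def accepts(self, peer: str, src: str) -> bool:
        """Inbound check: is src a valid source address for packets from peer?"""
        ip = ipaddress.ip_address(src)
        return any(p == peer and net.version == ip.version and ip in net
                   for net, p in self._owner.items())

def broken_setup() -> CryptokeyRoutingTable:
    """Both peers with 0.0.0.0/0 and ::/0, as in the original server config."""
    t = CryptokeyRoutingTable()
    t.add_peer("Android", "0.0.0.0/0", "::/0")
    t.add_peer("BZ", "0.0.0.0/0", "::/0")
    return t

def fixed_setup() -> CryptokeyRoutingTable:
    """One /32 per peer, as suggested in the reply above."""
    t = CryptokeyRoutingTable()
    t.add_peer("Android", "10.14.0.2/32")
    t.add_peer("BZ", "10.14.0.3/32")
    return t
```

With the broken setup the Android peer ends up with no allowed IPs at all, exactly the "(none)" seen in the first post; with one /32 per peer every tunnel address maps to exactly one peer in both directions.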

Thank you for your suggestions. I know there are definitely some errors in my config but I don't know why it works at least for my Android client. That's why I posted the config.

I reworked the configs with your hints:
Server (OpenWRT router):

config interface 'wg0'
	option proto 'wireguard'
	option private_key '<private key server>'
	option listen_port '1234'
	list addresses '10.14.0.1/24'

config wireguard_wg0
	option public_key '<public key client 1>'
	option persistent_keepalive '25'
	option description 'Florian_Android'
	list allowed_ips '10.14.0.3/32'

config route
	option interface 'wg0'
	option target '10.14.0.0'
	option netmask '255.255.0.0'

In my client I also switched "keep alive" on. I removed all IPv6 entries and will add them later, when IPv4 works.

With above config I can't even get a handshake in Wireguard:

root@OpenWrt:~# wg show
interface: wg0
  public key: <public key server>
  private key: (hidden)
  listening port: 1234

peer: <public key client 1>
  allowed ips: 10.14.0.3/32
  persistent keepalive: every 25 seconds

My DynDNS address is pingable (I get an IPv6 address). My Android phone is on 4G only and can't connect to the VPN.

Do you have any tips for troubleshooting?

What's your Android config?

Of course I made the key unreadable. So there's not much I have to configure.

???

  • Does your WAN have IPV6?
  • If not, where's your IPv6 interface?

(The only other thing I can see is that you may want to remove the keepalive on the OpenWrt side.)

Remove it from the Android's config, too.

Have you had any successful tests from WAN?

Nothing has changed that should prevent handshaking at this time.


I removed the '::/0' on the Android side. Nothing has changed, I get no handshake.

Here is my full network config from the server:

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdbc:33fb:8f21::/48'

config interface 'lan'
        option type 'bridge'
        option igmp_snooping '1'
        option ifname 'eth1.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth0.7'
        option proto 'pppoe'
        option password 'pw'
        option username 'xxx@t-online.de'
        option ipv6 'auto'

config interface 'wan6'
        option ifname 'eth0.7'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '1 2 3 4 5 6t'

config switch_vlan
        option device 'switch0'
        option vlan '7'
        option vid '7'
        option ports '0t 5t'

config interface 'wg0'
        option proto 'wireguard'
        option private_key '<private key server>'
        option listen_port '1234'
        list addresses '10.14.0.1/24'

config wireguard_wg0
        option public_key '<public key client 1>'
        option persistent_keepalive '25'
        option description 'Android'
        list allowed_ips '10.14.0.3/32'

config route
        option interface 'wg0'
        option target '10.14.0.0'
        option netmask '255.255.0.0'

And here are my network stats:

root@OpenWrt:~# ifconfig
br-lan    Link encap:Ethernet  HWaddr A4:2B:B0:DA:1B:AC
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: 2003:cd:7f32:ec00::1/60 Scope:Global
          inet6 addr: fdbc:33fb:8f21::1/60 Scope:Global
          inet6 addr: fe80::a62b:b0ff:feda:1bac/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:215761 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3796316 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:26191819 (24.9 MiB)  TX bytes:5080762464 (4.7 GiB)

eth0      Link encap:Ethernet  HWaddr A4:2B:B0:DA:1B:AD
          inet6 addr: fe80::a62b:b0ff:feda:1bad/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3780077 errors:0 dropped:0 overruns:0 frame:0
          TX packets:171398 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:826123944 (787.8 MiB)  TX bytes:24460181 (23.3 MiB)
          Interrupt:30

eth0.7    Link encap:Ethernet  HWaddr A4:2B:B0:DA:1B:AD
          inet6 addr: fe80::a62b:b0ff:feda:1bad/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3780077 errors:0 dropped:0 overruns:0 frame:0
          TX packets:171391 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5053049854 (4.7 GiB)  TX bytes:23773791 (22.6 MiB)

eth1      Link encap:Ethernet  HWaddr A4:2B:B0:DA:1B:AC
          inet6 addr: fe80::a62b:b0ff:feda:1bac/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:143862 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3689138 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:18889605 (18.0 MiB)  TX bytes:682228509 (650.6 MiB)
          Interrupt:31

eth1.1    Link encap:Ethernet  HWaddr A4:2B:B0:DA:1B:AC
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:143149 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3689125 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:16269805 (15.5 MiB)  TX bytes:4962437513 (4.6 GiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:487 errors:0 dropped:0 overruns:0 frame:0
          TX packets:487 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:43094 (42.0 KiB)  TX bytes:43094 (42.0 KiB)

pppoe-wan Link encap:Point-to-Point Protocol
          inet addr:91.1.58.247  P-t-P:62.155.240.37  Mask:255.255.255.255
          inet6 addr: 2003:cd:7fff:330b:a469:66ad:6e4:d16c/64 Scope:Global
          inet6 addr: fe80::a469:66ad:6e4:d16c/10 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:3779862 errors:0 dropped:0 overruns:0 frame:0
          TX packets:171161 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:5022801157 (4.6 GiB)  TX bytes:19994705 (19.0 MiB)

wg0       Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.14.0.1  P-t-P:10.14.0.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:1 dropped:36 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wlan0     Link encap:Ethernet  HWaddr A4:2B:B0:DA:1B:AB
          inet6 addr: fe80::a62b:b0ff:feda:1bab/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2121 errors:0 dropped:0 overruns:0 frame:0
          TX packets:30955 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:296426 (289.4 KiB)  TX bytes:11752296 (11.2 MiB)

wlan1     Link encap:Ethernet  HWaddr A4:2B:B0:DA:1B:AC
          inet6 addr: fe80::a62b:b0ff:feda:1bac/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:70826 errors:0 dropped:0 overruns:0 frame:0
          TX packets:132758 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:10666484 (10.1 MiB)  TX bytes:131443259 (125.3 MiB)

Actually, you're not sending packets, either (which makes some sense).

Can you use tcpdump -i pppoe-wan udp and port 1234 to check if packets are arriving?

It seems there are no incoming packets:

root@OpenWrt:~# tcpdump -i pppoe-wan udp and port 1234
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pppoe-wan, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

I tried to connect via Wireguard, but then the internet isn't working on my Android phone. Pinging the public DNS name (endpoint) from my phone with the VPN active also doesn't work. With my "wrong" old config this was possible, but I don't know why.

Well, that's an issue.

Doing a DNS lookup of your hostname doesn't send traffic to your router; it sends traffic to your DNS hosting company.

  • If you're saying that there is no hostname resolution, fix your DDNS service first.
  • Since there's no traffic arriving from your cell carrier to your border, we can safely assume the issue is not the OpenWrt.

OK, but I can ping my DynDNS address from my desktop behind the OpenWRT router:

C:\Users\veb_b>ping [mydns].ddnss.de

Ping wird ausgeführt für [mydns].ddnss.de [2003:cd:7f32:ec00::1] mit 32 Bytes Daten:
Antwort von 2003:cd:7f32:ec00::1: Zeit=1ms
Antwort von 2003:cd:7f32:ec00::1: Zeit<1ms
Antwort von 2003:cd:7f32:ec00::1: Zeit<1ms

Ping-Statistik für 2003:cd:7f32:ec00::1:
    Pakete: Gesendet = 3, Empfangen = 3, Verloren = 0
    (0% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 0ms, Maximum = 1ms, Mittelwert = 0ms
STRG-C
^C

An nslookup is also possible:

C:\Users\veb_b>nslookup [mydns].ddnss.de
Server:  OpenWrt.lan
Address:  fdbc:33fb:8f21::1

Name:    [mydns].ddnss.de
Address:  2003:cd:7f32:ec00::1

If I log into my ddnss account I can also see the actual IPv4 address.

I changed my Android config now to a static endpoint IP instead of the DynDNS name: it works.

root@OpenWrt:~# wg show
interface: wg0
  public key: <public key server>
  private key: (hidden)
  listening port: 1234

peer: <public key client 1>
  endpoint: 80.187.119.185:18396
  allowed ips: 10.14.0.3/32
  latest handshake: 1 minute, 51 seconds ago
  transfer: 408.96 KiB received, 2.33 MiB sent
  persistent keepalive: every 25 seconds

So I will test another DynDNS provider. Seems the solution is on the horizon! Thanks in advance.

@lleachii

Thanks man! I logged into my DynDNS account and the host is dual stack. And sometimes only the IPv6 address got updated. Now I modified the update script and explicitly named the IPv4 address. This seems to work for my phone now! I now have to test the second client.

What do I have to do to also get IPv6 to work? Only add private IPv6 addresses on the server and clients?

If you mean to reach your Wireguard server from the Internet on IPv6:

  • If Android prefers IPv6 (I believe it does), all you need to do is add an IPv6 AAAA record too
  • Otherwise, you're correct, just make the server accessible at your IPv6 address instead of the IPv4

If you mean IPv6 within the Wireguard tunnel, just assign a minimum /64 subnet to the Interface, route it and address the OpenWrt and client.


I've recently switched from strongswan to wireguard because of IPv6[0], as a switch to an FTTH ISP providing only DS-Lite is in my immediate future. As long as you only care about accessing your wireguard 'server' from the road via IPv6, the situation is very simple and should work out of the box[1].

Allowing IPv6 traffic over the wireguard tunnel itself is often more complicated in typical home environments, as all the consumer ISPs around here only offer dynamic IPv6 prefixes[2, 3]. The problem here is that wireguard depends on hardcoding the allowed IPs (and with that the outgoing IPv6 prefix) on both sides of the tunnel, which simply isn't known in advance. Therefore I'd suggest ignoring (outgoing) IPv6[4] for a start as well and deferring it until later, into the optimization stage, once you have the 'simple' settings working.

--
[0] IPsec and strongswan itself support IPv6 just fine, however the strongswan android app doesn't, which made me look for alternatives.
[1] provided DDNS and firewall rules allow it.
[2] this also means that the IPv6 /56 prefix will change upon reconnecting, always and every time, regardless of the downtime or other details.
[3] unless you opt for a significantly more expensive business contract, which officially isn't even available to consumers in the first place - but ISPs usually don't take that formal requirement too seriously.
[4] I don't know any way around finding some way to get a(n at least semi-) static IPv6 prefix to use for this.


You should use the wg command to check the allowed-ips of each peer. Maybe uci set allowed-ips does not work correctly; if so, try the wg set command to set allowed-ips.
