Wireguard does not work

Installed Wireguard on my router (Rpi), using this guide:
https://openwrt.org/docs/guide-user/services/vpn/wireguard/server

Set up the mobile app with the QR code and I cannot connect.

I did the same for OpenVPN and, following the guide, it worked straight away; I can connect using port 1194.

One difference I see is that Wireguard uses its own interface while OpenVPN uses only tun0.
Ports for both services are opened the same way.

Ports are opened on my public IP:

$nmap -sU -p51820
PORT      STATE         SERVICE
51820/udp open|filtered unknown

These are my interfaces for both VPNs:

6: vpn: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
    link/[65534] 
    inet 192.168.8.1/24 brd 192.168.8.255 scope global vpn
       valid_lft forever preferred_lft forever
7: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN qlen 500
    link/[65534] 
    inet 192.168.9.1/24 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::b79:f75d:a1b7:b5d3/64 scope link flags 800 
       valid_lft forever preferred_lft forever

This is the client configuration on the router:

[Interface]
PrivateKey = $$$$$$$$$$$$$$$$$
# Address not defined
# ListenPort not defined
DNS = 192.168.0.1

[Peer]
PublicKey = $$$$
PresharedKey = $$$$
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = $mypublicip:51820
# PersistentKeepAlive not defined

Client has Addresses set to 192.168.8.11/24

Nothing in the logs on the router. Device logs have only this:

05-25 13:49:35.822  4189  4189 I menu_item_selected: [0,Settings]
05-25 13:49:36.809  4189  4189 I binder_sample: [android.app.IActivityTaskManager,1,985,com.wireguard.android,100]
05-25 13:49:36.809  4189  4189 I Quality : SlowBinder: com.wireguard.android to android.app.IActivityTaskManager cost= 985 code= 1
05-25 13:49:36.811  4189  4189 I Quality : Skipped: true 58
05-25 13:49:36.812  4189  4189 I wm_on_top_resumed_lost_called: [37001856,com.wireguard.android.activity.MainActivity,topStateChangedWhenResumed]
05-25 13:49:36.879  4189  4189 I wm_on_paused_called: [37001856,com.wireguard.android.activity.MainActivity,performPause]
05-25 13:49:37.501  4189  4189 I binder_sample: [android.app.IActivityTaskManager,21,622,com.wireguard.android,100]
05-25 13:49:37.501  4189  4189 I Quality : SlowBinder: com.wireguard.android to android.app.IActivityTaskManager cost= 622 code= 21
05-25 13:49:37.504  4189  4189 I Quality : Skipped: false 41
05-25 13:49:37.736  4189  4189 I wm_on_create_called: [229653284,com.wireguard.android.activity.SettingsActivity,performCreate]
05-25 13:49:38.789  4189  4189 I wm_on_start_called: [229653284,com.wireguard.android.activity.SettingsActivity,handleStartActivity]
05-25 13:49:38.810  4189  4189 I wm_on_resume_called: [229653284,com.wireguard.android.activity.SettingsActivity,RESUME_ACTIVITY]
05-25 13:49:39.304  4189  4189 I Quality : Blocked msg = Package name: com.wireguard.android [ schedGroup: 5 schedPolicy: 0 ] process the message: { when=-1s956ms what=159 target=android.app.ActivityThread$H obj=ClientTransaction LaunchActivityItem,ResumeActivityItem } took 1743 ms
05-25 13:49:39.305  4189  4189 I wm_on_top_resumed_gained_called: [229653284,com.wireguard.android.activity.SettingsActivity,topStateChangedWhenResumed]
05-25 13:49:39.305  4189  4189 I Quality : Skipped: false 107
05-25 13:49:40.005  4189  4189 I Quality : Skipped: false 41
05-25 13:49:40.407  4189  4189 I Quality : Skipped: false 9
05-25 13:49:40.563  4189  4189 I wm_on_stop_called: [37001856,com.wireguard.android.activity.MainActivity,STOP_ACTIVITY_ITEM]
05-25 13:49:40.625  4189  4189 I Quality : Skipped: false 2

Anything else to check on?

wg showconf vpn

The WG client needs an address, which should be the same as set in the Allowed IPs in the peer section of the WG server, e.g. 192.168.8.2?

# wg showconf vpn
[Interface]
ListenPort = 51820
PrivateKey = $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$Q3c=

[Peer]
PublicKey = $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$QCDc=
PresharedKey = $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$oXqAsc=

I partially hid my keys with $ so I don't have to recreate them.


This is config from the server. Client has IP 192.168.8.11/24

Isn't the IP allowed by this line in the client section?
AllowedIPs = 0.0.0.0/0, ::/0

BTW, I don't use IPv6 so I should not have allowed ::/0, but that should not matter?

The Client config should look like this:

[Interface]
PrivateKey = XXXXXX=
Address = 192.168.8.11/24
DNS = 9.9.9.9

[Peer]
PublicKey = XXXXXXXXXX=
AllowedIPs = 0.0.0.0/0
Endpoint = your-endpoint:52820
PersistentKeepalive = 25

Note: for now use a public DNS server; your DNS server might not listen on the WG interface and/or only allow local service.

The peer section on the WG server should have:

list allowed_ips '192.168.8.11/32'
option route_allowed_ips '1'

After changing and rebooting, please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
ip route show
wg show

I have a progress here, followed https://openwrt.org/docs/guide-user/services/vpn/wireguard/extras#automated
The procedure changed my address pool to 192.168.9.0, which is the same as OpenVPN, but I will change it later when all is working fine. My config looks pretty much like what you posted.
And now I can connect to the point of handshake.
I cannot access any resources though. My home network is 192.168.0.1/24; I cannot even ping the gateway 192.168.9.1 from my phone, and I cannot ping my mobile from inside my network. My mobile's IP is 192.168.9.4. I can see some traffic there and back.
Do I need to setup some extra routing? Perhaps this?

option route_allowed_ips '1'

That actually bricked my router yesterday. I was not able to access any interface. Luckily it's an RPi, so I connected to the OS and cancelled the route option and all was working fine again. I am kind of scared to do it again, but I will try it later when my wife does not need to use the Internet.

Please show the requested information so that we can have a look :nerd_face:


So it looks like I am good! Not only does the router work after allowing IP routes and survive the reboot, on top of it I am finally able to connect to my home network resources :slight_smile:
Unfortunately the OpenVPN service stopped working; I can connect but can't ping any host in my network.
I suppose moving it to a different IP network will resolve the problem.

Thanks a lot for your help @egc !

Glad you got it working.

OpenVPN needs to be on a different subnet (and different ports); you can run a WG server and an OpenVPN server together, I have done this setup many times :slight_smile:

You can make a separate thread for OpenVPN


Fortunately no need for a separate thread. It was an easy change:

# grep 192.168.9. /etc/ -r | grep openvpn
/etc/openvpn/server.conf:server 192.168.9.0 255.255.255.0
/etc/openvpn/server.conf:push "dhcp-option DNS 192.168.9.1"

Changed both records, rebooted and works like a charm!
Now I have both VPNs running.
I am surprised how tricky the Wireguard setup actually was compared to OpenVPN for me. OpenVPN was just copy, paste and enjoy. Wireguard was not straightforward at all. And on top of it I bricked my router. I was lucky it was not a classic router but an RPi, otherwise I would have had to solder the serial connectors.

Now I am going to test both VPNs and after some time will likely stick with one of them. For now it's Wireguard on the mobile phone and OpenVPN on my laptop.
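The mistakes worked through in this thread (a client `[Interface]` without an `Address`, a server peer whose `allowed_ips` does not match the client's address or is not a `/32`, `route_allowed_ips` left off, and finally a WireGuard tunnel landing on the same 192.168.9.0/24 as the OpenVPN server) are all things a config checker can catch before a reboot, rather than after. The script below is an added example, not code from the thread, from OpenWrt or from the WireGuard project: it parses a wg-quick style client config and the UCI peer block from `/etc/config/network`, then compares the two against the server's `ListenPort` and any other VPN subnets on the router. The sample configs, the `vpn.example.invalid` endpoint and the `*_PLACEHOLDER=` keys are constructed for the example.

```python
# Added example, not from the thread or from OpenWrt: consistency checks for a
# WireGuard road-warrior setup. All configs below are constructed; keys and the
# endpoint hostname are placeholders.
import ipaddress
import re


def parse_wg_conf(text):
    """Parse a wg-quick style config into {'Interface': {...}, 'Peers': [{...}]}."""
    conf = {"Interface": {}, "Peers": []}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments such as '# Address not defined'
        if not line:
            continue
        if line == "[Interface]":
            section = conf["Interface"]
        elif line == "[Peer]":
            section = {}
            conf["Peers"].append(section)
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            section[key] = value
    return conf


def parse_uci_peer(text):
    """Parse one UCI 'config wireguard_<iface>' block: option -> str, list -> [str]."""
    peer = {}
    for raw in text.splitlines():
        m = re.match(r"\s*(option|list)\s+(\S+)\s+['\"]?([^'\"]*)['\"]?\s*$", raw)
        if m:
            kind, key, value = m.groups()
            if kind == "list":
                peer.setdefault(key, []).append(value)
            else:
                peer[key] = value
    return peer


def check_setup(client, server_peer, server_listen_port, other_vpn_subnets=()):
    """Return a list of findings; an empty list means the pair looks consistent."""
    findings = []
    iface, client_ip, client_net = client["Interface"], None, None
    if "Address" in iface:
        first = ipaddress.ip_interface(iface["Address"].split(",")[0].strip())
        client_ip, client_net = first.ip, first.network
    else:
        findings.append("client [Interface] has no Address, so no tunnel IP can be assigned")
    allowed = [ipaddress.ip_network(a, strict=False) for a in server_peer.get("allowed_ips", [])]
    if client_ip is not None:
        if not any(client_ip in net for net in allowed):
            findings.append(f"server peer allowed_ips {[str(n) for n in allowed]} do not cover client Address {client_ip}")
        for net in allowed:
            if net.version == 4 and net.prefixlen < 32:  # one road-warrior client should get a /32
                findings.append(f"server peer allowed_ips {net} is wider than a single host; use {client_ip}/32")
    if server_peer.get("route_allowed_ips") != "1":
        findings.append("server peer has route_allowed_ips disabled; return traffic to the client is not routed")
    for peer in client["Peers"]:
        endpoint = peer.get("Endpoint", "")
        port = endpoint.rsplit(":", 1)[-1] if ":" in endpoint else ""
        if not port.isdigit():
            findings.append(f"client Endpoint '{endpoint}' has no port")
        elif int(port) != server_listen_port:
            findings.append(f"client Endpoint port {port} differs from server ListenPort {server_listen_port}")
        if "PersistentKeepalive" not in peer:
            findings.append("client peer has no PersistentKeepalive; NAT mappings may expire (25 is the usual value)")
    if client_net is not None:
        for other in other_vpn_subnets:
            if client_net.overlaps(ipaddress.ip_network(other, strict=False)):
                findings.append(f"tunnel subnet {client_net} overlaps another VPN subnet {other}")
    return findings


# Constructed sample: the client config as first posted (no Address, no keepalive).
BROKEN_CLIENT = """[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER=
# Address not defined
DNS = 192.168.0.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.example.invalid:51820
"""
# Constructed sample: the client config as recommended in the thread.
FIXED_CLIENT = BROKEN_CLIENT.replace("# Address not defined", "Address = 192.168.8.11/24") + "PersistentKeepalive = 25\n"

# Constructed samples: server peer section without and with the recommended settings.
BROKEN_SERVER_PEER = """config wireguard_vpn
    option public_key 'CLIENT_PUBLIC_KEY_PLACEHOLDER='
    list allowed_ips '192.168.8.0/24'
"""
FIXED_SERVER_PEER = BROKEN_SERVER_PEER.replace("192.168.8.0/24", "192.168.8.11/32") + "    option route_allowed_ips '1'\n"

if __name__ == "__main__":
    for label, cli, srv in (("broken", BROKEN_CLIENT, BROKEN_SERVER_PEER), ("fixed", FIXED_CLIENT, FIXED_SERVER_PEER)):
        result = check_setup(parse_wg_conf(cli), parse_uci_peer(srv), 51820, ("192.168.9.0/24",))
        print(label, "->", result or "OK")
```

Running it reports three findings for the first-posted pair (no `Address`, `route_allowed_ips` off, no keepalive) and none for the corrected pair checked against the OpenVPN subnet; passing the subnet the tunnel actually ended up on makes the overlap finding appear, which is the collision that broke OpenVPN at the end of the thread.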
