Wireguard handshake problem with Apple devices

Hello,

I followed this tutorial and I'm able to use VPN on Windows PC and Android phone. However, when I try to connect Apple device (Mac and iPhone) I can't seem to connect properly.

It seems the issue is with the handshake. From the logs:

[NET] peer(2W6F…X3jA) - Handshake did not complete after 5 seconds, retrying (try 2)

Peer config:

[Interface]
PrivateKey = [private_key]
Address = 192.168.9.2/32

[Peer]
PublicKey = [public_key]
PresharedKey = [preshared_key]
AllowedIPs = 0.0.0.0/0
Endpoint = [wan_ip]:51820

I'm sure the keys are correct as the exactly same configuration (exported) is working fine on non-Apple devices.

I noticed similar issues on the internet but no solution worked for me so far.

I'd be grateful for any advice. Thank you.

Wireguard uses the keys to identify peers, so if you have multiple peers you have to generate a key pair for each so they all have a unique key. Also of course each peer needs a unique IP address. The server should hold a /24 IP which covers them all. Each peer has a /32.


Yes, I'm aware of it. I never tried to connect more than one peer at the time. I can try to generate new keys but Macbook which isn't working was the first one I tried it with.

Notably missing from your interface configuration is a DNS server.

Try this:

[Interface]
PrivateKey = [private_key]
Address = 192.168.9.2/32
DNS = 8.8.8.8

[Peer]
PublicKey = [public_key]
PresharedKey = [preshared_key]
AllowedIPs = 0.0.0.0/0
Endpoint = [wan_ip]:51820

If that doesn't work, let's see your OpenWrt config:

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall
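As an added example (not from the thread or any poster), a small Python linter for the client-side config format shown above: it flags a full-tunnel peer (AllowedIPs = 0.0.0.0/0) whose [Interface] has no DNS line, plus the per-peer /32 and key-format points raised earlier. The sample config and its all-zero key are constructed, not real.

```python
import base64

DUMMY_KEY = base64.b64encode(bytes(32)).decode()  # constructed: 32 zero bytes, not a real key
SAMPLE_CONF = f"""[Interface]
PrivateKey = {DUMMY_KEY}
Address = 192.168.9.2/32

[Peer]
PublicKey = {DUMMY_KEY}
PresharedKey = {DUMMY_KEY}
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.10:51820
"""

def parse_wg_conf(text):
    """Return {section: [(key, value), ...]}; keys may repeat (AllowedIPs, DNS)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments; blanks fall through
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])         # several [Peer]s merge into one list
        elif "=" in line and current is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[current].append((key, value))
    return sections

def is_wg_key(value):
    """A WireGuard key is exactly 32 bytes, base64-encoded."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:                               # binascii.Error is a ValueError
        return False

def lint_wg_conf(text):
    """Return findings as a list of strings; an empty list means nothing flagged."""
    conf = parse_wg_conf(text)
    iface, peer = dict(conf.get("Interface", [])), conf.get("Peer", [])
    findings = []
    full_tunnel = any(k == "AllowedIPs" and "0.0.0.0/0" in v for k, v in peer)
    if full_tunnel and "DNS" not in iface:
        findings.append("AllowedIPs routes all traffic but [Interface] has no DNS line")
    if not iface.get("Address", "").endswith("/32"):
        findings.append("client Address should be a single /32 host address")
    for key in ("PrivateKey", "PublicKey", "PresharedKey"):
        vals = [v for k, v in list(iface.items()) + peer if k == key]
        if not vals or not all(is_wg_key(v) for v in vals):
            findings.append(f"{key} missing or not a valid 32-byte base64 key")
    return findings
```

Run `lint_wg_conf(open("wg0.conf").read())` on a real client file; the first finding is the one that matched the symptom in this thread.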

Thank you, the DNS helped! Apparently Apple devices need it set while other devices don't. Thanks again and have a great weekend!!!

One more note - I didn't think there could be a DNS issue because I wasn't even able to access resources (via IP address) on my LAN, for which I assume DNS shouldn't be needed.
