Wireguard interface unable to connect to my 2nd remote router's wireguard interface

I have two openwrt routers located in different cities. Router A has a wireguard interface wg1 on it configured to connect to router B's wireguard interface wg0. For some reason, bringing up wg1 on router A no longer connects to router B.

  • I have other peers configured on router B which are able to connect
  • I am thinking something on router A is misconfigured

On router A:

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd1d:692b:58dc::/48'
	option packet_steering '2'
	option steering_flows '128'

config device
	option name 'eth0'
	option ipv6 '0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	option ipv6 '0'

config device
	option name 'br-lan.3'
	option type '8021q'
	option ifname 'br-lan'
	option vid '3'
	option ipv6 '0'

config device
	option name 'br-lan.4'
	option type '8021q'
	option ifname 'br-lan'
	option vid '4'
	option ipv6 '0'

config device
	option name 'br-lan.5'
	option type '8021q'
	option ifname 'br-lan'
	option vid '5'
	option ipv6 '0'

config device
	option name 'br-lan.6'
	option type '8021q'
	option ifname 'br-lan'
	option vid '6'
	option ipv6 '0'

config device
	option name 'br-lan.10'
	option type '8021q'
	option ifname 'br-lan'
	option vid '10'
	option ipv6 '0'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'eth1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '4'
	list ports 'eth1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '5'
	list ports 'eth1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '6'
	list ports 'eth1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'eth1:t'

config device
	option type 'bridge'
	option name 'lxcbr0'
	option ipv6 '0'
	option bridge_empty '1'

config interface 'wan'
	option device 'eth0'
	option proto 'static'
	option ipaddr 'xxx'
	option netmask '255.255.255.192'
	option gateway 'xxx'
	option delegate '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config interface 'guest'
	option device 'br-lan.3'
	option proto 'static'
	option ipaddr '10.9.7.1'
	option netmask '255.255.255.0'
	option delegate '0'

config interface 'homeoffice'
	option device 'br-lan.4'
	option proto 'static'
	option ipaddr '10.9.6.1'
	option netmask '255.255.255.0'
	option delegate '0'

config interface 'iot'
	option device 'br-lan.5'
	option proto 'static'
	option ipaddr '10.9.5.1'
	option netmask '255.255.255.0'
	option delegate '0'

config interface 'vpn'
	option device 'br-lan.6'
	option proto 'static'
	option ipaddr '10.9.4.1'
	option netmask '255.255.255.0'
	option delegate '0'

config interface 'lan'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '10.9.8.1'
	option netmask '255.255.255.0'
	option delegate '0'

config interface 'lxc'
	option device 'lxcbr0'
	option proto 'static'
	option ipaddr '10.0.4.1'
	option netmask '255.255.255.0'

config interface 'wg0'
	option proto 'wireguard'
	option listen_port '51820'
	list addresses '10.200.200.200/24'
	option private_key 'xxx'
	option delegate '0'

config wireguard_wg0
	option description 'me'
	list allowed_ips '10.200.200.201/32'
	option route_allowed_ips '1'
	option public_key 'xxx'
	option preshared_key 'xxx'

config interface 'wg1'
	option proto 'wireguard'
	option private_key 'xxx'
	list addresses '10.100.100.104/24'
	list dns '10.0.4.250'
	option defaultroute '0'
	option delegate '0'

config wireguard_wg1
	option description 'MT6000'
	option public_key 'xxx'
	option preshared_key 'xxx'
	option endpoint_host 'my.routerb.org'
	option endpoint_port '47100'
	list allowed_ips '0.0.0.0/0'
	option persistent_keepalive '25'

And on router B:

/etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd99:97d2:a14e::/48'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config interface 'lan'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'
	option ipv6 '0'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'
	list ports 'lan5:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'

config bridge-vlan
	option device 'br-lan'
	option vlan '4'

config device
	option name 'br-lan.10'
	option type '8021q'
	option ifname 'br-lan'
	option vid '10'
	option ipv6 '0'

config device
	option name 'br-lan.3'
	option type '8021q'
	option ifname 'br-lan'
	option vid '3'
	option ipv6 '0'

config device
	option name 'br-lan.4'
	option type '8021q'
	option ifname 'br-lan'
	option vid '4'
	option ipv6 '0'

config device
	option name 'eth0'
	option ipv6 '0'

config device
	option name 'eth1'
	option ipv6 '0'

config device
	option name 'lan1'
	option ipv6 '0'

config device
	option name 'lan2'
	option ipv6 '0'

config device
	option name 'lan3'
	option ipv6 '0'

config device
	option name 'lan4'
	option ipv6 '0'

config device
	option name 'lan5'
	option ipv6 '0'

config interface 'guest'
	option proto 'static'
	option device 'br-lan.3'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'

config interface 'iot'
	option proto 'static'
	option device 'br-lan.4'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'

config interface 'lxc'
	option device 'lxcbr0'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '10.0.4.1'

config interface 'wg0'
	option proto 'wireguard'
	list addresses '10.100.100.100/24'
	option private_key 'xxx'
	option listen_port '47100'
	option delegate '0'

config wireguard_wg0
	option description 'phone'
	list allowed_ips '10.100.100.103/32'
	option route_allowed_ips '1'
	option public_key 'xxx'
	option preshared_key 'xxx'

config wireguard_wg0
	option description 'amtrack'
	list allowed_ips '10.100.100.104/32'
	option route_allowed_ips '1'
	option public_key 'xxx'
	option preshared_key 'xxx'

config device
	option type 'bridge'
	option name 'lxcbr0'
	option bridge_empty '1'
	option ipv6 '0'

On router B, issuing wg looks like this:

# wg
interface: wg0
  public key: MT...
  private key: (hidden)
  listening port: 47100

peer: pHO...
  preshared key: (hidden)
  endpoint: xxx:57890
 allowed ips: 10.100.100.103/32
  latest handshake: 18 hours, 59 minutes, 30 seconds ago
  transfer: 73.18 MiB received, 381.09 MiB sent

peer: amT...
  preshared key: (hidden)
  allowed ips: 10.100.100.104/32

So no handshake is seen for the 'amtrack' peer.

On router A you disabled the default route and did not enable "route allowed IPs", so the only thing you can reach from router A is the WG interface of router B (10.100.100.100).

However, that should not stop you from connecting to router A.
I noticed that the latest handshake of the other peer was a long time ago, so maybe your endpoint is not correct anymore; check the IP address the endpoint hostname resolves to (DDNS?).

Thanks for the reply. Interestingly, once one of my devices behind router A actually connects to the interface "vpn" in the above config, traffic flows as expected through the wg1 interface and the "latest handshake" output of wg is updated. Is that to be expected?

Note: this is without modifying anything, i.e. no introduction of option route_allowed_ips '1'.