Wireguard Luci only last peer configured working

Raymond · September 18, 2022, 5:53am

I have configured Wireguard on a Belking RT3200 installed with the latest OpenWRT 22.03.

I configured wireguard using Luci and have not modified manually any config file or used the command line in any way.

All peer configurations are entered in Luci and the config is transferred to the peer devices scanning the qrcode generated by Luci
Each peer use different Private & Public keys as well as different pre-shared keys.
All keys are generate using the Generate keys buttons available in Luci.
In addition to the Config transferred scanning the qrcode, I enter manually in the peers wireguard app different ip addresses and configure the DNS to point to the openwrt wireguard address.
I restart the openwrt wireguard interface in between each configuration changes.

I have configured successfully wireguard on a first peer using wireguard for android.
I routed all peer traffic via the openwrt endpoint using Allowed IP Address 0.0.0.0/0.
The Android peer functioned as expected.

I configured an additional peer using wireguard for IOS.
I routed all peer traffic via the openwrt endpoint using Allowed IP Address 0.0.0.0/0
The new IOS peer function as expected.
The previously configured Android peer is able to connect to the openwrt endpoint but i can no longer access my internal network or the Internet.
Traffic seem to go from the peer to openwrt but only few bytes seem to come back.

I created again an additional wireguard peer on MacOs.
In the same way the Mac could access the internal network and internet, but now the previously configured Android and IOS peers no longer function.

I erased the Android peer and reconfigured it from scratch on both openwrt and the Android peer, now the Android peer is functioning fine but the IOS and MAC peers are not able to use the wireguard tunnels.

It seem thus that only the last per configured work properly while previous peer stop functionning once I configure a new one.
Any idea what I am doing wrong ?

My Openwrt Wireguard Config

My Luci Android Peer Config

My Luci IOS Peer Config

My Android peer wireguard app config

My IOS peer wireguard app config

I hid my keys andpublic IP addresses and port, however each peer has different public, private and preshared keys. The public IP Address is accessible and all peers point to the same address and use the same port.

Thanks for any comment that would help understand the issue.

Regards

-R

psherman · September 18, 2022, 6:02am

Do not use 0.0.0.0/0 on the OpenWrt peer configuration allowed IPs. Instead, change each peer's allowed IPs to the actual address it will use as a WG peer. So, for your Android Peer, change it to 10.10.100.10/32, and for iOS, change it to 10.100.30/32.

Then restart your router (or restart the WG interface) and try again. It should work.

jabbawok · October 1, 2022, 12:06pm

Thanks! this solved my problem too!!

Raymond · October 2, 2022, 3:31am

Hi Psherman,
Thanks for participating in this long topic.

I tried to change the config on my Android Peer and checked with a traceroute to google.com and it went via the peer internet instead of being routed via the wireguard peer.

the AllowedIPs setting of WireGuard is used to configure which blocks of IP addresses should be routed through my openwrt WireGuard peer. If I use allowed addresses containing only 10.10.100.10/32 only traffic directed to 10.10.100.10 would point to the tunnel and likely stop on the sending peer interface if at all.

My goal is to route all my traffic via the openwrt wireguard peer so as to 1) access my internal network & 2) access the internet via my country of residence when traveling.
The only way I understand this can be done is using an allowed IP Addess of 0.0.0.0/0.
Also the change would not explain why the configuration work only for the last configured peer but not for the others.

psherman · October 2, 2022, 12:15pm

In your configuration, the openwrt side peer acts as a server. The remote peers (iOS, android, etc) in this setup behave as clients.

“Server” config:
In each respective peer configuration on the “server” side, the allowed ips field should be a /32 address in the same subnet as the address defined in the main interface stanza (10.10.100.1/24). So your first peer might be 10.10.100.2/32, and your second peer might take 10.10.100.3/32, etc.

Each peer config will usually have the option “route allowed ips” enabled.

Remote peer “client” config:
The interface address on the remote peer should be the same as the “server’s” allowed ips address for that peer (10.10.100.2/32, etc).
Then, the allowed ips on the “client” peer should be 0.0.0.0/0 (if all traffic should be sent via the tunnel). You probably also need to ensure that a valid dns server is configured on the “client” peer.

mk24 · October 2, 2022, 12:49pm

Allowed_ips can be confusing. Every packet that is received through the tunnel by a Wireguard peer has its original source IP checked against the allowed_ips list. If it is not on the list, it will be rejected (actually ignored and dropped).

In this role, allowed_ips serves as a simple firewall to protect against malicious or improperly configured peers. A road warrior such as a smartphone will originate all packets from its single Wireguard interface IP. At the other end of the tunnel, allowed_ips should be restricted to that single IP. Typically a road warrior will request an Internet site which may have any IP. The server will pass the request to the Internet and route the reply (with an original source of somewhere on the Internet) back into the tunnel to the smartphone. Allowed_ips configured at the phone must be 0.0.0.0 to allow replies from anywhere on the Internet.

So far it looks like allowed_ips is just a filter on what can be received at a peer. How does the choice of allowed_ips affect packet transmission? The answer is in route_allowed_ips. If this option is enabled (and it usually should be) then the local OS routing table will be altered to direct packets to an allowed IP via that wireguard interface.

On a server, the only packets sent to a road warrior phone should be those for its one IP. So allowed_ips for that client should be set with a /32. (Route_allowed_ips isn't strictly necessary here since the automatic /24 route generated by setting a /24 IP on the wireguard interface already covers all the peers.)

On the phone, requests to anywhere on the Internet should go by Wireguard, so allowed_ips 0.0.0.0/0 in conjunction with route_allowed_ips sets that up.

Another thing to keep in mind about Wireguard is that unlike VPNs based more on a server-controlled model (OpenVPN, Zerotier, etc), Wireguard does not "push" or "pull" IP addresses, routes, or any other configuration between peers. Each peer must be directly configured locally (out of band) in a way that is compatible with the rest of the network.

Raymond · October 12, 2022, 3:46am

Hi mk24,
Thanks for the detailed explanation.
I believe the allowed Allowed IP configuration on the mobile peers to be correct as if I configure 1 device it work fine. Routing of IP traffic from mobile device is all via the router peer as I want to use this as a VPN for all traffic to the country where the router is installed.
My problem is that when I configure the next mobile device the first one will stop working properly.
Configurations are identical apart of course that I use a different IP address for each mobile device as well as own keys.
So I think it to be less of a Allowed IP address and more likely something I don't do right on the router config.

psherman · October 12, 2022, 3:57am

I explained how it should be configured in my response above, and @mk24 expanded on the reasoning.

Are you still having issues? Did you implement the changes we suggested?