Wireguard not letting me set a peer

I recently got an OpenWRT-capable router (Linksys WRT3200ACM) because I wanted to route all my home network traffic over Mullvad, a commercial VPN, using my router as a Wireguard "client".

I set it all up per Mullvad's guide to using Wireguard on OpenWRT (although since I use a Pi-Hole on my network for my DNS and DHCP server, I didn't use the final part of the instructions.) It worked great! I was impressed!

Then I changed something while trying to compare endpoint speeds, and it stopped working. No more internet served to my clients on the LAN.

I have now spent two full days trying to fix it. I cannot. The WGInterface just doesn't supply internet access like it used to. Here's what I've narrowed it down to:

The peer settings are not taking. Running wg in the shell yields

public key: <publickey_shown_here>
private key: (hidden)
listening port: 51820

And nothing more, even though after those three lines you are supposed to see the peer settings, if you have a peer set up. Yet I have set up a peer (the Mullvad endpoint)!

So, okay, just to force the peer settings through, I tried wg set WGInterface peer <privkey_goes_here> endpoint <endpoint_ip>:51820 allowed-ips 0.0.0.0/0 persistent-keepalive 25 to manually add the peer. It returned an exit status of 0, and... nothing. Running wg again did not show any peer info.

I have:

  • Added a second peer with a more-specific allowed IP range
  • Deleted and recreated the interfaces
  • Deleted and recreated the keys, and got a new IP assigned from Mullvad's API
  • Tried the same settings given to OpenWRT in the Mac Wireguard client to test if the tunnel works with these settings (it does)
  • Tried different Mullvad endpoint IPs as peers
  • Restored the router settings from scratch, and followed the Mullvad tutorial from scratch

Nothing works. (Even though the first time I set it up, it worked fine!)

I believe I have narrowed the problem down to the odd behaviour of the wg command, which isn't acting like I have a peer set up, even though I have set it up in the web interface. Is there any reason the saved settings would be ignored? How can I further narrow down the problem, and hopefully resolve it?

Here's what my WGInterface configuration looks like:

The settings in the .conf file there are verified working in the macOS Wireguard client.

Here's a dump of a bunch of settings, per a request for the same info I saw in another thread about Wireguard.

root@OpenWRT:/# uci show network; uci show wireless;
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fdd5:872b:58ee::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='192.168.1.25'
network.wan=interface
network.wan.ifname='eth1.2'
network.wan.proto='dhcp'
network.wan6=interface
network.wan6.ifname='eth1.2'
network.wan6.proto='dhcpv6'
network.@switch[0]=switch
network.@switch[0].name='switch0'
network.@switch[0].reset='1'
network.@switch[0].enable_vlan='1'
network.@switch_vlan[0]=switch_vlan
network.@switch_vlan[0].device='switch0'
network.@switch_vlan[0].vlan='1'
network.@switch_vlan[0].ports='0 1 2 3 5t'
network.@switch_vlan[1]=switch_vlan
network.@switch_vlan[1].device='switch0'
network.@switch_vlan[1].vlan='2'
network.@switch_vlan[1].ports='4 6t'
network.WGInterface=interface
network.WGInterface.proto='wireguard'
network.WGInterface.private_key='<removed>'
network.WGInterface.listen_port='51820'
network.WGInterface.force_link='1'
network.WGInterface.addresses='<removed>'
network.@wireguard_WGInterface[0]=wireguard_WGInterface
network.@wireguard_WGInterface[0].public_key='<removed>'
network.@wireguard_WGInterface[0].endpoint_host='<removed>'
network.@wireguard_WGInterface[0].endpoint_port='51820'
network.@wireguard_WGInterface[0].persistent_keepalive='25'
network.@wireguard_WGInterface[0].allowed_ips='0.0.0.0/0'
wireless.radio0=wifi-device
wireless.radio0.type='mac80211'
wireless.radio0.channel='36'
wireless.radio0.hwmode='11a'
wireless.radio0.path='soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
wireless.radio0.htmode='VHT80'
wireless.radio0.country='US'
wireless.radio0.legacy_rates='0'
wireless.radio0.distance='20'
wireless.default_radio0=wifi-iface
wireless.default_radio0.device='radio0'
wireless.default_radio0.network='lan'
wireless.default_radio0.mode='ap'
wireless.default_radio0.ssid='<removed>'
wireless.default_radio0.encryption='psk2'
wireless.default_radio0.key='<removed>'
wireless.default_radio0.wpa_disable_eapol_key_retries='1'
wireless.radio1=wifi-device
wireless.radio1.type='mac80211'
wireless.radio1.hwmode='11g'
wireless.radio1.path='soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
wireless.radio1.channel='2'
wireless.radio1.country='US'
wireless.radio1.legacy_rates='1'
wireless.radio1.distance='20'
wireless.default_radio1=wifi-iface
wireless.default_radio1.device='radio1'
wireless.default_radio1.network='lan'
wireless.default_radio1.mode='ap'
wireless.default_radio1.ssid='<removed>'
wireless.default_radio1.encryption='psk2'
wireless.default_radio1.key='<removed>'
wireless.default_radio1.wpa_disable_eapol_key_retries='1'
wireless.radio2=wifi-device
wireless.radio2.type='mac80211'
wireless.radio2.hwmode='11a'
wireless.radio2.path='platform/soc/soc:internal-regs/f10d8000.sdhci/mmc_host/mmc0/mmc0:0001/mmc0:0001:1'
wireless.radio2.htmode='VHT80'
wireless.radio2.disabled='1'
wireless.radio2.country='US'
wireless.radio2.legacy_rates='1'
wireless.radio2.channel='11'
wireless.default_radio2=wifi-iface
wireless.default_radio2.device='radio2'
wireless.default_radio2.network='lan'
wireless.default_radio2.mode='ap'
wireless.default_radio2.encryption='none'
wireless.default_radio2.ssid='<removed>'
root@OpenWRT:/# uci show firewall; uci show dhcp;
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].network='wan wan6'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@zone[2]=zone
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].name='wgzone'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].masq='1'
firewall.@zone[2].mtu_fix='1'
firewall.@zone[2].network='WGInterface'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest='wgzone'
firewall.@forwarding[0].src='lan'
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.auto'
dhcp.@dnsmasq[0].nonwildcard='1'
dhcp.@dnsmasq[0].localservice='1'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.lan.ra_management='1'
dhcp.lan.ignore='1'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'
root@OpenWRT:/# ip -4 addr ; ip -4 ro ; ip -4 ru;
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
17: eth1.2@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 71.105.203.61/24 brd 71.105.203.255 scope global eth1.2
       valid_lft forever preferred_lft forever
56: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.25/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
60: WGInterface: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.64.39.98/32 brd 255.255.255.255 scope global WGInterface
       valid_lft forever preferred_lft forever
default via 71.105.203.1 dev eth1.2 proto static src 71.105.203.61 
71.105.203.0/24 dev eth1.2 proto kernel scope link src 71.105.203.61 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.25 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
root@OpenWRT:/# iptables-save; head -n -0 /etc/firewall.user;
# Generated by iptables-save v1.6.2 on Wed Nov  6 01:17:54 2019
*nat
:PREROUTING ACCEPT [2347:252406]
:INPUT ACCEPT [16:1016]
:OUTPUT ACCEPT [41:2751]
:POSTROUTING ACCEPT [548:23031]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:postrouting_wgzone_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:prerouting_wgzone_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
:zone_wgzone_postrouting - [0:0]
:zone_wgzone_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth1.2 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i WGInterface -m comment --comment "!fw3" -j zone_wgzone_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth1.2 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o WGInterface -m comment --comment "!fw3" -j zone_wgzone_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
-A zone_wgzone_postrouting -m comment --comment "!fw3: Custom wgzone postrouting rule chain" -j postrouting_wgzone_rule
-A zone_wgzone_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wgzone_prerouting -m comment --comment "!fw3: Custom wgzone prerouting rule chain" -j prerouting_wgzone_rule
COMMIT
# Completed on Wed Nov  6 01:17:54 2019
# Generated by iptables-save v1.6.2 on Wed Nov  6 01:17:54 2019
*mangle
:PREROUTING ACCEPT [2724:345770]
:INPUT ACCEPT [408:97247]
:FORWARD ACCEPT [2108:186522]
:OUTPUT ACCEPT [956:159599]
:POSTROUTING ACCEPT [956:159599]
-A FORWARD -o WGInterface -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wgzone MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Wed Nov  6 01:17:54 2019
# Generated by iptables-save v1.6.2 on Wed Nov  6 01:17:54 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:forwarding_wgzone_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:input_wgzone_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:output_wgzone_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
:zone_wgzone_dest_ACCEPT - [0:0]
:zone_wgzone_dest_REJECT - [0:0]
:zone_wgzone_forward - [0:0]
:zone_wgzone_input - [0:0]
:zone_wgzone_output - [0:0]
:zone_wgzone_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth1.2 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i WGInterface -m comment --comment "!fw3" -j zone_wgzone_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth1.2 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i WGInterface -m comment --comment "!fw3" -j zone_wgzone_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth1.2 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o WGInterface -m comment --comment "!fw3" -j zone_wgzone_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wgzone forwarding policy" -j zone_wgzone_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o eth1.2 -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o eth1.2 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i eth1.2 -m comment --comment "!fw3" -j reject
-A zone_wgzone_dest_ACCEPT -o WGInterface -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wgzone_dest_ACCEPT -o WGInterface -m comment --comment "!fw3" -j ACCEPT
-A zone_wgzone_dest_REJECT -o WGInterface -m comment --comment "!fw3" -j reject
-A zone_wgzone_forward -m comment --comment "!fw3: Custom wgzone forwarding rule chain" -j forwarding_wgzone_rule
-A zone_wgzone_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wgzone_forward -m comment --comment "!fw3" -j zone_wgzone_dest_REJECT
-A zone_wgzone_input -m comment --comment "!fw3: Custom wgzone input rule chain" -j input_wgzone_rule
-A zone_wgzone_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wgzone_input -m comment --comment "!fw3" -j zone_wgzone_src_REJECT
-A zone_wgzone_output -m comment --comment "!fw3: Custom wgzone output rule chain" -j output_wgzone_rule
-A zone_wgzone_output -m comment --comment "!fw3" -j zone_wgzone_dest_ACCEPT
-A zone_wgzone_src_REJECT -i WGInterface -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Wed Nov  6 01:17:54 2019
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
root@OpenWRT:/# 

Are you running these at the same time?

Are you sure that the mask of the WG interface is /32?

10.64.39.98/32
3 Likes

/24 and /32 are supposed to match subnet and p2p topology respectively.
https://wiki.archlinux.org/index.php/WireGuard#Example_peer_configuration

1 Like

@lleachii I was, mistakenly, during some of my troubleshooting last night. But I deactivated it on my Mac and it didn’t change anything, unfortunately. (Worth noting that I followed the Mullvad guide well before I tried troubleshooting by connecting on my Mac, and that just didn’t work.)

@trendy That is what Mullvad assigned me from the curl API request, including the /32.

@vgaetera I don’t really understand what you are saying. If you’re saying a setting of mine is in conflict with the /32 IP, what is that setting? I should also note that I probably had that setting set the first time I set this up, when it worked, so it probably wouldn’t work to fix the problem... but I can try!

/32 is a single host. You need at least the local and remote peers to be link-local to each other.

Which setting should I change, given that Mullvad did return “10.64.39.98/32” for my assigned Wireguard interface IP?

First make sure you have the right date and time: date
Also make sure the keys are copy-pasted without any extra characters.
What is the output of wg ?
Give an ifup WGInterface to see if the interface comes up.

1 Like

Also verify that DNS works correctly, otherwise NTP may not work.

Try a different endpoint and see if it works.

1 Like

@trendy The date is correct. The keys are copy-pasted without any extra characters (they end with a =, but this worked in the past and seems correct.) The output of wg is the first thing I quote in my OP. As for ifup:

root@OpenWRT:~# ifup WGInterface
root@OpenWRT:~# echo $?
0
root@OpenWRT:~# ifconfig
WGInterface Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.64.39.98  P-t-P:10.64.39.98  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

@vgaetera DNS works correctly.

@stangri As mentioned in the OP, I’ve tried multiple endpoints to no avail.

If you remove this line, does it help? AFAIK, the listen port is only necessary for WG interfaces that are listening for inbound connections. For interfaces that are initiating the connection (i.e. outbound), it can (should?) be unspecified and will automatically configure itself.

To be clear, you'll still want the endpoint port specified... I'm only suggesting that you try removing the interface listen port.

1 Like

Yes, it does seem like a useless option, doesn’t it? I put it there only because it was in the Mullvad instructions. Unfortunately, I just removed it, rebooted the router, and no, no changes, no peer info when I run wg at the shell, same old.

The peer should contain the public key of the endpoint -- you referenced the private key here, not sure if that was a typo. In theory, this public key should have been provided for you by Mullvad. Make sure that you are using the public key for Mullvad and that there are no typos (it should be 44 characters long, including the last character, which is an equals sign (=)).

Your wireguard interface definition will be configured with the private key that you generated on your own (and presumably you would submit your generated public key to Mullvad for the peer configuration on their side).
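The two points made above (the key is 44 base64 characters ending in "=", and the peer section must carry the remote side's public key, not your own key) can be turned into a quick check before the values go into a peer section. The script below is an added example, not code from this thread, from OpenWrt or from Mullvad. The three keys in it are constructed placeholders (32 repeated bytes, base64-encoded); they are not a real key pair and the "public" ones are not derived from the "private" one. It also assumes a `base64` that accepts `-d`, which both coreutils and busybox provide. Note that `wg set ... peer <key>` accepts any well-formed 32-byte key, so pasting your own private key there produces a peer entry just like the one quoted later in this thread; only the second function catches that mistake.

```shell
#!/bin/sh
# Added example: sanity checks for WireGuard key material before it goes into
# a peer section. Not code from this thread, OpenWrt or Mullvad. The three
# keys below are constructed placeholders (32 repeated bytes, base64-encoded);
# they are NOT a real key pair and are not derived from each other.
KEY_LOCAL_PRIV='QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE='   # stands in for the router's private key
KEY_LOCAL_PUB='QkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkI='    # stands in for the router's public key
KEY_PEER_PUB='Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0M='     # stands in for the provider's public key

# wg_key_ok KEY: returns 0 if KEY has the shape of a WireGuard key, i.e. exactly
# 44 base64 characters, ending in '=', decoding to the 32 bytes of a Curve25519
# key. A trailing space, a lost '=' or a stray character from copy-pasting fails.
wg_key_ok() {
    key=$1
    [ "${#key}" -eq 44 ] || return 1
    case $key in
        *=) ;;                          # 32 bytes always encode with one '=' of padding
        *) return 1 ;;
    esac
    case $key in
        *[!A-Za-z0-9+/=]*) return 1 ;;  # anything outside the base64 alphabet
    esac
    n=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$n" -eq 32 ]
}

# wg_peer_ok PEER_KEY LOCAL_PRIV LOCAL_PUB: returns 0 if PEER_KEY is well-formed
# and is neither the interface's private key nor its own public key. A peer
# entry carrying either of those can never complete a handshake with the remote
# side, whatever exit status `wg set` reports.
#   1 = malformed, 2 = peer key is our private key, 3 = peer key is our public key
wg_peer_ok() {
    peer_key=$1 local_priv=$2 local_pub=$3
    wg_key_ok "$peer_key" || return 1
    [ "$peer_key" != "$local_priv" ] || return 2
    [ "$peer_key" != "$local_pub" ] || return 3
    return 0
}

# Stand-alone demo: run the peer check over the constructed keys, including a
# copy of the peer key with its trailing '=' lost (a typical paste error).
for candidate in "$KEY_PEER_PUB" "$KEY_LOCAL_PRIV" "$KEY_LOCAL_PUB" "${KEY_PEER_PUB%=}"; do
    rc=0
    wg_peer_ok "$candidate" "$KEY_LOCAL_PRIV" "$KEY_LOCAL_PUB" || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "peer key $candidate: ok"
    else
        echo "peer key $candidate: rejected (reason code $rc)"
    fi
done
```

On the router, replace the placeholders with the contents of the `privatekey` and `publickey` files from `wg genkey | tee privatekey | wg pubkey > publickey` and the key returned by the provider; the checks are purely textual and never print the private key.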

It is optional. Try to reset the router and configure it again.

Yes, the keys are 44 characters long and end with a =.

You did catch a typo! I’m not sure whether I previously was trying the private key in that wg set command, but it’s OK, I can test it now. And the results:

Still nothing. I tried the public key, and running wg a second time did not yield any peer information appearing in wg, nor the interface working to provide internet after I set up the firewall. I tried revoking my old key and generating new ones and getting a new IP (using wg genkey | tee privatekey | wg pubkey > publickey and the curl command in the Mullvad tutorial) and the same occurs.

Curiously, I did try the private key as well, and wg shows:

interface: WGInterface
  public key: <publickey>
  private key: (hidden)
  listening port: 47899

peer: <privatekey>
  endpoint: <endpoint ip>:51820
  allowed ips: 0.0.0.0/0
  transfer: 0 B received, 148 B sent
  persistent keepalive: every 25 seconds

I know this is wrong, but it’s notable to me that this peer section shows up when I enter the “wrong” private key data, because if I enter the “right” public key, it only prints the first three lines and shows no “peer” info.

@vanyaindigo I guess I can do it, again. But I did reset the settings completely before starting this topic, and I still had the problem after following the Mullvad tutorial. I’m reluctant to do it a third time when I don’t expect it would make any difference.
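The `wg` output quoted above shows the two states worth telling apart when debugging this: an interface block with no `peer:` section at all (the original symptom), and a peer that reports `0 B received, 148 B sent`. The 148 bytes are exactly one WireGuard handshake initiation message, so that line means the router sent its opening handshake and never got a response, which is what a peer configured with the wrong key looks like. The script below is an added example, not code from this thread or from OpenWrt: a small health check that classifies a `wg show` dump so the condition can be caught from cron rather than by eye. The three dumps in it are constructed from the shape of the output shown in the thread, and 203.0.113.10 is a documentation address standing in for the endpoint.

```shell
#!/bin/sh
# Added example: classify the state of a WireGuard interface from the text that
# `wg show` (or plain `wg`) prints. Not code from this thread or from OpenWrt.
# The three dumps below are constructed from the shape of the output in the
# thread; 203.0.113.10 is a documentation address, not a real server.

# wg_peer_state: reads a `wg show` dump on stdin and prints one word:
#   no-peer       interface block only, no "peer:" section (the OP's symptom)
#   no-handshake  a peer exists but nothing has ever been received from it;
#                 wg only prints "latest handshake" once a handshake succeeded
#   ok            a peer exists and traffic has come back through the tunnel
wg_peer_state() {
    awk '
        /^peer:/                     { peers++ }
        /^[ \t]*latest handshake:/   { handshakes++ }
        /^[ \t]*transfer:/           { if ($2 + 0 > 0) rx++ }   # $2 is the received amount
        END {
            if (peers == 0)                       print "no-peer"
            else if (handshakes == 0 || rx == 0)  print "no-handshake"
            else                                  print "ok"
        }'
}

# Constructed sample dumps (placeholders in angle brackets, as in the thread).
SAMPLE_NO_PEER='interface: WGInterface
  public key: <local public key>
  private key: (hidden)
  listening port: 51820'

SAMPLE_STALLED='interface: WGInterface
  public key: <local public key>
  private key: (hidden)
  listening port: 47899

peer: <peer key>
  endpoint: 203.0.113.10:51820
  allowed ips: 0.0.0.0/0
  transfer: 0 B received, 148 B sent
  persistent keepalive: every 25 seconds'

SAMPLE_OK='interface: WGInterface
  public key: <local public key>
  private key: (hidden)
  listening port: 47899

peer: <peer key>
  endpoint: 203.0.113.10:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 12 seconds ago
  transfer: 5.12 KiB received, 3.40 KiB sent
  persistent keepalive: every 25 seconds'

# classify DUMP: wrapper so a caller can pass the dump text as an argument.
classify() { printf '%s\n' "$1" | wg_peer_state; }

# Stand-alone demo; on a real router feed it `wg show WGInterface` instead.
for s in "$SAMPLE_NO_PEER" "$SAMPLE_STALLED" "$SAMPLE_OK"; do
    echo "state: $(classify "$s")"
done
```

On the router this reduces to `wg show WGInterface | wg_peer_state`; a result other than `ok` a minute after `ifup WGInterface` is the point at which to re-check the peer key and endpoint rather than the firewall or routing, since the filter and NAT rules never see a packet until the handshake completes.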

Try to set up a mobile client first with the same config.

Per my OP, in the list of things I tried before posting: “Tried the same settings given to OpenWRT in the Mac Wireguard client to test if the tunnel works with these settings (it does)”

Open the /etc/config/network file and remove this:

option force_link '1'

from config interface 'WGInterface', and add this to the peer section config wireguard_WGInterface:

option route_allowed_ips '1'

1 Like

Try this from scratch:
https://openwrt.org/docs/guide-user/services/vpn/wireguard/client

If it doesn't help, then there's likely some issue with your keys or connection parameters.

1 Like