Wireguard not letting me set a peer

@vanyaindigo This did not work to change anything. I don’t think it would, because wg shows that no peer is set up, it’s not a case of bad routing rules.

@vgaetera I guess I can try that. Before I go further, I guess I should do this with another full settings reset? Also, are the lines like WG_SERV="SERVER_NAME_OR_IP_ADDRESS" intended to be entered at the shell just like opkg install wireguard before it? Or am I meant to put this in a script file? The page is a bit unclear.

It runs on CLI and makes the variables noted.

This means that no properly crypted handshakes/traffic are being received by the device.

The peer should show up in the list even if no traffic is flowing, but as @lleachii said, if there is an issue with the cryptographic keys, it would likely not register as a valid peer (under the hood) and thus would not appear in the peer list. In particular, I find it really odd that inserting a private key into the peer config's public key field makes the peer show up (even if it doesn't work).

@vgaetera suggested starting from scratch... I'll go one step further -- reset your entire router to defaults, reinstall WG and other necessary packages, and then start the process of WG configuration. This will help ensure that you don't have some other odd stuff going on that is causing things to fail. Be really careful not to mix up any of the keys (it can be really easy to mix up the keys since they all are in the exact same format and the differences cannot be spotted by eye). Double check that you are:

  • using the locally generated private key for your WG interface setup
  • exchanging the locally generated public key with Mullvad
  • using the Mullvad generated public key for your peer key configuration.

It includes the commands to remove old settings, although it may be more reliable to make clean setup.

Both ways should work.

This saga has finally reached an end.

I did try your suggestions to reinstall here, including making a .sh file out of everything in that OpenWRT guide to setting up Wireguard, on my current install, then on a reverted to bare bones setup, and finally, I tried the Mullvad guide once more on the cleanest of clean installs. All efforts failed.

Here’s what worked:

Mullvad’s config file generator asks for your private key and the server you want to use, but I notice it doesn’t ask for a public key and it generates a new one in the file you download. I used the private key I generated locally and the public key from the config file in my OpenWRT settings and… tada. It worked.

Thank you everyone for the help in diagnosing this problem. If you use Mullvad, try their config generator! It seems to get the correct settings when the wg genkey | tee privatekey | wg pubkey > publickey command doesn’t.


I think you misunderstand.

This command better work, or there's a big issue with Wireguard's encryption!

See: https://www.wireguard.com/quickstart/#key-generation

# make key, place into file, then generate its pubkey
# PubKey is what you give to others, private key is interface config
root@OpenWrt:~# wg genkey | tee privatekey_test | wg pubkey > publickey_test

# test generating pubkey from file above
root@OpenWrt:~# wg pubkey <  privatekey_test 
eqG8Hdb2CJCMtgENgQOoW2YcTeRwfgN6GbYkPv7m0Fc=

# verify first command shows same key in file
root@OpenWrt:~# cat publickey_test 
eqG8Hdb2CJCMtgENgQOoW2YcTeRwfgN6GbYkPv7m0Fc=

(Notice, at no point did I need to show you the private key! :wink:)

Here's what I think actually happened:

They should be asking only for your Public Key; if they use your Private key (or give you a new one) instead, they can impersonate traffic as you (other implications are not serious, since they are the VPN provider carrying the traffic anyway)! Just be sure never to reuse that keypair.

  • You should have received a public key - it's for Mullvad’s endpoint. You configure this public key, IP and port in your peer setting.
  • The other set of information needed is: your Interface IP provided by Mullvad, and a private key (it seems also generated by them)
  • Other VPN companies give you a private key too (e.g. Tunsafe), so they can properly distribute a full config file :bulb:

It seems you may have misconfigured Wireguard at first.

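An added example (not code from this thread, from Mullvad or from the WireGuard project) that reproduces in Python what `wg pubkey` computes, so the derivation shown above can be checked without a router, and then flags the key mix-ups this thread keeps circling back to: the interface's own public key, or its private key, pasted into the peer's PublicKey field. The names `x25519_base`, `wg_pubkey` and `check_keys` are chosen here, and the key pair is the RFC 7748 test vector rather than a real Mullvad key.

```python
import base64

P = 2**255 - 19        # Curve25519 field prime
A24 = 121665           # (486662 - 2) / 4, the ladder constant from RFC 7748
RFC_PRIV = "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a"  # RFC 7748 6.1 vector
RFC_PUB = "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"


def x25519_base(scalar: bytes) -> bytes:
    """scalar * basepoint(9) via the RFC 7748 Montgomery ladder: what `wg pubkey` computes."""
    k = int.from_bytes(scalar, "little")
    k = (k & ~7 & ((1 << 255) - 1)) | (1 << 254)      # clamp: clear bits 0-2 and 255, set 254
    x2, z2, x3, z3, swap = 1, 0, 9, 1, 0
    for t in range(254, -1, -1):
        bit = (k >> t) & 1
        if swap ^ bit:                                 # conditional swap of the two ladder points
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, 9 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()

def wg_pubkey(private_key_b64: str) -> str:
    """Same result as `wg pubkey < privatekey`: the public key is derived, never chosen."""
    return b64(x25519_base(base64.b64decode(private_key_b64)))

def check_keys(interface_private_b64: str, peer_public_b64: str) -> list:
    """Flag the key mix-ups discussed above; returns a list of problems (empty when sane)."""
    try:
        priv, peer = base64.b64decode(interface_private_b64), base64.b64decode(peer_public_b64)
    except ValueError:
        return ["a key is not valid base64"]
    if len(priv) != 32 or len(peer) != 32:
        return ["WireGuard keys are exactly 32 bytes (44 base64 characters)"]
    problems = []
    if peer == x25519_base(priv):
        problems.append("peer PublicKey is your own public key; the peer needs the provider's key")
    if peer == priv:
        problems.append("peer PublicKey is your own PRIVATE key; it was pasted into the wrong field")
    return problems
```

Run `wg_pubkey` on the base64 private key from your router and compare the output with `cat publickey`; the two must match, because the public key is a pure function of the private one.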

Interesting, thank you for the explanation. Here’s what the Mullvad configuration file generator interface looks like, for what it’s worth:

  • “Generate new key pair” is captioned: “Create a new pair in your browser. The public key will be sent to us so that we can assign an IP address to you and grant you access to the servers.”
  • “Reuse last key pair” is captioned: “Reuse the last key pair that you generated in this browser session.” (it’s greyed out for me.)
  • “Custom key pair” is captioned: “Retrieve a key pair from a previous occasion by entering the private key.”

It seems to me that I should avoid this interface and generate the key pair on my own with wg genkey | tee privatekey_test | wg pubkey > publickey_test to keep my private key entirely private, because all of these options involve Mullvad seeing my private key.

(As a reminder, I used “Custom key pair” and gave it a private key generated on the router.)

However, my attempts to make router-generated keys happen over the last few days demonstrate to me that I can’t get keys generated on my router to be accepted by the endpoint (or, at the least, it’s something nearly un-figure-out-able, with the limitations of my technical knowledge and the speed of this forum.) I guess I should just live with this? Isn’t part of the problem of using a VPN that you place all your trust in the VPN to behave ethically anyway, so I’m not really that much more compromised than before?

This is just fundamentally incorrect.

  • No, I wouldn't live with that...
  • and it seems to me - that the only available option for your wishes is the "Generate new key pair" option

:bulb: That was worth a lot! This is identical to TunSafe; and what I said was true!


You cannot use genkey for services like TunSafe and Mullvad. The Custom key pair option appears only to recover an old config, as in TunSafe.

To simply prove the point... perhaps someone can set up a test WG for you. Or you can configure one for accessing your home (on another interface set up for testing, of course). The only data needed is your public key (if you're the router, the endpoint IP/port too).

But I can use genkey for Mullvad. If I use the keys generated on the router with my Mac’s Wireguard client, it works. And, indeed, I followed the Mullvad guide when I first got this router, and it worked on OpenWRT, too. (The whole puzzle of this topic was why I could never get it working again after I broke it while testing endpoint speeds.)

So I don’t think you’re right that Mullvad does not support using genkey, indeed, their own guide tells you to use it, not their config file generator. The problem is, as I said, that for some reason it does not work for me anymore, and days of troubleshooting in this forum lead to no solution.

Regarding “Generate new key pair” — this will have Mullvad generate a private and public key for me, right? So I don’t see it as a security improvement. I am still trusting them to not keep my private key after generating the config file, so it is the same level of less-than-ideal security as what I did pick, “Custom key pair”.

  • Did you use their API to submit the Public Key properly?

  • I'm not sure about Mullvad, but here's TunSafe's clear reasoning why (I cannot locate the "to provide a full config" verbiage at this time)
[Interface]
# The private key of this computer. This is a secret key, don't give it out.
# To convert it to a public key you can go to 'Generate Key Pair' in TunSafe.

To be clear, I've never generated a keypair by submitting a Private key on the web interface, I used the API to submit my Public Key.

So, I would surmise "Custom key pair" only resurrects (or "retrieves") a config already existing - by presenting its Private key to Mullvad's web interface (same as TunSafe).

So, I would suggest using the API to properly send your Public Key.


I definitely used that exact curl command multiple times, taking special care to use the correct account number and my public key. Each time, I wouldn’t be able to get the “peer” to show up when running wg. I could do it again right now but I know what the result would be, having done it about ten different times.

So, again, I accept what you’re saying is the best, most secure way to set this up, but I can’t get it to work. Only using the new public key returned by this config generator worked.

