@vanyaindigo This did not work to change anything. I don’t think it would, because wg shows that no peer is set up, it’s not a case of bad routing rules.
@vgaetera I guess I can try that. Before I go further, I guess I should do this with another full settings reset? Also, are the lines like WG_SERV="SERVER_NAME_OR_IP_ADDRESS" intended to be entered at the shell just like opkg install wireguard before it? Or am I meant to put this in a script file? The page is a bit unclear.
The peer should show up in the list even if no traffic is flowing, but as @lleachii said, if there is an issue with the cryptographic keys, it would likely not register as a valid peer (under the hood) and thus would not appear in the peer list. In particular, I find it really odd that inserting a private key into the peer config's public key field makes the peer show up (even if it doesn't work).
@vgaetera suggested starting from scratch... I'll go one step further -- reset your entire router to defaults, reinstall WG and other necessary packages, and then start the process of WG configuration. This will help ensure that you don't have some other odd stuff going on that is causing things to fail. Be really careful not to mix up any of the keys (it can be really easy to mix up the keys since they all are in the exact same format and the differences cannot be spotted by eye). Double check that you are:
using the locally generated private key for your WG interface setup
exchanging the locally generated public key with Mullvad
using the Mullvad generated public key for your peer key configuration.
I did try your suggestions to reinstall here, including making a .sh file out of everything in that OpenWRT guide to setting up Wireguard, on my current install, then on a reverted to bare bones setup, and finally, I tried the Mullvad guide once more on the cleanest of clean installs. All efforts failed.
Here’s what worked:
Mullvad’s config file generator asks for your private key and the server you want to use, but I notice it doesn’t ask for a public key and it generates a new one in the file you download. I used the private key I generated locally and the public key from the config file in my OpenWRT settings and… tada. It worked.
Thank you everyone for the help in diagnosing this problem. If you use Mullvad, try their config generator! It seems to get the correct settings when the wg genkey | tee privatekey | wg pubkey > publickey command doesn’t.
# make key, place into file, then generate its pubkey
# PubKey is what you give to others, private key is interface config
root@OpenWrt:~# wg genkey | tee privatekey_test | wg pubkey > publickey_test
# test generating pubkey from file above
root@OpenWrt:~# wg pubkey < privatekey_test
# verify first command shows same key in file
root@OpenWrt:~# cat publickey_test
(Notice, at no point did I need to show you the private key!)
Here's what I think actually happened:
They should be asking only for your Public Key; if they use your Private key (or give you a new one) instead, they can impersonate traffic as you (other implications are not serious, since they are the VPN provider carrying the traffic anyway)! Just be sure never to reuse that keypair.
You should have received a public key - it's for Mullvad’s endpoint. You configure this public key, IP and port in your peer setting.
The other pieces of information needed are your Interface IP provided by Mullvad, and a private key (it seems also generated by them).
Other VPN companies give you a private key too (e.g. Tunsafe), so they can properly distribute a full config file
It seems you may have misconfigured Wireguard at first.
“Generate new key pair” is captioned: “Create a new pair in your browser. The public key will be sent to us so that we can assign an IP address to you and grant you access to the servers.”
“Reuse last key pair” is captioned: “Reuse the last key pair that you generated in this browser session.” (it’s greyed out for me.)
“Custom key pair” is captioned: “Retrieve a key pair from a previous occasion by entering the private key.”
It seems to me that I should avoid this interface and generate the key pair on my own with wg genkey | tee privatekey_test | wg pubkey > publickey_test to keep my private key entirely private, because all of these options involve Mullvad seeing my private key.
(As a reminder, I used “Custom key pair” and gave it a private key generated on the router.)
However, my attempts to make router-generated keys happen over the last few days demonstrate to me that I can’t get keys generated on my router to be accepted by the endpoint (or, at the least, it’s something nearly un-figure-out-able, with the limitations of my technical knowledge and the speed of this forum.) I guess I should just live with this? Isn’t part of the problem of using a VPN that you place all your trust in the VPN to behave ethically anyway, so I’m not really that much more compromised than before?
And it seems to me that the only available option for your wishes is the "Generate new key pair" option.
That was worth a lot! This is identical to TunSafe; and what I said was true!
You cannot use genkey for services like TunSafe and Mullvad. The Custom key pair option appears only to recover an old config, as in TunSafe.
To simply prove the point... perhaps someone can set up a test WG for you. Or you can configure one for accessing your home (on another interface set up for testing, of course). The only data needed is your public key (if you're the router, the endpoint IP/port too).
But I can use genkey for Mullvad. If I use the keys generated on the router with my Mac’s Wireguard client, it works. And, indeed, I followed the Mullvad guide when I first got this router, and it worked on OpenWRT, too. (The whole puzzle of this topic was why I could never get it working again after I broke it while testing endpoint speeds.)
So I don’t think you’re right that Mullvad does not support using genkey, indeed, their own guide tells you to use it, not their config file generator. The problem is, as I said, that for some reason it does not work for me anymore, and days of troubleshooting in this forum lead to no solution.
Regarding “Generate new key pair” — this will have Mullvad generate a private and public key for me, right? So I don’t see it as a security improvement. I am still trusting them to not keep my private key after generating the config file, so it is the same level of less-than-ideal security as what I did pick, “Custom key pair”.
I definitely used that exact curl command multiple times, taking special care to use the correct account number and my public key. Each time, I wouldn’t be able to get the “peer” to show up when running wg. I could do it again right now but I know what the result would be, having done it about ten different times.
So, again, I accept what you’re saying is the best, most secure way to set this up, but I can’t get it to work. Only using the new public key returned by this config generator worked.