Wireguard not working, OpenVPN protocol works

I have been using Wireguard and OpenVPN with my VPN subscription. And I could use them interchangeably. About 3 weeks ago, Wireguard ceased to work. I am pretty conversant with the configuration so it's not an issue about the configuration because I have a config file that I import.
What happens is that the tunnel comes up, but there is no traffic going through it even though "Route Allowed IPs" is enabled and I have assigned the interface to the WAN zone.

What I have realized is that it is no longer possible to manually configure the interface without entering a public key in the General Settings tab. I entered the public key for the Peer on this tab. I am not absolutely sure this is right, but some posts suggest so. When I import a config file, the key I see populated on that field is not the same as the Public Key of the peer.
At the end of it, there seems to be a handshake and no traffic going through.

For completeness, here is the file that I do import:

[Interface]
Address = 10.5.0.2/32
PrivateKey = wA4FPKXXXXXXXXXXXXXXXXXXXXXXXXXXXJJJJJJJJJc=
MTU = 1420
ListenPort = 51820
DNS = 103.86.99.100, 103.86.96.100

[Peer]
PublicKey = 0/YYYYYYYYYYYYYYYYYHHHHHHHHHHHHHHHHHHHHHLLLL=
AllowedIPs = 0.0.0.0/0
Endpoint = us10149.nordvpn.com:51820
PersistentKeepalive = 25

Just to add to this, my router's WAN IP is in the 192.168.1.0/24 subnet (LAN subnet of my ISP's router) while my LAN subnet is 172.16.17.1/24. My ISP's router has a public IP that is not NATed.

I remain stumped as to what is the reason wireguard stopped working. This is happening on 3 different routers.

1 Like

Odd, your pic shows the color as green, while OpenWrt usually displays the WAN firewall zone as red.

  • What config changes did you make? It's all key-based, so only your changes should affect it.
  • Does your account have a bandwidth limit?

I haven't changed any keys. The only thing I ever change is the Peer EndPoint.
Do you mean my account with the ISP or the VPN provider? For the ISP, my traffic can be throttled if I hit 30GB in 24hrs, but that would get reset at midnight. You can safely assume there is no limit.

My biggest worry was the requirement for a public key in the General Settings tab. It never used to be there. Previously, I would just configure everything and that key would be empty. However, from a Linux box, I have verified that the key being populated in that field when I import the configuration is correct. I can see it by doing sudo wg show.
The other thing is, from a Linux box, I can connect to VPN using wireguard and everything works.

In OpenWrt, I am not even getting a handshake, and something is telling me to try downgrading to 22.03.1 and see what would happen.

What did they tell you from NordVPN?

1 Like
  • I assume it merely changes IP, correct?
  • Does it have a hostname?

If so, you can use the wireguard watchdog to update in cron.

An empty/null public key is not possible...you must have a public key of the local peer (it's just not used). Your public key is filled out by the private one.

If you didn't generate automatically, generate your Public Key with the wg pubkey command.

I have configs before this web GUI box existed - and the value is filled out and does not appear in the command line config, so it seems you may have edited your config at some point in LuCI. After testing myself, adding any value will work upon saving - as long as there's a valid Private Key (see below).

@jow - I reported to you years ago another Wireguard web GUI issue so I tagged you. After testing and even using a good key, it only proceeds when you enter some value foo. I pasted an invalid Public Key and noticed when I hit "save" that it edited it to the correct one. The Public Key section only exists for users who wish to generate a new keypair - this box can be edited to be greyed and only filled when the button is pressed.

See: https://www.wireguard.com/quickstart/#key-generation

I mean whatever your Wireguard peer is.

FYI, this doesn't fix your handshake issue. Have you asked your VPN Customer Service, as @trendy suggested?

Did this change?

1 Like

They do not support using wireguard on routers. They will simply tell you to use their App.
But this is not a problem with them as I am able to use wireguard on a Linux box with the same credentials.

1 Like

In most cases the absence of incoming packets from the peer is a sign of bad keys.
Let's have a look at the uci export network

The box for public key is informational only. If you were controlling the keys (you're not), you would need to share your public key with the other peer so they can encrypt packets to send to you. You would then decrypt them with your private key, which should be kept secret.

A VPN service which fully supports Wireguard in the most secure way would allow you to generate your own private key and keep it secret. To authorize your connection you would register the corresponding public key with them by a reasonably secure out of band method such as a web form.

In other words, the base wg0 interface holds your private key. The peer connection holds their public key; they keep their private key secret. A public key can be derived from a private key at any time, but of course the reverse is not possible.

3 Likes
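To make the two points above concrete (the "wg pubkey" command mentioned earlier, and the fact that a WireGuard public key is derived from the private key but never the reverse), here is an added example that is not part of this thread or of the wg tools. It reimplements what wg pubkey computes: X25519 of the 32-byte private key against the Curve25519 base point u = 9 (RFC 7748), base64-encoded the way wg-quick config files store keys. The key pair used is RFC 7748's published test vector, not a real key, and the config-parsing helper assumes a wg-quick style [Interface] section like the one posted above.

```python
import base64

P = 2**255 - 19
A24 = 121665
BASEPOINT = bytes([9]) + bytes(31)      # u = 9, the Curve25519 generator

def x25519(scalar: bytes, u_bytes: bytes) -> bytes:
    """RFC 7748 Montgomery ladder: scalar * u on Curve25519."""
    k = bytearray(scalar)
    k[0] &= 248                          # clamp exactly as wg(8) does
    k[31] = (k[31] & 127) | 64
    k = int.from_bytes(k, "little")
    u = bytearray(u_bytes)
    u[31] &= 127                         # drop the unused top bit of u
    x1 = int.from_bytes(u, "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        if swap ^ kt:                    # conditional swap from the RFC
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def wg_pubkey(private_b64: str) -> str:
    """What `wg pubkey` prints: base64 public key for a base64 private key."""
    priv = base64.b64decode(private_b64)
    assert len(priv) == 32, "WireGuard keys are exactly 32 bytes"
    return base64.b64encode(x25519(priv, BASEPOINT)).decode()

def interface_pubkey(config: str) -> str:
    """Public key LuCI should show for the [Interface] PrivateKey of a wg-quick config."""
    for line in config.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "PrivateKey":
            return wg_pubkey(value.strip())
    raise ValueError("no PrivateKey line in [Interface]")

# RFC 7748 section 6.1 test vector (Alice), used here as a constructed key pair.
RFC_PRIV_B64 = base64.b64encode(bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")).decode()
RFC_PUB_B64 = base64.b64encode(bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")).decode()
```

Running wg pubkey on RFC_PRIV_B64 gives the same string as wg_pubkey; the value LuCI fills into the interface's Public Key box is this derived key, which is never the [Peer] PublicKey.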

As I mentioned, I am able to use wireguard without any problems from a Linux box. I have tested this also from my Raspberry Pi (running Debian 11), which connects to the ISP router via WiFi and there is no problem. That means ISP and NordVPN are not to blame.
After much digging, I did find a solution: The EndPoints I was using did not support the wireguard protocol.
Using https://www.wireguard.com/install/ (for Windows) SxS with the NordVPN app, I was able to sift through servers (EndPoints) and discovered this fact - that NOT ALL NordVPN servers support wireguard.

???

Hummmm....OK. Interesting.

So you changed endpoints. Gotcha.

Just curious, what do you blame them as the source of the issue?

(TBH, I wasn't aware a lot of VPN providers roamed the WG private key and accounts across multiple servers anyway, although in theory, it's possible.)

It is absolutely expected behavior. I know, who is ready to confirm it.

1 Like

Was about to post similar to topic starter in regards to NordVPN Wireguard support being iffy with routers; it's, I believe, due to their own wireguard implementation but can't be 100%. It's why I avoided going with them also.

I recommend trying Mullvad VPN out; it's only $5 per month, you can try it for 1 month even and see, no contracts involved. They also have an easier and more understandable OpenWrt guide
shown here

If you don't want to use Mullvad you can also still use its free OpenWrt guide, but you have to get all your details from the VPN provider, so you will need your WG config file which has the public/private keys, DNS, endpoints, ports etc.

Also don't forget you have to generate a new device for your Wireguard OpenWrt/router use, so if your desktop PC uses Wireguard, you need to create a 2nd Wireguard device for the new router or new device, and also new config files based off that 2nd Wireguard device; otherwise it will just get blocked and not connect or work right.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.