I have been using Wireguard and OpenVPN with my VPN subscription. And I could use them interchangeably. About 3 weeks ago, Wireguard ceased to work. I am pretty conversant with the configuration so it's not an issue about the configuration because I have a config file that I import.
What happens is that the tunnel comes up, but there is no traffic going through it even though "Route Allowed IPs" is enabled and I have assigned the interface to the WAN zone.
What I have realized is that it is no longer possible to manually configure the interface without entering a public key in the General Settings tab. I entered the public key for the Peer on this tab. I am not absolutely sure this is right, but some posts suggest so. When I import a config file, the key I see populated on that field is not the same as the Public Key of the peer.
At the end of it, there seems to be a handshake and no traffic going through.
For completeness, here is the file that I do import:
Just to add to this, my router's WAN IP is in the 192.168.1.0/24 subnet (LAN subnet of my ISP's router) while my LAN subnet is 172.16.17.1/24. My ISP's router has a public IP that is not NATed.
I remain stumped as to what is the reason wireguard stopped working. This is happening on 3 different routers.
I haven't changed any keys. The only thing I ever change is the Peer EndPoint.
Do you mean my account with the ISP or the VPN provider? For the ISP, my traffic can be throttled if I hit 30GB in 24hrs, but that would get reset at midnight. You can safely assume there is no limit.
My biggest worry was the requirement for a public key in the General Settings tab. It never used to be there. Previously, I would just configure everything and that key would be empty. However, from a Linux box, I have verified that the key being populated in that field when I import the configuration is correct. I can see it by doing sudo wg show.
The other thing is, from a Linux box, I can connect to VPN using wireguard and everything works.
In OpenWrt, I am not even getting a handshake, and something is telling me to try downgrading to 22.03.1 and see what happens.
If so, you can use the wireguard watchdog to update in cron.
An empty/null public key is not possible... you must have a public key of the local peer (it's just not used). Your public key is filled out by the private one.
If you didn't generate automatically, generate your Public Key with the wg pubkey command.
I have configs before this web GUI box existed - and the value is filled out and does not appear in the command line config, so it seems you may have edited your config at some point in LuCI. After testing myself, adding any value will work upon saving - as long as there's a valid Private Key (see below).
@jow - I reported to you years ago another Wireguard web GUI issue so I tagged you. After testing and even using a good key, it only proceeds when you enter some value foo. I pasted an invalid Public Key and noticed when I hit "save" that it edited it to the correct one. The Public Key section only exists for users who wish to generate a new keypair - this box can be edited to be greyed and only filled when the button is pressed.
They do not support using wireguard on routers. They will simply tell you to use their App.
But this is not a problem with them as I am able to use wireguard on a Linux box with the same credentials.
The box for public key is informational only. If you were controlling the keys (you're not), you would need to share your public key with the other peer so they can encrypt packets to send to you. You would then decrypt them with your private key, which should be kept secret.
A VPN service which fully supports Wireguard in the most secure way would allow you to generate your own private key and keep it secret. To authorize your connection you would register the corresponding public key with them by a reasonably secure out of band method such as a web form.
In other words, the base wg0 interface holds your private key. The peer connection holds their public key; they keep their private key secret. A public key can be derived from a private key at any time, but of course the reverse is not possible.
As I mentioned, I am able to use wireguard without any problems from a Linux box. I have tested this also from my Raspberry Pi (running Debian11), which connects to the ISP router via WiFi and there is no problem. That means ISP and NordVPN are not to blame.
After much digging, I did find a solution: The EndPoints I was using did not support the wireguard protocol.
Using https://www.wireguard.com/install/ (for Windows) SxS with the NordVPN app, I was able to shift through servers (EndPoints) and discovered this fact - that NOT ALL NordVPN servers support wireguard.
Was about to post similar to the topic starter in regards to NordVPN Wireguard support being iffy with routers. It's, I believe, due to their own wireguard implementation but I can't be 100%; it's why I avoided going with them also.
I recommend trying Mullvad VPN out; it's only $5 per month, you can try it for 1 month even and see, no contracts involved. They also have an easier and more understandable OpenWrt guide, shown here.
If you don't want to use Mullvad you can also still use its free OpenWrt guide, but you have to get all your details from the VPN provider, so you will need your WG config file which has the public/private keys, DNS, endpoints, ports etc.
Also don't forget you have to generate a new device for your Wireguard OpenWrt/router use. So if your desktop PC uses Wireguard, you need to create a 2nd Wireguard device for the new router or new device, and also new config files based off that 2nd Wireguard device; otherwise it will just get blocked and not connect or work right.