WireGuard: Peer not showing in 'wg showconf'

Xierion · February 20, 2021, 12:35am

I have successfully configured and tested a WireGuard VPN connection from my unRAID server, but would prefer to have connections directly on my OpenWRT router (Raspberry Pi 3B+)

My android device can connect via unRAID, but identical settings will not connect via OpenWRT

(interface name wg0 is common across devices, but port number is different to allow side-by-side connections for testing)

running 'wg showconf wg0' on unRAID shows:

> [Interface]
> ListenPort = 12345
> PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> 
> [Peer]
> PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> AllowedIPs = 10.253.0.2/32
> Endpoint = xxx.xxx.xxx.xxx:xxxxx

Running the same command on OpenWRT shows:

> [Interface]
> ListenPort = 1234
> PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxx

but there is no mention of a peer on OpenWRT.

'/etc/config/network' shows a peer is configured:

> config interface 'wg0'
>         option proto 'wireguard'
>         option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
>         option listen_port '1234'
>         list addresses '192.168.1.1'
> 
> config wireguard_wg0
>         option route_allowed_ips '1'
>         option public_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
>         option description 'Android'
>         list allowed_ips '0.0.0.0/0'
>         option persistent_keepalive '25'

I can only guess that I am having connection issues because WireGuard does not show a peer as configured.

vgaetera · February 20, 2021, 3:00am

Check the output:

wg show; iptables-save -c -t filter | grep -e 1234

Xierion · February 20, 2021, 4:19am

interface: wg0
  public key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  private key: (hidden)
  listening port: 1234
[0:0] -A zone_wan_input -p udp -m udp --dport 1234 -m comment --comment "!fw3: WireGuard" -j ACCEPT

vgaetera · February 20, 2021, 5:02am

uci show network

Xierion · February 20, 2021, 5:18am

network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd52:833a:b6a8::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='10.0.0.1'
network.lan.ifname='eth1'
network.lan.proto='static'
network.wan=interface
network.wan.ifname='eth0'
network.wan.proto='dhcp'
network.wg0=interface
network.wg0.proto='wireguard'
network.wg0.private_key='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
network.wg0.listen_port='1234'
network.wg0.addresses='192.168.1.1'
network.@wireguard_wg0[0]=wireguard_wg0
network.@wireguard_wg0[0].public_key='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
network.@wireguard_wg0[0].description='Android'
network.@wireguard_wg0[0].allowed_ips='0.0.0.0/0'
network.@wireguard_wg0[0].endpoint_host='192.168.1.2'
network.@wireguard_wg0[0].persistent_keepalive='25'

The peer appears to be showing up in the core config. Should it be showing in the 'wg showconf wg0' command?

vgaetera · February 20, 2021, 5:23am

uci -q delete network.wg0.addresses
uci add_list network.wg0.addresses="192.168.1.1/24"
uci -q delete network.@wireguard_wg0[0].endpoint_host
uci -q delete network.@wireguard_wg0[0].allowed_ips
uci add_list network.@wireguard_wg0[0].allowed_ips="192.168.1.2/32"
uci commit network
/etc/init.d/network restart

Xierion · February 20, 2021, 5:54am

still no luck

root@OpenWrt:~# wg showconf wg0
[Interface]
ListenPort = 1234
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxx

root@OpenWrt:~# uci show network
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd52:833a:b6a8::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='10.0.0.1'
network.lan.ifname='eth1'
network.lan.proto='static'
network.wan=interface
network.wan.ifname='eth0'
network.wan.proto='dhcp'
network.wg0=interface
network.wg0.proto='wireguard'
network.wg0.private_key='xxxxxxxxxxxxxxxxxxxxxxxx'
network.wg0.listen_port='1234'
network.wg0.addresses='192.168.1.1/24'
network.@wireguard_wg0[0]=wireguard_wg0
network.@wireguard_wg0[0].public_key='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
network.@wireguard_wg0[0].description='Android'
network.@wireguard_wg0[0].persistent_keepalive='25'
network.@wireguard_wg0[0].allowed_ips='192.168.1.2/32'

vgaetera · February 23, 2021, 10:49am

That's weird, perhaps there's some typo I cannot notice.

Try this script:
https://openwrt.org/docs/guide-user/services/vpn/wireguard/extras#automated

Run the script as-is, and it should give you a working config at least.
Then you can adjust the code and configs to your needs.

Xierion · February 20, 2021, 6:31am

'Weird' was my thoughts too. I thought the process I was following was pretty straight forward.

The script didn't appear to do too much, and manually visiting 'https://openwrt.org/_export/code/docs/guide-user/services/vpn/wireguard' shows This page does not exist anymore

yousong · February 20, 2021, 7:03am

Are there any errors in logread when restarting the interface, like with ifup wg0

Or debug it by editing /lib/netifd/proto/wireguard.sh and check the generated config in /tmp/wireguard/wg0.conf

diff --git a/package/network/utils/wireguard-tools/files/wireguard.sh b/package/network/utils/wireguard-tools/files/wireguard.sh
index 63261aea71..cb4be373f8 100644
--- a/lib/netifd/proto/wireguard.sh
+++ b/lib/netifd/proto/wireguard.sh
@@ -139,7 +139,7 @@ proto_wireguard_setup() {
 	${WG} setconf ${config} "${wg_cfg}"
 	WG_RETURN=$?
 
-	rm -f "${wg_cfg}"
+	#rm -f "${wg_cfg}"
 
 	if [ ${WG_RETURN} -ne 0 ]; then
 		sleep 5

Xierion · February 20, 2021, 6:54am

The only result I am getting from a logread is 'user.notice firewall: Reloading firewall due to ifup of wg0 (wg0)'

I am not sure what to edit in '/lib/netifd/proto/wireguard.sh' to enable debugging, and '/tmp/wireguard/wg0.conf' does not currently exist

yousong · February 20, 2021, 7:04am

Commenting out the rm -f command should preserve the generated config file in tmp dir

vgaetera · February 20, 2021, 7:07am

That's only part of the full URL to be expanded while downloading the script.

It should download and combine 5 blocks of code from the relevant how-tos.
Then run the resulting script which should generate a working config:

sh wireguard-server.sh

Xierion · February 23, 2021, 10:32am

Gotcha. running script now

Xierion · February 23, 2021, 10:58am

Script appeared to work, and set up a vpn interface, but ended up with the same scenario as created manually.

Xierion · February 23, 2021, 11:04am

enabling debugging after running the 'WireGuard extras - Automated' script shows the following:

root@OpenWrt:/tmp/wireguard# cat vpn
[Interface]
PrivateKey=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ListenPort=51820
[Peer]
PublicKey=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
AllowedIPs=192.168.9.2/32
AllowedIPs=fdf1:e8a1:8d3f:9::2/128

vgaetera · February 23, 2021, 11:15am

Then the cause of the problem is likely unrelated to the WireGuard configs.
Try to re-flash the latest stable OpenWrt release.

Xierion · February 23, 2021, 11:14am

currently running v19.07.7

yousong · February 23, 2021, 11:35am

How about trying to manually setup the wireguard with the generated config. Something like the following

ip link add vpn0 type wireguard
wg setconf vpn0 /tmp/wireguard/vpn
wg show

Is it possible that there is something wrong in peer's public key? like a typo when copying/pasting. A wild guess.

Xierion · March 2, 2021, 9:46am

I think I have it sorted. I was using luci-app-wireguard and I think the QR code thing was throwing me off.

Following the guide chrisbuchan.co.uk/computing/wireguard-setup-openwrt/ has worked fine.

In hindsight I should have done that in the 1st place. Thanks for your collective help.