Wireguard peers using uci

I do not have LuCI installed, and would like to add a peer to an existing interface. The wiki only has examples of adding new interfaces for each peer. Is there a way to add a peer to an existing interface using uci or editing /etc/config/network?

Currently, when I add a wireguard interface, a new config interface name with option proto wireguard is created, and upon adding a peer a new config wireguard_peername is created, but that section doesn't seem to have any references to which interface the peer is supposed to be on.

Thanks


AFAIK, config wireguard_wgname refers to the interface wgname.
Also, afaik, to name a peer, you need config wireguard_wgname 'peer0'.

Really? :smiley:

See also:


Really, really sorry if it sounds stupid, but that only adds one peer for the WG_IF, doesn't it?
I tried this as per @stangri's suggestion:

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'xx='
        option listen_port '9009'
        list addresses 'fd12:34:56::1'
config wireguard_wg0 phone
        option description 'phone'
        option public_key 'xx='
        list allowed_ips 'fd00::/8'

config wireguard_wg0 laptop
        option description 'laptop'
        option public_key 'xx='
        list allowed_ips 'fd00::/8'

This actually kinda worked, I had 2 peers successfully, but the phone peer's allowed ips were shown as (none) when I ran wg show wg0.

No, just change the peer name.

I tried that as well, and as I mentioned previously, the allowed_ips for the first peer (phone) get set to none for some reason.

The wiki instructions are verified by multiple users, so that should be a typo on your side.

Alright, I'll check again. Thanks a lot for helping


So turns out this is actually expected behaviour:
https://phabricator.vyos.net/T2735

In wireguard routing is done based on the allowed-ip statements and the destination ip and not on the nexthop ip defined on the neighbor

So, defining the same/overlapping allowed-ips on two peers in the same tunnel results in only one peer getting the statement, as wireguard removes it from the previously defined peer


Yep, each peer in a single config should use unique, non-overlapping allowed IP ranges.

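As an added example (not from this thread and not OpenWrt's own tooling), here is a small checker that reads a UCI network config in the format posted above, ties each peer to its interface through the `wireguard_<ifname>` section type, and reports any two peers on the same interface whose allowed_ips overlap, which is exactly the case that made the phone peer show (none). The sample config embedded below is constructed.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample in the thread's own format: two peers on wg0 with the same allowed_ips.
SAMPLE_CONFIG = """
config interface 'wg0'
        option proto 'wireguard'
config wireguard_wg0 'phone'
        list allowed_ips 'fd00::/8'
config wireguard_wg0 'laptop'
        list allowed_ips 'fd00::/8'
"""

SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'?([^'\s]*)'?)?$")
ALLOWED_RE = re.compile(r"^list\s+allowed_ips\s+'?([^'\s]+)'?$")

def parse_peers(text):
    # Map iface -> [(peer_name, [networks])]. A peer section's *type* is
    # 'wireguard_<iface>'; that is the only thing tying a peer to its interface.
    peers, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            stype, name = sec.groups()
            current = None
            if stype.startswith("wireguard_"):
                iface = stype[len("wireguard_"):]
                current = (name or "peer%d" % len(peers.get(iface, [])), [])
                peers.setdefault(iface, []).append(current)
            continue
        net = ALLOWED_RE.match(line)
        if net and current is not None:
            current[1].append(ipaddress.ip_network(net.group(1), strict=False))
    return peers

def find_overlaps(peers):
    # One tuple per pair of peers on the same interface whose allowed_ips overlap;
    # WireGuard would silently keep the route only on the peer configured last.
    hits = []
    for iface, plist in peers.items():
        for (a, nets_a), (b, nets_b) in combinations(plist, 2):
            hits += [(iface, a, b, str(na), str(nb)) for na in nets_a
                     for nb in nets_b if na.version == nb.version and na.overlaps(nb)]
    return hits

if __name__ == "__main__":
    for iface, a, b, na, nb in find_overlaps(parse_peers(SAMPLE_CONFIG)):
        print("%s: peer %s (%s) overlaps peer %s (%s)" % (iface, a, na, b, nb))
```

Run it against the contents of /etc/config/network before `uci commit`; an empty result means every peer on each interface has distinct allowed_ips.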
