Wireguard problem in 25.12

Hi,

I have an openwrt installation with a wireguard configured to access my home network. With openwrt 24.10 everything worked fine, but after upgrading to 25.10 I have one peer that fails to connect. The weird part is that it only fails on some networks. It's a windows laptop and if I try to connect from outside my network via a mobile phone's hotspot (4G) it works perfectly. But when the laptop is connected to an external wifi network, it looks like it can't establish a wireguard connection. On the router (in luci or with wg show), the latest handshake doesn't update when trying to connect the peer.

Other wireguard peers (Linux laptops and Android phones) work just fine with the 25.10 setup. The problematic laptop also works fine if I downgrade the router back to 24.10. So the problem is not that the external wifi network blocks UDP traffic to the wireguard port. So the only thing that changed is the openwrt version. I even compared the config files between the two versions, and there is nothing that stands out. Most settings are 100% identical, and the few differences are settings that got migrated during the upgrade (for example the dhcp_default_duid).

I have a pretty standard wireguard configuration, with the wireguard interface added to the lan firewall zone and a traffic rule to allow traffic to the wireguard port from the wan.

Jef

Let's check your configs, please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have but do not redact private RFC 1918 IP addresses (192.168.X.X, 10.X.X.X and 172.16-32.X.X) as that is not needed:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
ip route show
ip -6 route show
ip route show table all
ip rule show
wg show

Please also share the config from the laptop.

The laptop can connect from a mobile hotspot but not from an external wifi so the problem must also be related to the external wifi.
What is the IP address the laptop gets from the external wifi, is it the same as your home network?
Does your laptop also receive a public IPv6 address from the external wifi?

These problems are often related to MTU or IPv4/IPv6 problems.

For the record how I setup a WireGuard server:
WireGuard Server Setup Guide

I might have a similar issue with wireguard. Every peer made with 24.10.x can connect, a new peer made with 25.12.0 (target device is a GL.inet slate7 running latest firmware) won’t connect. Using the same new peer configuration on a previous client as a new connection profile will connect successfully.

You can share your configs as stated in my previous post so that we can have a look :slight_smile:

I have a scheduled session with glinet to try to confirm if there is an issue with their build of openwrt/wg. If they won’t find anything substantial I will bother you with the config dump. :slight_smile:

If you run GL.iNet's heavily modified fork we cannot help you as we do not have experience with that.

Bananapi r4 running openwrt 25.12.0 as the wireguard server, glinet slate 7 as a wireguard client. I’m not going to inconvenience anyone here with help requests (and hijacking the thread any further) until I’ve confirmed with them that there is something off with the bananapi r4 side of things.

We can surely have a look at the server side to see if there is anything wrong.

If you need help just post your configs :slight_smile:

In my case it was a stupid error in the configuration. I also added a new peer after the upgrade to 25.12, but by accident I re-used the same ip address of another peer (copy-paste mistake). I noticed the mistake while collecting the requested info:

# wg show

interface: wg
  public key: (removed)
  private key: (hidden)
  listening port: 51820

peer: (removed)
  preshared key: (hidden)
  endpoint: X.X.X.X:X
  allowed ips: (none)
  latest handshake: 5 minutes, 52 seconds ago
  transfer: 148 B received, 156 B sent

peer: (removed)
  preshared key: (hidden)
  allowed ips: 10.0.0.7/32

As you can see, the first peer (the problematic windows laptop) was able to handshake, but I guess no further communication is possible because the allowed ips is empty. I suspect because the last peer has the same ip address, it happened to "win" in this conflict and "steal" the ip address from the first peer. After correcting the ip address of the second peer, the connection works again for the first peer!
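A check for exactly this mistake, added here as an example and not taken from the thread: a POSIX sh/awk script that scans the wireguard peer sections of /etc/config/network for an allowed_ips prefix claimed by more than one peer, which is what makes the earlier peer show "allowed ips: (none)" in wg show. The embedded config is a constructed sample (peer names and keys are placeholders); on a router run it as `find_dup_allowed_ips wg < /etc/config/network`.

```shell
#!/bin/sh
# Constructed sample of the WireGuard part of /etc/config/network (not the
# poster's real config): the third peer repeats the first peer's allowed IP.
SAMPLE_CONFIG=$(cat <<'EOF'
config interface 'wg'
	option proto 'wireguard'
	option listen_port '51820'
	list addresses '10.0.0.1/24'

config wireguard_wg
	option description 'laptop-win'
	option public_key 'REDACTED_KEY_1'
	list allowed_ips '10.0.0.7/32'

config wireguard_wg
	option description 'phone'
	option public_key 'REDACTED_KEY_2'
	list allowed_ips '10.0.0.5/32'

config wireguard_wg
	option description 'new-peer'
	option public_key 'REDACTED_KEY_3'
	list allowed_ips '10.0.0.7/32'
EOF
)

# Read a UCI network config on stdin; print "<allowed_ip> <peer> <peer>..."
# for every prefix claimed by more than one peer of interface $1; exit 1 if
# any duplicate exists. WireGuard's cryptokey routing maps each prefix to
# exactly one peer, so the last peer to claim it wins and the other gets none.
find_dup_allowed_ips() {
    awk -v sect="wireguard_$1" -v q="'" '
        function value() {            # strip "option/list <key>" and quotes
            sub(/^[ \t]*(option|list)[ \t]+[A-Za-z0-9_]+[ \t]+/, "")
            gsub(q, ""); return $0
        }
        $1 == "config" { in_peer = ($2 == sect); if (in_peer) n++; next }
        !in_peer { next }
        $2 == "description" { desc[n] = value(); next }
        $2 == "allowed_ips" { ip = value(); claims[ip] = claims[ip] " " n }
        END {
            for (ip in claims) {
                c = split(claims[ip], idx, " ")
                if (c < 2) continue
                dup = 1; line = ip
                for (i = 1; i <= c; i++)
                    line = line " " (idx[i] in desc ? desc[idx[i]] : "peer#" idx[i])
                print line
            }
            exit dup ? 1 : 0
        }'
}

if ! printf '%s\n' "$SAMPLE_CONFIG" | find_dup_allowed_ips wg; then
    echo "fix: give each peer its own allowed_ips prefix" >&2
fi
```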

Good find :+1:

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

@matteo please start a new thread if you need assistance, thanks.
