Wireguard second peer not working

Hi there,

I just installed wireguard on OpenWrt. Works fine with one peer.
Now I tried to configure a second peer similar to the first one, with just another IP address. This one doesn't work.
Even on LuCI/Wireguard Status only the first one is shown.
Where can I have a look to fix this?

Thanks in advance

Give the output of the config file in /etc/config corresponding to WireGuard.

In /etc/config there is nothing to find regarding WireGuard.

It's all in /etc/config/network

Now I got it, thanks.
Here we go:

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'xxx='
	option listen_port '51821'
	list addresses '10.15.0.1/24'

config wireguard_wg0
	option description 'iPhone'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option public_key 'xxx='
	list allowed_ips '10.15.0.3/16'

config wireguard_wg0
	option public_key 'xxx'
	list allowed_ips '10.15.0.4/16'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option description 'test'

Change the allowed IPs for each peer from /16 to /32.

No success at all. If I do a tcpdump on wg0 there is traffic running when I connect the first peer, and nothing to see using the second one...

Have you restarted the interface after making the change?

Yes, including a reboot.

Ok, can you paste the output of:

uci export network; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru ; wg

Redact any sensitive info.

package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd34:8628:b7b2::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '172.17.1.1'

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth1'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0'

config route
	option target '192.168.150.0'
	option netmask '255.255.255.0'
	option interface 'lan'
	option gateway '172.17.1.102'

config route
	option target '10.14.0.0'
	option netmask '255.255.255.0'
	option interface 'lan'
	option gateway '172.17.1.102'

config route
	option target '192.168.178.0'
	option netmask '255.255.255.0'
	option interface 'lan'
	option gateway '172.17.1.102'

config route
	option target '192.168.100.0'
	option netmask '255.255.255.0'
	option interface 'lan'
	option gateway '172.17.1.102'

config route
	option target '10.9.0.0'
	option gateway '172.17.1.102'
	option netmask '255.255.255.0'
	option interface 'lan'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'xxx'
	option listen_port '51821'
	list addresses '10.15.0.1/24'

config wireguard_wg0
	option description 'iPhone'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option public_key 'xxx'
	list allowed_ips '10.15.0.3/32'

config wireguard_wg0
	option public_key 'xxx'
	option description 'test'
	list allowed_ips '10.15.0.4/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan wg0'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option dest_port '51821'
	option src 'wan'
	option name 'wg'
	option target 'ACCEPT'
	list proto 'udp'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option dest 'lan'
	option proto 'udp'
	option target 'ACCEPT'
	option name 'Allow-ISAKMP und Fritz!Fon'
	option dest_port '500 4000'

config include
	option path '/etc/firewall.user'

config redirect
	option dest_port '80'
	option src 'wan'
	option name 'NAS HTTP'
	option src_dport '80'
	option target 'DNAT'
	option dest_ip '172.17.1.17'
	option dest 'lan'

config redirect
	option dest_port '443'
	option src 'wan'
	option name 'NAS HTTPS'
	option src_dport '443'
	option target 'DNAT'
	option dest_ip '172.17.1.17'
	option dest 'lan'
	list proto 'tcp'

config redirect
	option dest_port '8081'
	option src 'wan'
	option name 'NAS 8081'
	option src_dport '8081'
	option target 'DNAT'
	option dest_ip '172.17.1.17'
	option dest 'lan'
	option enabled '0'

config redirect
	option dest_port '873'
	option src 'wan'
	option name 'NAS Rsync'
	option src_dport '873'
	option target 'DNAT'
	option dest_ip '172.17.1.17'
	option dest 'lan'

config redirect
	option dest_port '8899'
	option src 'wan'
	option name 'NAS RRTR'
	option src_dport '8899'
	option target 'DNAT'
	option dest_ip '172.17.1.17'
	option dest 'lan'

config redirect
	option dest_port '5001'
	option src 'wan'
	option name 'NAS WEBDAV'
	option src_dport '5001'
	option target 'DNAT'
	option dest_ip '172.17.1.17'
	option dest 'lan'
	list proto 'tcp'

config redirect
	option dest_port '51823'
	option src 'wan'
	option name 'wireguard WRT'
	option src_dport '51823'
	option target 'DNAT'
	option dest 'lan'
	list proto 'udp'
	option dest_ip '172.17.1.102'

config redirect
	option dest_port '51820'
	option src 'wan'
	option name 'Wireguard Pi'
	option src_dport '51820'
	option target 'DNAT'
	option dest_ip '172.17.1.95'
	option dest 'lan'
	list proto 'udp'

config rule
	option src 'wan'
	option name 'test wan to lan'
	list src_ip '172.16.1.1'
	option dest 'lan'
	option target 'ACCEPT'

config redirect
	option dest_port '873'
	option src 'wan'
	option name 'Rsync'
	option src_dport '873'
	option target 'DNAT'
	option dest_ip '172.17.1.17'
	option dest 'lan'
	list proto 'tcp'

config redirect
	option dest_port '8899'
	option src 'wan'
	option name 'RRTR'
	option src_dport '8899'
	option target 'DNAT'
	option dest_ip '172.17.1.17'
	option dest 'lan'
	list proto 'tcp'

config redirect
	option dest_port '5001'
	option src 'wan'
	option name 'WEBDAV'
	option src_dport '5001'
	option target 'DNAT'
	option dest_ip '172.17.1.17'
	option dest 'lan'
	list proto 'tcp'

config redirect
	option dest_port '8080'
	option src 'wan'
	option name 'HTTP 8080'
	option src_dport '8080'
	option target 'DNAT'
	option dest_ip '172.17.1.17'
	option dest 'lan'

config rule
	option dest_port '53'
	option src 'lan'
	option name 'DNS'
	option dest 'wan'
	option target 'ACCEPT'

config rule
	option src 'lan'
	option name 'Cisco Anyconnect'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'udp'
	option dest_port '4500 443 500'

config rule
	option src 'lan'
	option name 'Cisco Anyconnect 2'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'tcp'
	option dest_port '57339 57337 57350 57358'

config rule
	option src 'lan'
	option name 'Mail'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'tcp'
	option dest_port '587 25 465 993 995 110'

config rule
	option src 'lan'
	option name 'HTTP(s)'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'tcp'
	option dest_port '80 443 8080'

config rule
	option dest_port '123'
	option src 'lan'
	option name 'NTP'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'udp'

config rule
	option src 'lan'
	option name 'wireguard'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'udp'
	option dest_port '51820 51821 51823'

config rule
	option src 'lan'
	option name 'SIP'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'udp'
	option dest_port '5060 5062 5063 7082 7083 7078'

config rule
	option src 'lan'
	option name 'Fritz!Fon App'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'
	option dest_port '1900 4006 4008 49000 49443 5060 7079 7083 7086 7087 5062 5063'

config rule
	option src 'lan'
	option name 'SIP out'
	option dest 'wan'
	option target 'ACCEPT'
	option dest_port '5062'
	list proto 'udp'
	list proto 'icmp'
	option enabled '0'

config rule
	option dest 'wan'
	option src 'lan'
	option name 'Block all'
	option target 'REJECT'

config redirect
	option dest_port '5060-5062'
	option src 'wan'
	option name 'Pohner LIte'
	option src_dport '5060-5062'
	option target 'DNAT'
	option dest_ip '172.17.1.54'
	option dest 'lan'
	list proto 'udp'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 192.168.50.40/24 brd 192.168.50.255 scope global eth1
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 172.17.1.1/24 brd 172.17.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
11: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.15.0.1/24 brd 10.15.0.255 scope global wg0
       valid_lft forever preferred_lft forever
default via 192.168.50.1 dev eth1 proto static src 192.168.50.40 
10.9.0.0/24 via 172.17.1.102 dev br-lan proto static 
10.14.0.0/24 via 172.17.1.102 dev br-lan proto static 
10.15.0.0/24 dev wg0 proto kernel scope link src 10.15.0.1 
10.15.0.3 dev wg0 proto static scope link 
10.15.0.4 dev wg0 proto static scope link 
172.17.1.0/24 dev br-lan proto kernel scope link src 172.17.1.1 
192.168.50.0/24 dev eth1 proto kernel scope link src 192.168.50.40 
192.168.100.0/24 via 172.17.1.102 dev br-lan proto static 
192.168.150.0/24 via 172.17.1.102 dev br-lan proto static 
192.168.178.0/24 via 172.17.1.102 dev br-lan proto static 
broadcast 10.15.0.0 dev wg0 table local proto kernel scope link src 10.15.0.1 
local 10.15.0.1 dev wg0 table local proto kernel scope host src 10.15.0.1 
broadcast 10.15.0.255 dev wg0 table local proto kernel scope link src 10.15.0.1 
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
broadcast 172.17.1.0 dev br-lan table local proto kernel scope link src 172.17.1.1 
local 172.17.1.1 dev br-lan table local proto kernel scope host src 172.17.1.1 
broadcast 172.17.1.255 dev br-lan table local proto kernel scope link src 172.17.1.1 
broadcast 192.168.50.0 dev eth1 table local proto kernel scope link src 192.168.50.40 
local 192.168.50.40 dev eth1 table local proto kernel scope host src 192.168.50.40 
broadcast 192.168.50.255 dev eth1 table local proto kernel scope link src 192.168.50.40 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
interface: wg0
  public key: xxx
  private key: (hidden)
  listening port: 51821

peer: xxx
  endpoint: xxx:62015
  allowed ips: 10.15.0.3/32
  latest handshake: 1 minute, 1 second ago
  transfer: 2.66 KiB received, 6.79 KiB sent
  persistent keepalive: every 25 seconds

The fact the second peer isn't showing up at all would suggest a misconfiguration issue somewhere. The bits I can see look ok. Have you double checked you copied the new peer key correctly?
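Not part of the thread: a small Python checker, written here as an added example, that parses `uci export network` style text and flags the things asked about above, that is a public key that is not a valid 32-byte key (44 base64 characters, so a copy that lost the trailing `=` is rejected), the same key reused by two peers, and allowed_ips that are not /32 host routes or overlap another peer. The sample config and both keys are constructed and the peer names follow the posted config only for readability.

```python
import base64, binascii, ipaddress, re

# Constructed sample modelled on the first posted config. Both keys are
# made up; the second one is 43 characters, i.e. its trailing '=' was lost.
SAMPLE = """\
config wireguard_wg0
    option description 'iPhone'
    option public_key 'AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8='
    list allowed_ips '10.15.0.3/16'
config wireguard_wg0
    option description 'test'
    option public_key 'ICEiIyQlJicoKSorLC0uLzAxMjM0NTY3ODk6Ozw9Pj8'
    list allowed_ips '10.15.0.4/16'
"""
# One UCI line: "config <type> ['name']", "option k 'v'" or "list k 'v'".
LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?")

def parse_uci(text):
    """UCI export text -> list of (section_type, {key: [values]})."""
    sections = []
    for m in filter(None, map(LINE.match, text.splitlines())):
        kind, key, value = m.groups()
        if kind == "config":
            sections.append((key, {}))
        elif sections:
            sections[-1][1].setdefault(key, []).append(value)
    return sections

def key_ok(key):
    """A WireGuard public key is 32 bytes: exactly 44 base64 characters."""
    try:
        return len(key) == 44 and len(base64.b64decode(key, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False

def check_peers(text, ifname="wg0"):
    """Return a list of human-readable findings for the peers of ifname."""
    peers = [p for t, p in parse_uci(text) if t == f"wireguard_{ifname}"]
    findings, seen, nets = [], {}, []
    for p in peers:
        name = p.get("description", ["?"])[0]
        key = p.get("public_key", [""])[0]
        if not key_ok(key):
            findings.append(f"{name}: public_key is not a valid 44-char base64 key")
        if key in seen:
            findings.append(f"{name}: public_key duplicates peer {seen[key]}")
        seen.setdefault(key, name)
        for cidr in p.get("allowed_ips", []):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen != net.max_prefixlen:
                findings.append(f"{name}: allowed_ips {cidr} is not a host (/32) route")
            findings += [f"{name}: {cidr} overlaps {o} ({n})" for o, n in nets if net.overlaps(n)]
            nets.append((name, net))
    return findings
```

Running `check_peers(SAMPLE)` on the sample reports the /16 masks on both peers, their overlap, and the truncated second key; feed it the real `uci export network` output to get the same checks on a live router.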

I have. I just tried to add a second peer on my test router (just changed the IPs, port and public key of the server). That one worked at once.
So I also believe that something in the configuration is not working.
Maybe I have to reinstall and start from scratch.

Have you tried to connect both clients in series, not simultaneously?

Yes, I have. I guess wg doesn't accept the second peer. It is not shown in the WireGuard status on LuCI, and even a tcpdump on the wg interface sees no traffic from the second IP.

A route seems to have been added for the second peer, so it appears it's recognising there is a second entry but that it's failing to come up all the way. Have you tried regenerating keys for the second peer? Worth a try just to rule out any key based issues.

I did. I tried the same keypair on my test machine.
I also configured a completely new second peer.

Does your second peer connect without the first one? I don't understand. Does it work on its own?

I guess my explanations are confusing at this point, sorry.
I have two devices running OpenWrt.
One (FB 4040) is my production device.
Two (FB7412) is my test device.

Both run WireGuard. Then I tried to add a second peer on the 4040, and that doesn't work.
I took the same keypair and created a second peer on the 7412. That one is working fine.

Does the second peer work on the 4040 when no other peers are connected?