I’m trying to set up a WireGuard VPN client on my OpenWrt router (WRT1900ACS v2) to route all internet traffic through the VPN tunnel. I’ve installed the necessary packages and imported the configuration file using the LuCI web interface. However, after adding the WireGuard interface, it doesn’t show any activity, and there’s no handshake. Notably, the same configuration file works perfectly on my laptop and phone. Additionally, I followed this YouTube tutorial and this one to the letter, but neither resolved the issue. I’ve also rebooted the router and restarted the WireGuard interface, but I still see no packets sent or received and no handshake. Here’s what I’ve done so far:
My Setup:
OpenWrt Version: 23.05
Router Model: WRT1900ACS v2
Steps Taken:
Installed WireGuard Packages:
Installed the necessary packages (wireguard-tools, kmod-wireguard, luci-proto-wireguard) via the LuCI web interface.
Imported Configuration via LuCI:
Went to Network > Interfaces > Add new interface > WireGuard VPN.
Imported the configuration file. This should have automatically configured both the interface and the peer.
Firewall Configuration:
Assigned the wg0 interface to the VPN zone.
Enabled Masquerading and allowed forwarding from LAN to VPN.
Issue:
After adding the WireGuard interface, it doesn’t show any activity (no RX/TX packets).
There’s no handshake between my router and the VPN server.
The connection doesn’t seem to be established.
What I’ve Tried:
Double-checking the Private Key, Public Key, and Endpoint in the imported configuration for accuracy.
Ensuring the firewall rules are correctly configured.
Verifying that the wg0 interface is assigned to the VPN zone.
Rebooting the router and restarting the WireGuard interface, but still no packets are sent or received, and there’s no handshake.
Important Note:
The same configuration file works perfectly on my laptop and phone, so the issue seems to be specific to the OpenWrt setup.
Questions:
Why is there no activity or handshake after importing the configuration on OpenWrt?
Are there any additional steps required to activate the WireGuard interface on OpenWrt?
How can I verify that the VPN tunnel is properly configured and active?
Are there any known issues with WireGuard on OpenWrt 23.05 that might be causing this?
Should I consider downgrading or upgrading to another version of OpenWrt to resolve this issue?
Request:
I’d appreciate any guidance on how to resolve this issue. If anyone has successfully set up WireGuard on OpenWrt 23.05 with a similar configuration, please share your insights or configuration details.
The best way to troubleshoot is to look at the text configs.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
wg show
Thank you for your prompt response. I wanted to mention something that might be relevant. When I followed the YouTube video or the IVPN tutorial (https://www.ivpn.net/setup/router/openwrt-wireguard/), they manually set up the configuration by checking the Route Allowed IPs option, setting Persistent Keep Alive to 25, and clicking Save in the peers configuration. However, when I tried this, my router became unresponsive, and I couldn’t even connect to it via SSH. The only way I could regain control was by unplugging the RJ45 cable connecting it to the main router and restarting it. After that, I deleted the interface and reconfigured it as described in my original post to generate the logs I'm sharing with you below.
-----------------------------------------------------
root@OpenWrt:~# ubus call system board
{
	"kernel": "5.15.167",
	"hostname": "OpenWrt",
	"system": "ARMv7 Processor rev 1 (v7l)",
	"model": "Linksys WRT1900ACS",
	"board_name": "linksys,wrt1900acs",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.5",
		"revision": "r24106-10cc5fcd00",
		"target": "mvebu/cortexa9",
		"description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
	}
}
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fda4:1d22:dfdf::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'wan'
	option macaddr '16:91:82:2a:73:4f'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'wg'
	option proto 'wireguard'
	option private_key 'sensitive_info'
	list addresses '192.168.27.65/32'
	list dns '212.27.38.253'

config wireguard_wg
	option description 'Imported peer configuration'
	option public_key 'sensitive_info'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '192.168.27.64/27'
	list allowed_ips '192.168.1.0/24'
	option endpoint_host 'sensitive_info'
	option endpoint_port '44249'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'myvpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wg'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'myvpn'
root@OpenWrt:~# wg show
interface: wg
  public key: sensitive_info
  private key: (hidden)
  listening port: 57924

peer: sensitive_info
  endpoint: sensitive_info:44249
  allowed ips: 0.0.0.0/0, 192.168.27.64/27, 192.168.1.0/24
root@OpenWrt:~#
Another thing: why is it that in the new 23.05 the interface config asks for a public key, which wasn't the case before and also isn't provided by the VPN provider?
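The network config posted above lists 192.168.1.0/24 both as the LAN subnet and as a peer allowed IP. When Route Allowed IPs is enabled, OpenWrt installs a route into the tunnel for every allowed_ips prefix, so a prefix at least as specific as a directly connected subnet competes with that subnet's own route, which is the kind of conflict that cuts off LAN access to the router. As an added check that is not part of the thread, this Python snippet parses UCI config text and flags such prefixes; the sample is the LAN and peer stanzas from the config above with the redacted values kept.

```python
import ipaddress
import re

# Constructed sample: the LAN and peer stanzas from the posted /etc/config/network.
SAMPLE_NETWORK = """
config interface 'lan'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
config wireguard_wg
    option public_key 'sensitive_info'
    list allowed_ips '0.0.0.0/0'
    list allowed_ips '192.168.27.64/27'
    list allowed_ips '192.168.1.0/24'
"""

UCI_LINE = re.compile(r"\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?")

def parse_uci(text):
    """Return [(section_type, {key: [values]})] from UCI config text."""
    sections = []
    for line in text.splitlines():
        m = UCI_LINE.match(line)
        if not m:
            continue
        kind, key, value = m.groups()
        if kind == "config":
            sections.append((key, {}))   # key is the section type
        else:
            sections[-1][1].setdefault(key, []).append(value)
    return sections

def local_subnets(sections):
    """Directly connected subnets: static interfaces with ipaddr/netmask."""
    return [ipaddress.ip_network(f"{o['ipaddr'][0]}/{o['netmask'][0]}", strict=False)
            for t, o in sections
            if t == "interface" and o.get("proto") == ["static"] and "netmask" in o]

def overlapping_allowed_ips(text):
    """allowed_ips prefixes at least as specific as a connected subnet; shorter
    prefixes such as 0.0.0.0/0 lose to the connected route and are not flagged."""
    sections = parse_uci(text)
    lans = local_subnets(sections)
    hits = []
    for t, opts in sections:
        if t.startswith("wireguard_"):
            for cidr in opts.get("allowed_ips", []):
                net = ipaddress.ip_network(cidr, strict=False)
                hits += [(cidr, str(l)) for l in lans if net.version == l.version
                         and net.overlaps(l) and net.prefixlen >= l.prefixlen]
    return hits
```

Run it over `cat /etc/config/network` output before ticking Route Allowed IPs; a non-empty result means the peer is about to claim a local subnet.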
You're not getting a handshake... so there are a few possible causes:
Make sure you have disabled WG on any other devices -- each connected peer must be unique, so if any of your other devices are using the same keys and address, that will conflict.
You may have a key issue.
The private key is all that is required on the interface side. The public key is derived from the private key. So you can (and should) leave the public key blank.
Make sure that the private key and address information you got from the provider is populated here:
then make sure that the public key, endpoint host, and endpoint port are properly populated from the information the provider gave you:
the above goes into:
Make sure that the keys do not have any errors.
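The reply above says the interface public key is derived from the private key. As an added example that is not from the thread or from the WireGuard project, this pure-Python X25519 (RFC 7748 ladder) reproduces what `wg pubkey` prints, so the public key in a provider's file or the one LuCI displays can be checked against the private key offline; function names are mine, and the test uses RFC 7748's published vectors.

```python
import base64

P = 2**255 - 19   # Curve25519 field prime
A24 = 121665      # (486662 - 2) / 4, the Montgomery ladder constant

def _clamp(k: int) -> int:
    # RFC 7748 scalar clamping: clear the low 3 bits and bit 255, set bit 254
    return (k & ~7 & ((1 << 255) - 1)) | (1 << 254)

def _ladder(k: int, u: int) -> int:
    # Montgomery ladder from RFC 7748 section 5. The conditional swap is a
    # plain branch here; fine for an offline config check, not for production.
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        if swap ^ kt:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, P - 2, P) % P

def x25519(priv: bytes, peer_u: bytes) -> bytes:
    """Raw X25519: 32-byte little-endian scalar and u-coordinate in and out."""
    k = _clamp(int.from_bytes(priv, "little"))
    u = int.from_bytes(peer_u, "little") & ((1 << 255) - 1)   # drop the top bit
    return _ladder(k, u).to_bytes(32, "little")

def x25519_public(priv: bytes) -> bytes:
    return x25519(priv, (9).to_bytes(32, "little"))   # base point u = 9

def to_b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()

def wg_pubkey(priv_b64: str) -> str:
    """What `wg pubkey` prints: WireGuard keys are base64 of 32 raw bytes."""
    raw = base64.b64decode(priv_b64)
    if len(raw) != 32:
        raise ValueError("WireGuard private key must decode to 32 bytes")
    return to_b64(x25519_public(raw))
```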
Thank you for your suggestions. I’ve carefully reviewed and tested everything multiple times before reaching out. The only aspect I couldn’t verify is leaving the Public Key field empty in the Interface wg General Settings, as the web interface requires it to be filled—it’s a mandatory field. I’m not entirely sure why this is the case, but I wanted to mention it for clarity. As of now I don't know what steps I should take.
That's true, and the LuCI page is already doing that when importing the configuration, but I still have no RX/TX traffic on this newly created interface. I'm sure my configuration file isn't wrong, since using it directly in the WireGuard app works fine.
Do you know why the tutorials said I have to manually set up the configuration by checking the Route Allowed IPs option and setting Persistent Keep Alive to 25 in the peer configuration? I tried that two times and every time I lose control over the router.
Yes, that was the reason why my router stopped responding. THANK YOU SO MUCH.
Now I have the VPN handshake. I have assigned it to the firewall zone wan, and all my traffic is going through it. When I stop the wg VPN interface the internet stops working, so I've managed to accidentally implement the kill switch without planning to.