I added one peer for the Debian box (1st one) and it seems to work within the LAN (I don't have a chance to test from the public side).
I then added a 2nd peer for an Android device, using the Android WireGuard app; it works neither within the LAN nor from the public side. From the Android WireGuard logs I see that the handshake fails.
'wg show' shows only 1 peer.
/etc/config/network:
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'PRIVATE_KEY'
	option listen_port '1234'
	list addresses '10.0.10.0/24'
To me it appears that you have only one WireGuard interface, wg0.
In my configuration all peers on the same interface use config wireguard_WG0 (upper case for me; it should probably be lower case for you).
Additionally, to my knowledge, in /etc/config/network each client should have a distinct IP, e.g. 10.0.10.1/32 and 10.0.10.2/32 in your case.
Yes, only 1 interface, and I am trying to add more clients to the same interface (btw, by "peer" I meant client). In my case it is as I pasted above. If I need to add a new interface for each client, such as wg1, wg2, etc., then it is overkill; I would then need to add firewall rules as well.
I tried this already; it doesn't work.
I still don't understand what exactly these 2 lines mean:
option route_allowed_ips '1'
list allowed_ips '10.0.10.1/32'
Multiple WireGuard interfaces are possible; of course this impacts firewall rules etc.
Each WireGuard interface can have multiple peers/clients.
Regarding allowed_ips:
a comma-separated list of IP (v4 or v6) addresses with CIDR masks from which incoming traffic for this peer is allowed and to which outgoing traffic for this peer is directed. The catch-all 0.0.0.0/0 may be specified for matching all IPv4 addresses, and ::/0 may be specified for matching all IPv6 addresses. May be specified multiple times.
So it seems client definitions should have the same suffix "_interfaceName" for the given interface. My mistake was adding suffixes such as _wg0, _wg1 etc. for the interface wg0.
The wiki needs to be updated; it is confusing.
From wiki:
# Change all occurrences of "wireguard_wg0" to something else
# (like wireguard_wg1, wireguard_wg2 and so on) for
# subsequent clients after the 1st
uci add network wireguard_wg0
uci set network.@wireguard_wg0[-1].public_key="<your client's pubkey>"
Just for completeness:
The network and broadcast addresses (x.y.z.0 and x.y.z.255) shouldn't be assigned to any host. I set it like below, so the router gets the address 10.0.10.1:
config interface 'WG0'
	option proto 'wireguard'
	option private_key 'PRIVATEKEYSERVER'
	option listen_port 'nnnnn'
	list addresses '10.0.10.1/24'
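As an added example (not from this thread or the OpenWrt wiki), a small Python checker that parses an /etc/config/network fragment and flags the two mistakes the thread ran into: peer sections whose type suffix names no existing WireGuard interface (wireguard_wg1 when only wg0 exists), and an interface address that is the network or broadcast address. It also reports an allowed_ips value handed to more than one peer. The sample config and the key values are constructed placeholders.

```python
import ipaddress
import shlex

def parse_uci(text):
    """Parse UCI config text into sections of {'type', 'name', 'opts', 'lists'}."""
    secs = []
    for p in (shlex.split(line, comments=True) for line in text.splitlines()):
        if p and p[0] == "config":
            secs.append({"type": p[1], "name": p[2] if len(p) > 2 else None, "opts": {}, "lists": {}})
        elif p and p[0] == "option":
            secs[-1]["opts"][p[1]] = p[2]
        elif p and p[0] == "list":
            secs[-1]["lists"].setdefault(p[1], []).append(p[2])
    return secs

def check_wireguard(text):
    """Return findings for the mistakes discussed in the thread; [] means none."""
    secs, findings = parse_uci(text), []
    ifaces = [s for s in secs if s["type"] == "interface" and s["opts"].get("proto") == "wireguard"]
    peers = [s for s in secs if s["type"].startswith("wireguard_")]
    for p in peers:  # every peer of wgN must be a 'config wireguard_wgN' section
        suffix = p["type"].split("_", 1)[1]
        if suffix not in {i["name"] for i in ifaces}:
            findings.append(f"{p['type']}: no interface '{suffix}'; peers of one interface share its suffix")
    for i in ifaces:
        for a in i["lists"].get("addresses", []):  # router needs a host address, not .0 or .255
            n = ipaddress.ip_interface(a)
            if n.network.num_addresses > 2 and n.ip in (n.network.network_address, n.network.broadcast_address):
                findings.append(f"{i['name']}: {a} is the network or broadcast address")
        mine = [p for p in peers if p["type"] == "wireguard_" + i["name"]]
        if not mine:  # explains 'wg show' listing fewer peers than configured
            findings.append(f"{i['name']}: no peer section of type 'wireguard_{i['name']}'")
        ips = [ip for p in mine for ip in p["lists"].get("allowed_ips", [])]
        findings += [f"{i['name']}: allowed_ips {ip} on more than one peer" for ip in set(ips) if ips.count(ip) > 1]
    return findings

# Constructed sample reproducing the thread's first attempt (placeholder keys).
BROKEN = """
config interface 'wg0'
    option proto 'wireguard'
    option private_key 'PRIVATE_KEY'
    option listen_port '1234'
    list addresses '10.0.10.0/24'
config wireguard_wg0
    option public_key 'DEBIAN_PUBKEY'
    list allowed_ips '10.0.10.1/32'
config wireguard_wg1
    option public_key 'ANDROID_PUBKEY'
    list allowed_ips '10.0.10.2/32'
"""
```

Running check_wireguard(BROKEN) reports the stray wireguard_wg1 section and the 10.0.10.0/24 address; the corrected layout (two wireguard_wg0 sections, router on 10.0.10.1/24) produces no findings.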