Wireguard - not able to add another peer

Hello all,

I'm trying to configure WireGuard. I followed this tutorial: WireGuard setup [Turris wiki].

The details are below.

I added one peer for the Debian box (the 1st one), and it seems to work within the LAN (I haven't had a chance to test from the public).

Then I added a 2nd peer for an Android device, using the Android WireGuard app; it works neither within the LAN nor from the public. From the Android WireGuard logs I see that the handshake fails.

'wg show' shows only 1 peer.

/etc/config/network:

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'PRIVATE_KEY'
        option listen_port '1234'
        list addresses '10.0.10.0/24'

config wireguard_wg0
        option public_key 'CLIENT1_PUB_KEY'
        option preshared_key 'PRESHARED_KEY1'
        option route_allowed_ips '1'
        list allowed_ips '10.0.10.1/32'
        option persistent_keepalive '25'
        option description 'client1'

config wireguard_wg1
        option public_key 'CLIENT2_PUB_KEY'
        option preshared_key 'PRESHARED_KEY2'
        option route_allowed_ips '1'
        list allowed_ips '10.0.10.1/32'
        option persistent_keepalive '25'
        option description 'client2'

wg show:

interface: wg0
  public key: SERVER_PUB_KEY
  private key: (hidden)
  listening port: 1234

peer: CLIENT1_PUB_KEY
  preshared key: (hidden)
  allowed ips: 10.0.10.1/32
  persistent keepalive: every 25 seconds

Did you restart the network service on the router after the new peer was configured?

Yes, several times. Even rebooted the router.

To me it appears that you have only one Wireguard interface wg0.
In my configuration all peers on the same interface use config wireguard_WG0 (upper case for me, should probably be lower case for you).
Additionally, to my knowledge, in /etc/config/network each client should have a distinct IP, e.g. 10.0.10.1/32 and 10.0.10.2/32 in your case.

Yes, only 1 interface, and I'm trying to add more clients to the same interface (btw, by "peer" I meant client). My case is as pasted above. If I need to add a new interface for each client, such as wg1, wg2, etc., then it is overkill, since firewall rules need to be added as well.

I tried this already; it doesn't work.

I still don't understand what exactly these 2 lines mean:

        option route_allowed_ips '1'
        list allowed_ips '10.0.10.1/32'

Let's note, for clarification:

  • Multiple Wireguard interfaces are possible - of course this impacts firewall rules etc.
  • Each Wireguard interface can have multiple peers/clients

Regarding allowed_ips:

a comma-separated list of IP (v4 or v6) addresses with CIDR masks from which incoming traffic for this peer is allowed and to which outgoing traffic for this peer is directed. The catch-all 0.0.0.0/0 may be specified for matching all IPv4 addresses, and ::/0 may be specified for matching all IPv6 addresses. May be specified multiple times.

(wg(8) — wireguard-tools — Debian unstable — Debian Manpages)

Regarding route_allowed_ips:

Automatically create a route for each Allowed IPs for this peer

([OpenWrt Wiki] Tunneling interface protocols)

Try the following configuration for /etc/config/network:

config interface 'WG0'
        option proto 'wireguard'
        option private_key 'PRIVATEKEYSERVER'
        option listen_port 'nnnnn'
        list addresses '10.0.10.0/24'

config wireguard_WG0
        option description 'CLIENT1'
        option public_key 'PUBLICKEYCLIENT1'
        option preshared_key 'xxxxx'
        list allowed_ips '10.0.10.1/32'

config wireguard_WG0
        option description 'CLIENT2'
        option public_key 'PUBLICKEYCLIENT2'
        option preshared_key 'yyyyy'
        list allowed_ips '10.0.10.2/32'

On Client 1:

[Interface]
Address = 10.0.10.1/32
PrivateKey = PRIVATEKEYCLIENT1
DNS = ???.???.???.???
[Peer]
PublicKey = PUBLICKEYSERVER
PresharedKey = xxxxx
AllowedIPs = 0.0.0.0/0

On Client 2:

[Interface]
Address = 10.0.10.2/32
PrivateKey = PRIVATEKEYCLIENT2
DNS = ???.???.???.???
[Peer]
PublicKey = PUBLICKEYSERVER
PresharedKey = yyyyy
AllowedIPs = 0.0.0.0/0

I assume that you have set the traffic rules/firewall rules correctly.

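An added check for the two mistakes this answer corrects (every peer of an interface must use the same `wireguard_<interface>` section type, and each peer needs a distinct allowed IP) plus the network-address point raised later in the thread. This is example code written for this thread, not the router's or OpenWrt's own tooling; the UCI reader is a minimal constructed one (not libuci) and the sample configs are constructed from the thread's shape.

```python
import re
from ipaddress import ip_interface

# Constructed template (not the thread's text verbatim). BROKEN reproduces the first post's
# mistakes: client2 under wireguard_wg1 although the only interface is wg0, client1's
# address repeated, and the network address .0 used as the interface address.
TEMPLATE = """\
config interface 'wg0'
    option proto 'wireguard'
    list addresses '{addr}'
config wireguard_wg0
    option description 'client1'
    list allowed_ips '{c1}'
config wireguard_{sect}
    option description 'client2'
    list allowed_ips '{c2}'
"""
BROKEN = TEMPLATE.format(addr="10.0.10.0/24", c1="10.0.10.1/32", sect="wg1", c2="10.0.10.1/32")
FIXED = TEMPLATE.format(addr="10.0.10.1/24", c1="10.0.10.2/32", sect="wg0", c2="10.0.10.3/32")

SECTION_RE = re.compile(r"^\s*config\s+(\S+)(?:\s+'([^']*)')?\s*$")
OPTION_RE = re.compile(r"^\s*(?:option|list)\s+(\S+)\s+'([^']*)'\s*$")

def parse_uci(text):
    """Minimal UCI reader: list of (section type, section name or None, {key: [values]})."""
    sections = []
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            sections.append((m.group(1), m.group(2), {}))
        elif sections and (m := OPTION_RE.match(line)):
            sections[-1][2].setdefault(m.group(1), []).append(m.group(2))
    return sections

def check_wireguard(text):
    """Return findings for the three mistakes discussed in the thread (empty list = clean)."""
    findings, seen = [], {}  # seen: allowed_ip -> peer that first claimed it
    sections = parse_uci(text)
    wg_ifaces = {n for t, n, o in sections if t == "interface" and o.get("proto") == ["wireguard"]}
    for t, name, opts in sections:
        if t.startswith("wireguard_"):  # a peer: its type must name an existing WireGuard interface
            label = opts.get("description", opts.get("public_key", ["?"]))[0]
            if t[len("wireguard_"):] not in wg_ifaces:
                findings.append(f"{label}: section type {t} names no WireGuard interface")
            for ip in opts.get("allowed_ips", []):
                if ip in seen:
                    findings.append(f"{label}: allowed_ips {ip} already claimed by {seen[ip]}")
                seen.setdefault(ip, label)
        elif name in wg_ifaces:  # the tunnel interface: its address must be a host address
            for addr in opts.get("addresses", []):
                a = ip_interface(addr)
                if a.network.prefixlen < 31 and a.ip in (a.network.network_address, a.network.broadcast_address):
                    findings.append(f"{name}: {addr} is the network or broadcast address")
    return findings
```

Running `check_wireguard` on the router's real `/etc/config/network` (read from a file) reports the same three classes of problem before `wg show` has to tell you a peer is silently missing.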

Many thanks, this works :)

So it seems client definitions should have the same suffix "_interfaceName" for the given interface. My mistake was adding suffixes such as _wg0, _wg1, etc. for the interface wg0.

The wiki needs to be updated; it is confusing.
From the wiki:

# Change all occurrences of "wireguard_wg0" to something else
# (like wireguard_wg1, wireguard_wg2 and so on) for
# subsequent clients after the 1st
uci add network wireguard_wg0
uci set network.@wireguard_wg0[-1].public_key="<your client's pubkey>"

Just for completeness:
The network and broadcast addresses (x.y.z.0 and x.y.z.255) shouldn't be assigned to any host. I set it up like below, so the router gets the address 10.0.10.1.

config interface 'WG0'
        option proto 'wireguard'
        option private_key 'PRIVATEKEYSERVER'
        option listen_port 'nnnnn'
        list addresses '10.0.10.1/24'

config wireguard_WG0
        option description 'CLIENT1'
        option public_key 'PUBLICKEYCLIENT1'
        option preshared_key 'xxxxx'
        list allowed_ips '10.0.10.2/32'

config wireguard_WG0
        option description 'CLIENT2'
        option public_key 'PUBLICKEYCLIENT2'
        option preshared_key 'yyyyy'
        list allowed_ips '10.0.10.3/32'

In some cases addresses ending in 0 or 255 can be used. For example, if 192.168.0.0/16 is given, then 192.168.0.255, 192.168.1.0, etc. can be used.
