Why does the WireGuard tunnel connect on all devices, but work only on the latest in the list?

I have 3 devices connecting over the wan interface to the wg0 WireGuard VPN interface. Relevant internal interfaces are LAN IPv4: 192.168.5.1/24 and wg0 IPv4: 10.14.0.1/24. It used to work for ‘macOS Device 1’.

I added two devices. Restarted the interface. Now it works only for the last added device. I tried rebooting both the router and the client devices. I confirmed that reordering the wireguard_wg0 device list, e.g. moving macOS Device 1 to last in the list, fixes the problem for this device and breaks the other two.

I can’t understand what I may be doing wrong. My goal is to enable each device to access the internet via this VPN and have access to all other clients in the wg0 interface network and the LAN router gateway when connected.

Setup:

  • router
# cat /etc/os-release

NAME="OpenWrt"
VERSION="24.10.2"

# uci show | grep -i wg0

firewall.@zone[0].network='lan' 'wg0'
network.wg0=interface
network.wg0.proto='wireguard'
network.wg0.private_key='xxx'
network.wg0.listen_port='xxx'
network.wg0.addresses='10.14.0.1/24'
network.@wireguard_wg0[0]=wireguard_wg0
network.@wireguard_wg0[0].description='MacOS Device 1'
network.@wireguard_wg0[0].public_key='xxx'
network.@wireguard_wg0[0].private_key='xxx'
network.@wireguard_wg0[0].route_allowed_ips='1'
network.@wireguard_wg0[0].allowed_ips='10.14.0.3/24'
network.@wireguard_wg0[1]=wireguard_wg0
network.@wireguard_wg0[1].description='Mobile 1'
network.@wireguard_wg0[1].public_key='xxx'
network.@wireguard_wg0[1].private_key='xxx'
network.@wireguard_wg0[1].route_allowed_ips='1'
network.@wireguard_wg0[1].allowed_ips='10.14.0.4/24'
network.@wireguard_wg0[2]=wireguard_wg0
network.@wireguard_wg0[2].description='Mobile 2'
network.@wireguard_wg0[2].public_key='xxx'
network.@wireguard_wg0[2].private_key='xxx'
network.@wireguard_wg0[2].route_allowed_ips='1'
network.@wireguard_wg0[2].allowed_ips='10.14.0.5/24'

# uci show firewall.@zone[0]

firewall.cfg02dc81=zone
firewall.cfg02dc81.name='lan'
firewall.cfg02dc81.input='ACCEPT'
firewall.cfg02dc81.output='ACCEPT'
firewall.cfg02dc81.forward='ACCEPT'
firewall.cfg02dc81.network='lan' 'wg0'
  • Client ‘macOS Device 1’
    Configuration
[Interface]
PrivateKey = xxx
Address = 10.14.0.3/24
DNS = 192.168.5.1

[Peer]
PublicKey = xxx
AllowedIPs = 0.0.0.0/0
Endpoint = xxx:xxx

WireGuard client logs:

2025-12-28 18:25:43.613907: [APP] Tunnel 'MacOS Device 1' connection status changed to 'connecting'
...
2025-12-28 18:25:48.611213: [APP] Status update notification timeout for tunnel 'MacOS Device 1'. Tunnel status is now 'connected'.
2025-12-28 18:25:54.146705: [NET] peer(saJA…Bwl0) - Receiving keepalive packet
2025-12-28 18:26:04.469827: [NET] peer(saJA…Bwl0) - Receiving keepalive packet

No ping to anything including 10.14.0.1 or 10.14.0.3. Client receives only 92B data in first 10s…

  • Client ‘Mobile 1’: Same as macOS device. WireGuard active, no connection to anything.
  • Client ‘Mobile 2’: Works as expected.

Configuration:

[Interface]
PrivateKey = xxx
Address = 10.14.0.5/24
DNS = 192.168.5.1

[Peer]
PublicKey = xxx
AllowedIPs = 0.0.0.0/0
Endpoint = xxx:xxx
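
An added diagnostic example, not part of the original post: WireGuard assigns each AllowedIPs prefix on an interface to exactly one peer, and `10.14.0.3/24`, `10.14.0.4/24` and `10.14.0.5/24` all mask to `10.14.0.0/24`, so the prefix ends up with whichever peer is applied last. The Python below parses the `uci show` lines (embedded as a constructed sample) and reports the collision; the function names `parse_peers`, `find_overlaps` and `effective_owner` are chosen here for illustration.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample: description/allowed_ips lines copied from the post's `uci show` output.
UCI_SAMPLE = """\
network.@wireguard_wg0[0].description='MacOS Device 1'
network.@wireguard_wg0[0].allowed_ips='10.14.0.3/24'
network.@wireguard_wg0[1].description='Mobile 1'
network.@wireguard_wg0[1].allowed_ips='10.14.0.4/24'
network.@wireguard_wg0[2].description='Mobile 2'
network.@wireguard_wg0[2].allowed_ips='10.14.0.5/24'
"""

LINE = re.compile(r"^network\.@wireguard_(\w+)\[(\d+)\]\.(\w+)=(.*)$")

def parse_peers(uci_text):
    """Return peer sections in list order as dicts: iface, name, nets."""
    peers = {}
    for raw in uci_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        iface, idx, opt, val = m.groups()
        peer = peers.setdefault((iface, int(idx)), {"iface": iface, "name": f"{iface}[{idx}]", "nets": []})
        values = re.findall(r"'([^']*)'", val)
        if opt == "description" and values:
            peer["name"] = values[0]
        elif opt == "allowed_ips":
            # strict=False masks the host bits: 10.14.0.3/24 -> 10.14.0.0/24
            peer["nets"] += [ipaddress.ip_network(v, strict=False) for v in values]
    return [peers[k] for k in sorted(peers)]

def find_overlaps(peers):
    """Pairs of peers on the same interface whose AllowedIPs overlap."""
    return [(a["name"], b["name"], str(na), str(nb))
            for a, b in combinations(peers, 2) if a["iface"] == b["iface"]
            for na in a["nets"] for nb in b["nets"]
            if na.version == nb.version and na.overlaps(nb)]

def effective_owner(peers):
    """Model of applying peers in order: an identical prefix moves to the last peer."""
    owner = {}
    for p in peers:
        for n in p["nets"]:
            owner[(p["iface"], str(n))] = p["name"]
    return owner
```

With each peer given its own `/32` (for example `10.14.0.3/32`), `find_overlaps` returns an empty list and every prefix keeps its own peer.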