One VPN works, another almost identical one doesn't

Ubuntu Support Template

Ubuntu Version: 25.10

Desktop Environment (if applicable): GNOME

Problem Description:
I have a Wireguard VPN I imported from a file. It works and it refers to a first peer set up on the Wireguard server, running on OpenWRT.

I used to have the same VPN settings (same peer) used by multiple devices because only one of them was active at the same time, but now that I need multiple devices connecting to the VPN, I decided to add a second peer on OpenWRT.

I basically duplicated everything from the first peer to a second peer, except for a newly generated key pair and preshared key, and I imported the corresponding configuration file into Ubuntu via System preferences GUI.

The first VPN works, the second one does not.

The first one is “a52s”, the second one “mba”.

What I’ve Tried:
I compared the two peers on the OpenWRT config file named “network”:

config interface 'vpn'
  option proto 'wireguard'
  option private_key 'KHg9…'
  option listen_port '51820'
  list addresses '192.168.4.1/24'
  list addresses 'fd00:4::1/64'

config wireguard_vpn 'wgclient'
  option public_key 'JE+b…'
  option preshared_key 'crMO…'
  option private_key 'iPH2…'
  list allowed_ips '192.168.4.8/32'
  list allowed_ips 'fd00:4::8/128'
  option description 'A52s'

config wireguard_vpn
  option description 'mba'
  option public_key 'v4s0…'
  option private_key 'UJL…'
  option preshared_key 'ceV4…'
  list allowed_ips '192.168.4.9/32'
  list allowed_ips 'fd00:4::9/128'

which seem to match each other apart from the keys used.

The conf files for Ubuntu also match:

(for mba)
[Interface]
Address = 192.168.4.9/32
DNS = 192.168.3.5
PrivateKey = UJLi...

[Peer]
PublicKey = l4hd...
PreSharedKey = ceV4...
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = my_endpoint:51820

(for a52s)
[Interface]
Address = 192.168.4.8/32
DNS = 192.168.3.5
PrivateKey = iPH2...

[Peer]
PublicKey = l4hd...
PreSharedKey = crMO...
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = my_endpoint:51820

The “PublicKey” of the peers is identical; I guess that’s right if it’s generated by OpenWRT itself.

On Ubuntu I tried to investigate without success:

$ nmcli --show-secrets connection show vpn-a52s > vpn-a52s
$ nmcli --show-secrets connection show wg-vpn > wg-vpn
$ diff vpn-a52s wg-vpn
1,2c1,2
< connection.id:                          vpn-a52s
< connection.uuid:                        77fd98ff-...
---
> connection.id:                          wg-vpn
> connection.uuid:                        2d8b291a-...
5c5
< connection.interface-name:              vpn2
---
> connection.interface-name:              wg-vpn
11c11
< connection.timestamp:                   1775594747
---
> connection.timestamp:                   1775556299
39c39
< ipv4.addresses:                         192.168.4.8/32
---
> ipv4.addresses:                         192.168.4.9/32
105c105
< wireguard.private-key:                  iPH2...
---
> wireguard.private-key:                  UJLi...

So again nothing suspicious.

Neither the OpenWRT network config nor the Ubuntu configuration seems to indicate any issue, and yet when I start the VPN “a52s” I can browse, while when I use the other one neither my server on the (remote) network nor the web is reachable.

Is anyone able to help?
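One check the two configs above invite, added here as an example and not code from any post in this thread: does the PrivateKey in a client's wg-quick .conf actually derive to the public_key the OpenWRT peer section records for that client? This is what `wg pubkey` computes; the sample .conf and server value below are constructed from the RFC 7748 section 6.1 test keys, not the poster's keys.

```python
import base64
import re

# Added example, not from the thread: does the PrivateKey in a client's wg-quick .conf
# derive to the public_key the OpenWRT peer section records? Keys are X25519 (RFC 7748).
P = 2**255 - 19
A24 = 121665

def _clamp(k: bytes) -> int:
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")

def x25519_public(private_key: bytes, base_u: int = 9) -> bytes:
    """Montgomery ladder: scalar-multiply the base point u=9 (RFC 7748, section 5)."""
    k, x1 = _clamp(private_key), base_u
    x2, z2, x3, z3, swap = 1, 0, base_u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:  # conditional swap; constant time is not a goal of this illustration
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb, e = a * a % P, b * b % P, (a * a - b * b) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def public_key_b64(private_key_b64: str) -> str:
    """The value `wg pubkey` prints for this base64 private key."""
    return base64.b64encode(x25519_public(base64.b64decode(private_key_b64))).decode()

def peer_matches_server(wg_quick_conf: str, server_peer_public_key_b64: str) -> bool:
    """True when the router's peer public_key is what this client's PrivateKey produces."""
    m = re.search(r"^\s*PrivateKey\s*=\s*(\S+)", wg_quick_conf, re.M)
    if not m:
        raise ValueError("no PrivateKey line in the client .conf")
    return public_key_b64(m.group(1)) == server_peer_public_key_b64

# Constructed sample built from the RFC 7748 section 6.1 test keys, not the poster's keys.
RFC7748_PRIVATE = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
SAMPLE_CONF = "[Interface]\nAddress = 192.168.4.9/32\nPrivateKey = " + base64.b64encode(RFC7748_PRIVATE).decode() + "\n"
SERVER_PEER_PUBLIC_KEY = base64.b64encode(bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")).decode()
```

Run `peer_matches_server` once per client .conf against the matching `option public_key` line on the router; a False for exactly one of the two peers points at a key mix-up rather than at the routing or PSK settings.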

This is just a hunch, since I have zero knowledge about Wireguard, but pre-shared key sounds like it should be the same for all peers that want to talk to each other.

I would run each in a terminal, openvpn file.ovpn with a bunch of verbose options, to see the traffic chat. Also have another terminal with tail -f /var/log/syslog to see what is posted there.


I don’t use OpenVPN but WireGuard; what’s the closest alternative command to replace openvpn?

Thanks, but no, that part is correct: it’s generated for each “peer” config and it’s used to enhance encryption for post-quantum safety.

Then why is it called “pre-shared”? Looking at section 5.2 of the whitepaper:

In order to mitigate any future advances in quantum computing, WireGuard also supports a mode in which any pair of peers might additionally pre-share a single 256-bit symmetric encryption key between themselves, in order to add an additional layer of symmetric encryption.

Just a guess: There may be a mix-up with the keys. (see static addressing of wireguard tunnel)

It also states it is only used to be mixed with the private/public keys, which are different already. I understand why you think that, but the text does not mean it that way once you check how they are actually used.

Anyway, they are optional.

But once they are set, they are being used, so why not try without them? If one client can’t decode the packets because it’s using the wrong PSK, that might explain things. But I am still kind of lost as to what it actually is you’re trying to do, BTW.

But I noticed this:

config interface 'vpn'
  ...

config wireguard_vpn 'wgclient'
  ...

config wireguard_vpn
  ...

That last one doesn’t have a “name”, or whatever the correct term is in OpenWRT config lingo, so maybe it simply doesn’t work and silently fails on your router? But that’s as far as I can go, because I have no knowledge of OpenWRT.

You may also be interested in some opinions on the whole “post-quantum” shebang:
https://www.cs.auckland.ac.nz/~pgut001/pubs/bollocks.pdf
https://www.cs.auckland.ac.nz/~pgut001/pubs/heffalump_crypto.pdf