
So, I set up a Wireguard server to use as a personal VPN.
I created a client (peer) on my laptop that allowed my laptop (Fedora) to connect to my Wireguard server. All worked fine.
I then installed the Wireguard app on my Android phone, and created a new connection, choosing the “from scratch” option. The fields on the Android screen matched the entries in the configuration file on my Linux laptop, so it seemed intuitive what to put into each box.
It did not work.
Error bringing up tunnel: Unable to turn tunnel on (wgTurnOn returned -1)
What had I done wrong?
Configuration
Here was the configuration I had used successfully on my Laptop PC:
[Interface]
Address = 10.0.0.2/24
ListenPort = 989
PrivateKey = {snip}
[Peer]
PublicKey = {snip}
Endpoint = {snip}:989
AllowedIPs = 0.0.0.0/0
Roughly translated: This device will have internal IP address 10.0.0.2 on a /24 network. It will communicate with the rest of the network on UDP port 989. To connect to the rest of the network, it is to connect to my personal VPN server at the endpoint shown, also using port 989. Any traffic destined for 0.0.0.0/0 is to be sent over this network; that is, all traffic.
So I simply set the phone up with the equivalent settings; the one obvious difference was that this time I used 10.0.0.3.
As I said above, the fields on the Android configuration screen resemble (almost exactly) the configuration entries I had just used successfully.
The Solution
I checked and rechecked my public and private keys, checked port numbers, checked that firewalls had the right ports open, and searched multiple Reddit discussions and old Usenet posts, and none of them helped.
Finally, I landed on the problem. On Android, you don't need to specify the port number that the device will listen on. If you specify an endpoint that uses port 989, it will simply assume that your Android phone also needs to listen on that same port.
Leave the “listen port” field empty, and it works fine.
Populate it, and it may fail. I say may fail, not will fail, because after putting the port number back into that box it continued to work for a while, until it didn’t. So the safest configuration, and the one that solved the problem I was having, is to leave “listen port” blank.
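As an added example that is not part of the original post, here is a small Python linter for the profile format shown above: it parses a wg-quick style profile into its [Interface] and [Peer] sections, flags a populated ListenPort on a client profile (the post's finding), checks AllowedIPs, and derives the phone's profile from the laptop one. The sample profile, hostname and key values are constructed placeholders.

```python
import ipaddress
# Constructed sample modelled on the laptop profile in the post; keys and host are placeholders.
LAPTOP_CONFIG = """\
[Interface]
Address = 10.0.0.2/24
ListenPort = 989
PrivateKey = PLACEHOLDER_PRIVATE_KEY
[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY
Endpoint = vpn.example.invalid:989
AllowedIPs = 0.0.0.0/0
"""

def parse_wg_config(text):
    """Parse wg-quick style text into (interface, [peers]); keys lower-cased, [Peer] may repeat."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if line.lower() == "[interface]":
            current = interface
        elif line.lower() == "[peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key.lower()] = value
        elif line:
            raise ValueError(f"unparseable line: {raw!r}")
    return interface, peers

def lint_client_config(text):
    """Warnings for a roaming client profile (the phone's case in the post)."""
    iface, peers = parse_wg_config(text)
    warnings = ["ListenPort set: leave it blank in the Android app"] if "listenport" in iface else []
    for peer in peers:
        for cidr in peer.get("allowedips", "").split(","):
            try:
                ipaddress.ip_network(cidr.strip(), strict=False)   # 0.0.0.0/0 routes everything
            except ValueError:
                warnings.append(f"bad AllowedIPs entry {cidr.strip()!r}")
    return warnings

def to_android_config(text, address):
    """Derive the phone profile from the laptop one: drop ListenPort and set the phone's address."""
    out = []
    for line in text.splitlines():
        key = line.split("=", 1)[0].strip().lower()
        if key != "listenport":                      # dropping ListenPort is the post's fix
            out.append(f"Address = {address}" if key == "address" else line)
    return "\n".join(out) + "\n"
```

Running `lint_client_config(LAPTOP_CONFIG)` reports the ListenPort warning, and `to_android_config(LAPTOP_CONFIG, "10.0.0.3/24")` produces a profile that lints clean.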