Allowing two OpenWrt routers to talk directly to each other over wireguard?

decentralize · April 13, 2026, 9:34pm

I’ve got two OpenWRT routers setup with site 2 site Wireguard VPN. I followed the docs on how to setup and it’s been working well for over a year now. I’m now trying to enable kerberos servers on both routers to support NFS and I’m setting it up so the primary will replicate to the secondary but I’m running into issues with kprop because it defaults to using the IP address of the wireguard interface 10.10.0.2 instead of the routers LAN ip address 192.168.1.1

One router has a lan zone in subnet 192.168.1.0/24 the other has a lan zone in subnet 192.168.10.0/24

On the device running kprop I ran tcpdump and can see the following:

root@e8450-f339:~# tcpdump -i wg_s2s_339 port 754
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wg_s2s_339, link-type RAW (Raw IP), snapshot length 262144 bytes
17:00:42.250110 IP 10.10.0.2.49236 > 192.168.10.1.754: Flags [S], seq 3232009414, win 64860, options [mss 1380,sackOK,TS val 537764737 ecr 0,nop,wscale 7], length 0
17:00:43.315104 IP 10.10.0.2.49236 > 192.168.10.1.754: Flags [S], seq 3232009414, win 64860, options [mss 1380,sackOK,TS val 537765802 ecr 0,nop,wscale 7], length 0
17:00:44.355077 IP 10.10.0.2.49236 > 192.168.10.1.754: Flags [S], seq 3232009414, win 64860, options [mss 1380,sackOK,TS val 537766842 ecr 0,nop,wscale 7], length 0
17:00:45.395096 IP 10.10.0.2.49236 > 192.168.10.1.754: Flags [S], seq 3232009414, win 64860, options [mss 1380,sackOK,TS val 537767882 ecr 0,nop,wscale 7], length 0

On the destination route I ran the same dump and I don’t see any packets coming through. I have no trouble talking to either router from devices on the LAN zones.

An added clue if I ping 192.168.10.1 there is 100% packet loss but if I do ping -I 192.168.1.1 192.168.10.1 I get a ping.

I’ve tried:

changing firewall rules to allow incoming packets from any source to port 754 but that didn’t have any effect.
Adding a 192.168.1.x IP to the wireguard interface but it still preferred the 10.10.0.2 address.
Enabling logging on the vpn zone on the receiving side but nothing showed up in the system log so I think perhaps wireguard is filtering these out before it gets to the firewall on the secondary.

I think I just need to convince it to send these packets from the LAN IP address, but I’m not really sure how to do that, maybe a route would work.

Any advice would be appreciated thanks!

_bernd · April 13, 2026, 11:00pm

You need to set a source address on a route. I.e for 192.168.0.0/16

decentralize · April 14, 2026, 1:57am

Thanks! I forgot routes could specify source addresses.

I added routes and now ping works without the -I option, and I can see the connection getting through with the right IP.

I’ve upgrade from kprop: Operation timed out while connecting to server to kprop: Connection refused while connecting to server