Double WireGuard Setup on OpenWrt Remote Access & Outbound VPN Routing

I am configuring a GL.iNet Flint 2 (MT6000) running OpenWrt 24.10 to act as both a VPN Server and a VPN Client simultaneously. The goal is to have a Pixel 9 connect remotely to my home network via WireGuard and have its traffic routed through a commercial VPN provider (ProtonVPN) before hitting the internet.

The Architecture:

Remote Client: Pixel 9 running the WireGuard app.

Inbound (Server): WireGuard Server instance on the router (Port 51820).

Outbound (Client): WireGuard Client instance connected to a commercial VPN (ProtonVPN).

DNS: AdGuard Home running locally on the router for network-wide filtering.

DDNS: DuckDNS for maintaining connectivity to a dynamic home IP.

Network Flow:

Pixel 9 -> Home Router (WG Server) -> AdGuard Home (DNS) -> ProtonVPN (WG Client) -> Internet

Current Configuration:

  1. Network Interface

Created an interface for the WG Server (10.0.0.1/24) to accept the Pixel 9.

Created an interface for the WG Client (proton_vpn) with 0.0.0.0/0 in Allowed IPs.

  2. Firewall Setup

Zones: LAN zone that includes both the physical lan and the wg_server interface.

VPN zone (vpn_client) for the outbound ProtonVPN tunnel.

Forwarding: Configured a rule to forward traffic from lan (which includes the remote Pixel) to vpn_client.

Input Rule: Opened UDP port 51820 on the WAN to allow the inbound handshake.

The Goal

I want to ensure that the routing is "leak-proof." When the Pixel 9 is connected, it should:

  1. Resolve DNS via the router's AdGuard Home.

  2. Route all traffic through the ProtonVPN tunnel rather than the local ISP WAN.

  3. Maintain a stable handshake when switching between mobile data and external Wi-Fi.

So, I would like to know if it is OK so far (secure, etc.)?
Thanks.

Firewall:

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'server_vpn'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'vpn_client'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'proton_vpn'

config forwarding
	option src 'lan'
	option dest 'vpn_client'

config rule
	option name 'Allow-WireGuard-Inbound'
	option src 'wan'
	option proto 'udp'
	option dest_port '51820'
	option target 'ACCEPT'

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	list ipaddr '127.0.0.1/8'

config globals 'globals'
	option dhcp_default_duid '000452460f3f2b7047da93c1e9018a667785'
	option ula_prefix 'fdf1:661:c855::/48'
	option packet_steering '2'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	list ipaddr '192.168.1.1/24'
	option ip6assign '60'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config device
	option name 'eth1'
	option mtu '1495'

config interface 'server_vpn'
	option proto 'wireguard'
	option private_key 'aFh9q2cSbxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
	option listen_port '51820'
	list addresses '10.0.0.1/24'

config wireguard_server_vpn
	option description 'pixel9'
	option public_key '8K1Zu6+uqwy3xxxxxxxxxxxxxxxxxxxxxxag+c6OHE='
	list allowed_ips '10.0.0.2/32'
	option route_allowed_ips '1'

config interface 'proton_vpn'
	option proto 'wireguard'
	option private_key 'sNeT3xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxVcOkw='
	list addresses '10.2.0.2/32'
	list dns '192.168.1.1'

config wireguard_proton_vpn
	option description 'mtl'
	option public_key 'nLx6LJxxxxxxxxxxxxxxxxxxxxxxxxxxxGCpN3lolm1I='
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
	option endpoint_host '176.xx.xxxx.82'
	option endpoint_port '51820'
	option route_allowed_ips '1'

Like yesterday, same thing today: after I did all of those steps, when I start WG on my Pixel phone, I only have TX data, no RX, so no internet on my Pixel.

For starters, stop the proton_vpn interface and check if your phone gets a successful wireguard handshake and access to the internet.

Next, you will need to create a pbr rule that returns replies destined to port 51820 (on the router) via the wan interface.

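To check the "successful WireGuard handshake" step above from the router's side, this added script (not from the thread) classifies each peer of a WireGuard interface from `wg show <iface> dump` output; a peer whose latest_handshake stays at 0 has never completed a handshake, which is what a wrong key or a reply that left via the wrong interface looks like from the router. It assumes BusyBox sh/awk on OpenWrt, and the sample dump and peer names below are constructed.

```shell
#!/bin/sh
# Added example, not the thread author's code. Reads the output of
# `wg show <iface> dump` and reports the state of every peer.
# Per-peer dump columns (tab separated): pubkey, psk, endpoint, allowed_ips,
# latest_handshake (epoch seconds, 0 = never), rx_bytes, tx_bytes, keepalive.

# wg_peer_status <dump-text> <now-epoch-seconds>
# Prints one line per peer: <pubkey> <verdict> rx=<bytes> tx=<bytes>
wg_peer_status() {
    printf '%s\n' "$1" | awk -v now="$2" -F'\t' '
        NR == 1 { next }                       # first line describes the interface itself
        NF >= 7 {
            if ($5 == 0)             v = "NO_HANDSHAKE"     # peer never authenticated
            else if (now - $5 > 180) v = "STALE_HANDSHAKE"  # >3 min: idle or broken
            else                     v = "OK"
            printf "%s %s rx=%s tx=%s\n", $1, v, $6, $7
        }'
}

# Live use on the router (not executed here), for the inbound server instance:
#   wg_peer_status "$(wg show server_vpn dump)" "$(date +%s)"

# Constructed sample dump: one peer that never handshook (the wrong-key case),
# one healthy peer, one peer whose last handshake is hours old.
SAMPLE_DUMP="$(
    printf 'ROUTER_PRIV\tROUTER_PUB\t51820\toff\n'
    printf 'PEER_PIXEL9_PUB\t(none)\t(none)\t10.0.0.2/32\t0\t0\t0\toff\n'
    printf 'PEER_LAPTOP_PUB\t(none)\t198.51.100.7:40001\t10.0.0.3/32\t1700000000\t52000\t310000\t25\n'
    printf 'PEER_STALE_PUB\t(none)\t203.0.113.9:40002\t10.0.0.4/32\t1699990000\t900\t4000\toff\n'
)"

# "Now" is fixed so the sample classifies the same way every run.
wg_peer_status "$SAMPLE_DUMP" 1700000060
```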

OK, finally, when I rebooted the router, I lost internet. I really don't understand what is going on.
Also, I use AdGuardHome, but as I said, 2 days ago everything was working, even my tunnel between my cellphone and the server on my router. I'll give you my setup again.
Thanks for helping me.

root@Flint2-James:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	list ipaddr '127.0.0.1/8'

config globals 'globals'
	option dhcp_default_duid '000452460f3f2b7047da93c1e9018a667785'
	option ula_prefix 'fdf1:661:c855::/48'
	option packet_steering '2'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	list ipaddr '192.168.1.1/24'
	option ip6assign '60'
	option delegate '0'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option delegate '0'

config device
	option name 'eth1'
	option mtu '1495'

config interface 'server_vpn'
	option proto 'wireguard'
	option private_key 'aFh9iUE='
	option listen_port '51820'
	list addresses '10.0.0.1/24'
	option delegate '0'

config wireguard_server_vpn
	option description 'pixel9'
	option public_key 'zBbtwo='
	list allowed_ips '10.0.0.2/32'
	option route_allowed_ips '1'

config interface 'proton_vpn'
	option proto 'wireguard'
	option private_key 'sNeT3eyVcOkw='
	list addresses '10.2.0.2/32'

config wireguard_proton_vpn
	option description 'mtl'
	option public_key 'nLx6Llm1I='
	option endpoint_host 'xxxxxx.82'
	option endpoint_port '51820'
	option route_allowed_ips '1'
	list allowed_ips '0.0.0.0/0'


root@Flint2-James:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '1'
	option port '54'
	option nonwildcard '0'
	option noresolv '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	list dhcp_option '6,192.168.1.1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option leasefile '/tmp/odhcpd.leases'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
	option piodir '/tmp/odhcpd-piodir'
	option hostsdir '/tmp/hosts'
root@Flint2-James:~# cat /etc/config/firewall
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'server_vpn'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'vpn_client'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'proton_vpn'

config forwarding
	option src 'lan'
	option dest 'vpn_client'

config rule
	option name 'Allow-WireGuard-Inbound'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'


also, the beginning of my AdGuardHome setup:

root@Flint2-James:/opt/AdGuardHome# cat AdGuardHome.yaml
http:
  pprof:
    port: 6060
    enabled: false
  address: 0.0.0.0:8080
  session_ttl: 720h
users:
  - name: yum
    password: yum
auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: ""
theme: auto
dns:
  bind_hosts:
    - 0.0.0.0
    - 127.0.0.1
    - 192.168.1.1
  port: 53

Remove "- 127.0.0.1" and "- 192.168.1.1" (leaving only "- 0.0.0.0"), restart AGH and test again.

If it doesn't help, switch to dnsmasq to see if that makes a difference.

service adguardhome stop
uci set dhcp.@dnsmasq[0].port='53'
uci set dhcp.@dnsmasq[0].noresolv='0'
service dnsmasq restart

These commands do not make permanent changes to the configuration.
Restarting the router will restore AGH.


The problem was about WireGuard: an error in the key. I created a new one, and it is fine.
Thanks again.

But why did it not work when I stopped the VPN and the PBR?

(Wireguard is always-on.) How did you "stop the VPN"?

How did you configure and stop PBR?

You're asking before or after you fixed the key?

Finally, the last problem was the wrong key, so now everything is working. But I wondered: even when I disabled the WG VPN and the PBR (and, by the way, with "do not enforce policies" / strict enforcement), why wouldn't the internet come back? Yes, that was before I understood the problem with the key. But without the wrong key, I guess I would have had internet back with the services disabled?