Help setting up and/or understanding the right NAT/wg setup for my scenario

Hi everyone,

I hope someone can help me understand if what I'm trying to do is doable via openwrt or if a better approach exists.

I have a working openwrt setup that I'd like to extend to allow me to fulfill one specific requirement.
Currently, there are the following interfaces defined:

  • wan ( - for connection to the ISP router
  • lan ( - internal subnet for home devices
  • dmz ( - a host in this subnet ( is used for web and vpn server connections.

The "dmz host" ( currently has openvpn server set up on it and that works fine. I can connect form the internet to the forwarded port, etc.

I am trying to additionally set up a "call-back" Wireguard tunnel from a remote host in my wife's parent's home to the dmz host. The remote host is connected to the internet behind a CG-NAT, therefore, no port forwarding is an option. For that reason, remote host is reaching out to the dmz host to establish the connection and that works successfully.

Now, what I'm struggling with is to allow to a host in lan subnet ( to be routed through that wg tunnel. I was thinking about setting up a "virtual IP" in lan subnet on openwrt, which would be a representation of dmz host ( -> and vice versa). Ultimately, host in lan subnet would be able to use as their gateway.

Another option might be to use the physical dmz host IP for routing, but I failed to make that work.

Can anyone please comment and advise on whether this can work or should I go back to the drawing board?

Thanks a lot in advance!

I think you can trust your wireguard setup so why not set it up on the router?

But otherwise make a portforward rule to redirect traffic from with destination your parents home to

Thank you for a quick reply and for the advice on setting up wg on openwrt router directly. At this time, I'd like to try to make this work without exposing router directly to the internet (even for a subset of the functionality, like wg).

So, if I understand correctly, I should create a port forward rule for "any" protocol. I guess source zone should be lan, internal IP address, destination zone dmz, external IP address Right?

Maybe something like this:

config redirect
	option target 'DNAT'
	option name 'DNAT-example'
	option src 'lan'
	option dest 'dmz'
	option src_ip ''
	option src_dip ''
	option dest_ip ''
	list proto 'all'

For option src_dip '' you substitute the local LAN subnet of your parents.

If it works it should route all traffic with destination of your parents router coming from to the VPN server (

But if it works it is only half of the solution, your VPN server has to have a route to your parents and if it is setup as a regular site-to-site setup (by setting your parents subnet in the Route allowed IPs and enabling Route allowed IPs) the route should already be there.

Important note/disclaimer make a backup first so that if something goes wrong
you can reset

I am traveling so not always on line