Help with access point + wifi guest + wireguard (VPN)

Hi, I am a newbie, but over the last year I have managed to use an OpenWrt router as a dumb AP to have another wifi in my house (main router and OpenWrt router joined by an RJ45 cable).

Yesterday I managed to configure a WireGuard server in a virtual machine in Google Cloud, with my OpenWrt router as a client. But I CAN'T really use WireGuard, as I can't redirect traffic to the VPN.

My needs are like the image:

I want to keep my main wifi (wifi MR200), connect my openwrt router by a rj45 lan cable, and in openwrt router two wifis:

  1. normal wifi to connect to it with my laptop, for example.
  2. "domotic" wifi to connect "devices" to it (like tasmota) and, through WireGuard, connect them with the VPN as if they were "local" to my virtual machine server. All traffic from this wifi has to go to the internet through the VPN.

Could you help me?

I would prefer to do it with LUCI.

Thanks a lot

1 Like

Thanks, do I have to configure new interfaces or firewall tables or something like that?

Thanks, but I don't have a wan interface in openwrt router.

Hi, by reading this guide I have managed to have the 3 wifis created.

I have also learned how to create a WireGuard interface, but I don't know how to configure it so the guest wifi will use WireGuard (all IPs and all ports), so that the devices connected to the guest wifi will be in the same local LAN as the Google Cloud virtual server.

Does anybody know how to configure WireGuard with luci-app-wireguard? I have a new WireGuard interface and I have created a new firewall zone called WG0.

But how can I tell my guest lan-wifi in OpenWrt to "USE" the WireGuard tunnel?


1 Like

Thanks, I am going to try right now. I will begin with a clean configuration, do the step "Create new wireguard interface", and try to read the link that you gave me. Thanks a lot.


Hi, I installed the pbr package but it is very difficult for me as I am a newbie.

I have WireGuard correctly installed, as I can ping my WireGuard server.

Just in case, I have updated my schema for better understanding.

I prefer to use LuCI (I know that all of you are good with the command line, rules, traffic zones, and so on. I know about ssh and the command line, but only general commands; I prefer to use LuCI, and then write down what I am doing (step guide) and try to learn).

I have been reading all your links and a lot more web pages, but I can't get it working.
I can't manage with the pbr package.

This is my schema:

Today, I have this working in my openwrt router:

  • VLAN:
  1. Only one, eth0.1
  • Interfaces:
  1. LAN: static address,, DNS, gateway and DHCP OFF, Firewall zone: LAN, and bridged with eth0.1 and WIFI0
  2. VPN: static address,, DNS and gateway blank, DHCP ON, firewall zone: VPN, I have no bridged interface, but in dropdown, WIFI_VPN is selected. (This is because I have done these steps
  3. WG0: Wireguard VPN,, WITHOUT firewall zone, and included my server as peer (remote ip, port, 25 seconds, and allowed IPs: and
  • Firewall zones:
    (it is the final step of the link "guestwifi_dumbap")

  • Traffic rules:

  1. Default ones: allow-dhcp-renew, allow-ping, allow-igmp, allow-dhcpv6, allow-mld, allow-icmpv6-input, forward, allow-ipsec-esp, allow-isakmp
  2. VPN DHCP: UDP 67-68 from VPN to "this device"
  3. VPN DNS: TCP/UDP 53 from VPN to "this device"

These are the final steps of the guide "guestwifi_dumbap", and one step more: create the wireguard tunnel with wireguard luci config app.

PINGS:      openwrt ssh    from laptop connected WIFI_VPN
            ok             ok
            ok             bad
            ok             bad
            ok             bad
            ok             bad
internet    ok             ok

What I want:

  1. Get all my traffic from 192.168.2.x devices "tunneled" with WireGuard
  2. Not very important: prevent 192.168.2.x devices from "seeing" 192.168.1.x devices. It would be perfect if the other way round is enabled: 1.x devices could see 2.x devices (in order to access 2.x devices from my laptop whichever wifi I am connected to).
  3. Not very important: create a second VLAN to have a port connected to 192.168.2.x in order to access that subnet from one rj45 port.
  4. Is this configuration ok?: WireGuard's peer: Allowed IP's allowed IPs: and
  5. Not very important, as you can see in above ping table, I can't access to my openwrt router while I am connected to WIFI_VPN, I can only access to my MR200 router config web page (, probably because of firewall zone forwardings. It will be great to access to openwrt router LUCI ( also from WIFI_VPN, as I do from WIFI1 (

Points 2 and 3 are not important for me, and probably I would manage to configure them, but Point 1 is very difficult for me and very important. Point 4 will probably be solved by solving point 1.

Could you help me ? Do I have to use "luci-app-vpn-policy-routing", or we need only firewall zones and traffic rules?

Thanks a lot

NOTE: After solving this I will try to write a guide or complete the guide already published with new steps for newbies.

LuCI > Network > Interfaces > WG0 > Edit

  • Peers > Route Allowed IPs > Uncheck
  • Peers > Allowed IPs:
    • ::/0

Save > Save & Apply

LuCI > VPN > VPN Policy Routing > Policies

  • Name: VPN
  • Local addresses:
  • Interface: WG0

Save & Apply

Thanks, I have applied this:

LuCI > Network > Interfaces > WG0 > Edit

Peers > Route Allowed IPs > Uncheck
Peers > Allowed IPs:
Save > Save & Apply
Restart interface WG0

LuCI > VPN > VPN Policy Routing > Policies
Add new one ...
Name: VPN
Local addresses:
Interface: WG0
Save & Apply
Enable and start service control VPN Policy Routing

VPN Policy Routing tells me:

lan/br-lan/ ✓
The represents the default gateway.

Pings from laptop connected to WIFI_VPN: bad bad bad bad bad
Windows 10 tells me that WIFI_VPN has no internet connection
I have tried to do tracert but

1     2 ms     2 ms     2 ms  OpenWrt.lan []
2     *        *        *     Tiempo de espera agotado para esta solicitud.
3     *     OpenWrt.lan []  informes: Protocolo de destino inaccesible. 

I am going to reboot router, just in case.....

No luck, same "problems"

Would it be a good idea to let me open an SSH session to from WIFI_VPN in order to try pings from the OpenWrt router itself? (I don't know exactly why I can't ping to from my laptop when it has an IP and it is connected to WIFI_VPN)

1 Like

Create a separate firewall zone for the WG0 interface with masquerading enabled.
And allow forwarding from the VPN zone to the WG0 zone.

Sorry, you have changed the reply. Wait 1 minute ...

I have not done anything from your deleted proposal.

interfaces-> wg0 -> firewall settings -> wg0 create
save & apply

Now I have the firewall as:

Do I have to edit the vpn=>lan or the wg0=>wan ?
Or create another "row" with vpn=>wg0 ?

(meanwhile I have added a traffic rule to let me ping from my laptop: Incoming from VPN, protocol ICMP to "this device". Also, to allow SSH: Incoming from VPN, protocol TCP port 22, to "this device")

1 Like

LuCI > Network > Firewall > General Settings > Zones > wg0 > Edit

  • Input: reject
  • Output: accept
  • Forward: reject
  • Masquerading > Check
  • MSS clamping > Check
  • Covered networks: WG0
  • Allow forward from source zones: vpn

Save > Save & Apply

After doing this, the vpn=>lan has changed to: (as we have done "allow forward from sources zones: vpn").


I have removed lan from here-


If I remove it, I can enable masquerading and MSS clamping.

So I have checked this:


Did I configure it correctly?

I connected my laptop to WIFI_VPN, it says no access to internet.
Pings: bad ok (probably because of the new traffic rule) ok (probably because of the new traffic rule) ok ok

Great !! Now I can ping to my server with
I understand that it is ok, I could send "packets" directly to my server. I don't have an IP like 10.50.0.x because I am behind my openwrt router.

Is that way good, or do I have to do exactly what you said (first image, vpn => lan&wg0) ?

But now I have a doubt: from my laptop I can't tracert (for example) as I don't have any DNS configured. I also can't see my public IP address to confirm that it is the IP of my cloud server. This is to confirm that I am "inside the tunnel". I have tried to tracert, but no luck:

1     2 ms     3 ms     3 ms  OpenWrt.lan []
2     *        *        *     Tiempo de espera agotado para esta solicitud.

How could I check if I am really in tunnel?

What is the real reason why I haven't got internet access through WG0? Is it because of some configuration on the server side (I am thinking that I am reaching my server but it can't "forward" to the internet?), or on the OpenWrt client side? (Today it is not very important, but as I am going to use some devices that sometimes need updates from the internet, it would be great to know the reason, so I could activate/deactivate the traffic rule or firewall zone or whatever to update my devices.) Is the problem server side or client side? Probably I could solve it by joining VPN=>LAN again, but I prefer to understand where the problem could be.

Probably in the next days I will ask you about traffic rules, as I am going to try to communicate with my server on different ports (MQTT, ...). Probably all of them will work, so no more questions.

After that, I will try "the other points not very important" that I said some post above, and try to write steps.

Thanks a lot @vgaetera, you have helped me a lot. Much more than anyone could expect. What about these last questions?

Thanks a lot again.

1 Like

You should perform diagnostics using CLI:

uci show network; uci show wireless; uci show firewall; uci show dhcp; \
uci show vpn-policy-routing; \
grep -v -e ^# -e ^$ /etc/firewall.user; \
head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*; \
ip address show; ip route show table all; ip rule show; iptables-save

Post the output to redacting the private parts.

Hi, I know a little about ssh thanks.
Here you have it (I got it with my laptop connected with a LAN RJ45 cable to the OpenWrt router)

1 Like

Disable masquerading in the vpn firewall zone.

It's best to disable masquerading in the wg0 zone too.
Just add to the allowed IPs in the WG peer settings on the server side.

If you need this, then allow traffic forwarding from the firewall zone vpn to lan.

Perform traceroute from the client and/or check out some sites that show your IP such as

Make sure that IPv4 forwarding is enabled on the server side.


  • Disable masquerading in the vpn firewall zone: done & restart VPN interface
  • Disable masquerading in the wg0: done & restart wg0 interface
    (I understood here to enable it, sorry for my misunderstanding: Help with access point + wifi guest + wireguard (VPN)).
  • Add to the allowed IPs in the WG peer settings on the server side: done in server. I had Allowed IPs =, now I have Allowed IPs =,

Now I can see in my server side ( mosquitto broker an address like 192.168.2.x connected to, not always Thanks a lot. It is much better.

  • Ping "If you need this, then allow traffic forwarding from the firewall zone vpn to lan." It is not important for me, as I can connect to WIFI1 so I am in It was only for information. Maybe it is risky for me to allow traffic forwarding from vpn to lan. That way I am not sure if vpn will "go" to lan or to wg0. So I don't change anything here.

  • About "Perform traceroute from the client and/or check out some sites that show your IP such as" I can't check it as I can't connect to the internet when I am on WIFI_VPN. Let's see if with the next step I can reach the internet, and then I can check with traceroute

  • "Make sure that IPv4 forwarding is enabled on the server side" I have read in google cloud this: You can only enable IP forwarding when you create an instance, and enabling IP forwarding alone is not sufficient to cause the instance to forward packets. Its guest operating system must be configured as well.

So at this moment, I prefer not to do it. It is important, but not very important. Without internet access I suppose that my devices are in the tunnel, aren't they?

Thanks a lot @vgaetera I think I have reached my "limit" :joy:.

Maybe in a few days I could create another Google Cloud instance with IPv4 forwarding to check what you said, only to learn about it. (but I also need to configure Debian in the Google Cloud instance)

I need to write also the guide for everyone else.

Thanks a lot.


It is required only when using a commercial VPN provider.
No need for redundant masquerading on the client side with your own VPN server.
But you should enable masquerading on the server side in any case.

1 Like
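
A check for the end state the replies converge on (guest zone vpn forwarding only into wg0, no masquerading on vpn), run over the `uci show firewall` output requested in the diagnostics post. This is an added example, not part of any post in the thread; the function names, the pass/fail policy and the sample dump are assumptions, and it assumes LuCI-created anonymous sections (`@zone[N]`, `@forwarding[N]`).

```shell
#!/bin/sh
# Added example: audit `uci show firewall` output for the guest zone.
# Zone names lan/vpn/wg0 follow the thread; the dump itself is constructed.
sample_dump() {   # "early" appends vpn masquerading and a vpn=>lan forwarding
cat <<'EOF'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='vpn'
firewall.@zone[2]=zone
firewall.@zone[2].name='wg0'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='vpn'
firewall.@forwarding[0].dest='wg0'
EOF
[ "$1" = early ] || return 0
cat <<'EOF'
firewall.@zone[1].masq='1'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='vpn'
firewall.@forwarding[1].dest='lan'
EOF
}

# field FILE TYPE KEY VALUE WANT: print WANT from every anonymous TYPE section
# whose KEY equals VALUE, sorted and space-separated.
field() {
    awk -F"'" -v pre="firewall.@$2[" -v mk="$3" -v mv="$4" -v wk="$5" '
        index($1, pre) == 1 {
            split($1, p, /\./); key = p[3]; sub(/=$/, "", key)
            if (key == mk) m[p[2]] = $2
            if (key == wk) w[p[2]] = $2
        }
        END { for (i in m) if (m[i] == mv && (i in w)) print w[i] }
    ' "$1" | sort | tr '\n' ' ' | sed 's/ $//'
}

# audit FILE: OK only if zone vpn forwards solely into wg0 and is not masqueraded.
audit() {
    dests=$(field "$1" forwarding src vpn dest)
    masq=$(field "$1" zone name vpn masq)
    if [ "$dests" != wg0 ]; then echo "FAIL: vpn forwards to '$dests', expected only wg0"
    elif [ "$masq" = 1 ]; then echo "FAIL: masquerading enabled on zone vpn"
    else echo OK; fi
}

tmp=$(mktemp)
sample_dump early > "$tmp"; audit "$tmp"            # constructed misconfigured state
sample_dump > "$tmp"; audit "$tmp"; rm -f "$tmp"    # constructed corrected state
```

On the router, saving `uci show firewall` to a file and passing that file to `audit` runs the same check against the live configuration.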