Help with configuring wireguard via wi-fi

Hello everyone. Currently my device provides internet over Wi-Fi (the internet comes in over ethernet and is shared out over Wi-Fi). There is also a configured and working wireguard connection on the device. Please tell me what needs to be configured so that my Wi-Fi clients also go out through the wireguard connection. Thank you.

root@OpenWrt:~# ubus call system board
{
        "kernel": "5.10.221",
        "hostname": "OpenWrt",
        "system": "ARMv7 Processor rev 2 (v7l)",
        "model": "TI AM335x BeagleBone Black",
        "board_name": "ti,am335x-bone-black",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.7",
                "revision": "r20341-591b7e93d3",
                "target": "omap/generic",
                "description": "OpenWrt 22.03.7 r20341-591b7e93d3"
        }
}
root@OpenWrt:~#  cat /etc/config/network 

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fde7:9c55:33d1::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.8.2'
        option gateway '192.168.8.1'
        list dns '192.168.8.1'
        option metric '0'

config interface 'wg0'
        option proto 'wireguard'
        list addresses '10.8.0.34/24'
        list dns '1.1.1.1'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        option metric '0'
        option auto '0'

config wireguard_wg0
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        option preshared_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
        list allowed_ips '0.0.0.0/0'
        option route_allowed_ips '1'
        option endpoint_host 'XX.XXX.XXX.XX'
        option persistent_keepalive '25'
        option endpoint_port '51820'
        option public_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
root@OpenWrt:~#  cat /etc/config/wireless 

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/ocp/47400000.target-module/47401c00.usb/musb-hdrc.1/usb1/1-1/1-1:1.0'
        option band '2g'
        option htmode 'HT20'
        option channel '9'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt_AP_2G'
        option encryption 'psk2'
        option key '12345678'
root@OpenWrt:~#  cat /etc/config/firewall 

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        list network 'lan'
        option forward 'ACCEPT'

config zone
        option name 'wg'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        list network 'wg0'
        option input 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'wg'
root@OpenWrt:~#  ping -I wg0 eth0.me
PING eth0.me (172.67.168.150): 56 data bytes
64 bytes from 172.67.168.150: seq=0 ttl=59 time=65.455 ms
64 bytes from 172.67.168.150: seq=1 ttl=59 time=70.655 ms
64 bytes from 172.67.168.150: seq=2 ttl=59 time=66.170 ms
64 bytes from 172.67.168.150: seq=3 ttl=59 time=66.730 ms
64 bytes from 172.67.168.150: seq=4 ttl=59 time=74.117 ms
^C
--- eth0.me ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 65.455/68.625/74.117 ms

This has been discussed many times.

Currently, your wireless clients are directly bridged to the main router, bypassing the wireguard tunnel.

You need to create a separate wireless network and the easiest way is to follow the guide Guest Wi-Fi on a Dumb Wireless AP.


Thanks for this guide. I reconfigured my device according to it, and internet on my Wi-Fi client appeared. But when I turn on wireguard, the internet disappears. While this happens, ping from my Wi-Fi client shows the following.

PING google.com (209.85.233.113) 56(84) bytes of data.
From _gateway (192.168.2.1) icmp_seq=1 Destination Port Unreachable
From _gateway (192.168.2.1) icmp_seq=2 Destination Port Unreachable
From _gateway (192.168.2.1) icmp_seq=3 Destination Port Unreachable
From _gateway (192.168.2.1) icmp_seq=4 Destination Port Unreachable
From _gateway (192.168.2.1) icmp_seq=5 Destination Port Unreachable
^C
--- google.com ping statistics ---
5 packets transmitted, 0 received, +5 errors, 100% packet loss, time 4006ms
root@OpenWrt:~#  cat /etc/config/network 

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fde7:9c55:33d1::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.8.2'
	option gateway '192.168.8.1'
	list dns '192.168.8.1'
	option metric '0'

config interface 'wg0'
	option proto 'wireguard'
	list addresses '10.8.0.34/24'
	list dns '1.1.1.1'
	option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
	option metric '0'
	option auto '0'

config wireguard_wg0
	option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
	option preshared_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
	option endpoint_host '94.142.137.88'
	option persistent_keepalive '25'
	option endpoint_port '51820'
	option public_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'

config device
	option type 'bridge'
	option name 'br-guest'
	option bridge_empty '1'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
root@OpenWrt:~#  cat /etc/config/firewall

config defaults
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option input 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	list network 'lan'
	option forward 'ACCEPT'
	option masq '1'

config zone
	option name 'guest'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'
	option input 'REJECT'

config forwarding
	option src 'guest'
	option dest 'lan'

config rule
	option name 'Guest_DHCP'
	list proto 'udp'
	option src 'guest'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'Guest_DNS'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Block_Guest_from_Lan'
	option src 'guest'
	option dest 'lan'
	list dest_ip '192.168.8.0/24'
	option target 'REJECT'
root@OpenWrt:~# cat /etc/config/wireless 

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/ocp/47400000.target-module/47401c00.usb/musb-hdrc.1/usb1/1-1/1-1:1.0'
        option band '2g'
        option htmode 'HT20'
        option channel '9'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'OpenWrt_AP_2G'
        option encryption 'psk2'
        option key '12345678'
        option network 'guest'

Add wg0 to the lan firewall zone.


Thank you. It's working! But for some reason some sites do not open from my Wi-Fi client, for example:

 curl html.duckduckgo.com -vvv
* Host html.duckduckgo.com:80 was resolved.
* IPv6: (none)
* IPv4: 52.142.124.215
*   Trying 52.142.124.215:80...
* Connected to html.duckduckgo.com (52.142.124.215) port 80
> GET / HTTP/1.1
> Host: html.duckduckgo.com
> User-Agent: curl/8.8.0
> Accept: */*
> 
* Request completely sent off
* Recv failure: Connection reset by peer
* Closing connection
curl: (56) Recv failure: Connection reset by peer

From my observations: if I first run a tracepath to the site, then afterwards the site begins to open.

 tracepath -n html.duckduckgo.com
 1?: [LOCALHOST]                      pmtu 1500
 1:  192.168.2.1                                           2.790ms 
 1:  192.168.2.1                                           1.638ms 
 2:  192.168.2.1                                           1.572ms pmtu 1420
 2:  10.8.0.1                                             91.008ms 
 3:  no reply

And afterwards the site opens:

curl html.duckduckgo.com -vvv
* Host html.duckduckgo.com:80 was resolved.
* IPv6: (none)
* IPv4: 52.142.124.215
*   Trying 52.142.124.215:80...
* Connected to html.duckduckgo.com (52.142.124.215) port 80
> GET / HTTP/1.1
> Host: html.duckduckgo.com
> User-Agent: curl/8.8.0
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 301 Moved Permanently
< Server: nginx
< Date: Tue, 04 Mar 2025 19:51:30 GMT
< Content-Type: text/html
< Content-Length: 162
< Connection: keep-alive
< Location: https://html.duckduckgo.com/
< Permissions-Policy: interest-cohort=()
< Content-Security-Policy: default-src 'none' ; connect-src  https://duckduckgo.com https://*.duckduckgo.com https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/ https://spreadprivacy.com ; manifest-src  https://duckduckgo.com https://*.duckduckgo.com https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/ https://spreadprivacy.com ; media-src  https://duckduckgo.com https://*.duckduckgo.com https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/ https://spreadprivacy.com ; script-src blob:  https://duckduckgo.com https://*.duckduckgo.com https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/ https://spreadprivacy.com 'unsafe-inline' 'unsafe-eval' ; font-src data:  https://duckduckgo.com https://*.duckduckgo.com https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/ https://spreadprivacy.com ; img-src data:  https://duckduckgo.com https://*.duckduckgo.com https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/ https://spreadprivacy.com ; style-src  https://duckduckgo.com https://*.duckduckgo.com https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/ https://spreadprivacy.com 'unsafe-inline' ; object-src 'none' ; worker-src blob: ; child-src blob:  https://duckduckgo.com https://*.duckduckgo.com https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/ https://spreadprivacy.com ; frame-src blob:  https://duckduckgo.com https://*.duckduckgo.com https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/ https://spreadprivacy.com ; form-action  https://duckduckgo.com https://*.duckduckgo.com https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/ https://spreadprivacy.com ; frame-ancestors 'self' https://html.duckduckgo.com; base-uri 'self' ; block-all-mixed-content ;
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1;mode=block
< X-Content-Type-Options: nosniff
< Referrer-Policy: origin
< Expect-CT: max-age=0
< Expires: Wed, 04 Mar 2026 19:51:30 GMT
< Cache-Control: max-age=31536000
< 
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>
* Connection #0 to host html.duckduckgo.com left intact

That all looks normal. Like many sites, the web server refuses to serve plain http; instead it redirects the connection to https. curl should then have continued by connecting to https://duckduckgo.com. If you specify https in the first place, does it just fail immediately? That could be the VPN server blocking that site.

Try enabling MSS clamping on the lan zone or lowering the wireguard MTU.


Thanks everyone! The site started opening once I activated MSS clamping on the lan zone; alternatively, setting an MTU below 1500 on the clients (for example 1420) also works. In the end, I left MSS clamping enabled.
I have one last question about setting up my device. How can I make the web panel available from the guest network?

Set the default input policy of the guest zone to ACCEPT (which exposes every service listening on the router to guest clients), or — more narrowly — create a traffic rule allowing connections from the guest zone to tcp destination ports 80 and 443 only.
