How to configure WireGuard on dual WAN

Hello, I'm new here and this is my first time using OpenWrt. I used WireGuard instead of the L2TP server on my router, but WireGuard still can't access the internet and the LAN. What should I do next?

I use mwan3 and works fine.

default br-lan config page

wan1 is not shown on this page; its device name is eth1.
LAN1 is used as wan2 for PPPoE.

**ip route**
default via 192.168.235.254 dev eth1 proto static metric 100 
default via 172.16.0.1 dev pppoe-wan2 proto static metric 200 
172.16.0.1 dev pppoe-wan2 proto kernel scope link src 172.16.52.35 
172.17.22.0/24 dev docker0 proto kernel scope link src 172.17.22.1 linkdown 
192.168.123.0/24 dev br-lan.2 proto kernel scope link src 192.168.123.254 
192.168.235.128/25 dev eth1 proto static scope link metric 100 
**wireguard config**

[Interface]
PrivateKey = 8Hxv+tFB+cZfIlWmiU7Z6kcvuJSZuTSjHw7JOJfO7HM=
Address = 10.122.22.1
ListenPort = 27015
DNS = 192.168.123.254

[Peer]
PublicKey = hbZl55tD9kR5ZHWSsUrbIKtX3wv+qlT8MWwfkFv5wgQ=
# PresharedKey not used
AllowedIPs = 0.0.0.0/0
Endpoint = 192.168.235.149:27015
# PersistentKeepAlive not defined

Hello there!
I have many questions.

  1. What are you trying to achieve?
  2. Which device is running OpenWrt and what are the configurations of both devices?

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
  1. The diagram is overloaded with too much information for networks that don't matter.
  2. Why is there a Wireguard tunnel between 2 devices in the same lan?

Thank you. Following your instructions, my router generated the following information.

{
        "kernel": "5.15.150",
        "hostname": "ImmortalWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "CMCC RAX3000M eMMC version (custom U-Boot layout)",
        "board_name": "cmcc,rax3000m-emmc-ubootmod",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "ImmortalWrt",
                "version": "23.05.2",
                "revision": "r27625-416c8c5c91",
                "target": "mediatek/filogic",
                "description": "ImmortalWrt 23.05.2 r27625-416c8c5c91"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdde:29a1:5feb::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config device
        option name 'lan1'
        option macaddr 'xx:xx:xx:xx:e6:31'

config device
        option name 'lan2'
        option macaddr 'xx:xx:xx:xx:e6:31'

config device
        option name 'lan3'
        option macaddr 'xx:xx:xx:xx:e6:31'

config device
        option name 'eth1'
        option macaddr 'xx:xx:xx:xx:e6:34'

config interface 'wan'
        option device 'eth1'
        option proto 'static'
        option ipaddr '192.168.235.149'
        option netmask '255.255.255.128'
        option gateway '192.168.235.254'
        option broadcast '192.168.235.255'
        option metric '100'
        list dns '192.168.168.164'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1'

config bridge-vlan
        option device 'br-lan'
        option vlan '2'
        list ports 'lan2'
        list ports 'lan3'

config interface 'lan'
        option proto 'static'
        option device 'br-lan.2'
        option ipaddr '192.168.123.254'
        option netmask '255.255.255.0'

config interface 'wan2'
        option proto 'pppoe'
        option device 'br-lan.1'
        option username 'xxxxxxxxx'
        option password 'xxxxxxxxxx'
        option ipv6 'auto'
        option metric '200'

config interface 'docker'
        option device 'docker0'
        option proto 'none'
        option auto '0'

config device
        option type 'bridge'
        option name 'docker0'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'xxxxxxxxxxxxxxxxx'
        option listen_port '27015'
        list addresses '10.122.22.254'
        option metric '250'
        option ip4table 'default'

config wireguard_wg0
        option public_key 'xxxxxxxxxxxxxxxxxxxx'
        option private_key 'xxxxxxxxxxxxxxxxxx'
        option description 'day'
        list allowed_ips '0.0.0.0/0'
        option route_allowed_ips '1'
        option endpoint_port '27015'

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '8000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option min_cache_ttl '3600'
        option dns_redirect '1'
        option ednspacket_max '1232'
        list rebind_domain 'xxxxx.com'
        list rebind_domain 'xxxxx.com'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option start '100'
        option limit '150'
        option leasetime '12h'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'

package firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option flow_offloading '1'
        option flow_offloading_hw '1'
        option fullcone '1'
        option synflood_protect '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name '22'
        option family 'ipv4'
        option src 'wan'
        option src_dport '8022'
        option dest_port '22'
        option dest_ip '192.168.123.254'
        list proto 'tcp'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name '80'
        option family 'ipv4'
        list proto 'tcp'
        option src 'wan'
        option src_dport '8088'
        option dest_ip '192.168.123.254'
        option dest_port '80'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg0'
        option masq '1'
        option mtu_fix '1'

config zone
        option name 'wan'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan2'
        option masq '1'

config zone 'docker'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option name 'docker'
        list network 'docker'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name '8989'
        option family 'ipv4'
        list proto 'tcp'
        option src 'wan'
        option src_dport '8989'
        option dest_ip '192.168.123.254'
        option dest_port '8989'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config rule
        option name 'Allow-Wireguard'
        list proto 'udp'
        option src 'wan'
        option dest_port '27015'
        option target 'ACCEPT'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 192.168.235.149/25 brd 192.168.235.255 scope global eth1
       valid_lft forever preferred_lft forever
11: br-lan.2@br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.123.254/24 brd 192.168.123.255 scope global br-lan.2
       valid_lft forever preferred_lft forever
14: pppoe-wan2: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN group default qlen 3
    inet 172.16.26.210 peer 172.16.0.1/32 scope global pppoe-wan2
       valid_lft forever preferred_lft forever
17: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    inet 172.17.22.1/24 brd 172.17.22.255 scope global docker0
       valid_lft forever preferred_lft forever
21: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.122.22.254/32 brd 255.255.255.255 scope global wg0
       valid_lft forever preferred_lft forever
default via 192.168.235.254 dev eth1 table 1 proto static metric 100 
172.17.22.0/24 dev docker0 table 1 proto kernel scope link src 172.17.22.1 linkdown 
192.168.123.0/24 dev br-lan.2 table 1 proto kernel scope link src 192.168.123.254 
192.168.235.128/25 dev eth1 table 1 proto static scope link metric 100 
default via 172.16.0.1 dev pppoe-wan2 table 2 proto static metric 200 
172.16.0.1 dev pppoe-wan2 table 2 proto kernel scope link src 172.16.26.210 
172.17.22.0/24 dev docker0 table 2 proto kernel scope link src 172.17.22.1 linkdown 
192.168.123.0/24 dev br-lan.2 table 2 proto kernel scope link src 192.168.123.254 
172.17.22.0/24 dev docker0 table 3 proto kernel scope link src 172.17.22.1 linkdown 
192.168.123.0/24 dev br-lan.2 table 3 proto kernel scope link src 192.168.123.254 
default dev wg0 table default proto static scope link metric 250 
10.122.22.254 dev wg0 table default proto static scope link metric 250 
default via 192.168.235.254 dev eth1 proto static metric 100 
default via 172.16.0.1 dev pppoe-wan2 proto static metric 200 
172.16.0.1 dev pppoe-wan2 proto kernel scope link src 172.16.26.210 
172.17.22.0/24 dev docker0 proto kernel scope link src 172.17.22.1 linkdown 
192.168.123.0/24 dev br-lan.2 proto kernel scope link src 192.168.123.254 
192.168.235.128/25 dev eth1 proto static scope link metric 100 
local 10.122.22.254 dev wg0 table local proto kernel scope host src 10.122.22.254 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
local 172.16.26.210 dev pppoe-wan2 table local proto kernel scope host src 172.16.26.210 
local 172.17.22.1 dev docker0 table local proto kernel scope host src 172.17.22.1 
broadcast 172.17.22.255 dev docker0 table local proto kernel scope link src 172.17.22.1 linkdown 
local 192.168.123.254 dev br-lan.2 table local proto kernel scope host src 192.168.123.254 
broadcast 192.168.123.255 dev br-lan.2 table local proto kernel scope link src 192.168.123.254 
local 192.168.235.149 dev eth1 table local proto kernel scope host src 192.168.235.149 
broadcast 192.168.235.255 dev eth1 table local proto kernel scope link src 192.168.235.149 
0:      from all lookup local
1001:   from all iif eth1 lookup 1
1002:   from all iif pppoe-wan2 lookup 2
1003:   from all iif wg0 lookup 3
2001:   from all fwmark 0x100/0x3f00 lookup 1
2002:   from all fwmark 0x200/0x3f00 lookup 2
2003:   from all fwmark 0x300/0x3f00 lookup 3
2061:   from all fwmark 0x3d00/0x3f00 blackhole
2062:   from all fwmark 0x3e00/0x3f00 unreachable
3001:   from all fwmark 0x100/0x3f00 unreachable
3002:   from all fwmark 0x200/0x3f00 unreachable
3003:   from all fwmark 0x300/0x3f00 unreachable
10000:  from 10.122.22.254 lookup default
20000:  from all to 10.122.22.254 lookup default
32766:  from all lookup main
32767:  from all lookup default
90021:  from all iif lo lookup default
lrwxrwxrwx    1 root     root            16 Mar 26 13:51 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            47 May 10 15:04 /tmp/resolv.conf
lrwxrwxrwx    1 root     root            35 May 10 15:04 /tmp/resolv.conf.auto -> /tmp/resolv.conf.d/resolv.conf.auto
-rw-r--r--    1 root     root           192 May 10 15:04 /tmp/resolv.conf.d/resolv.conf.auto
-rw-r--r--    1 root     root            51 May 10 15:04 /tmp/resolv.conf.ppp

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root           192 May 10 15:04 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.auto <==
# Interface wan2_6
nameserver 2409:8057:2000:2::8
nameserver 2409:8057:2000:6::8
# Interface wan
nameserver 192.168.168.164
# Interface wan2
nameserver 211.136.192.6
nameserver 120.196.165.24

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.ppp <==
nameserver 211.136.192.6
nameserver 120.196.165.24

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface wan2_6
nameserver 2409:8057:2000:2::8
nameserver 2409:8057:2000:6::8
# Interface wan
nameserver 192.168.168.164
# Interface wan2
nameserver 211.136.192.6
nameserver 120.196.165.24

I used unencrypted L2TP with 2 WAN connections for about 6 years with my old router. I got a new router using OpenWrt last month. Now I use WireGuard to replace the unencrypted L2TP tunnel.

I want to use the tunnel from my workplace's network, computer and mobile devices.

All traffic through WireGuard to the internet with PPPoE, and the LAN must include my workplace's network, because some sites are useful inside the workplace network, and I don't need the internet connection from the workplace in WireGuard.
I tested with the L2TP tunnel; mwan3 is running correctly.

WireGuard took me almost a month to configure on the router. I referred to a lot of documentation, but WireGuard is still unable to run.
1. WireGuard traffic can't go through the router gateway.
2. Devices outside the WireGuard tunnel can't ping the WireGuard client.
3. WireGuard client traffic can only operate within the router subnet.

Trendy, question 3: "Why is there a Wireguard tunnel between 2 devices in the same lan?"
I used L2TP tunneling like this before. I think it's called "VPN borrow line"?

If I understand correctly, the tunnel is merely used to provide the OpenWrt as gateway to the wireguard client.
Hence the configuration of wireguard on OpenWrt is wrong.
Change allowed_ips:

remove ip4table

Also masq and mtu_fix are not needed in lan zone.

It appears you are using firmware that is not from the official OpenWrt project.

When using forks/offshoots/vendor-specific builds that are "based on OpenWrt", there may be many differences compared to the official versions (hosted by OpenWrt.org). Some of these customizations may fundamentally change the way that OpenWrt works. You might need help from people with specific/specialized knowledge about the firmware you are using, so it is possible that advice you get here may not be useful.

You may find that the best options are:

  1. Install an official version of OpenWrt, if your device is supported (see https://firmware-selector.openwrt.org).
  2. Ask for help from the maintainer(s) or user community of the specific firmware that you are using.
  3. Provide the source code for the firmware so that users on this forum can understand how your firmware works (OpenWrt forum users are volunteers, so somebody might look at the code if they have time and are interested in your issue).

If you believe that this specific issue is common to generic/official OpenWrt and/or the maintainers of your build have indicated as such, please feel free to clarify.

Official versions support my router; I will try it later, thanks.

Source code here : https://github.com/immortalwrt/immortalwrt

list allowed_ips '10.122.22.1/32'
This is the WireGuard client config. I replaced this, and WireGuard cannot handshake or access anything.

USE:
list allowed_ips '10.122.22.0/24,192.168.123.0/24'
OR
list allowed_ips '0.0.0.0/0'
And this command
iptables -t nat -A POSTROUTING -s 10.122.22.0/24 -o br-lan.2 -j MASQUERADE

Devices under the router subnet and the WireGuard client can access each other.

But the network traffic can't go through the WAN. I will try the official OpenWrt firmware.

The modifications I wrote earlier apply to OpenWrt with Wireguard server.

Hello, I flashed the newest stable firmware of OpenWrt, and the config output is below.

{
        "kernel": "5.15.150",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "CMCC RAX3000M",
        "board_name": "cmcc,rax3000m",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "mediatek/filogic",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fde3:0d89:e153::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan2'
        list ports 'lan3'

config device
        option name 'lan1'
        option macaddr 'xx:xx:xx:xx:e6:31'

config device
        option name 'lan2'
        option macaddr 'xx:xx:xx:xx:e6:31'

config device
        option name 'lan3'
        option macaddr 'xx:xx:xx:xx:e6:31'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.123.254'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth1'
        option macaddr 'xx:xx:xx:xx:e6:34'

config interface 'wan'
        option device 'eth1'
        option proto 'static'
        option ipaddr '192.168.235.149'
        option netmask '255.255.255.128'
        option gateway '192.168.235.254'
        option broadcast '192.168.235.255'
        option metric '100'
        list dns '192.168.168.164'

config interface 'wan2'
        option proto 'pppoe'
        option device 'lan1'
        option username 'xxxxxx'
        option password 'xxxxxx'
        option ipv6 'auto'
        option metric '200'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'xxxxxxxxxQOHf5yGg='
        option listen_port '27015'
        option metric '250'
        list addresses '10.22.22.254/24'

config wireguard_wg0
        option description 'day'
        option public_key 'xxxxxxxxxxxxGc/uZnE='
        option private_key 'xxxxxxxxxxnvWpX00='
        option route_allowed_ips '1'
        option endpoint_port '27015'
        list allowed_ips '0.0.0.0/0'

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        list rebind_domain 'xxxxxx.com'
        list rebind_domain 'xxxxxx.com'
        list rebind_domain 'xxxxxx.com'
        list rebind_domain 'xxxxxx.com'
        list rebind_domain 'xxxxxx.com'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option start '100'
        option limit '150'
        option leasetime '12h'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

package firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg0'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan2'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name '80'
        option family 'ipv4'
        list proto 'tcp'
        option src 'wan'
        option src_dport '8088'
        option dest_ip '192.168.123.254'
        option dest_port '80'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name '22'
        option family 'ipv4'
        list proto 'tcp'
        option src 'wan'
        option src_dport '8022'
        option dest_ip '192.168.123.254'
        option dest_port '22'

config rule
        option name 'Allow-Wireguard'
        list proto 'udp'
        option dest_port '27015'
        option target 'ACCEPT'
        option family 'ipv4'
        option src 'wan'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name '7681'
        option family 'ipv4'
        list proto 'tcp'
        option src 'wan'
        option src_dport '7681'
        option dest_port '7681'
        option dest_ip '192.168.123.254'

config nat
        option name 'wireguard'
        option src 'lan'
        option target 'MASQUERADE'
        list proto 'all'
        option dest_ip '10.122.22.0/24'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 192.168.235.149/25 brd 192.168.235.255 scope global eth1
       valid_lft forever preferred_lft forever
9: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.123.254/24 brd 192.168.123.255 scope global br-lan
       valid_lft forever preferred_lft forever
13: pppoe-wan2: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN group default qlen 3
    inet 172.16.24.229 peer 172.16.0.1/32 scope global pppoe-wan2
       valid_lft forever preferred_lft forever
17: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.22.22.254/24 brd 10.22.22.255 scope global wg0
       valid_lft forever preferred_lft forever
default via 192.168.235.254 dev eth1 table 1 proto static metric 100 
192.168.123.0/24 dev br-lan table 1 proto kernel scope link src 192.168.123.254 
192.168.235.128/25 dev eth1 table 1 proto static scope link metric 100 
default via 172.16.0.1 dev pppoe-wan2 table 2 proto static metric 200 
172.16.0.1 dev pppoe-wan2 table 2 proto kernel scope link src 172.16.24.229 
192.168.123.0/24 dev br-lan table 2 proto kernel scope link src 192.168.123.254 
default dev wg0 table 3 proto static scope link metric 250 
10.22.22.0/24 dev wg0 table 3 proto static scope link metric 250 
192.168.123.0/24 dev br-lan table 3 proto kernel scope link src 192.168.123.254 
default via 192.168.235.254 dev eth1 proto static metric 100 
default via 172.16.0.1 dev pppoe-wan2 proto static metric 200 
default dev wg0 proto static scope link metric 250 
10.22.22.0/24 dev wg0 proto static scope link metric 250 
172.16.0.1 dev pppoe-wan2 proto kernel scope link src 172.16.24.229 
192.168.123.0/24 dev br-lan proto kernel scope link src 192.168.123.254 
192.168.235.128/25 dev eth1 proto static scope link metric 100 
local 10.22.22.254 dev wg0 table local proto kernel scope host src 10.22.22.254 
broadcast 10.22.22.255 dev wg0 table local proto kernel scope link src 10.22.22.254 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
local 172.16.24.229 dev pppoe-wan2 table local proto kernel scope host src 172.16.24.229 
local 192.168.123.254 dev br-lan table local proto kernel scope host src 192.168.123.254 
broadcast 192.168.123.255 dev br-lan table local proto kernel scope link src 192.168.123.254 
local 192.168.235.149 dev eth1 table local proto kernel scope host src 192.168.235.149 
broadcast 192.168.235.255 dev eth1 table local proto kernel scope link src 192.168.235.149 

0:      from all lookup local
1001:   from all iif eth1 lookup 1
1002:   from all iif pppoe-wan2 lookup 2
1003:   from all iif wg0 lookup 3
2001:   from all fwmark 0x100/0x3f00 lookup 1
2002:   from all fwmark 0x200/0x3f00 lookup 2
2003:   from all fwmark 0x300/0x3f00 lookup 3
2061:   from all fwmark 0x3d00/0x3f00 blackhole
2062:   from all fwmark 0x3e00/0x3f00 unreachable
3001:   from all fwmark 0x100/0x3f00 unreachable
3002:   from all fwmark 0x200/0x3f00 unreachable
3003:   from all fwmark 0x300/0x3f00 unreachable
32766:  from all lookup main
32767:  from all lookup default

lrwxrwxrwx    1 root     root            16 Mar 22 22:09 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            47 May 13 02:33 /tmp/resolv.conf
-rw-r--r--    1 root     root           192 May 13 02:02 /tmp/resolv.conf.d/resolv.conf.auto
-rw-r--r--    1 root     root            51 May 13 02:02 /tmp/resolv.conf.ppp

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root           192 May 13 02:02 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.ppp <==
nameserver 211.136.192.6
nameserver 120.196.165.24

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface wan2_6
nameserver 2409:8057:2000:2::8
nameserver 2409:8057:2000:6::8
# Interface wan
nameserver 192.168.168.164
# Interface wan2
nameserver 211.136.192.6
nameserver 120.196.165.24

But WireGuard traffic only stays on the router subnet and has no internet connection.

Wireshark tracking the laptop in the router subnet with SSH remote capture.

You are configuring a Wireguard server, not a client.

Thank you, trendy. WireGuard is working correctly now. I misunderstood the meaning earlier.
After installing WireGuard, my router went into recovery mode; I thought it was going to break, but it ran normally after a power off.

No need to add the WireGuard interface in mwan3, just add the input rule for the WireGuard port.

That's right! I'm glad you got it working well now :slight_smile:

Yes, but WireGuard can't use the router's DNS server (192.168.123.254). Maybe a DNS proxy is needed?

Did you configure it in the WireGuard client correctly?

The OpenDNS IP is working in the client. I tried each WAN's DNS server IP and they all work correctly. The client can access the router subnet, but the router's local DNS does not work in the client.

Apply this and try it again.

uci set dhcp.@dnsmasq[0].localservice="0"
uci commit dhcp
service dnsmasq restart
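The thread's fixes come down to a handful of settings in the `uci export` dump: the server-side peer's `allowed_ips`/`route_allowed_ips` (which put a `default dev wg0` route on the router), the `ip4table` option on `wg0`, `masq`/`mtu_fix` on the lan zone, the wan input rule for the listen port, and the dnsmasq `localservice` setting just above. The script below is an added example, not code from the thread or from the OpenWrt project: it parses a `uci export` dump and reports those conditions so a change can be checked before it is committed. The embedded sample config is constructed, cut down from the first dump in the thread with keys redacted, and the finding codes and messages are this example's own.

```python
"""Lint an OpenWrt `uci export` dump for the WireGuard-server pitfalls raised
in this thread.  Added example, not code from the thread or from OpenWrt."""
import shlex


def parse_uci_export(text):
    """Parse `uci export` output (package / config / option / list lines) into a
    list of dicts: package, type, name (None if anonymous), options, lists."""
    sections, package = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = shlex.split(line)  # handles the single-quoted values
        kind, rest = words[0], words[1:]
        if kind == "package":
            package = rest[0]
        elif kind == "config":
            sections.append({"package": package, "type": rest[0],
                             "name": rest[1] if len(rest) > 1 else None,
                             "options": {}, "lists": {}})
        elif kind == "option" and sections:
            sections[-1]["options"][rest[0]] = rest[1] if len(rest) > 1 else ""
        elif kind == "list" and sections:
            sections[-1]["lists"].setdefault(rest[0], []).append(
                rest[1] if len(rest) > 1 else "")
    return sections


def _accepts_udp_input(sec, port):
    """A firewall rule with src wan and no dest zone is an input rule."""
    o, l = sec["options"], sec["lists"]
    protos = l.get("proto", []) + ([o["proto"]] if "proto" in o else [])
    return (sec["type"] == "rule" and o.get("src") == "wan" and "dest" not in o
            and o.get("target") == "ACCEPT" and o.get("dest_port") == port
            and any(p in ("udp", "all") for p in protos))


def lint_wireguard_server(sections):
    """Return (code, message) pairs; an empty list means none of the pitfalls apply."""
    findings = []
    net = [s for s in sections if s["package"] == "network"]
    fw = [s for s in sections if s["package"] == "firewall"]
    for iface in net:
        if iface["type"] != "interface" or iface["options"].get("proto") != "wireguard":
            continue
        name = iface["name"]
        if "ip4table" in iface["options"]:
            findings.append(("ip4table", f"{name}: ip4table is set; remove it so the "
                             "tunnel uses the main routing table"))
        for peer in net:  # peers of this interface are sections of type wireguard_<name>
            if peer["type"] != f"wireguard_{name}":
                continue
            allowed = peer["lists"].get("allowed_ips", [])
            if peer["options"].get("route_allowed_ips") == "1" and \
                    any(a in ("0.0.0.0/0", "::/0") for a in allowed):
                findings.append(("default-route-peer", f"{name} peer {allowed}: 0.0.0.0/0 "
                                 f"with route_allowed_ips=1 installs a default route over {name} "
                                 "on the router; list only the client's tunnel address"))
        port = iface["options"].get("listen_port")
        if port and not any(_accepts_udp_input(s, port) for s in fw):
            findings.append(("no-input-rule", f"{name}: no firewall rule accepts UDP {port} "
                             "from wan, so remote handshakes are dropped"))
    for zone in fw:
        if zone["type"] == "zone" and zone["options"].get("name") == "lan":
            for opt in ("masq", "mtu_fix"):
                if zone["options"].get(opt) == "1":
                    findings.append((f"lan-{opt}", f"lan zone: {opt}=1 is not needed "
                                     "when the tunnel interface is a member of lan"))
    for sec in sections:
        if sec["package"] == "dhcp" and sec["type"] == "dnsmasq" \
                and sec["options"].get("localservice") == "1":
            findings.append(("dns-localservice", "dnsmasq localservice=1: in this thread "
                             "tunnel clients could not use the router's DNS until it was 0"))
    return findings


def lint_text(text):
    return lint_wireguard_server(parse_uci_export(text))


# Constructed sample, cut down from the first dump in the thread (keys redacted).
SAMPLE_BEFORE = """
package network
config interface 'wg0'
        option proto 'wireguard'
        option listen_port '27015'
        list addresses '10.122.22.254'
        option ip4table 'default'
config wireguard_wg0
        option public_key 'REDACTED'
        list allowed_ips '0.0.0.0/0'
        option route_allowed_ips '1'
package dhcp
config dnsmasq
        option localservice '1'
package firewall
config zone
        option name 'lan'
        list network 'lan'
        list network 'wg0'
        option masq '1'
        option mtu_fix '1'
config rule
        option name 'Allow-Wireguard'
        list proto 'udp'
        option src 'wan'
        option dest_port '27015'
        option target 'ACCEPT'
"""

if __name__ == "__main__":
    for code, msg in lint_text(SAMPLE_BEFORE):
        print(f"[{code}] {msg}")
```

Run it against `uci export network; uci export dhcp; uci export firewall` piped into `lint_text`; on the sample it reports `ip4table`, `default-route-peer`, `lan-masq`, `lan-mtu_fix` and `dns-localservice`, and nothing once those five settings are changed the way the thread suggests. The parser only understands the `package`/`config`/`option`/`list` lines that `uci export` emits; it is not a general UCI parser.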

Local DNS worked, thanks very much.

In LuCI: Network => DHCP/DNS => Filter => deselect "Local service only".

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

The router is down again and I can't remote into it. The last time was about 12 hours ago; maybe the router entered recovery mode. I have never encountered this before since the router was flashed with OpenWrt 23.05.3 :upside_down_face: :upside_down_face:

I just installed:

luci-app-mwan3
luci-proto-wireguard
luci-app-ttyd
luci-app-attendedsysupgrade
tcpdump
block-mount