How to connect to a computer using WireGuard

The client router's WAN gets the address 121.185.53.xxx over DHCP.
I want to pass this through WireGuard to 192.168.1.2 on the server's LAN,
so that the computer connected to the server appears on the internet as 121.185.53.xxx.

list allowed_ips needs changing to '0.0.0.0/0'. On the 'client' device you need to add a forward from the wireguard zone to the wan zone.


I also tried this method.
The result is the same.

But let's try again......

Do I understand correctly that the host 192.168.1.2 in server's lan must browse the internet and be visible to others with the IP 121.185.... that the client side wan has?
Is it only for outgoing traffic or you want incoming too?


Only the 192.168.1.2 address needs to use the 121.185 internet connection. ^^

On server side fix it like this:

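On the client, add a wg->wan forwarding in the firewall.
Remove the masquerade and mtu_fix options from the lan and wg zones.
Remove unnecessary forwardings (wan->wg or wan->lan) and set input and forward to REJECT in the wan zones, so that the routers' own services and the networks behind them are not reachable from the internet.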


Thank you very much for your efforts. I solved it. I will donate for the penguin! Link Please.

I am glad you made it!
https://openwrt.org/inbox/donate#monetary_donations


Also please tell me how to return the original address when replacing 192.168.1.2/32 with 192.168.1.1/32 IP on computer. (192.168.1.1-> 14.50.148.XXX)

Not sure if I understood the question. If you change the IP of the PC from 1.2 to 1.1 then the above rule will not take place and will be routed as usual.


Changed from 1.2 to 1.1. Internet is not working.

In addition, using the 10.66.66.10/32 address value does not work. /32 If I need to change the value, what should I do? Sorry for the many questions.

Post here again the output of
uci export network; uci export firewall; ip -4 addr; ip -4 ru; ip -4 ro
from both client and server (redact the private keys and public IP addresses before posting).


Server network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd15:5672:3a87::/48'
	option multipath 'disable'
	option mptcp_path_manager 'fullmesh'
	option mptcp_scheduler 'default'
	option mptcp_checksum '0'
	option mptcp_debug '0'
	option mptcp_syn_retries '5'
	option mptcp_fullmesh_num_subflows '1'
	option mptcp_fullmesh_create_on_err '1'
	option mptcp_ndiffports_num_subflows '1'
	option congestion 'cubic'

config interface 'wan'
	option proto 'dhcp'
	option multipath 'off'
	option peerdns '0'
	option ifname 'eth0'

config interface 'lan'
	option proto 'static'
	option multipath 'off'
	option netmask '255.255.254.0'
	option ipaddr '192.168.0.40'
	option ifname 'eth1'

config interface 'wg0'
	option proto 'wireguard'
	option listen_port '51820'
	option private_key '<KEY>'
	option multipath 'off'
	list addresses '10.66.66.1/24'

# Peer entry for the remote (client) router. No endpoint is configured, so the
# server cannot initiate the tunnel and waits for the client to connect.
config wireguard_wg0
	option description 'Client'
	option public_key '<KEY>'
	# 0.0.0.0/0: any IPv4 source is accepted from this peer, and any packet
	# routed into wg0 is sent to it. route_allowed_ips is not set, so this
	# entry does not by itself add a default route to the main table.
	list allowed_ips '0.0.0.0/0'

# Policy routing: packets that arrive on lan with source 192.168.1.2 are looked
# up in routing table 100 instead of the main table. The lan interface above is
# 192.168.0.40 with netmask 255.255.254.0, which covers 192.168.1.2.
config rule
	option in 'lan'
	option src '192.168.1.2/32'
	option lookup '100'

# Table 100 holds only a default route through the tunnel, so the single host
# matched by the rule above leaves via wg0; all other hosts use the main table.
config route
	option interface 'wg0'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option table '100'

Server firewall

# Global fallback policies. NOTE(review): forward 'ACCEPT' here means traffic
# that no zone or forwarding section handles is still forwarded; a restrictive
# default (REJECT) with explicit 'config forwarding' sections is safer.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	# masq (source NAT) and mtu_fix (MSS clamping) are set on the lan zone
	# here; the replies in this thread ask for both to be removed from the
	# lan and wg zones and placed on the wan zone instead.
	option masq '1'
	option network 'lan'
	option mtu_fix '1'

# NOTE(review): input and forward are ACCEPT on the internet-facing zone, so
# services running on the router are reachable from wan and the Allow-* rules
# further down add nothing. The advice given earlier in the thread is to set
# both to REJECT. This zone also has no masq at this point.
config zone
	option name 'wan'
	option network 'wan'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option mtu_fix '1'

config redirect
	option enabled '1'

config rule
	option enabled '1'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config include 'unblockmusic'
	option type 'script'
	option path '/var/etc/unblockmusic.include'
	option reload '1'

config redirect
	option target 'DNAT'
	option proto 'tcp udp'
	option src 'wan'
	option src_dport '80'
	option dest 'lan'
	option dest_port '80'

config redirect
	option target 'DNAT'
	option name '2'
	option proto 'tcp udp'
	option src 'wan'
	option src_dport '80'
	option dest 'wan'
	option dest_port '80'

# Firewall zone for the tunnel interface. mtu_fix and masq are set here; the
# thread asks for both to be removed from the wg zone.
config zone
	option name 'wg0'
	option output 'ACCEPT'
	option mtu_fix '1'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option network 'wg0'
	option masq '1'

# Input rule for the WireGuard listen port (51820/udp, matching listen_port in
# the network config). src '*' accepts it from every zone, not only wan.
config rule
	option src '*'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '51820'
	option name 'Allow-Wireguard-Inbound'

Client network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd15:5672:3a87::/48'
	option multipath 'disable'
	option mptcp_path_manager 'fullmesh'
	option mptcp_scheduler 'default'
	option mptcp_checksum '0'
	option mptcp_debug '0'
	option mptcp_syn_retries '5'
	option mptcp_fullmesh_num_subflows '1'
	option mptcp_fullmesh_create_on_err '1'
	option mptcp_ndiffports_num_subflows '1'
	option congestion 'cubic'

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'

config interface 'wg0'
	option proto 'wireguard'
	option private_key '<KEY>'
	option listen_port '51820'
	option multipath 'off'
	list addresses '10.66.66.2/24'

# Peer 'mobile': only source address 10.66.66.11 is accepted from it, and
# route_allowed_ips installs a route for that address through wg0.
config wireguard_wg0
	option description 'mobile'
	option public_key '<KEY>'
	option route_allowed_ips '1'
	list allowed_ips '10.66.66.11/32'

# Peer for the server router; the client initiates the tunnel to this endpoint.
config wireguard_wg0
	option description 'server'
	option public_key '<KEY>'
	option endpoint_host '<host ip>'
	option endpoint_port '51820'
	option route_allowed_ips '1'
	# WireGuard drops packets received from a peer whose source address is not
	# in that peer's allowed_ips. Only 192.168.1.2 and the server's tunnel
	# address 10.66.66.1 are listed, so a host using another address (for
	# example 192.168.1.1) is not accepted until it is added here and the
	# server's 'config rule' src is changed to match.
	list allowed_ips '192.168.1.2/32'
	list allowed_ips '10.66.66.1/32'

config interface 'lan'
	option proto 'static'
	option multipath 'off'
	option ifname 'eth0'
	option ipaddr '192.168.0.1'
	option netmask '255.255.254.0'

Client firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# Client wan zone: masquerades traffic leaving to the internet, which is what
# makes the tunnelled host appear with the client's public address.
# NOTE(review): input and forward are ACCEPT on the internet-facing zone; the
# thread's advice is REJECT for both. mtu_fix is not set yet at this point.
config zone
	option name 'wan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option network 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config include 'unblockmusic'
	option type 'script'
	option path '/var/etc/unblockmusic.include'
	option reload '1'

config redirect
	option target 'DNAT'
	option proto 'tcp udp'
	option src 'wan'
	option src_dport '80'
	option dest 'lan'
	option dest_port '80'

config redirect
	option target 'DNAT'
	option name '2'
	option proto 'tcp udp'
	option src 'wan'
	option src_dport '80'
	option dest 'wan'
	option dest_port '80'

config zone
	option name 'wg0'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option network 'wg0'

config rule
	option src '*'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '51820'
	option name 'Allow-Wireguard-Inbound'

# NOTE(review): the zone is named 'LAN' in capitals and lists two networks,
# 'LAN' and 'lan', while the client network config in this dump defines only
# 'lan'. Names are case-sensitive; the reply below asks for a lower-case name,
# a single 'lan' network, and masq/mtu_fix removed from this zone.
config zone
	option name 'LAN'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option network 'LAN lan'

Thank you very much for your efforts.

Remove these from server lan zone.

Add in server wan zone:
option masq '1'

Remove these from server wg0 zone:

Lan interface on client is conflicting with lan interface on server. I told you to fix that before.

In the client wan zone, add mtu_fix.
The client lan zone is named with capital letters; it should be lower case. Also remove masq and mtu_fix from it, and remove the LAN network from the zone, since only lan exists.


Unfortunately, the wire guard system does not work again. Please tell me how to fix it. Thank you !

Server network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd15:5672:3a87::/48'
	option multipath 'disable'
	option mptcp_path_manager 'fullmesh'
	option mptcp_scheduler 'default'
	option mptcp_checksum '0'
	option mptcp_debug '0'
	option mptcp_syn_retries '5'
	option mptcp_fullmesh_num_subflows '1'
	option mptcp_fullmesh_create_on_err '1'
	option mptcp_ndiffports_num_subflows '1'
	option congestion 'cubic'

config interface 'wan'
	option proto 'dhcp'
	option multipath 'off'
	option peerdns '0'
	option ifname 'eth0'

config interface 'lan'
	option proto 'static'
	option multipath 'off'
	option netmask '255.255.254.0'
	option ifname 'eth1'
	option ipaddr '192.168.0.39'

config interface 'wg0'
	option proto 'wireguard'
	option listen_port '51820'
	option private_key '<KEY>'
	option multipath 'off'
	list addresses '10.66.66.1/24'

# Peer entry for the client router. Compared with the earlier dump an endpoint
# is now set, so the server can also initiate the tunnel towards the client.
# allowed_ips 0.0.0.0/0 still accepts any IPv4 source from this peer.
config wireguard_wg0
	option description 'Client'
	option public_key '<KEY>'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '222.114.48.XX'
	option endpoint_port '51820'

# Policy routing: only packets entering on lan from 192.168.1.2 consult table
# 100; a host with any other source address keeps using the main routing table.
config rule
        option in 'lan'
        option src '192.168.1.2/32'
        option lookup '100'

# Default route through the tunnel, installed in table 100 only.
config route
        option interface 'wg0'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option table '100'

Server firewall

# Global fallback policies, unchanged from the first dump.
# NOTE(review): with forward 'ACCEPT' as the default, the 'config forwarding'
# sections at the end of this file do not restrict anything.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# lan zone with masq and mtu_fix removed, as requested in the thread.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

# wan zone now masquerades, but mtu_fix was dropped (the following reply points
# this out). NOTE(review): input and forward are still ACCEPT, so the router's
# services remain reachable from the internet; the thread's advice is REJECT.
config zone
	option name 'wan'
	option network 'wan'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option masq '1'

# NOTE(review): this redirect carries no match or destination options and the
# rule below has no src, dest or proto. What they end up matching cannot be
# told from this dump; they look like leftovers and should be confirmed or
# removed.
config redirect
	option enabled '1'

config rule
	option enabled '1'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config include 'unblockmusic'
	option type 'script'
	option path '/var/etc/unblockmusic.include'
	option reload '1'

# Port forward for 80/tcp+udp arriving on wan towards the lan zone.
# NOTE(review): no dest_ip is given, so the receiving host is not identifiable
# from this dump; if it resolves to the router itself, the web interface would
# be exposed to the internet — confirm the intended target.
config redirect
	option target 'DNAT'
	option proto 'tcp udp'
	option src 'wan'
	option src_dport '80'
	option dest 'lan'
	option dest_port '80'

# NOTE(review): same match as above but with dest 'wan' and again no dest_ip;
# the purpose of a wan-to-wan redirect is unclear — confirm or remove.
config redirect
	option target 'DNAT'
	option name '2'
	option proto 'tcp udp'
	option src 'wan'
	option src_dport '80'
	option dest 'wan'
	option dest_port '80'

config zone
	option name 'wg0'
	option output 'ACCEPT'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option network 'wg0'

config rule
	option src '*'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '51820'
	option name 'Allow-Wireguard-Inbound'

# Inter-zone forwardings on the server. For the use case in this thread the
# host on lan must reach the tunnel (lan -> wg0) and replies come back
# (wg0 -> lan).
config forwarding
	option src 'wg0'
	option dest 'wan'

config forwarding
	option src 'wg0'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'wg0'

# NOTE(review): this lets traffic that arrives from the internet be forwarded
# into the tunnel. The thread's earlier advice was to remove wan -> wg
# forwardings as unnecessary.
config forwarding
	option src 'wan'
	option dest 'wg0'

Client network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd15:5672:3a87::/48'
	option multipath 'disable'
	option mptcp_path_manager 'fullmesh'
	option mptcp_scheduler 'default'
	option mptcp_checksum '0'
	option mptcp_debug '0'
	option mptcp_syn_retries '5'
	option mptcp_fullmesh_num_subflows '1'
	option mptcp_fullmesh_create_on_err '1'
	option mptcp_ndiffports_num_subflows '1'
	option congestion 'cubic'

config interface 'wan'
	option ifname 'eth0'
	option proto 'dhcp'

config interface 'wg0'
	option proto 'wireguard'
	option listen_port '51820'
	option multipath 'off'
	list addresses '10.66.66.2/24'
	option private_key '<KEY>'

# Peer for the server router. Only packets sourced from 192.168.1.2 or from
# the server's tunnel address 10.66.66.1 are accepted from it.
# NOTE(review): route_allowed_ips, present in the earlier dump, is no longer
# set, so no route for 192.168.1.2/32 via wg0 is installed automatically —
# confirm that return traffic to that host is routed into the tunnel.
config wireguard_wg0
	option description 'server'
	option endpoint_host '14.50.148.XX'
	option endpoint_port '51820'
	option public_key '<KEY>'
	list allowed_ips '192.168.1.2/32'
	list allowed_ips '10.66.66.1/32'

# The interface is now named 'LAN' in capitals, while the firewall zone in the
# client firewall dump lists network 'lan'. Names are case-sensitive, so this
# interface is not covered by that zone (pointed out in the following reply).
# The address moved to 192.168.2.1, which no longer overlaps the server's lan.
config interface 'LAN'
	option proto 'static'
	option ifname 'eth1'
	option multipath 'off'
	option ipaddr '192.168.2.1'
	option netmask '255.255.254.0'

Client firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# Client wan zone with masq and mtu_fix both set, as asked for in the thread.
# NOTE(review): input and forward remain ACCEPT on the internet-facing zone,
# so the router's own services stay reachable from wan; the thread's advice
# is REJECT for both.
config zone
	option name 'wan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config include 'unblockmusic'
	option type 'script'
	option path '/var/etc/unblockmusic.include'
	option reload '1'

config redirect
	option target 'DNAT'
	option proto 'tcp udp'
	option src 'wan'
	option src_dport '80'
	option dest 'lan'
	option dest_port '80'

config redirect
	option target 'DNAT'
	option name '2'
	option proto 'tcp udp'
	option src 'wan'
	option src_dport '80'
	option dest 'wan'
	option dest_port '80'

config zone
	option name 'wg0'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option network 'wg0'

config rule
	option src '*'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '51820'
	option name 'Allow-Wireguard-Inbound'

# lan zone, now lower case and without masq/mtu_fix. It covers network 'lan',
# but the client network dump above names the interface 'LAN'.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

# NOTE(review): with a src zone and no dest this is an input rule; it accepts
# all TCP and UDP from wan to the router on every port. Together with the wan
# zone's input ACCEPT this leaves the router fully open to the internet; it is
# not needed for the tunnel, which already has its own rule for 51820/udp.
config rule
	option proto 'tcp udp'
	option src 'wan'
	option target 'ACCEPT'

# wg0 -> wan is the forwarding the thread asks for on the client: it lets the
# tunnelled host leave through the client's wan and be masqueraded there.
config forwarding
	option src 'wg0'
	option dest 'wan'

config forwarding
	option src 'wg0'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'wg0'

# NOTE(review): wan -> wg0 allows internet-originated traffic to be forwarded
# into the tunnel; the thread's earlier advice was to remove such forwardings.
config forwarding
	option src 'wan'
	option dest 'wg0'
  1. You didn't add the mtu_fix in server wan zone.
  2. In client you changed the lan interface from small letters to capitals but in firewall lan zone only the small letter lan network is in zone. Case must be the same in all configs.

I stupidly switched the switch on the client side. This completes the solution. Thank you for your next project. Thank you very much.

