How to set up WireGuard VPN at home with OpenWrt router and Android hotspot?

Hi,
I have a flatrate 5G mobile SIM and currently I use it at home as the router by activating the Android hotspot to connect my laptops to the internet.
At home I have two routers, GL-B1300 and TP-WR902AC, with OpenWrt.
I can connect the B1300 and WR902AC to my Android hotspot and my devices at home can connect to those routers and have internet access. With this setup I created two local LANs, for instance 192.168.8.X and 192.168.10.X, which differ from my Android hotspot (e.g. 192.168.100.X). So far so good.

Now, I would like to use the wireguard VPN. What is the appropriate setup for my situation if I don't want to pay the Wireguard VPN provider by installing a Wireguard server on one of my routers?

My first trial today has failed. I’ve just set up the WireGuard server on the B1300 (which is connected to my Android hotspot), copied the configuration to my Ubuntu 22 laptop as /etc/wireguard/wg-b1300.conf, and started the WireGuard client with wg-quick. The wg client runs without any error, but my laptop doesn’t have access to the internet.

Is it possible to set up a WireGuard server with my hardware settings? If yes, how?

Do you have a public IP on the WAN of your OpenWrt device? If not, you will not be able to achieve the goal you've described.

The quick way to find out is to look at the main status page of OpenWrt and find the 'IPv4 Upstream' section. Make a note of the IP address that is there. Then, Google "what's my IP" and see if they match. If in doubt, post the first two octets of your IPv4 upstream address (in bold: aaa.bbb.ccc.ddd).

If you do have a public IP, the next thing is to look at your configs...

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

If my router can connect to my mobile phone's hotspot, it means that it has a public WAN IP, doesn't it?

I can't find the IPv4 upstream section.

Amended message

If your mobile ISP uses CGNAT, then you won't be able to use your VPN server.

Normally, to use a separate VPN server connected to a LAN port of the main ISP router, I believe you have to set up port forwarding on the ISP router. This will not work if the ISP uses CGNAT.

This will always return a public IP, even if the phone is behind NAT/CGNAT.

You need an app that will report the actual ip assigned to the cellular modem (unless you can find this in the system info). I have an app on iOS that does this called net analyzer. There are probably many others on both Android and iOS that will do the same thing.

RFC1918 ranges are 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. Carriers are not supposed to use these ranges for CGNAT, but sometimes they do. CGNAT is 100.64.0.0/10.

Thank you for correcting me.

I've amended my earlier post.

PS: I can confirm 'network analyzer' from the Google Play Store also reports a 10.x WAN address for my Android phone, and myip.com returns an 82.x address.