I am having an issue setting up a WireGuard VPN client on my router!

Here is the information on my complete setup:

The WireGuard point-to-point server is in the cloud with Linux 18.4 OS.

I connected other computers as clients, based on Windows and Linux, and they work just fine, with good connection and speed.

But when I am trying to set up the OpenWrt router, device information:

TP-Link Archer C7 v5

It won't work at all. Once the connection was established as per the implementation provided on openwrt.org, packets were going back and forth but there was no IP change.
I made the firewall settings as per the WAN port.
In this setup I have my main router and a TP-Link router as a DHCP client on the WAN port.

Now my questions are:
Do I need to set up this router as a client or a server?

Please give me some advice. Thank you...

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

I apologize.

I am new to OpenWrt; can you please tell me how to get this option?

SSH into the router, then issue the commands. You can use any SSH application - many people use the command line terminal for Linux or Mac, PuTTY for Windows.

Thank you for your reply.

The WireGuard server is located in Germany, in the cloud,
and I am setting up the client on my home network.

We need to see the setup on your home network. We may also need to see how the cloud is configured. Otherwise we cannot help at all.

I assume you have an OpenWrt router with a LAN, all the users in the house are on the LAN side of this router, and the WAN side of this router is connected to your ISP router but nothing else is connected directly to the LAN side of the ISP router. In that case just consider the ISP router as part of the Internet, and the VPN will tunnel through it. No special configuration is needed on it.

Your other clients were road warriors, meaning they were a single machine with a single IP on the VPN. Now you're setting up a whole network on the client side. So on the server, you need to add your LAN IP subnet as allowed_ips for this client. On the router, allowed_ips is since you want any site on the Internet to come back through the VPN.

Another approach (used with commercial VPN services where you can't configure the server) is to NAT the local LAN into the VPN tunnel, treating it like an ISP. That is achieved simply by placing the VPN tunnel in the wan firewall zone instead of lan. In that case your road warriors won't be able to reach the local LAN unless you forward ports in the firewall.

  public key: V8Ap9GsIm0Fcn5rvEhuMrZDwkAE+Eg2nanbQdexEWwM=
  private key: (hidden)
  listening port: 51820
  fwmark: 0xca6c

peer: 3hrbjb/MQnHMlZUwZHnw5cSKbG3VR3JEq24l2uxUB1g=
  allowed ips:

peer: S6EnxWC+vUOU3P60ZtWQ3OVg0+qVXPTBopBpFyrc3Cw=
  allowed ips:

WG0 configuration

Address =
SaveConfig = true
PostUp = ufw route allow in on wg0 out on eth0
PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PostUp = ip6tables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on eth0
PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PreDown = ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
ListenPort = 51820
FwMark = 0xca6c
PrivateKey =

PublicKey = 3hrbjb/MQnHMlZUwZHnw5cSKbG3VR3JEq24l2uxUB1g=
Endpoint =

PublicKey = 3hrbjb/MQnHMlZUwZHnw5cSKbG3VR3JEq24l2uxUB1g=
AllowedIPs =

PublicKey = S6EnxWC+vUOU3P60ZtWQ3OVg0+qVXPTBopBpFyrc3Cw=
AllowedIPs =
Endpoint =

Which of these is from OpenWrt? Can you please post the complete network and firewall files from that device, as requested (redact any sensitive information, of course).

It appears there are multiple peers with the same public key. There has to be a unique key for each peer.

1 Like
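The two checks raised in the replies above (every peer needs its own public key, and the server needs the client's LAN subnet in that peer's AllowedIPs) can be run against a server config before it is loaded. This is an added example, not code from the thread or from WireGuard: the sample config is constructed, the keys are placeholders, and the LAN subnet 192.168.1.0/24 is an assumption.

```python
import ipaddress
from collections import Counter

# Constructed server-side config; keys and addresses are placeholders.
SAMPLE_CONF = """\
[Interface]
ListenPort = 51820
[Peer]
PublicKey = PLACEHOLDER_KEY_A=
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = PLACEHOLDER_KEY_A=
AllowedIPs = 10.0.0.3/32
[Peer]
PublicKey = PLACEHOLDER_KEY_B=
AllowedIPs =
"""

def parse_peers(text):
    """Return one dict per [Peer] section with its key and AllowedIPs networks."""
    peers, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line.startswith("["):
            current = {"key": "", "nets": []} if line.lower() == "[peer]" else None
            peers += [current] if current else []
        elif current is not None and "=" in line:
            # split on the first '=' only: base64 keys end in '=' padding
            name, value = (part.strip() for part in line.split("=", 1))
            if name.lower() == "publickey":
                current["key"] = value
            elif name.lower() == "allowedips":
                current["nets"] += [ipaddress.ip_network(v.strip(), strict=False)
                                    for v in value.split(",") if v.strip()]
    return peers

def audit(text, lan_subnet):
    """List problems: reused peer keys, empty AllowedIPs, LAN subnet not routed."""
    peers = parse_peers(text)
    lan = ipaddress.ip_network(lan_subnet)  # assumed LAN behind the router
    findings = [f"duplicate PublicKey used by {n} peers: {key}"
                for key, n in Counter(p["key"] for p in peers).items() if n > 1]
    findings += [f"peer {i} has no AllowedIPs"
                 for i, p in enumerate(peers, 1) if not p["nets"]]
    routed = any(lan.version == net.version and lan.subnet_of(net)
                 for p in peers for net in p["nets"])
    if not routed:
        findings.append(f"no peer routes LAN subnet {lan}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF, "192.168.1.0/24")))
```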

I would also guess that the allowed IPs here are completely wrong, but it is hard to tell because we don't really have the right context of what you're showing us.

The first one has the status for the WireGuard server.

And the second is the configuration file.

From the cloud "server" setup??

Although not a hard rule, typically the "server" listens for a connection that is initiated by the "client" -- so if this is the server, it is strange how it is formatted. Aside from this, the network definitions are going to be problematic, for sure. I think your 'server' (if that's what we are looking at) needs to be completely overhauled.

Can you please post your OpenWrt network/firewall config files?


That is the image of the interface setup.

In this image you can see packets under the WG interface.
But still my IP hasn't changed.

PING ( 56 data bytes
64 bytes from seq=0 ttl=64 time=0.277 ms
64 bytes from seq=1 ttl=64 time=0.318 ms
64 bytes from seq=2 ttl=64 time=0.258 ms
64 bytes from seq=3 ttl=64 time=0.258 ms
64 bytes from seq=4 ttl=64 time=0.257 ms

--- ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.257/0.273/0.318 ms

This is what we need:

Realize that WireGuard does not push IPs, routes, or other configuration to the clients like OpenVPN does. Local static configuration is needed on both ends.

1 Like

LAN port or WAN port?


Please, for the love of all things OpenWrt... just post your config. We could have solved your issue by now if you would have done that when I asked the first 5 times.

Entire configuration for client