Just set up WireGuard VPN for remote access and all devices connect but one specific device (please help)

This is the material I used to set up:

After everything was complete on the openWRT router, only my SYNOLOGY NAS CAN'T be accessed through it remotely.


I have a very simple setup:


When answering, please understand that I am new to openWRT and have "okay" experience with Linux CLI
(Preferably, I'd like to use the luci GUI if possible to resolve this issue.)

Please provide "step-by-step" instructions as I have issues with a lot of the wiki pages in understanding what to do in different scenarios

Your NAS might have its own firewall which will not allow traffic from foreign subnets like the WG subnet.

Tweak the firewall of the NAS to allow the WG subnet or for testing disable the firewall.


Looks like the firewall isn't even active to begin with.

  • Does your NAS have a gateway IP (of your OpenWrt) configured on it?
  • I assume this means that other devices are accessible?

I'd assume so since it has a static lease

And I'm able to access it locally via its IP address

It's also capable of accessing the Synology store locally so I know it's getting an internet connection

That is correct

Also, bad screenshot: the default gateway is the (LAN2)

We'll need to see the network and firewall configs. Please login to the OpenWrt via SSH and provide the output of:

cat /etc/config/network


cat /etc/config/firewall

:spiral_notepad: Alternatively, you can make a backup of your config using the web GUI - and extract the 2 files from the generated archive file.

All right guys, I figured it out:

I have a VPN provider providing VPN services

The problem I think happened:
I used the default port of 51820 for wireguard when making the configuration file for their services.

I decided to delete the configuration after mirroring it side by side to make sure I got all the configurations right as well as watching the video on that topic directly below. BUT THIS TIME, before watching the video, WHEN MAKING THE FILE I CHOSE ANOTHER PORT NUMBER AS my PROVIDER GIVES me THE OPTION TO DO THAT. IN MY CASE INSTEAD OF THE DEFAULT 51820 I chose another.

THIS IS KEY BECAUSE SOME DEVICES and applications DON'T PLAY NICE WITH NON-STANDARD USUAL PORTS IT'S EXPECTING. (With the exception of using a VPN to just browse the internet.)

Video 1:

(Note 1: I selected all, copied, and pasted the contents of the VPN provider's .conf file instead of populating everything myself. I did, however, have to do the peer section, which was very easy when following the video)

(Note 2: I set interface to 25 for NAT for my provider's VPN interface on my router under the "peer section" when editing it as usual BUT NOT for VPN design for remote access BACK HOME THAT WAS LEFT AT 0)

(Note 3: if you are using split tunneling like me, TWO IMPORTANT THINGS. NUMBER 1: it is important that if you have a Synology NAS or device with two or more ports, you separate at least two interfaces (so if you have four you probably can still pair them together. Don't quote me on that lol) to make them individuals, AKA no bond or link aggregation. This is because you'll need one for the VPN interface for your VPN provider's tunnel services on the internet, which is directly tied and redirected via PBR (policy based routing service) because, based on my setup of having only one device using the router's VPN with others using the application (or app), I have given it a lower priority metric (ex: 30) than the WAN (ex: 10) THAT ALL OTHER DEVICES USE. (Lower numbers have higher priority than higher numbers.)
And the other interface on the Synology is designed for regular internet access to the WAN, allowing you to easily access it remotely via the WireGuard VPN interface for remote access. NUMBER 2: UNLESS YOU KNOW WHAT YOU'RE DOING, DO NOT USE ANY DNS LEAK PROTECTION ON YOUR WAN IF YOU'RE USING SPLIT TUNNELING. IN FACT, USE A PUBLIC ONE LIKE: ,,,, etc. This is because there's a good chance that unless you're going through the VPN tunnel to your VPN provider's DNS server, most likely you may not be able to access it through your regular WAN connection directly without establishing a connection with their VPN server first. Therefore your regular connection is going to need a public DNS)


(NOTE BEFORE CONTINUING: since he's likely using an older version make sure to put in where it shows in the video where he likes to SAY AND skips over 51820 because HIS WAS POPULATED ALREADY in a greyed out fashion while mine was blank and said optional underneath the box in the usual OpenWrt tip put under every box, which is a good thing.)

Lastly, I thought this was important, but make sure you leave the DNS to whatever your router may populate such as "" located in the peer section when generating the configuration file (or QR code) as well as on the device that accepts it (to be honest I'm not sure if this matters but I think it should be said because that's what worked and I haven't tried it without it as his shows)

After all this, (sitting done) and everything was saved as described, before rebooting, I restarted my PBR policy because I have split tunneling, my WireGuard interface for remote access, and then rebooted the router.

I checked and everything is working properly

I hope this really helps someone when setting up theirs because some of these "helpers" just aren't breaking it down enough for me. :disappointed: I'm old-fashioned in that sense.