My Wireguard setup is not working, need a second pair of eyes

This is my first time tying to set up a Wireguard on my home's router.

After following an old but seemingly comprehensive guide found on Reddit, I am stuck and need a second pair of eyes on what I am doing.

What doesn't work is – simply pinging a after connecting my phone to Wireguard VPN. (I'm using termux app on android)

Can someone spot what's wrong with configs here? If something is missing, I will update the post with more info. In the meantime, I've contacted my ISP to rule out possibility UDP ports are not getting blocked, inspired by this – they confirmed they are not blocking.

Perhaps there are known ways / checklist to diagnose possible issues with Wireguard?

In the end, this is what I've got:

  1. OpenWrt:

    root@OpenWrt:~# uci show | grep -e 'network.@wireguard_homevpn[0]' -e 'homevpn' -e '@rule\[9\]' -e '@zone\[0\]'
    firewall.@zone[0].network='lan homevpn'
    network.@wireguard_homevpn[0].description='Eugene'\''s Android phone'
  2. Android:

For context: I am away from home in a different country now. Would like to use a VPN, so that all traffic from my Android phone and MBP laptop would go through the VPN. In particular, I need this to be able to access some services that are only reachable from within my home country.

Can you ping
Did you configure forwarding from WG to WAN?

One mistake is the dest line. With this rule you allow forwarding from any zone to any zone. But you want to allow INPUT, so you need to remove the destination zone.

In the client allowed IPs you have ::/128, I am not sure if you intended that or not. Normally you should use ::/0
Also the address can be, although it won't matter much, since you route everything to the server.

Why not follow the up-to-date and tested guide from


One mistake is the dest line

Fixing this one did the trick. Thank you so much! For completeness, in order to do the fix from the web UI, I had to select "Device (input)"

In the client allowed IPs you have ::/128, I am not sure if you intended that or not. Normally you should use ::/0

Btw I am pretty sure I used ::/0 Not sure why it got changed to ::/128 :thinking:

Why not follow the up-to-date and tested guide from

Good question. At first I was committed to only using resources found on, but found a couple of issues:

  • the page you're linking to – it stumbled upon it as well – appears to be a high level guide, while I was on a lookout for something more detailed for both server and a client, but also dense enough to fit a screen,

  • while checking "WireGuard client" page, it immediately appeared a lot more detailed and seemingly what I need; after a closer look, I realized it covers a different use case, e.g. setting up WireGuard as a client inside OpenWRT, which is not what my scenario,

  • "WireGuard server" covers only server setup (I must admit I initially missed this one).

  • "Static addressing of WireGuard tunnel" looks like what I might have used after all, but the word "static" got me confused, e.g. is it related to static routing in some way or not?

Btw, in the past I've used Wireguard by setting it up via algo script. The end result would be a .conf or .png (QR code) file that can be seamlessly imported into a client (macOS and android are the ones that I've tried and which worked for me). Would it be naive to ask for a "Peers" tab to have a button that'd register a new peer & generate a QR code / .conf file automatically?

It is the main wiki page for wireguard, a bit lower there are the Internal links with the various functions.

Indeed you want a server, not a client.

This is not really needed, as it is covered by the server and client guides.

I think I have seen it before, but I don't remember if it was for WG or OpenVPN or IPSEC.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.