Okay, I have reset settings to try and fix the double zone issue,
then redid the interface and firewall settings using the ecg guide,
and sadly the same thing happens - the Mullvad website still doesn't seem to recognize that I'm trying to use WireGuard - and it appears my IP is visible when checking ipleak.
Though we may be going in the right direction, because I am still able to connect to the internet now - and it looks like I'm actually getting handshakes now / traffic on the interface.
This is what the firewall for WAN looks like:
My apologies - I did not know it was an issue with the firewall until I figured it out.
Let's review the latest config...
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):
Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:
```
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
wg show
```
```
root@OpenWrt:~# ubus call system board
{
	"kernel": "6.6.119",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "OpenWrt One",
	"board_name": "openwrt,one",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.5",
		"revision": "r29087-d9c5716d1d",
		"target": "mediatek/filogic",
		"description": "OpenWrt 24.10.5 r29087-d9c5716d1d",
		"builddate": "1766005702"
	}
}
```
```
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd5b:3471:deac::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'

config interface 'WGINTERFACE'
	option proto 'wireguard'
	option private_key 'xxx'
	list addresses 'xxx'
	list addresses 'fc00:bbbb:bbbb:bb01::7:7204/128'
	list dns '100.64.0.7'
	option defaultroute '0'

config wireguard_WGINTERFACE
	option description 'WG IMPORTED PEER'
	option public_key 'xxx'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::0/0'
	option endpoint_host '185.213.193.3'
	option endpoint_port '51820'
	option persistent_keepalive '25'
```
```
root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'WGINTERFACE'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
```
and then wg show:
```
root@OpenWrt:~# wg show
interface: WGINTERFACE
  public key: xxx
  private key: (hidden)
  listening port: 44887

peer: xxx
  endpoint: 185.213.193.3:51820
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 5 seconds ago
  transfer: 15.00 KiB received, 55.29 KiB sent
  persistent keepalive: every 25 seconds
```
Assuming you're not using PBR…

Remove the last line:

And then you need to add a line (below) to this section:

Add:
```
option route_allowed_ips '1'
```

Reboot and test again.
> lumilumi:
> `option defaultroute '0'`
Is this how I would format the command for this?
```
uci delete <config>[.<interface 'WGINTERFACE'>[[.<option defaultroute>][=<'0'>]]]
```
That doesn't look right, but I'm struggling a bit to use the uci interface -
or wait - could I export the config file and edit it with a text editor?
(Also, this config was set up with ecg's guide, so not sure um . . . why there would be issues.)
Personally, I directly edit the configs using the built-in vi editor (you can also install nano). Or you can do the same thing by copying the files to a computer, using a text editor, and then copying them back.
As a result, I'm personally not as well versed at using the UCI command structure.
FWIW, the same things can be accomplished with the LuCI web interface -- in this case, it's simple checkboxes for each of these items.
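The two edits psherman describes (drop `option defaultroute '0'` from the WireGuard interface section, add `option route_allowed_ips '1'` to its peer section), done the way he works, by editing the config file directly, as an added example that is not part of this thread or of OpenWrt's own tooling. It also answers the uci question above: the comments carry the standard `uci` syntax for the same two changes. The script audits an `/etc/config/network`-style file for the leak-prone combination (a peer whose `allowed_ips` cover `0.0.0.0/0` and `::/0` but whose routes are never installed, so traffic keeps leaving via the WAN), then rewrites the file. The file path, the interface name `WGINTERFACE` and the embedded sample config are assumptions; the sample mirrors the thread's config with keys and endpoint replaced by placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenWrt): audit and fix the WireGuard
# routing options discussed above in a UCI network config file.
#
# Equivalent uci commands on the router (standard uci syntax, anonymous peer section):
#   uci delete network.WGINTERFACE.defaultroute
#   uci set network.@wireguard_WGINTERFACE[0].route_allowed_ips='1'
#   uci commit network && ifup WGINTERFACE

# wg_routing_audit FILE IFACE
#   Exit 0 when FILE lets IFACE carry all traffic: no "defaultroute '0'" on the
#   interface section and "route_allowed_ips '1'" on the matching peer section.
#   Exit 1 and print each finding otherwise.
wg_routing_audit() {
    file=$1; iface=$2
    awk -v iface="$iface" '
        BEGIN { q = "\047"; want = q iface q; peersec = "wireguard_" iface
                zero = q "0" q; one = q "1" q }
        # A "config" line starts a new section; remember which one we are in.
        /^[[:space:]]*config[[:space:]]/ {
            sec = ""
            if ($2 == "interface" && $3 == want) sec = "iface"
            else if ($2 == peersec) sec = "peer"
            next
        }
        sec == "iface" && $1 == "option" && $2 == "defaultroute"     { defroute = $3 }
        sec == "peer"  && $1 == "option" && $2 == "route_allowed_ips" { rai = $3 }
        END {
            bad = 0
            if (defroute == zero) { print "defaultroute is 0 on " iface ": the tunnel will not become the default route"; bad = 1 }
            if (rai != one)       { print "route_allowed_ips is not 1 on the " iface " peer: allowed_ips are not installed as routes"; bad = 1 }
            exit bad
        }' "$file"
}

# wg_routing_fix FILE IFACE
#   Rewrite FILE in place: delete the defaultroute option of IFACE and make sure
#   its peer section ends with route_allowed_ips '1' (existing value is normalised).
wg_routing_fix() {
    file=$1; iface=$2; tmp="$file.tmp.$$"
    awk -v iface="$iface" '
        # Emit the missing peer option (and any held blank lines) when a peer section ends.
        function flush_peer() {
            if (sec == "peer" && !seen) print "\toption route_allowed_ips " q "1" q
            printf "%s", pending; pending = ""
        }
        BEGIN { q = "\047"; want = q iface q; peersec = "wireguard_" iface }
        /^[[:space:]]*config[[:space:]]/ {
            flush_peer(); sec = ""; seen = 0
            if ($2 == "interface" && $3 == want) sec = "iface"
            else if ($2 == peersec) sec = "peer"
            print; next
        }
        # Hold blank lines inside the peer section so the added option stays with it.
        sec == "peer" && /^[[:space:]]*$/ { pending = pending $0 "\n"; next }
        sec == "iface" && $1 == "option" && $2 == "defaultroute" { next }
        sec == "peer" && $1 == "option" && $2 == "route_allowed_ips" {
            seen = 1; $0 = "\toption route_allowed_ips " q "1" q
        }
        { printf "%s", pending; pending = ""; print }
        END { flush_peer() }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Constructed sample: the thread's interface and peer with secrets replaced.
sample_config() {
    cat <<'EOF'
config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'

config interface 'WGINTERFACE'
	option proto 'wireguard'
	option private_key 'REDACTED'
	list addresses '10.0.0.2/32'
	list dns '100.64.0.7'
	option defaultroute '0'

config wireguard_WGINTERFACE
	option description 'WG IMPORTED PEER'
	option public_key 'REDACTED'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::0/0'
	option endpoint_host 'vpn.example.invalid'
	option endpoint_port '51820'
	option persistent_keepalive '25'
EOF
}

# Demo on the sample: audit, fix, audit again, print the result.
demo() {
    f=$(mktemp)
    sample_config > "$f"
    echo "== before =="; wg_routing_audit "$f" WGINTERFACE || true
    wg_routing_fix "$f" WGINTERFACE
    echo "== after =="; wg_routing_audit "$f" WGINTERFACE && echo "config now routes everything through WGINTERFACE"
    cat "$f"; rm -f "$f"
}
demo
```

On the router itself, `wg_routing_audit /etc/config/network WGINTERFACE` says whether the file still has the combination shown in the thread; `wg_routing_fix /etc/config/network WGINTERFACE` followed by `/etc/init.d/network reload` applies the same change the two LuCI checkboxes make, after which `ip route` should show a default route through `WGINTERFACE` and the ipleak check should no longer show the WAN address.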
I am having trouble finding a checkbox for
> lumilumi:
> `option defaultroute '0'`

Do you know how I can export my config file as .txt?
I tried using the export backup feature, but that doesn't seem to be a text file.
There is also this page, but it doesn't seem to have an export as .txt, so I don't think that's the right spot.
Where is the built-in vi editor?
Oh wait, is this the option I'm looking for?
Network > Interfaces > [edit your WG interface] > Advanced Settings > Use default gateway
The above should be checked.
Network > Interfaces > [edit your WG interface] > Peers > [edit the peer config] > Route Allowed IPs
This one should also be checked.
When you export a backup, it is a tar.gz compressed archive that contains all of the relevant config files for your system. You can expand it, edit the file, then re-(tar-gz) the files.
Or you can use scp to copy the specific file in question from the router to the computer and then back after editing.
1 Like
solution:
Network > Interfaces > [edit your WG interface] > Advanced Settings > Use default gateway
Network > Interfaces > [edit your WG interface] > Peers > [edit the peer config] > Route Allowed IPs
plus following ECG's guide -- https://raw.githubusercontent.com/egc112/OpenWRT-egc-add-on/main/notes/OpenWRT%20WireGuard%20Client%20Setup%20guide%20using%20LuCi.pdf
FWIW, the two things I told you to fix are set and noted properly in the guide.
3 Likes
frollic, January 10, 2026, 5:37am (#93)
.... and VPN doesn't do anything for your internet privacy.
1 Like