No WAN connection after Wireguard VPN

Hi!
After several years I decided to test OpenWRT again. I installed 24.10.3 on a Netgear R7800. I want to set up the following:

| Network | Purpose | Internet path |
|---|---|---|
| STD (br-lan, 192.168.8.0/24) | normal home LAN | directly via WAN |
| GUEST (br-guest, 192.168.9.0/24) | guest Wi-Fi | directly via WAN |
| VPN (br-vpn, 192.168.10.0/24) | devices that must use VPN | through WireGuard |

I had all devices up and running without WireGuard yet. After setting up the WireGuard interface, the VPN network works fine (low speed compared to my DD-WRT device though), no DNS leak.

But the other two networks stopped working. I read quite a lot and asked AI for help, but I can find neither the problem nor the solution. I first thought it might be a DNS problem, but I can’t ping any IP address either. Here is my network config:


# /etc/config/network as posted by the author (both WireGuard keys are redacted to 'key').
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd68:6a79:aa3f::/48'
	option packet_steering '1'

# STD network: br-lan over the four switch ports, 192.168.8.0/24.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.8.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

# WAN uplink. peerdns '0' discards the ISP-supplied resolvers; 1.1.1.1 is used instead.
config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.1.1'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

# Guest and VPN bridges carry no wired ports (bridge_empty '1'); presumably the Wi-Fi
# interfaces are attached to them from /etc/config/wireless, which is not shown here.
config device
	option type 'bridge'
	option name 'br-guest'
	option bridge_empty '1'

config device
	option type 'bridge'
	option name 'br-vpn'
	option bridge_empty '1'

# GUEST network, 192.168.9.0/24.
config interface 'guest_int'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.9.1'
	option netmask '255.255.255.0'

# VPN network, 192.168.10.0/24 (clients whose traffic must leave through the tunnel).
config interface 'vpn_int'
	option proto 'static'
	option device 'br-vpn'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

# WireGuard client interface towards the provider. The 'dns' entries are the
# provider's resolvers; whether they also end up in the router's own resolver list
# depends on dnsmasq settings not shown here — verify if DNS leakage matters.
config interface 'wg_int'
	option proto 'wireguard'
	option private_key 'key'
	list addresses '10.14.0.2/16'
	list dns '162.252.172.57'
	list dns '149.154.159.92'

# Provider peer. NOTE(review): '192.168.10.0/0' has a /0 prefix length, so it
# matches every destination exactly as 0.0.0.0/0 would (the host part is ignored);
# the intended value for a client tunnel is 0.0.0.0/0. Together with
# route_allowed_ips '1' it installs a default route through the tunnel for the
# whole router, which is what takes the lan/guest networks off the WAN. A /0
# allowed_ips also means WireGuard accepts any source address arriving from this
# peer — required for a full tunnel, but relevant to the wg_zone firewall rules.
config wireguard_wg_int
	option description 'Surfshark_FRA'
	option public_key 'key'
	list allowed_ips '192.168.10.0/0'
	option endpoint_host 'de-fra.prod.surfshark.com'
	option endpoint_port '51820'
	option persistent_keepalive '30'
	option route_allowed_ips '1'


I guess the problem would be firewall rules, just now these are:


# /etc/config/firewall as posted. Default policy: unsolicited input and forward are
# rejected, output from the router is allowed.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# STD network zone: fully trusted (input/forward ACCEPT).
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'

# WAN zone: masq '1' SNATs everything leaving via wan, mtu_fix clamps TCP MSS.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

# The rules from here to Allow-ISAKMP are the stock OpenWrt defaults (DHCP renew,
# ping, IGMP, DHCPv6, MLD, ICMPv6, IPsec passthrough to lan).
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# GUEST zone: isolated from the router except for the explicit DHCP/DNS rules below.
# NOTE(review): masq '1' here NATs traffic leaving *into* br-guest; WAN-bound guest
# traffic is already masqueraded by the wan zone, so this option is not needed.
config zone
	option name 'guest_zone'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest_int'
	option masq '1'

config forwarding
	option src 'guest_zone'
	option dest 'wan'

# Router-side services the isolated zones may reach: DHCP (udp/67) and DNS (53).
# The DNS rules give no proto, so fw4's default (TCP and UDP) applies.
config rule
	option src 'vpn_zone'
	option name 'Allow-DHCP-VPN'
	list proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option src 'guest_zone'
	option name 'Allow-DHCP-Guest'
	list proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option src 'guest_zone'
	option name 'Allow-DNS-Guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option src 'vpn_zone'
	option name 'Allow-DNS-VPN'
	option dest_port '53'
	option target 'ACCEPT'

# VPN zone: may only forward to wg_zone (see the forwarding stanzas below). Because
# there is no vpn_zone -> wan forwarding, packets from br-vpn that the routing
# table sends out via WAN are rejected instead of leaking, which acts as a kill
# switch if the tunnel is down. masq '1' here is not needed (same as guest_zone).
config zone
	option name 'vpn_zone'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'vpn_int'
	option masq '1'

# Tunnel zone: masq '1' SNATs br-vpn traffic to the tunnel address before it enters
# the tunnel; mtu_fix clamps MSS for the smaller tunnel MTU.
config zone
	option name 'wg_zone'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wg_int'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'vpn_zone'
	option dest 'wg_zone'

# NOTE(review): this forwarding is not needed for an outbound client tunnel. It
# allows packets that arrive *from* the tunnel peer to be forwarded (and
# masqueraded) out to WAN, and since the peer's allowed_ips is a /0 any source
# address from the tunnel is accepted, so it effectively offers this router as a
# WAN exit for the far side of the tunnel. Consider removing it unless intended.
config forwarding
	option src 'wg_zone'
	option dest 'wan'


Does anyone have an idea what the problem might be? I really don’t understand why interfaces that were working stop working after setting up WG.

/Andreas

You need policy based routing in order to accommodate your desired goals. Basically, the VPN becomes the default route for all of the networks, but only those that are permitted via the firewall to forward to the VPN have the ability to use that route. The others which have firewall permissions to forward out towards the wan would do so except that there is no route defined there (because the VPN is the default route).

To fix this, use PBR to define what should happen (in terms of routes) for each network.

Meanwhile, you have the allowed IPs wrong here, but it happens to work...

The allowed IPs there should be 0.0.0.0/0, but you've got it incorrectly defined as 192.168.10.0/0. As it turns out, though, the /0 is why it's working: a prefix length of /0 matches every address regardless of the network part, so 192.168.10.0/0 behaves exactly like 0.0.0.0/0.

Allowed ips should be 0.0.0.0/0

Disable "Route Allowed IPs" and research Policy Based Routing to route only the desired interface/subnet via WireGuard.

Thanks for prompt help!

# Revised tunnel config posted as the fix. NOTE(review): the tunnel address changed
# from the provider-style 10.14.0.2/16 to 10.8.0.1/24 — a client tunnel only works
# with the address the provider assigned to this key, so verify it against the
# provider's configuration.
config interface 'wg_int'
	option proto 'wireguard'
	option private_key 'key'
	list dns '162.252.172.57'
	list dns '149.154.159.92'
	list addresses '10.8.0.1/24'

# NOTE(review): with allowed_ips '10.8.0.2/32' and route_allowed_ips '1', only a host
# route to 10.8.0.2 goes through the tunnel, and WireGuard's cryptokey routing drops
# any packet from the peer whose source address is outside 10.8.0.2/32 — so Internet
# traffic from br-vpn is not sent through (and Internet replies cannot be received
# over) the tunnel as posted. This differs from the advice above (0.0.0.0/0 plus
# policy based routing). The lan/guest networks regaining WAN access is consistent
# with the default route simply no longer pointing into the tunnel; whether br-vpn
# clients still exit via the VPN cannot be told from this snippet — confirm with an
# external IP/DNS-leak check from a br-vpn client.
config wireguard_wg_int
	option description 'Surfshark_FRA'
	option public_key 'key'
	list allowed_ips '10.8.0.2/32'
	option endpoint_host 'de-fra.prod.surfshark.com'
	option endpoint_port '51820'
	option persistent_keepalive '30'
	option route_allowed_ips '1'

Changing the wireguard tunnel addresses and allowed IP accordingly solved the problem!