OpenWRT as WireGuard server partially working for Android client

I have been working on setting up a WireGuard server within OpenWRT using the luci-proto-wireguard (and thus wireguard-tools) package. I followed this OpenWRT wiki page, which, with the exception of it not mentioning that for any given peer "Route Allowed IPs" should be enabled, seems to have worked without a hitch on my laptop; Wireshark confirms traffic is tunneling.

The issue I'm trying to solve here is that my phone (GrapheneOS for the curious) is not playing so nicely. When I load up the peer config onto it (using the bog standard WireGuard app, no third party apps), I do get some promising behavior, but not everything is working. I can see that it is:

  • Handshaking at the expected interval
  • Sending DNS queries into my DNS server
  • Able to reach my LAN router, even when I am on mobile data, confirming it is tunneling and not leaking
  • Pinging it from my desktop gets a reply

However, curiously if I try any of the following, I get a behavior consistent with packets being sent, but no response coming back:

  • Trying to reach my DNS server's admin panel (it's a pihole so I can just plug the DNS address into a browser with "/admin/login" on the end of it to get the admin panel)
  • Trying to reach WAN websites, e.g. ipleak.net

Now, my laptop was at first doing the same exact thing. Wireshark showed TCP SYN packets were going out like mad, but being lost in the void with not a single ACK coming back. As soon as I enabled "Route Allowed IPs", then suddenly I began getting ACK packets, everything came to life. I repeated this with my phone's peer config... Nothing.

I've been switching around IPs, ports, trying to just see if I could find something that sticks out. Disabling MAC randomization on my phone. Nothing. I'm kinda running out of ideas here. If anyone knows what might be different about Android that's causing the tunnel to only see my gateway and no other LAN or WAN destinations, I am all ears.

WireGuard interface:

If the peer configs are also helpful to know please say so, as a newbie I only get one media embed it seems.

This is a key clue. The problem might be on the PiHole. Make sure that it is set to accept connections from another subnet:

Settings > DNS > Interface Settings > Potentially dangerous options > Permit all origins

If that doesn't solve the issue, let's see the config:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):


Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

First of all, thanks for the reply!

Unfortunately no dice on the PiHole settings. I didn't think to check my Home Assistant server before (also localhosted, same IP, same box as the PiHole, just addressed by a specific port instead) and it is inaccessible as well.

For what it is worth, I went out earlier to a different place where I also have a network config set up on my phone, and after switching my DNS in my WireGuard config file to that network's gateway address (192.168.1.1), it did snap to life and start tunneling. Caveat being I was using that network's upstream DNS (just the ISP). So I'm starting to wonder if I've actually made a complete bodge of the subnet and need a lesson in how to go about this practically so that I can properly tunnel in, talk to the DNS server, and also talk to Home Assistant.

Nonetheless, outputs are as follows:

ubus call system board
{
        "kernel": "6.12.74",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "OpenWrt One",
        "board_name": "openwrt,one",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "25.12.2",
                "firmware_url": "https://downloads.openwrt.org/",
                "revision": "r32802-f505120278",
                "target": "mediatek/filogic",
                "description": "OpenWrt 25.12.2 r32802-f505120278",
                "builddate": "1774469393"
        }
}

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'redacted_because_this_is_my_ipv6_ULA'
        option dhcp_default_duid 'redacted_because_this_seems_important'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'
        option broadcast '1'
        option peerdns '0'
        list dns '192.168.1.162'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option norelease '1'
        option peerdns '0'
        list dns 'redacted_because_this_is_my_ipv6_ULA'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'private_key_goes_here'
        option multipath 'off'
        option listen_port '27318'
        list dns '192.168.1.162'
        list addresses '192.168.1.110/24'

config wireguard_wg0
        option description 'laptop'
        option public_key 'public_key_goes_here'
        option private_key 'private_key_goes_here'
        list allowed_ips '192.168.1.142/32'
        option endpoint_port '27318'
        option persistent_keepalive '25'
        option route_allowed_ips '1'

config wireguard_wg0
        option description 'phone'
        option public_key 'public_key_goes_here'
        option private_key 'private_key_goes_here'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option endpoint_port '27318'
        list allowed_ips '192.168.1.140/32'

cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config zone
        option name 'WireguardVPN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'wg0'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config forwarding
        option src 'WireguardVPN'
        option dest 'lan'

config forwarding
        option src 'WireguardVPN'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'WireguardVPN'

config rule
        option src 'wan'
        option name 'WireGuard-incoming'
        list proto 'udp'
        option dest_port '27318'
        option target 'ACCEPT'

The Wireguard interface's subnet conflicts with your lan:

Every network must use a unique and non-overlapping subnet. Therefore, change this to something else -- for example 192.168.14.1/24 and the peers to 192.168.14.x where x is a unique number for every peer.

The DNS entry in the Wireguard interface has no function -- you can delete it.
You can also delete the endpoint port from each of the peers.

Don't forget to update the interface addresses on each of the peers to match the new address you set here.

Also, remove masquerading from the WireguardVPN firewall zone.

Reboot and test again when you're done with all the changes.
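
The overlap this reply points at is the interface address 192.168.1.110/24 on wg0 sitting inside the LAN's own 192.168.1.0/24. The practical consequence is that a LAN host that sees a source address inside its own /24 treats it as on-link and tries to reach it directly instead of sending the reply back through the router, so answers to a tunnel peer go astray. The script below is an added example, not code from the thread or from OpenWrt: it checks a proposed tunnel range against the LAN with plain POSIX sh arithmetic, and then prints the uci commands for the changes listed above (own subnet for wg0, no dns entry, no endpoint_port on the peers, renumbered allowed_ips, no masquerading on the VPN zone). The interface name wg0, the zone name WireguardVPN and the peer order (laptop first, phone second) are taken from the posted config; 192.168.14.0/24 is the example range suggested in the reply. Nothing is applied to the router: the commands are printed so they can be reviewed and pasted into an ssh session.

```shell
#!/bin/sh
# Added example, not from the thread: detect a tunnel subnet that overlaps the
# LAN and print the uci commands for the fix. Assumed names: interface wg0,
# firewall zone WireguardVPN, peers @wireguard_wg0[0] (laptop) and [1] (phone).

# Dotted IPv4 -> integer, e.g. 192.168.1.110 -> 3232235886
ip_to_int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Integer -> dotted IPv4
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask for a prefix length as an integer (4294967295 = 0xFFFFFFFF)
mask_for() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# Network address of a CIDR, e.g. 192.168.1.110/24 -> 192.168.1.0
network_of() {
    ip=${1%/*}; len=${1#*/}
    int_to_ip $(( $(ip_to_int "$ip") & $(mask_for "$len") ))
}

# cidr_overlap A B: exit 0 when the two ranges share at least one address.
# They overlap exactly when they agree on the shorter of the two prefixes.
cidr_overlap() {
    a_ip=${1%/*}; a_len=${1#*/}
    b_ip=${2%/*}; b_len=${2#*/}
    p=$a_len
    if [ "$b_len" -lt "$p" ]; then p=$b_len; fi
    m=$(mask_for "$p")
    [ $(( $(ip_to_int "$a_ip") & m )) -eq $(( $(ip_to_int "$b_ip") & m )) ]
}

# Verdict for a LAN range and a proposed tunnel range: "overlap" or "ok"
check_tunnel_subnet() {
    if cidr_overlap "$1" "$2"; then echo overlap; else echo ok; fi
}

# emit_fix LAN_CIDR WG_CIDR LAPTOP_IP PHONE_IP
# Refuses (exit 1) while WG_CIDR still overlaps the LAN; otherwise prints the
# uci commands that move wg0 to its own subnet and apply the other changes.
emit_fix() {
    lan=$1; wg=$2; laptop=$3; phone=$4
    if cidr_overlap "$lan" "$wg"; then
        echo "refusing: tunnel $wg overlaps LAN $lan" >&2
        return 1
    fi
    # Parameterised part: interface address and peer addresses
    cat <<EOF
# wg0: own subnet, drop the dns entry that has no function here
uci delete network.wg0.addresses
uci add_list network.wg0.addresses='$wg'
uci delete network.wg0.dns
# peers: allowed_ips inside the tunnel subnet, no endpoint_port
uci delete network.@wireguard_wg0[0].allowed_ips
uci add_list network.@wireguard_wg0[0].allowed_ips='$laptop/32'
uci delete network.@wireguard_wg0[0].endpoint_port
uci delete network.@wireguard_wg0[1].allowed_ips
uci add_list network.@wireguard_wg0[1].allowed_ips='$phone/32'
uci delete network.@wireguard_wg0[1].endpoint_port
uci commit network
EOF
    # Constant part (quoted heredoc, so nothing expands until it runs on the
    # router): locate the VPN zone by name, not by position, then drop masq
    cat <<'EOF'
zone=$(uci show firewall | sed -n "s/^firewall\.@zone\[\([0-9]*\)\]\.name='WireguardVPN'$/\1/p")
uci delete firewall.@zone[$zone].masq
uci commit firewall
/etc/init.d/network restart
/etc/init.d/firewall restart
EOF
}

# Stand-alone run: the thread's original values, then the suggested range
echo "posted config:  $(check_tunnel_subnet 192.168.1.0/24 192.168.1.110/24)"
echo "suggested fix:  $(check_tunnel_subnet 192.168.1.0/24 192.168.14.1/24)"
emit_fix 192.168.1.0/24 192.168.14.1/24 192.168.14.142 192.168.14.140
```

After applying the printed commands, the peer configs on the laptop and phone need their Address changed to the matching 192.168.14.x/32 and their AllowedIPs left covering the LAN and the tunnel range; the /32 peer addresses still overlap the tunnel's /24, which is expected and is what the check reports as "overlap" for that pair.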

Some behavior changed, unsure if net positive or not. For the laptop peer, DNS queries are now showing as coming from my router rather than the individual client, and the occasional DNS over HTTPS query is leaking from the local address rather than tunneled. The latter I think makes some sense though? DNS over HTTPS is weird so I'm willing to chalk that up as not an issue.

My phone however is still not having it. Whether on the LAN or on mobile data, it seems to now refuse to send DNS queries in, no longer appearing in PiHole at all. I have OpenWRT set to use the PiHole server on both WANs and LAN, as well as DNS advertisements, so I'm not sure what that really means here.

The one good sign is I had ipleak.net in DNS cache as I connected to it while WireGuard was disabled, and navigating to it does seem to be able to connect! So at this point I am suspecting this is now down to DNS resolution over the tunnel being borked.

Edit: I am a fool, and undid the change in PiHole. That plus the prior steps has it working! Doing some further sanity checks before I mark a solution but I think it's done.

Edit 2: Yeah, this is resolved. Thank you very much!