OpenWrt WireGuard Client — “Route Allowed IPs” kills WAN. LuCI keeps forcing nohostroute and default route never installs

I’m on OpenWrt 24.10.4 (GL-MT6000) with multiple VLANs, but the issue happens even on a clean setup.

I import my Mullvad WireGuard config into LuCI.
Tunnel comes up, TX/RX works, but default route never switches to WG, even with:

AllowedIPs = 0.0.0.0/0, ::/0
route_allowed_ips = 1

Every time I enable Route Allowed IPs in the peer section, LuCI automatically injects:

option nohostroute '1'

That line blocks installation of the default route, and the moment it appears, my internet drops instantly.
If I delete it manually and restart networking, WAN returns — but as soon as I change anything in LuCI, it’s added again and the problem repeats.

Routing always looks like this after it breaks:

default via <ISP gateway> dev eth1

WireGuard never becomes the default route.

Symptoms:

  • Enabling Route Allowed IPs → WAN dies
  • LuCI silently adds nohostroute=1
  • Default route never installs
  • WG interface shows a red icon even with TX/RX traffic

Question:
Why is LuCI forcing nohostroute=1 on the WG interface when Route Allowed IPs is enabled, and how can I prevent that so WG can install a default route normally?

 ubus call system board
{
        "kernel": "6.6.110",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "GL.iNet GL-MT6000",
        "board_name": "glinet,gl-mt6000",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.4",
                "revision": "r28959-29397011cc",
                "target": "mediatek/filogic",
                "description": "OpenWrt 24.10.4 r28959-29397011cc",
                "builddate": "1760891865"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxxxxx'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '10.xxx.xxx.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'
        option macaddr ''
        option peerdns '0'
        option dns '0.0.0.0'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'
        option dns '::'
        option peerdns '0'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '10'
        option name 'br-lan.10'

config interface 'lan10'
        option proto 'static'
        option device 'br-lan.10'
        option force_link '0'
        option ipaddr '10.xxx.xxx.1'
        option netmask '255.255.255.0'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'lan3:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan2:u*'
        list ports 'lan3:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '30'
        list ports 'lan3:t'

config interface 'lan30'
        option proto 'static'
        option device 'br-lan.30'
        option ipaddr '10.xxx.xxx.1'
        option netmask '255.255.255.0'
        option force_link '0'

config bridge-vlan
        option device 'br-lan'
        option vlan '70'
        list ports 'lan3:t'

config interface 'lan70'
        option proto 'static'
        option device 'br-lan.70'
        option force_link '0'
        option ipaddr '10.xxx.xxx.1'
        option netmask '255.255.255.0'

config bridge-vlan
        option device 'br-lan'
        option vlan '60'
        list ports 'lan3:t'

config interface 'lan60'
        option proto 'static'
        option device 'br-lan.60'
        option force_link '0'
        option ipaddr '10.xxx.xxx.1'
        option netmask '255.255.255.0'

config bridge-vlan
        option device 'br-lan'
        option vlan '50'
        list ports 'lan3:t'

config interface 'lan50'
        option proto 'none'
        option device 'br-lan.50'

config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'lan3:t'

config interface 'lan20'
        option proto 'static'
        option device 'br-lan.20'
        option force_link '0'
        option ipaddr '10.xxx.xxx.1'
        option netmask '255.255.255.0'

config bridge-vlan
        option device 'br-lan'
        option vlan '99'
        list ports 'lan3:t'

config interface 'lan99'
        option device 'br-lan.99'
        option proto 'static'
        option ipaddr '10.xxx.xxx.1'
        option netmask '255.255.255.0'
        option force_link '0'
        option type 'bridge'

config interface 'wg_mullvad'
        option proto 'wireguard'
        option private_key ''
        list addresses '10.xxx.xxx.254/32'
        option route_allowed_ips '1'

config wireguard_wg_mullvad
        option description 'Imported peer configuration'
        option public_key ''
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::0/0'
        option endpoint_host '143.244.47.78'
        option endpoint_port '51820'
        option persistent_keepalive '25'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi'
        option band '2g'
        option channel 'auto'
        option htmode 'HT40'
        option country 'US'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'Hxxxxxx1'
        option encryption 'psk2+psk3'
        option key ''

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi+1'
        option band '5g'
        option channel 'auto'
        option htmode 'HE160'
        option country 'US'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'Hxxxxx2'
        option encryption 'psk2+psk3'
        option key ''

config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option ssid 'Hxxxxx3'
        option encryption 'psk2'
        option key ''
        option network 'lan10'

config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option ssid ' *xxxxxxxx*'
        option encryption 'psk2'
        option key ''
        option network 'lan30'

config wifi-iface 'wifinet4'
        option device 'radio1'
        option mode 'ap'
        option ssid '*xxxxxxx*'
        option encryption 'psk2'
        option key ''
        option network 'lan70'

config wifi-iface 'wifinet5'
        option device 'radio1'
        option mode 'ap'
        option ssid '*xxxxxxxxx*'
        option encryption 'psk2'
        option isolate '1'
        option key ''
        option network 'lan60'

config wifi-iface 'wifinet6'
        option device 'radio0'
        option mode 'ap'
        option ssid '*xxxxxx*'
        option encryption 'psk2'
        option key ''
        option network 'lan70'

config wifi-iface 'wifinet7'
        option device 'radio1'
        option mode 'ap'
        option ssid '*xxxxxx*'
        option encryption 'psk2'
        option key ''
        option network 'lan20'

config wifi-iface 'wifinet8'
        option device 'radio1'
        option mode 'ap'
        option ssid '*xxxxxxx*'
        option encryption 'psk2'
        option key ''
        option network 'lan99'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '0'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        option noresolv '1'
        option port '5xxx'
        option dnsforwardmax '1024'
        list server '127.0.0.1#5xxx'
        list server '::1#5xxx'
        list server '1.1.1.1'
        list server '1.0.0.1'
        option logqueries '1'
        option logdhcp '1'
        list interface 'lan'
        list interface 'lan10'
        list interface 'lan20'
        list interface 'lan30'
        list interface 'lan50'
        list interface 'lan60'
        list interface 'lan70'
        list interface 'lan99'
        option interface_done '1'

config dhcp 'lan10'
        option interface 'lan10'
        option start '20'
        option limit '200'
        option leasetime '12h'
        list dhcp_option '6,10.xxx.xxx.1'

config dhcp 'lan20'
        option interface 'lan20'
        option start '20'
        option limit '200'
        option leasetime '12h'
        list dhcp_option '6,10.xxx.xxx.1'

config dhcp 'lan30'
        option interface 'lan30'
        option start '20'
        option limit '200'
        option leasetime '12h'
        list dhcp_option '6,10.xxx.xxx.1'

config dhcp 'lan60'
        option interface 'lan60'
        option start '20'
        option limit '200'
        option leasetime '12h'
        list dhcp_option '6,10.xxx.xxx.1'

config dhcp 'lan70'
        option interface 'lan70'
        option start '20'
        option limit '200'
        option leasetime '12h'
        list dhcp_option '6,10.xxx.xxx.1'

config dhcp 'lan99'
        option interface 'lan99'
        option start '20'
        option limit '200'
        option leasetime '12h'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '24h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list dhcp_option '6,10.xxx.xxx.1'
        list dhcp_option '3,10.xxx.xxx.1'
        list dns '::1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
        option piofolder '/tmp/odhcpd-piofolder'

config dhcp 'wg_mullvad'
        option interface 'wg_mullvad'
        option ignore '1'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'lan10'
        list network 'lan30'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'momnet'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        list network 'lan70'

config forwarding
        option src 'momnet'
        option dest 'wan'

config zone
        option name 'Quarantine'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        list network 'lan60'

config forwarding
        option src 'Quarantine'
        option dest 'wan'

config zone
        option name 'vpnsendtotunnel'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan20'
        option mtu_fix '1'

config zone
        option name 'mgmt99'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'lan99'

config forwarding
        option src 'mgmt99'
        option dest 'wan'

config rule
        option name 'Allow-momnet-DNS'
        option src 'momnet'
        option proto 'tcp udp'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Allow-momnet-DHCP'
        option src 'momnet'
        option proto 'udp'
        option dest_port '67-68'
        option target 'ACCEPT'

config rule
        option name 'Allow-Quarantine-DNS'
        option src 'Quarantine'
        option proto 'tcp udp'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Allow-Quarantine-DHCP'
        option src 'Quarantine'
        option proto 'udp'
        option dest_port '67-68'
        option target 'ACCEPT'

config rule
        option name 'Allow-VPN20-DNS'
        option src 'vpnsendtotunnel'
        option proto 'tcp udp'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Allow-VPN20-DHCP'
        option src 'vpnsendtotunnel'
        option proto 'udp'
        option dest_port '67-68'
        option target 'ACCEPT'

config rule
        option name 'Allow-mgmt99-DNS'
        option src 'mgmt99'
        option proto 'tcp udp'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Allow-mgmt99-DHCP'
        option src 'mgmt99'
        option proto 'udp'
        option dest_port '67-68'
        option target 'ACCEPT'

config zone
        option name 'vpnzone'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wg_mullvad'

config forwarding
        option src 'vpnsendtotunnel'
        option dest 'vpnzone'

I'm trying to get wireguard to work on a single VLAN and no matter what I do, I can't get the tunnel to install and work properly.

route_allowed_ips belongs in the peer section, not the main wg interface. If you set this up via the CLI, does it work? Note that route_allowed_ips on a 0.0.0.0/0 allowed_ips works like OpenVPN in that it splits the whole Internet into two /1 routes and leaves the /0 route via wan in the table, though that /0 route will never be used since traffic matches one of the /1 routes first.

Firewall rules alone will not allow you to set up "wireguard to work on a single VLAN." For source-conditional routing you need multiple routing tables, typically configured through pbr. In that case you usually do not set route_allowed_ips; instead, only install a default route via WireGuard in the special table that handles packets from the one VLAN. Everything else, including the encrypted packets to the WireGuard server, will use the default route in the default table, which is wan.

Routing to a VPN (or not) is a two-step process. First the kernel consults the routing table(s) to determine the destination of the packet. Then the firewall is checked to see if such traffic is allowed or not. They both have to be set up.


Hiding private RFC1918 IP addresses is not only useless, since they are private, but it also makes it difficult to give the best possible support.

The behaviour you describe could be because of an overlap or collision of subnets.

I apologize. I'm new to doing this and just didn't want to share something I shouldn't.

I enabled pbr, but I've never done this before and the tunnel still isn't working correctly. It seems to be transmitting more than it is receiving.

This is what my pbr rule looks like:

This is the AI's summary, just in case I'm forgetting anything:

:check_mark: What works:

  • WireGuard peer establishes and handshakes successfully.
  • pbr creates two routing tables (pbr_wan and pbr_wg_mullvad) correctly.
  • The VLAN20→WG policy applies cleanly:
ip saddr 10.192.117.0/24 goto pbr_mark_0x020000
  • ip rule shows fwmark lookup for the WG table, and the WG table contains the correct default route.

:cross_mark: The problem:

Even though routing is correct, no real traffic comes back through the tunnel.
VLAN20 clients cannot reach the internet through WireGuard.

After reviewing firewall configuration, we found that:

:fire: The firewall zone vpnzone (the zone intended to NAT and forward traffic through WireGuard) does not actually include the WireGuard interface.

The zone looks like this:

config zone
    option name 'vpnzone'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    # MISSING: list network 'wg_mullvad'

So although I created a dedicated firewall zone for the tunnel, the WG interface itself was never associated with it.

:police_car_light: Why this breaks everything:

  • pbr sends VLAN20 traffic to wg_mullvad → OK
  • wg_mullvad receives packets → partially OK
  • BUT because wg_mullvad is not inside any zone, the firewall:
    • prevents forwarding through the tunnel
    • prevents NAT on WG egress
    • causes return packets to be dropped
    • triggers the red status icon in LuCI

In other words, routing sends packets to the tunnel, but the firewall silently blocks the path.

:check_mark: Expected fix:

Adding this line should attach the WG interface to the vpnzone:

# Attach the wg_mullvad interface to the vpnzone firewall zone.
# @zone[6] is a positional index (the seventh 'config zone' section in
# /etc/config/firewall); it shifts if zones are added or reordered, so
# confirm it really points at vpnzone first: uci get firewall.@zone[6].name
# NOTE(review): the /etc/config/firewall dump posted earlier in this thread
# already shows "list network 'wg_mullvad'" under vpnzone; add_list appends
# without de-duplicating, so check the zone before adding a second entry.
uci add_list firewall.@zone[6].network='wg_mullvad'
# Persist the staged change, then reload the ruleset so it takes effect.
uci commit firewall
/etc/init.d/firewall restart

This should allow:

  • NAT/MASQ on the tunnel interface
  • MSS clamping
  • Forwarding from VLAN20 → vpnzone → WireGuard
  • Return traffic back from Mullvad

It is not entirely clear whether it works or not.

For a correct setup of a WireGuard client there are several good guides on the forum; there is no need to use an often-hallucinating AI. I use this one:
WireGuard Client Setup Guide

For PBR, using the PBR app like you are doing is fine. There is a link to the README in the PBR GUI.
Sending screenshots is not the best way to share information, but what I see looks OK.
If you have implemented IPv6, then enable it in the PBR app and use the interface name preceded with @; that will cover both IPv4 and IPv6.