OpenWrt & Wireguard - No Access to Internal IPs

Hello all,

I have been playing and experimenting with my router now for weeks (literally!), but I can't get my desired setup to fully work as intended, so please allow me to ask for your help.

I did quite some searching for past forum discussions, but none of the ones I found seems to fit my problem, at least I couldn't make any sense in a way that lead me to a solution.

I have the following components that I need to work together:

  • OpenWrt router (provides wireless, firewall, wireguard interface etc.)

  • LET stick (Internet access, firewall disabled, client IP of OpenWrt router in DMZ)

  • A Raspberry PI attached to the router via both Ethernet and Wifi

Router IP:

Wireguard Interface:

Raspberry Pi: (Wifi), (Ethernet)

Firewall configuration:

WG port (I chose to go with 1195) is open in the firewall.

What I got to work:

  • I can connect to the WG interface with various clients from external networks
  • The peers can connect to the router IP
  • The peers can connect to the Internet

What I did not succeed in getting to work so far:

  • A WG peer connected to the WG interface, able to access the router IP as well as the Internet, cannot connect to the Raspberry on either internal IP.

What am I doing wrong? I am stuck, please help me!

If you are using on the LAN interface then you can't use on the wireguard interface since they are overlapping. Devices on the LAN won't be able to talk to wireguard peers. Either you use on the LAN, or you use for example, which don't overlap whith

I would like to keep for the router address.

What would I have to use for the WG interface address in that case?

You can keep the address, just change the subnet mask to /24. The reason they are overlapping is that you are using a /16 on that interface. Unless you actually need to access 65K hosts on your network, the /16 is just unnecessary.

Also, in your firewall, add forwarding from Wireguard > LAN.

If that doesn't work, please post your WG configs (both on the OpenWrt side and one of the remote peers; sanitize by removing keys and public IP addresses, but don't change your private IP addresses and please make it very clear what you have redacted as to avoid confusion).


Alright, I think I reconfigured everything both of you suggested:

Wireguard config:

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'xxxxxx='
	option listen_port '1195'
	list addresses ''

config wireguard_wg0
	option public_key 'xxxxx='
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	list allowed_ips ''

Forgot to mention: there is no firewall active on the Pi.

You haven't mentioned the peer's config yet.

So I'm guessing you still can't reach the LAN with these configs?

Absolutely correct, my bad. It's an iPhone, no idea how to export in plain text, so here's a summary:


Allowed IPs:
Keepalive: 25

You assume correctly: still not working.

Change to /24

Try turning off masquerading and MSS clamping in the WG firewall zone.

DNS and should work.

I did, no luck - still cannot access

Contrary to that, I can access from my laptop ( which is connected to my Wifi.


This is the same network, this should work.

To be clear, where are you testing the iPhone from?

  • Laptop: connected via (internal) Wifi to the router (

  • Raspberry ( connected to internal Wifi

  • iPhone: external LTE network, connected to the router's WG interface - I can access, but not

I know it's weird. As I said in my first post, has been bothering me and driving me crazy for weeks now, I am clueless.

Not weird. Turn off masquerade on WG firewall zone. The phone currently only sees

Still no luck, please see firewall zones and phone config below.

  • I thought you were told to remove the duplicate DNS server?
  • Do you have a static route configured in the OpenWrt for pointing toward the WG interface?
config route
	option interface 'wg0'
	option target ''
	option netmask ''

Sorry! :fearful:
I missed the post that said to remove the DNS. I did so now, no change.

I put the route config part into /etc/config/network and issued /etc/init.d/network restart after that.

Again, no change.

Btw, I am disconnecting and reconnecting to WG from the phone after each config change to be on the safe side.

Shouldn't the netmask be

No, doesn't make a difference.

  • Yes,
  • Can you start showing us the results of your tests?
  • Can we see the results of the WG command?