Port forward wireguard server from behind wireguard client


I am relatively new to networking and I would like to run a Wireguard-Server on my NAS, inside my LAN. My LAN is behind a Wireguard client running on my OpenWrt router, which was setup using this guide: https://mullvad.net/en/help/running-wireguard-router

I have been trying for 3 days but I can not figure out how to port forward the wg-server to my OpenWrt WAN. Adding WAN to the LAN forwards (I don't know if this is even safe) did not work and neither did my attempts at adding traffic rules.

To be clear, are you trying to port forward thru Mulivad WG assigned IP/interface or to your ISP-assigned address?

You have setup your WG client with a "kill switch" meaning you block output via the WAN.

You have to allow traffic from LAN to WAN for your NAS with a firewall traffic rule e.g.:

config rule
        option name 'allow-to-wan'
        option src 'lan'
        list src_ip 'IP-of NAS'
        option dest 'wan'
        option target 'ACCEPT'

You can restrict it to a certain port also to make it more specific

Next problem is that you also have to make sure that the WG traffic is going out via the WAN and not via the VPN.
For this you need Policy Based Routing (PBR).
You can install the full PBR package which has a handy setting just for that purpose, see:

or install PBR manually e.g. https://github.com/egc112/OpenWRT-egc-add-on/tree/main/pbr-via-wan


Unfortunately Mullvad stopped allowing port forward via the VPN it was abused for hiding a lot of criminal activities :frowning:

1 Like

Do i have to remove my current configuration and switch to PBR or is PBR compatible with my current configuration?

The ISP assigned interface

PBR should be compatible with your current situation

OK I'll look into it thank you for your help

1 Like

I tried setting this up by forwarding a docker container with a web GUI I can open inside a browser to test if it is working.

This is the configuration I got right now which does not work (all redacted IPs are the same NAS IP and the port is constant as well):

In the port forwards tab:

PBR config (default gateway is the wg-client):

Inside the traffic rule tab:

Every time I refresh my browser I can see that under status -> firewall the Rule container chain "dstnat_wan" grows by 120 bytes. Which from my limited understanding means that the forward into the LAN zone probably works.

Any Ideas what could be doing wrong? I also tested my config with the wire-guard interface down which should from my research temporarily fix the routing issues, but that is not working either. Which leads me to believe that some firewall rule is blocking the connection.

I already tried every imaginable combination off traffic rules with my NAS IP and the application port and I am kinda out of ideas on this front. Would running the wire-guard server on my router make things easier? Do I need to enable forwarding from my LAN to my WAN zone or does the port forward / traffic rules take care of that?