Remote access to my home network

Hey, I'm sorry — I just double-checked and set up my phone again, and it works. Sorry for the fuss...
Without VPN it works!

OK, so try again with the VPN enabled and with the route and rule I referred to in place.

When you have done so, show the output of:

# the WAN next-hop: the gateway the policy-routing table has to point at
ifstatus wan | grep nexthop
# contents of the policy-routing table that the sport rule selects
ip route show table 101
# policy rules: the "sport 55443 lookup 101" entry sends packets sourced from
# the WireGuard listen port to table 101 instead of the main table
ip rule show
cat /etc/config/network
cat /etc/config/firewall
# the main table, where the VPN client's default route lives
ip route show
wg show

That Worked!

But... I only have access to my router, not to the internet... I assume that's a solvable firewall problem. :stuck_out_tongue:

root@OpenWrt:~# ifstatus wan | grep nexthop
			"nexthop": "192.168.178.1",
root@OpenWrt:~# ip route show table 101
default via 192.168.178.1 dev wan 
root@OpenWrt:~# ip rule show
0:	from all lookup local
32765:	from all sport 55443 lookup 101
32766:	from all lookup main
32767:	from all lookup default
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd7f:0959:af62::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'wan'
	option macaddr 'xxxxxxxxxxx'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '194.242.2.3'
	list dns '194.242.2.9'
	list dns '103.86.96.100'

config interface 'OPENVPN'
	option proto 'none'
	option device 'tun0'

config interface 'wgserver'
	option proto 'wireguard'
	option private_XXXXXXXXXXXXXXXXXXXXX'
	option listen_port '55443'
	list addresses '172.22.22.1/24'

config wireguard_wgserver
	option description 'JPhone'
	option public_key 'XXXXXXXXXX'
	option private_key 'iXXXXXXXXXXXXXXXXXX'
	list allowed_ips '172.22.22.2/32'
	option route_allowed_ips '1'
	option endpoint_port '55443'
	option persistent_keepalive '24'

config wireguard_wgserver
	option description 'JPhonework'
	option public_key 'XXXXXXXXXXXXXXXXXXXXXXXXXX'
	option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXX'
	list allowed_ips '172.22.22.3/32'
	option route_allowed_ips '1'
	option endpoint_port '55443'

root@OpenWrt:~# cat /etc/config/firewall
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'OpenVPN'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list device 'tun+'
	
config forwarding
	option src 'lan'
	option dest 'OpenVPN'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Force DNS'
	option src 'wan'
	option src_dport '53'
	option dest_port '53'

config rule
	option name 'Allow-55443'
	list proto 'udp'
	option src 'wan'
	option dest_port '55443'
	option target 'ACCEPT'

config nat
	option name 'SNAT-WGserver'
	list proto 'all'
	option src 'lan'
	option src_ip '172.22.22.0/24'
	option target 'MASQUERADE'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/firewall.include'

config zone
	option name 'wgserver'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'wgserver'

config forwarding
	option src 'wgserver'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'wgserver'

config forwarding
	option src 'wgserver'
	option dest 'wan'

root@OpenWrt:~# ip route show
default via 10.46.76.1 dev tun0 
10.46.76.0/22 dev tun0 proto kernel scope link src 10.46.78.198 
172.22.22.0/24 dev wgserver proto kernel scope link src 172.22.22.1 
172.22.22.2 dev wgserver proto static scope link 
172.22.22.3 dev wgserver proto static scope link 
176.10.106.7 via 192.168.178.1 dev wan 
192.168.3.0/24 dev br-lan proto kernel scope link src 192.168.3.1 
192.168.178.0/24 dev wan proto kernel scope link src 192.168.178.21 
root@OpenWrt:~# wg show
interface: wgserver
  public key:xxxxxxxxxxxxxxxxxxxx
  private key: (hidden)
  listening port: 55443

peer: xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  endpoint: 194.xxx.xxx.157:27521
  allowed ips: 172.22.22.2/32
  latest handshake: 1 minute, 55 seconds ago
  transfer: 156.29 KiB received, 653.05 KiB sent
  persistent keepalive: every 24 seconds

peer: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  allowed ips: 172.22.22.3/32

Great. Two things in the firewall config you posted deserve a fix while you are at it: the wan zone has `option input 'ACCEPT'` (the stock value, like your `config defaults`, is REJECT), which exposes every service listening on the router — SSH, LuCI, DNS — to the WAN side; set it back to REJECT, the separate Allow-55443 rule already opens the WireGuard port. And the 'Force DNS' redirect has `option src 'wan'` where that rule normally has `src 'lan'`: as written it does not force your LAN clients onto the router's DNS, it makes the router answer port-53 queries arriving from the WAN side. Also, the two wireguard_wgserver peer sections store the phones' private_key next to their public_key; the server only needs the public keys, so once the phones have their configuration you can remove the private keys from the router.

You need a firewall forwarding in /etc/config/firewall that allows traffic from the wgserver zone into the OpenVPN zone:

# /etc/config/firewall: let the WireGuard clients (zone wgserver) be forwarded
# into the OpenVPN zone (device tun+), i.e. out through the router's VPN
# client, which holds the default route in the main table. Reload the firewall
# (service firewall restart) after adding it; being in the config file, it
# survives reboots.
config forwarding
	option src 'wgserver'
	option dest 'OpenVPN'

It works :smiley:
But... if I reboot I have to type the route and rule commands again :frowning:

... Otherwise my devices will not connect anymore

Can I script that somehow so that it comes up automatically?

And another question...
I have a stereo on that network running moOde audio. It uses Spotify Connect to be controlled over the network.

Now the WireGuard tunnel works, but I can't control that device... is there a way for the mobile devices to communicate with the devices physically plugged into the network?

Yes, you can, but that will have to wait until tomorrow — it is past my bedtime.

It depends. You may be able to control the device by its IP address directly; but if the app has to discover the device first, then, depending on the kind of discovery it uses, you might need Avahi/mDNS and/or SMCRoute, or it might only work when the phone is on the same subnet — for which you would need a layer-two bridge with gretap or VXLAN.
Bottom line: try controlling the device by its IP address, and if that does not work you are out of luck for now. A port forward on the WAN is not the answer here either: the phone already reaches the LAN through the tunnel (the wgserver → lan forwarding in your firewall config), and forwarding the device's ports from the WAN would only expose it to the internet.

First of all, thank you for bearing with me here :pray:

I didn't think it would be such a hassle!

Could Spotify Connect on that moOde audio machine have a port-forwarding problem? Spotify Connect typically uses TCP and UDP port 4070 for communication, as I just read. The machine itself has the IP 192.168.3.141. Maybe it's that simple.

To be honest I would just set up port forwarding, but I'm afraid that WireGuard will stop working, even if that might be irrational xD

To run the commands automatically after a reboot, the simple solution is to add them to the system startup: put them in /etc/rc.local, or use LuCI > System > Startup > Local Startup.

Although this survives reboots, it does not survive network restarts: if the network is restarted, either by you (service network restart) or by some process, the route and rule are gone.

A more sophisticated way is to use a hotplug script; here is an example.
But I would save that for another thread and just add the script to system startup, test if everything is working and if you are satisfied and your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:


If I just paste the commands into LuCI like that, it won't work at all. Now I tried using the hotplug script by

root@OpenWrt:~# nano /etc/hotplug.d/iface/98-pbr-via-wan.sh
.
.
.
#!/bin/sh

# Name: 98-pbr-via-wan
# Version: 1.0.2 24-oct-2024 by egc
# Description: OpenWRT hotplug script routing a specific source port, local IP address or interface etc. via the WAN
# Usage: e.g. When running a concurrent VPN client and VPN server or port forwarding via the WAN and needing to route the port via the WAN back and/or
#        when excluding some local IP addresses from using the VPN
# Installation:
#  Set the VPN client interface as MYINTERFACE, this interface will be used as trigger for this script
#  Remove the first # of the SPORT/IPADDR/ADDLOCALROUTES line to enable it, if desired
#  Adapt the port (e.g. your local VPN server port) and/or local IP addresses you want to route via the WAN
#  Copy script to /etc/hotplug.d/iface/
#  Reboot or restart network (service network restart)

# --- user settings -----------------------------------------------------------
# Interface name used in the log messages; in this copy it does not select the
# hotplug trigger (set_routes compares $INTERFACE with the literal "wgserver").
MYINTERFACE=wg0
# UDP source port whose packets must leave via the WAN: 55443 is the WireGuard
# listen_port in /etc/config/network. Empty disables the port rule.
SPORT=55443
# Space-separated local addresses (CIDR) to route via the WAN; empty = none.
IPADDR=
# Flag: defined (even if empty) copies the main table's non-default routes into
# the pbr table; comment the line out to disable that.
ADDLOCALROUTES=

#DEBUG=; set -x; logger -t hotplug $(env); # uncomment/comment to enable/disable debug mode
# Routing table id that holds the "via WAN" default route.
TID=101
{
# Provide the IPv4 gateway for the pbr table in the global GATEWAY4.
# This copy pins the WAN next-hop that `ifstatus wan | grep nexthop` reported
# in the thread (192.168.178.1); the comment in the original ("Set the gateway
# IP directly") suggests it replaced a run-time lookup. Takes no arguments,
# prints nothing.
# NOTE(review): if the upstream router or the address it hands out ever
# changes, this constant has to be updated by hand.
get_gateway4() {
    GATEWAY4=192.168.178.1
}

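# Validate a dotted-quad IPv4 address with an optional "/prefix-length".
# $1: "a.b.c.d" or "a.b.c.d/n".
# Returns 0 when all four octets are 0-255 and, if a '/' is present, the part
# after it is a number 0-32; returns 1 otherwise.
# Fixes: the old version took "${x#*/}" as the mask even when there was no
# '/', so a bare address was compared as a number (a shell error on stderr,
# accepted by accident) and a non-numeric mask such as "/x" was accepted;
# it also used [[ ]] under the #!/bin/sh shebang. Only POSIX sh is used here.
valid_ipv4()
{
    local addrmask="$1"
    local addr="${addrmask%%/*}"
    local mask=""
    local N
    local OIFS

    # Only treat the text after a '/' as a prefix length when a '/' exists.
    case "${addrmask}" in
        */*)
            mask="${addrmask#*/}"
            # empty, non-numeric or > 32 is not a prefix length
            case "${mask}" in
                "" | *[!0-9]* ) return 1 ;;
            esac
            [ "${mask}" -le 32 ] || return 1
            ;;
    esac

    # digits and single dots only; no leading/trailing/doubled dot, not empty
    case "${addr}" in
        "" | *[!0-9.]* | *..* | .* | *. ) return 1 ;;
    esac

    OIFS="${IFS}"
    IFS=.
    # shellcheck disable=SC2086 -- word-splitting on '.' is the point here
    set -- $addr
    IFS="${OIFS}"
    [ $# -eq 4 ] || return 1

    for N in "$@"; do
        # each octet is 1-3 digits (non-empty is guaranteed by the case above)
        [ "${#N}" -le 3 ] || return 1
        [ "${N}" -le 255 ] || return 1
    done
    return 0
}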

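# Remove every policy rule that selects table $TID, then empty the table.
# `ip rule delete ... table N` removes one matching rule per call, so loop
# until none is left; errors are silenced because "nothing left to delete"
# is the normal way the loop ends. Used on ifdown and, to stay idempotent,
# before (re)populating the table on ifup.
_pbr_clear_table() {
    while ip rule delete from 0/0 to 0/0 table "$TID" >/dev/null 2>&1; do :; done
    ip route flush table "$TID"
}

# Hotplug handler for the "via WAN" policy-routing table.
# On ifup of the trigger interface: fill routing table $TID with a default
# route via the WAN gateway (from get_gateway4), optionally copy the main
# table's non-default routes into it (ADDLOCALROUTES), and add the rules that
# send traffic sourced from port $SPORT and from each $IPADDR entry to that
# table. On ifdown: remove those rules and flush the table.
# Inputs: the hotplug environment ($INTERFACE, $ACTION) and the globals TID,
# SPORT, IPADDR, ADDLOCALROUTES. GATEWAY4 is set by get_gateway4; each IPADDR
# entry is vetted with valid_ipv4. Progress is echoed to stdout for the logger
# pipeline that wraps this script.
# Fixes: ifup is now idempotent (table/rules are cleared first), the route is
# installed with `replace`, success is only logged when ip(8) succeeded, the
# "rule $SPORT added" line is no longer printed when SPORT is empty, and the
# messages name the interface the event is really about.
# NOTE(review): the file header says MYINTERFACE chooses the trigger, but the
# check below compares against the literal "wgserver" (the WireGuard server
# interface in /etc/config/network); MYINTERFACE is not consulted here.
set_routes() {
    [ "$INTERFACE" = "wgserver" ] || return 0

    case "$ACTION" in
        ifup)
            # Start from a clean table so a repeated ifup (no ifdown in between)
            # cannot fail with "File exists" or, on older kernels, stack
            # duplicate rules.
            _pbr_clear_table
            get_gateway4
            if [ -z "$GATEWAY4" ]; then
                echo "pbr: no WAN gateway known, table $TID left empty on ifup of $INTERFACE"
                return 1
            fi
            # Only report success when ip(8) succeeded: the add is rejected
            # when the gateway is not reachable yet (e.g. this fires before wan
            # has its address), and the old unconditional "added" message hid
            # exactly that failure.
            if ip route replace default via "$GATEWAY4" table "$TID"; then
                echo "pbr: default route via $GATEWAY4 added to table $TID on ifup of $INTERFACE"
            else
                echo "pbr: could not add default route via $GATEWAY4 to table $TID (is wan up yet?)"
            fi
            # ADDLOCALROUTES is a flag: defined (even if empty) means enabled.
            if [ -n "${ADDLOCALROUTES+x}" ]; then
                echo "pbr: adding local routes to table $TID"
                # Copy every main-table route except the default route(s) -- the
                # 0.0.0.0/1 + 128.0.0.0/1 pair a VPN client may install counts as
                # default here -- so LAN destinations stay reachable for traffic
                # that is sent to table $TID.
                ip route show | grep -Ev '^default |^0.0.0.0/1 |^128.0.0.0/1 ' | while read -r route; do
                    # shellcheck disable=SC2086 -- $route must word-split into ip(8) arguments
                    ip route add $route table "$TID" >/dev/null 2>&1
                done
            fi
            # Log the port rule only when one was actually added.
            if [ -n "$SPORT" ]; then
                ip rule add sport "$SPORT" table "$TID"
                echo "pbr: rule $SPORT added to table $TID"
            fi
            # shellcheck disable=SC2086 -- IPADDR is a space-separated list by design
            for cidr in $IPADDR; do
                if valid_ipv4 "$cidr"; then
                    ip rule add from "$cidr" table "$TID"
                    echo "pbr: rule $cidr added to table $TID"
                else
                    echo "pbr: Could not add rule $cidr to table $TID"
                fi
            done
            ;;
        ifdown)
            _pbr_clear_table
            echo "pbr: clean up on ifdown of $INTERFACE"
            ;;
    esac
}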
set_routes
# Everything inside the braces ran as one stage of this pipeline, i.e. in a
# subshell: its stdout and stderr are merged and handed to logger, tagged with
# the first 23 characters of the script name plus the pid, at priority
# user.debug when DEBUG is defined. The trailing '&' backgrounds the whole
# group, presumably so the hotplug caller is not held up.
# NOTE(review): if hotplug sources this file instead of executing it, $0 is the
# caller's name rather than 98-pbr-via-wan.sh -- check which tag actually shows
# up in the system log when debugging.
} 2>&1 | logger $([ ${DEBUG+x} ] && echo '-p user.debug') \
    -t $(echo $(basename $0) | grep -Eo '^.{0,23}')[$$] &


root@OpenWrt:~# chmod +x /etc/hotplug.d/iface/98-pbr-via-wan.sh

Then I rebooted... no handshake after 3 minutes.

Did I make a mistake there?

I think your gateway is 192.168.178.1

But you can check with ifstatus wan | grep nexthop

If so then this is what you have to add to your startup:

If you use LuCi then take note of the accompanying text:

This is the content of /etc/rc.local. Insert your own commands here (in front of 'exit 0') to execute them at the end of the boot process

You can check with:

ip route show table 101
ip rule show

Note: after a change to the network configuration these changes are gone, so after changing things you have to reboot (or run the two commands again).

I put the content in LuCI before exit 0
and now

root@OpenWrt:~# cat /etc/rc.local.
ip route add default via 192.168.178.1 table 101
ip rule add sport 55443 table 101

No handshake after reboot, only when I type it manually via SSH...

What is wrong with that hotplug script?
I modified it (also with 192.168.178.1 as gateway) but it won't work either...

Did you check after a reboot whether the table and rule are actually created?

If they are not made then add as first line in system startup:

sleep 20

This lets the startup script wait a while; it may need to wait until the WAN routing is set up, because the route via 192.168.178.1 can only be added once the wan interface is up.

You need to debug the hotplug script to see what is going on, since you altered it.
Start with the log: the script writes to the system log, and if nothing appears there the hotplug action may not be taking place at all.
The hotplug script advises using the VPN client interface as the trigger (wan might also work); you chose wgserver, which might not work.

I updated my entire firmware to the latest version and installed pbr... then everything worked like a charm!

Thank you for your help @egc... I would never have made that work without you :sunglasses: