Routing question. OpenWrt as a Wireguard Client

I have recently installed wireguard client on my TP-Link TL-MR3420 v5, that already has an OpenWRT. The wireguard link to my external sever works great, even all clients that conenct via wlan0 on openwrt also get connection via wireguard. What i want to achieve is a "private router". Wherever I travel I can bring it with me ad don't have to set up wireguard clients for each device.

I have three problems related to that:

  1. Because of routing table created by wireguard module itself, connection to my wireguard server ( is passing through the regular WAN interface, all other conenctions to any other IPs are actually going through wireguard server. What kind of routing (or policy based vpn routing) shall I apply to fix that ?
  2. Signal messenger doesn't work when connected via wlan0, seems like mix of double NATing and that it's protocol switches between random UDP ports kills it (ref. Signal official page)
  3. DNS leaks, wlan0 client obtain DNS server address of my openwrt router. This is the least problematic case, I should find it digging in various DNS options on openwrt .
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         *              U     0      0        0 wg0        *        U     0      0        0 wg0
X.X.X.X UGH   0      0        0 br-wan     *        U     0      0        0 br-wan     *        U     0      0        0 wlan0

X.X.X.X - my remote wireguard server - internal wireguard ip range -ISP router ip range - OpenWRT router ip range

I appreciate any help,

Don't set as allowed IPs the whole internet ( Set only the IPs you want to route via the wireguard tunnel.

That is very vague to provide any solution. Double NAT should not be a problem. There could be a problem if the port Signal is trying to use is already taken, but this could happen with single NAT too.

1 Like

I have tried playing with allowed ips in wireguard but no luck. Instead of I have set up,, but then there is no internet connection at all. What do you suggest setting it to?

This is not a valid network, should be .0/24

Only the IPs from the wg server side that should be reachable via the tunnel.

1 Like

My bad, I meant
If i understand correctly, that means setting allowed ips to and nothing more? My whole wg network is based on iprange

That would be one. The other is to add any network connected to the wg server, which you want to access.

1 Like

I tried setting allowed ips in wireguard only to, but that updated my routing table in such way that now no traffic is going through wireguard, all goes through WAN. Shall I maybe combine it with forwarding rules or zones in openwrt ?

My current routing table setup:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         UG    0      0        0 br-wan        *        U     0      0        0 wg0 UGH   0      0        0 br-wan     *        U     0      0        0 br-wan     *        U     0      0        0 br-lan

Isn't that what you wanted?

1 Like

Actually when I read my first post now it is confusing for me as well.

I meant that this line:

I suspect it is causing that if I traceroute ANY ip address (except for my wg server ip address X.X.X.X) I get connection through wireguard, but when I want to use any service on my wg server X.X.X.X it gets connected via normal WAN (traceroute shows that it ommits internal ip range and goes directly through WAN). This routing table line mentined above is probably mandatory for wireguard to work, but is there any fix for that ?

Edit. Additionally on my wireguard server I see all connections to for example apache http, as coming from ISP IP address, not wireguard.

This line is mandatory, otherwise the tunnel cannot work. Everything goes via the wg tunnel, but to reach the public IP of the wg server you must use the regular wan interface, therefor this route is installed.
You can use the tunnel IP if you want to access the server via the tunnel. In case it doesn't work, make sure you have the wg interface in lan firewall zone (or any other zone with proper forwardings).


Right I see, then I have to live with it and use only.

Another thing I have observed that might be related to my 2nd point (signal messenger not working when I have double NAT plus wireguard), when I try to reach my openwrt via wireguard (openwrt IP in wireguard network is, then sftp doesn't really work and I get connected to ssh terminal but I get constant interruption, it's not blocked but very limited connectivity. I'm also not able to to reach openwrt default site via wireguard at all.
What could be the cause ?

mtu, measure it and adjust it for the tunnel. For linux instead of -f use -M do

1 Like

Thank you I'll try that out

1 Like

Thank you taht solved all the issues !

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.