Setup Wireguard Network properly

Hello OpenWrt Community,

I want to start using Wireguard and I need help in setting it up properly.

I have understood Wireguard itself (so far) and I'm able to set it up (tested it already with a simple setup between 2 devices).

My problem is (for my specific setup) to make it right in terms of security.
I'm not so fimilar with natting/routing/firewalling and vlan/zones/interfaces etc.

My setup looks like that:


What i want to achive is to have a tunnel to my LAN clients accessing their services/data(-exchange).

The first thing I want to know what is the best approach? Is it better to use Interfaces only or work with VLANs?

Then I would need help to setup the routing/firewalling properly.
On my tests (with a simple WG-interface (own IP Range) assigned to LAN zone) I've got a connection but no acces to my clients. :confused:

I hope somebody is in the mute to guide me a bit.

Kind regards,

The words are synonymous in OpenWrt-terms - or more clearly, a VLAN is an Interface.

That's odd, you should have if you were in the LAN zone. You did make a route to the subnet on the other router, correct?

1 Like

Thank your for your reply lleachii. :slight_smile: And sorry for the delay answering.

Finally I have found my error. -.-

If something does not work as expected you begin checking everything twice ... But you miss one thing all the time ... Fucking trees :smiley:

Everything was setup right so far. But i made 2 mistakes.

1st: My incomming port is 4500/udp. My firewall rule was to restrictive. It was set like:

config rule
option enabled '1'
option target 'ACCEPT'
option src 'wan'
option dest 'wireguard0'
option name 'Wireguard-IN-4500'
option dest_port '4500'
option proto 'udp'

After I had removed > option dest 'wireguard0' < I've got the ping back.

2nd mistake was that my clients were configured to restrictive:

e. g. smb.conf:

hosts allow = localhost
(This is needed for the Notebook, cause it is used public too) was missing. That's why I've got a ping back but no data ...

Anyways ... All is working right now.

But I have some questions left:

1.) I have decided to separate the wireguard interface from the lan zone and placed it into his own wg-zone.
Is this for you guys O. K. Or would you recommend other settings? For setting things up.


2.) Do I have to adjust the mtu for the route wg<->lan to wireguard recommend 1420?

3.) The above mentioned firewall rule for the port 4500. Why is it wrong to forward only to wg-zone. Now it's hitting the device. I have a guess but I'm unsure.

4.) I'm running unbound on this device. All DNS traffic is redirected to localhost/unbound and dns out from lan-zone to wan-zone is forbidden.
If I look into the traffic it seems that wireguard clients are using unbound. So, is it necessary to block outgoing dns traffic for the wg-zone too?

Thanks for your help so far. :slight_smile: