[Solved] OpenWrt to PC Wireguard tunnel

Hi, how are you all doing?
I have this situation that I've been trying to fix, maybe someone more experienced can help me:

Internet ----> Main router ----> PC (running Wireguard)

Internet ----> Main router ----> OpenWRT router (running Wireguard) ----> various_devices

My question is: Is there a way for all the various_devices on PLACE "B" (connected through ethernet ports) to reach the PC on PLACE "A"? If there's a way, how can I make it work?

The thing is, I need the OpenWRT router to be portable, so I can take it somewhere else and connect a device through one of it's ethernet ports for reaching the PC at PLACE "A" through a VPN tunnel (I don't want to open ports to specific services on the Main router at PLACE "A", and neither can I install Wireguard on it). The OpenWRT router will be connected to a Main router on PLACE "B" through WiFi.

So, in essence:
1- Everything that enters the OpenWRT router through ethernet, should go through a VPN tunnel and reach the PC (where it would be decrypted).
2- The response from the PC should go through a VPN tunnel and reach the OpenWRT router again, (where that would be decrypted and sent to the correct ethernet port).

Let me know if I overcomplicated this explanation, english is not my main language!

Thanks to this great community in advance! :grin:

Are you willing to open/forward a port for WG at place A (i.e. forward the WG port on Place A's WAN > the PC)? If so, yes, this is not hard to do. It not, this will be much more difficult.

Yes, I should have mentioned it! I prefer to open only one port for the tunnel instead of many ports for many different services!

Yes that is how it works. The PC will hold an IP inside the tunnel. You can connect to multiple services with different ports on that IP. The encrypted packets all come in through one connection on one port. When they are decrypted and de-encapsulated the internal port number is used.

A site to site Wireguard does require one of the sites to have one port open to the Internet for the incoming encrypted packets. It would make sense to do this at A since B is not always the same place.

1 Like

Thank you both for the replies!

1- On the PC side, I should set the Wireguard Interface with it's own IP (for example:, and add a Peer with an IP (for example, which would be the OpenWRT router.
2- On the OpenWRT side, I should set the Wireguard Interface with IP ( and add the PC's public IP as Peer?

Basically, yes. I'd recommend making the peer /32 (instead of /24).

You'll also need to generate the private and public keys for each side, and then exchange the public keys, but that's all pretty straightforward.

1 Like

I got it working, but I'm not sure about the best firewall configuration for this case scenario

The firewall configuration depends on your goals... what is supposed to happen? Are you just accessing that one host at location A (from location B)? Or are you tunneling all of your internet access through that host? Or something else?

I'm just accessing from location B to A

I personally like to put the VPN into its own zone. Create a new zone and allow forwarding from your lan > wg zones. Also allow output. You can safely allow input and forward if you want, too.

You'll probably need masquerading enabled unless your host at location A has a static route assigned for the return traffic.

1 Like

And what should I do with the default created "wan" zone?

Leave it as-is. It's still going to be used whenever you connect to another network.

1 Like

You are right, well thank you so much for the help, I really appreciate it! :smile:

no problem.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.