[SOLVED] Wireguard VPN client on secondary router - how do I route non-VPN local traffic to primary router / network?

Installed OpenWRT this weekend on an RT-N56U to get Wireguard VPN functionality; I was using Padavan firmware previously.

I am impressed by the console commands on OpenWRT and am looking forward to learning more; until now I have used the GUI/admin to set things up... thank you to anyone who can help me out here...

I have the Wireguard VPN client running (yes!) on this secondary router with net 192.168.2.X behind the primary router with net 192.168.1.X

I've been trying for 48+ hrs now to figure out how to get traffic for 192.168.1.X to go to the WAN port on the secondary router and hit the primary router - I have the NAS and media players and a lot of other stuff on 192.168.1.X

All traffic is now going over the Wireguard VPN interface; I cannot ping anything on 192.168.1.X

I'm using vpn-policy-routing in the admin to send 192.168.2.1/24 to the WIREGUARD interface, and adding 192.168.1.1/24 to the WAN (which is the primary router...)

VPN Policy screenshot: https://i.imgur.com/ESv4CAo.png

Firewall config screenshot: https://i.imgur.com/aEOx7Hh.png

I also have enabled static routes ... https://i.imgur.com/yRqLdK2.png which is not helping.

I'm thinking this is a Firewall config problem, where I need FORWARD somewhere.
Thankful for any ideas on where to look and understand how OpenWRT solves this.

Here is my Firewall configuration... https://pastebin.com/vE1kzNG9

Also... possibly useful info for anyone attempting to flash an Asus router: when using TFTP to flash the router in recovery mode there is a very small time window to get the TFTP client to connect after starting the router in recovery mode. If you miss this time window the transfer will not start.

Post your configuration as text redacting the private parts:

uci show network; uci show firewall; uci show vpn-policy-routing; \
ip address show; ip route show table all; ip rule show; iptables-save

Hi vgaetera,
Wireguard is working and I removed all private and shared keys

The text is too big for forum so it's on pastebin https://pastebin.com/UHt7z06y

I'm trying to get my head around Zones in the Firewall, and any relation to Routes.
Thank you for taking a look at this!!
/Magnus


Wham! It's working, unfortunately I have no idea why. Possibly the static routes.
I need to figure out firewall/zones/routes on OpenWRT.

Also, I will try to configure Wireguard from the command line/console...
uci set network.wgserver.preshared_key="${WG_PSK}"

/Magnus


Actually, it should work by default if you disable vpn-policy-routing and use route_allowed_ips=1.
Or, add a static route to table 202 if you really need vpn-policy-routing.

In addition, change the WG interface mask to /24.
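The uci form of the setup this answer describes, as an added example that is not a config posted in the thread. It assumes placeholder values (tunnel address 10.0.0.2/24, primary router at 192.168.1.1, endpoint vpn.example.net:51820) and the section names wg0 and wgserver; keys are read from the environment so they never end up in a script or a pastebin.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholders: tunnel address 10.0.0.2/24,
# primary router 192.168.1.1, endpoint vpn.example.net:51820, sections wg0/wgserver.
# WG_PRIVATE_KEY, WG_PEER_PUBKEY and WG_PSK must be exported before running.

render_uci_batch() {
  # Every line is a `uci batch` command. allowed_ips 0.0.0.0/0 together with
  # route_allowed_ips=1 installs the default route through wg0 in the main
  # table, so vpn-policy-routing is not needed for "everything over the VPN".
  # The /24 static route to the primary router's LAN is more specific than that
  # /0, so 192.168.1.x traffic still leaves via the WAN port (longest prefix
  # match) without any extra routing table. Tunnel address mask is /24.
  cat <<EOF
set network.wg0=interface
set network.wg0.proto='wireguard'
set network.wg0.private_key='${WG_PRIVATE_KEY:?export WG_PRIVATE_KEY first}'
add_list network.wg0.addresses='10.0.0.2/24'
set network.wgserver=wireguard_wg0
set network.wgserver.public_key='${WG_PEER_PUBKEY:?export WG_PEER_PUBKEY first}'
set network.wgserver.preshared_key='${WG_PSK:?export WG_PSK first}'
set network.wgserver.endpoint_host='vpn.example.net'
set network.wgserver.endpoint_port='51820'
set network.wgserver.persistent_keepalive='25'
add_list network.wgserver.allowed_ips='0.0.0.0/0'
set network.wgserver.route_allowed_ips='1'
set network.to_primary_lan=route
set network.to_primary_lan.interface='wan'
set network.to_primary_lan.target='192.168.1.0/24'
set network.to_primary_lan.gateway='192.168.1.1'
commit network
EOF
}

apply_config() {
  # Runs on the router only; render_uci_batch can be reviewed anywhere first.
  render_uci_batch | uci batch || return 1
  # Put wg0 in the existing wan zone so LAN -> tunnel is forwarded and
  # masqueraded exactly like LAN -> WAN (what the thread did in the GUI).
  zone=$(uci -q show firewall | sed -n "s/^firewall\.\(@zone\[[0-9]*\]\)\.name='wan'$/\1/p")
  [ -n "$zone" ] || { echo "no firewall zone named wan" >&2; return 1; }
  uci -q del_list "firewall.${zone}.network=wg0"   # keep the list idempotent
  uci add_list "firewall.${zone}.network=wg0"
  uci commit firewall
  /etc/init.d/network reload && /etc/init.d/firewall reload
}
```

Run `render_uci_batch` first to review what will be written, then `apply_config` on the router; `ip route show` afterwards should list both the default route via wg0 and 192.168.1.0/24 via the WAN interface.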

Indeed, it does!! I did a "Reset to defaults" since I can't have a configuration that works without me understanding why. Also, I'm using the admin GUI...

This time I did the NTP time sync, set up the static routes to the 192.168.1.0 network and then installed the Wireguard interface as wg0. Configured WG keys and peer and attached it to the WAN zone in the firewall, and this time I selected "Route Allowed IPs". Saved, restarted and ... works like a dream.

  • I can access 192.168.1.X network
  • All traffic routed over Wireguard VPN

Thank you very much for your assistance, I'll post a step-by-step on this for other interested users.

/magnus

