[SOLVED] WireGuard vs OpenVPN

I have this type of installation between 3 OpenWRT

Can someone help to get the same with WireGuard instead of OpenVPN ?

Thanks in advance for the help

For each peer add in the allowed networks the internal prefix along with the tunnel IP address and select to add routing for the prefix.


Provided at least one of the clients have a public IP or port forward and can receive incoming requests from the other peer. Otherwise the traffic between the clients have to be routed through the server in the same way as with openvpn.


I am a little confused in the masquerading need of my FW zones, and also with the how to get the routes working like in openvpn push routes and iroutes.
I made a little testing platform with 2 boxes working in chained mode (not really the stars like mode I really need) and I can ping the both sides of my boxes from each others, but not the clients from the "dmz" isolated box side.

Hope I am clear in my explanations

No need, except for WAN-zone.

Use static routes.

Assuming the routing is correct, verify your firewall configuration.


I have added both LAN on FROM and OUT forward on the WG firewall zone on each OpenWRT.
Now I can ping clients from the openwrt sides from the openwrt routeurs.

Great ! thanks

Actually I still not ping from a client of the LAN sides to a client of the isolated side, nor to the IP of openwrt on the isolated side...
But all working from the openwrt routeur itself.

Use traceroute and tcpdump for troubleshooting.
Note that some cases may require MTU-tuning.

Or post the network and firewall configuration files.

all fixed in a second (real) test...
I am on a remote site, (no more on my "lab") and made the same like said configuration.
Peer IP of remote wireguard and the remote vlan wanted in each peer.
activated the routing without the need of any static routes.
opened zone FROM and TO lan in the WG firewall zone.
added a accept rule of the WG port used in both side (needed to have full communication of the tunnel).
Now in testing full benchmarks and useness tests.

Each clients of the LAN look having access to clients of the tunneled lan.
May do some more test when getting back to my "server" LAB, but fixed...

thanks for the quick and detailed help...

If your problem is solved, feel free to mark the relevant post as the solution; and edit the title to add "[SOLVED]" to the beginning (click the pencil behind the topic).


A huge problem of latency was with IPv6...
I completely disable and remove all IPv6 component, and settings, and I get now a fast and useable wireguard tunnelled and routed VPN from two distant sites.

To resume, Remember to add a FW Rule for the port and use fixed port number used by wireguard on each peer.
Add IN/OUT and accept all on the WG firewall zone.
remove ALL IPV6 from the peers.
Used routes allowed settings with remote IP of wireguard and remote VLAN (crossed them).

Thanks again for the helpfull advices...

I wouldn't consider disabling ipv6 a solution. Ipv6 shouldn't cause a huge latency problem in the tunnel (when configured correctly).

1 Like

i have to add Masquerading to the VPN firewall zone.
Now all works fine and I have access to all clients from all wireguard tunnel peers.
I use private vlan 172.x for wiregard and I already had 10.x and 192.168.x private vlans for my reals clients for the remotes sites.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.