Trying to route traffic for a wireless network through a wireguard client

Hi there,

So far I have set up and they work

  • A wireless client (device name phy0-ap1)
  • A wireguard client (device name UKBHA)
  • My firmware verson OpenWrt 23.05.0 r23497-6637af95aa / LuCI openwrt-23.05 branch git-23.236.53405-fc638c8
  • pbr version 1.1.1-7

I am trying to route all the traffic from phy0-ap1 -> UKBHA.

I am using PBR to try and get things working. I have added a new policy and populated it with

Enabled : ticked
Local Addresses / Devices : phy0-ap1 (I assume from the documentation that this should be @phy0-ap1 but it will not accept that)
Local ports : blank
Remote addresses / domains : blank
Remote ports : blank
Protocol : all
Chain : prerouting
Interface : UKBHA

I have set this up
When using the policies targeting physical devices, make sure you have the following packages installed: kmod-br-netfilter, kmod-ipt-physdevandiptables-mod-physdev. Also, if your physical device is a part of the bridge, you may have to set net.bridge.bridge-nf-call-iptablesto1in your/etc/sysctl.conf.

The wifi connection works with this setup but it looks to me (after checking dnsleaktest) like the wireless traffic is not going through the wireguard client.

Have I missed anything?


Any clues?

  • Please provide information on how you configured your clients to use DNS
  • Where/what device did you perform the leak test?
1 Like

So, my clients use Pi Hole which my router points to which in turn is running on a container on the same subnet. I tested an Android phone, visiting

I was watching the network interface for my wireguard client and I did not see the traffic increase (when I was pulling some data) so there is definitely something wrong.

  • Is PBR configured to send Pi Hole DNS query traffic via the WG tunnel?
  • How did you configure clients to use the Pi Hole for DNS requests?

When I set up an IP address in PBR to use a wireguard client, all the DNS requests are sent down the tunnel. My problem is telling PBR to use a device, in this case the WiFi device I have set up, I am not sure I have the syntax correct as the PBR screen will not accept @phy0-ap1 as a device but it is fine with phy0-ap1.

I have set up pihole in Network / DHCP and DNS / DNS forwardings

I can set this up in



config policy                              
        option name 'lan24'                    
        option src_addr '@phy0-ap1'         
        option interface '<my-wireguard-client>'
        option enabled '1'

And it will work. I cannot put the physical device name in the "Local adresses / devices" box on the PBR screen.