Unable to assign WIFI interface to Wireguard

Hi everyone, I am fairly new to openwrt, and ran into an issue.
Hopefully somebody got some advice for me.

I am using the new router model (OpenWRT One), with Luci.
I installed Wireguard, and imported my Wireguard configuration for a certain VPN connection.

I followed some guidelines on the Internet, and my VPN connection is working through the (wired) LAN interface.
So far so good.

What I actually wanted to achieve is to not have the VPN connection available through the wired LAN port, but solely through a dedicated wireless port.

My standard wireless port btw is working, but it is just not assigned to the Wireguard VPN.

What I want to achieve is to have the wireless port directly assigned to the VPN, and not to the LAN.

I cannot figure out how to do this.

thank you

Make a guest wifi:

Then use Policy Based Routing to route only that guest wifi via the VPN:

Thank you, I will try that

I think I am out of luck. I tried the page for PBR, but the details are quite vague, so I can't follow.
Unfortunately there are only guides how to set up a (wireguard)-VPN for the wired LAN port, but not for WIFI.

Let's see if we can get you going; for that it will help if you show us your configs and tell us which interface you want to route via the VPN.
Please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
ip route show
wg show

thank you egc, I appreciate your help.
Just for you to know, I reset the router to factory settings, and only added the interface for my Wireguard VPN.
Here is the output of the 5 commands:

_____________________________________________________
-----ubus call system board-----
{
"kernel": "6.6.93",
"hostname": "OpenWrt",
"system": "ARMv8 Processor rev 4",
"model": "OpenWrt One",
"board_name": "openwrt,one",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "24.10.2",
"revision": "r28739-d9340319c6",
"target": "mediatek/filogic",
"description": "OpenWrt 24.10.2 r28739-d9340319c6",
"builddate": "1750711236"
}
}
_____________________________________________________
-----cat /etc/config/network-----

config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fdf5:4d10:10d7::/48'
option packet_steering '1'

config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1'

config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
option ip6assign '60'

config interface 'wan'
option device 'eth0'
option proto 'dhcp'

config interface 'wan6'
option device 'eth0'
option proto 'dhcpv6'

config interface 'wguk'
option proto 'wireguard'
option private_key 'hidden'
list addresses 'hidden'
list dns 'hidden'

config wireguard_wguk
option description 'Imported peer configuration'
option public_key 'hidden'
list allowed_ips '0.0.0.0/0'
list allowed_ips '::/0'
option endpoint_host 'hidden'
option endpoint_port 'hidden'

_____________________________________________________
-----cat /etc/config/firewall-----

config defaults
option syn_flood '1'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'

config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'

config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'

config forwarding
option src 'lan'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

_____________________________________________________
-----ip route show-----
default via 192.168.1.1 dev eth0 proto static src 192.168.1.25 
149.xx.xx.xx via 192.168.1.1 dev eth0 proto static 
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.25 
192.168.2.0/24 dev br-lan proto kernel scope link src 192.168.2.1 

_____________________________________________________
-----wg show-----
interface: wguk
  public key: hidden
  private key: (hidden)
  listening port: hidden

peer: hidden
  endpoint: 149.xx.xx.xx:xxxxx
  allowed ips: 0.0.0.0/0, ::/0

_____________________________________________________

BTW, just additional info.....

192.168.1.1 is my main home router for the Internet connection
192.168.2.1 is my OpenWRT router

Your WG client is not working because you need to add the WG interface to the wan firewall zone

You did not enable Route Allowed IPs on the WG peer which is good in this case as you want normal traffic default via the wan.

For the record this is how I set up a WG client: WireGuard Client Setup Guide

If you have created the guest wifi according to the wiki you can simply make an alternate routing table via the VPN and a rule to add the guest wifi interface to use this alternate routing table:

Make alternate routing table with table number 100 with default route via the WG interface
/etc/config/network:

config route
	option interface 'wguk'
	option target '0.0.0.0/0'
	option table '100'

Make rule to let the guest interface use this alternate routing table:

/etc/config/network:
config rule
	# for interface
	option in 'guest'
	#table number to use for lookup
	option lookup '100'

I am working on some more elaborate instructions but they are not yet done; for a sneak preview see:

Thank you very much.

That is true. I did not yet enable any routing nor any firewall zones. Just added the wireguard interface.
The reason why I haven't enabled anything yet is because there are so many guidelines out there, all with a different approach. And none of them worked so far.

I will try again with the guest wifi, but I am also looking forward to your instructions that you are currently working on.

Just for my understanding... Do you think it is easier to set up OpenVPN via wifi than Wireguard via wifi?

It seems there are more guidelines on the Internet (and on the VPN provider's websites) about OpenVPN than Wireguard.

Sure, but start with the guest wifi; this is needed in all cases.

No, WireGuard is the easier and more performant choice.

Your guidelines for the guest wifi worked perfectly and are well documented.
thanks.
So that is already working

I need to leave for today, but will continue tomorrow.
thanks for your help so far.


Next setup WireGuard.
To check if it is working enable Route Allowed IPs, reboot the router and check with e.g. ipleak.net from the guest wifi that you are using the VPN (are in the UK).

Then disable Route Allowed IPs and add the alternate routing table and rule to /etc/config/network, see my earlier post

If it does not work then lets see the configs again (no need to redact private IP addresses):

cat /etc/config/network
cat /etc/config/firewall
ip route show
ip route show table all
ip rule
wg show
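The two posts above describe the target state (a rule sending the guest interface to table 100, a default route in table 100 via the WG interface, the WG interface in the wan zone) and the commands used to verify it (ip rule, ip route show table all, the firewall config). The script below is an added example, not code from the thread or from egc's guide: it takes the text of `ip rule`, `ip route show table 100` and /etc/config/firewall and prints one line for each thing that is missing or wrong. The samples inside it are constructed, not captured from the poster's router; the names br-guest (the guest interface's bridge device), wguk and table 100 are assumptions. It also checks for one thing egc's snippet does not include: an `unreachable default` catch-all in table 100. Without it, when the tunnel is down netifd removes the wguk route, the table 100 lookup finds nothing, and the kernel falls through to the main table, so guest traffic silently leaves via the WAN. That catch-all can be added with `ip route add unreachable default table 100 metric 1000` (or the equivalent `config route` with `option type 'unreachable'`; confirm it with `ip route show table 100`).

```shell
#!/bin/sh
# Added example (not from the thread): audit a guest-wifi -> WireGuard policy-
# routing setup on OpenWrt. Works with busybox sh/awk/grep/sed on the router.
# Assumed names: guest bridge br-guest, WireGuard interface wguk, table 100.

# $1 = `ip rule` output, $2 = guest device, $3 = table number
guest_rule_present() {
    printf '%s\n' "$1" | grep -Eq "^[0-9]+:[[:space:]]+from all iif $2 lookup $3([[:space:]]|$)"
}

# $1 = `ip route show table N` output; prints the device of the default route
table_default_dev() {
    printf '%s\n' "$1" | sed -n 's/^default \(via [^ ]* \)\{0,1\}dev \([^ ]*\).*/\2/p' | head -n 1
}

# $1 = route table output; true if an `unreachable default` catch-all exists
unreachable_fallback_present() {
    printf '%s\n' "$1" | grep -q '^unreachable default'
}

# $1 = /etc/config/firewall text, $2 = zone name, $3 = network; true if the zone lists it
zone_has_network() {
    printf '%s\n' "$1" | tr -d "'" | awk -v zone="$2" -v net="$3" '
        function flush(  i) {
            if (inzone && name == zone) for (i in nets) if (nets[i] == net) found = 1
            inzone = 0; name = ""; split("", nets); n = 0
        }
        /^[ \t]*config[ \t]+zone/ { flush(); inzone = 1; next }
        /^[ \t]*config[ \t]/      { flush(); next }
        inzone && $1 == "option" && $2 == "name"    { name = $3 }
        inzone && $1 == "list"   && $2 == "network" { nets[++n] = $3 }
        END { flush(); exit(found ? 0 : 1) }'
}

# $1 ip rule text, $2 route table text, $3 firewall text, $4 guest dev, $5 table, $6 wg ifname
# Prints findings; returns 0 when clean, 1 otherwise.
audit_pbr() {
    rc=0
    if ! guest_rule_present "$1" "$4" "$5"; then
        echo "MISSING: no 'iif $4 lookup $5' rule; guest traffic uses the main table (WAN)"; rc=1
    fi
    dev=$(table_default_dev "$2")
    if [ "$dev" != "$6" ]; then
        echo "WRONG: default route in table $5 is via '${dev:-none}', expected $6"; rc=1
    fi
    if ! unreachable_fallback_present "$2"; then
        echo "LEAK: no 'unreachable default' in table $5; if $6 is down the lookup falls through to main and guest traffic exits via WAN"; rc=1
    fi
    if ! zone_has_network "$3" wan "$6"; then
        echo "FIREWALL: $6 is not in the wan zone, so tunnel traffic is neither masqueraded nor forwarded"; rc=1
    fi
    return $rc
}

# Constructed samples. GOOD_* is what a working setup looks like; BAD_* mirrors
# the state posted in the thread (no rule, empty table 100, wguk in no zone).
GOOD_RULES='0:	from all lookup local
32765:	from all iif br-guest lookup 100
32766:	from all lookup main
32767:	from all lookup default'
GOOD_T100='default dev wguk scope link
unreachable default metric 1000'
GOOD_FW="config zone
	option name 'wan'
	option masq '1'
	list network 'wan'
	list network 'wan6'
	list network 'wguk'"
BAD_RULES='0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default'
BAD_T100=''
BAD_FW="config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'"

# On the router, audit the live state instead of the samples:
#   audit_pbr "$(ip rule)" "$(ip route show table 100)" "$(cat /etc/config/firewall)" br-guest 100 wguk
if [ "${1:-}" = "--demo" ]; then
    audit_pbr "$GOOD_RULES" "$GOOD_T100" "$GOOD_FW" br-guest 100 wguk && echo "good sample: clean"
    audit_pbr "$BAD_RULES" "$BAD_T100" "$BAD_FW" br-guest 100 wguk || echo "bad sample: problems listed above"
fi
```

Run it as `sh audit_pbr.sh --demo` to see the two samples, or paste the commented one-liner into the router's shell after applying the route and rule; a clean run prints nothing and exits 0. The checks are deliberately textual because `ip rule` and `ip route` show what the kernel actually does, which is what matters when the UCI config looks right but ipleak.net still shows the WAN address.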

thanks, will do that

Hi, I tried to follow all the guidelines (didn't expect so many settings... :) ).
In any case, I am not there yet, and it is not working yet. Probably I missed something.
I am a bit overwhelmed with all the settings.

I will keep trying this week to see how far I get.

thanks for your help so far.

Feel free to post your configs again so that we can see what is wrong

Hi egc, thanks for all your help.
I think I have to give up.

This morning I followed the official guideline for guest wifi from "openwrt one".
After that, I could no longer connect to the router.

I somehow managed to flash the router, so now I can connect again via SSH, but not Luci

Running updates through SSH result in an error "ADB block error".
And I can't fix that.
Which also means can't continue with anything else.

This is sooooo annoying.

So, thanks for the details. Not sure if I ever can get the router up and running again.

Are you sure you are using Openwrt 24.10.2 ?
That error indicates you are using a Main/Snapshot build which is not recommended

You really have a great background knowledge.
You are right. Because of my attempts to flash the router, I accidentally used a snapshot build, and not OpenWRT 24.10.2.
I have finally managed to install everything, firmware, upgrade etc.
So I am back in the game.

I now need to follow your guidelines again. Let's see how far I get.

If I get stuck, I will reach out to you again.

Thank you

I now know what the issue was before I could no longer connect to the router.
When I followed the guide for the guest wifi, I looked at the very last step for troubleshooting, where it says:
----------"Your device is unable to connect to the guest-AP: This might be caused by the device not getting an IP address assigned by the DHCP-server. Please check that the DHCP-server on your OpenWrt-router is configured to listen to the “guest”-interface.

  • Go-to “Network → DHCP and DNS → (tab) Devices & Ports”.
  • If “non-wildcard” is enabled, ensure that the “guest”-interface is added to “Listening interfaces”."----------
    So I added the guest interface to the listening interface, and voila, lost the connection to the router altogether.

:)