VPN (WireGuard) clients can only access the OpenVPN Device itself

I have a Netgear R7800 running OpenWRT 21.02 which is configured as a Dumb AP at "". I installed and configured WireGuard Server ( with one peer ( The connection seems to work, but the only device I can reach using VPN is the OpenWRT device itself at "" I cannot reach any other device on the network (e.g. NAS drive at

You encrypted your LAN with Wireguard?

If this is for test, you will have to attempt your connection from the network you'll actually use in real life with Wireguard (e.g. the Internet/WAN).

  • Where is the network?
  • Where is the network?
  • Can we see the WG config (omitting the keys, of course)?
  • Do you get a handshake?

Thank you for your quick response. Maybe a diagram illustrates better what I want to achieve:
[Image: Untitled Diagram.drawio]
I had already used the "old" setup. The home server is a Debian server which is part of my network. I had a WireGuard server running on this server ( with port forwarding on the Cable Modem to enabled. With this setup I had access to my home network (
As the home server is not always on I wanted to transfer the WireGuard Server to the OpenWrt AP. But as mentioned before, while WireGuard is able to connect, I do not have access to the whole network.

The setup I used on the Debian server was similar to the guide for OpenWRT, but there was some additional configuration which seems to set up the routing.

sysctl net.ipv4.conf.%i.forwarding=1 net.ipv4.conf.$(ip r l 0/0 | mawk '{print $5;exit}').forwarding=1
iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -s -o $(ip r l 0/0 | mawk '{print $5;exit}') -j MASQUERADE

If I understand, and if firewalls are OK, your OpenWrt will just need to masquerade WG traffic destined to your LAN using


Masquerading would be the best solution if the OpenWRT device was the only one I can configure. As I can also configure the Cable Modem the best solution for me was to
...set a static route on the Cable Modem

Dest Subnet Gateway

...configure the firewall zone

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    list network 'lan'
    list network 'vpn'
    option forward 'ACCEPT'
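
The return-path reasoning behind the two fixes discussed in this thread (masquerading on the OpenWrt device versus a static route on the cable modem), modelled as an added example that is not part of any post. All addresses and names below are constructed, since the thread's own addresses are not shown on the page.

```python
import ipaddress

# Constructed addressing (assumption; the thread's real subnets are not shown).
LAN = ipaddress.ip_network("192.168.1.0/24")
VPN = ipaddress.ip_network("10.0.0.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
MODEM = ipaddress.ip_address("192.168.1.1")  # default gateway of all LAN hosts
AP = ipaddress.ip_address("192.168.1.2")     # OpenWrt dumb AP running WireGuard
PEER = ipaddress.ip_address("10.0.0.2")      # WireGuard client's tunnel address


def next_hop(routes, dst):
    """Longest-prefix match over (network, gateway) pairs; None if no route."""
    matches = [(net, gw) for net, gw in routes if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def reply_reaches_peer(masquerade=False, modem_static_route=False):
    """Trace a LAN host's (e.g. the NAS's) reply to a packet from the VPN peer."""
    # With masquerading the AP rewrites the source to its own LAN address,
    # so the LAN host answers the AP instead of the VPN address.
    reply_dst = AP if masquerade else PEER

    # A LAN host knows only its own subnet and the default gateway.
    host_routes = [(LAN, "direct"), (DEFAULT, MODEM)]
    # The modem knows the LAN and the WAN, plus the VPN subnet if told.
    modem_routes = [(LAN, "direct"), (DEFAULT, "wan")]
    if modem_static_route:
        modem_routes.append((VPN, AP))

    hop = next_hop(host_routes, reply_dst)
    if hop == "direct":
        # On-link delivery: only helps if the destination is the AP itself,
        # which then reverses the NAT and sends the reply into the tunnel.
        return reply_dst == AP
    if hop == MODEM:
        # The modem must hand the packet back to the AP; otherwise the
        # reply leaves via the WAN and is lost.
        return next_hop(modem_routes, reply_dst) == AP
    return False


if __name__ == "__main__":
    print("no fix:            ", reply_reaches_peer())
    print("masquerade on AP:  ", reply_reaches_peer(masquerade=True))
    print("static route modem:", reply_reaches_peer(modem_static_route=True))
```

The static route keeps the peer's real tunnel address visible to LAN hosts, whereas masquerading makes every VPN client appear as the AP in their logs and access controls.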