Wireguard and mwan3 configuration issue

Hi, there. I have a working Wireguard set up, in a sense that my router successfully connects to a Wireguard server and routes everything perfectly from LAN. However traffic initiated within the router on Wireguard interface doesn't go anywhere. So this times out for me:

ping -c1 -I wg0

it was not bothering me until I wanted to set up mwan3 for failback. mwan3 uses above to check if an interface is up and running, so it detects wg0 interface as down and switches routing from it.

Is there any firewall setting I need to do to make this work?( between of the server and of the peer). just pinging works fine without specifying an interface...

Please post the output of:

ip route get from

Lets see where this traffic is actually going, first.

(I tested on mine, and found it was using WAN...I know why...but obscure your gateway IP if such is the case with you too.)

I get this: from dev wg0

Did you enable IPv4 forwarding (i.e. make it a router) and masquerading (create the NATed LAN) from on the server?

Enter on server:

sudo sysctl -w net.ipv4.ip_forward=1
sudo iptables -t nat -A POSTROUTING -s -j MASQUERADE

yes, I did that on the server already, otherwise the whole tunnel would not be working. I can use internet from LAN via wg0 with no issues.

one other thing I noticed - I can't ping peer from the server - get "destination port unreachable" (not host), but I attribute that to firewall...

Try instead:

ping -c1 -I

Oh my...let me know if that ping works...I think you're missing something grand...

EDIT: YES, you do have to ALLOW OUTPUT on wg0 (i.e. its Firewall Zone).

yes, ping above works! so why does interface name doesn't?

I was afraid this is this case...allow me to ask you one question...

Not counting the WAN that wg0 uses, name the other (REAL, not virtual) WAN you plan to failover to?

I hope I understand the question correctly (it's all a bit new to me). Currently second wan is just main wan based on eth0.2 (in the future it will be second Wireguard connection, but I haven't set it up yet).

I don't think there's an "issue" with your Wireguard configuration then. In fact, I think it's configured properly!

Simply...because the interface is not real. It has no "gateway" (in the Layer 2 sense). Your WAN physically connects to equipment on the remote-end, your Wireguard interface uses the same WAN.

You mentioned:

Well, I'm not sure if you can configure mwan3 for this....but you must use some sort of script instead to undo the routes, configs, etc. on the LEDE when it doesn't detect something on wg0 (e.g. a ping to

hmm... I do read some success stories about using mwan3 with Wireguard, so it must be possible, but I wonder how :slight_smile:

1 Like

I'll be honest, I hope others read; and I hope you have further success using Wireguard.

I will continue to follow this, as I'm interested. I'll admit, I have no knowledge of mmwan3, or using it with VPNs (or other tunneled interfaces); and Wireguard is my VPN of choice to use on LEDE.

Perhaps...you wish to edit the title to reflect is's an mmwan3 issue more clearly (or say this is solved and make a new thread)?

oh, well. I suppose there is always an option of hacking mwan3 - I came across mwan3track sources where it does the ping and source IP already available there for me to use. I'll recompile and see if that works :slight_smile:

ok, so it turned out mwan3track is just a shell script, which I modified to check the interface name and replace with IP for pinging. Its obviously hardcoded with ip and interface name, but would be nice to solve this more generically (like maybe do a check if its a virtual interface and get its IP, which I don't think I have knowledge to write).

An update. I had it working perfectly with the change in the script but then dunno where exactly but things went wrong and I can no longer connect via wireguard at all. I was building my builds myself experimenting with different compilers and had to reflush my device from scratch few times... I thought my build is now wrong, so I got image builder and got everything prebuilt with it, still not working. The only things that has chnaged is that trunk revision is obviously about a week ahead of where I started initially. Can someone confirm that wireguard client is working OK for them on their own in today's/yesterdays build?

P.S. A curios thing that my wg server's IP address get blacklisted(I can't even ping it through another wan interface) as soon as I try creating a new interface for it even if I stop interface and reboot. Only if I complete delete it and reboot then it starts to work again...

What does this mean?

  • How can you ping a VPN interface from the WAN (unless it's a peer of the VPN or on the same LAN)?
  • Could this be because you have ICMP-Echo-Request blocked on the WAN?
  • Did you re-open the firewall?
  • Did you place this wg instance on a new port?
  • Did you use a new a different Private Key?

Just removed mwan3 packages completely and its still not working...
In fact I had to remove all wg modules to get basic wan working again.
I then reinstalled wg and still nothing, had to remove wg modules again

P.S. I did use different private key for the peer as my configuration has gone after reflashes, same everything else though

and about pings - that is from LAN. I would have thought that if you are not using WG interface and another WAN one is active and working (for me that was possible when mwan3 was installed, otherwise I never could use another wan with WG set up, even if its not activated), then all the traffic goes through working wan and I could reach my server directly. But for some reason as soon as you specify an IP in Luci settings for WG then its blocked even if WG is not active (i.e. when wg0 interface is stopped, I can't SSH for example to my server to check things from there) - very painful.

The VPN's tunnel IP??? If that's the cause, you must be using an invalid IP (i.e. the WAN IP, the IP of another interface or network on the LEDE, or the IP of your ISP's gateway). The VPN IP should be a private network that only exists between both devices, or a public address assigned from the Server Provider.

  • I'm lost...why are you pinging your second WAN from LAN???
  • Why would the first WAN be online if you failed over to the second WAN?

Did you change the Public Key at the remote end too?

I know it sounds complicated (and may not really be related to the problem of wireguard stopped working for me) but here it is. Lets say we have two wan interfaces, wan_main over physical wan port (that on its own is a LAN in my case as I use separate vdsl modem in front of it) and wg0 over wireguard. Obviously at the start wg0 doesn't exist so we just have wan_main. All traffic from LAN/wifi is being routed through wan_main using appropriate zoning setting of firewall section of Luci (I don't use command line for anything that I do). To set up remove wireguard server host (lets say with IP x.y.z.k, a real internet IP) I obviously have to ssh to it and traffic goes via LAN->wan_main route for that connection. As soon as I set up wg0 (along with corresponding firewall zone) which list x.y.z.k IP as peer then my LAN-wan_main routing stops working and since wireguard doesn't work for me now I do not have internet access via my router at all. So at this point I install and configure mwan3 with the rules that if wan_main is working then go via it otherwise try wg0 (which is not working anyway). At this point I get internet access back as routing via wan_main is restored and I try to ssh (or even ping) to my wg server with IP x.y.z.k and can't. Access to that is not restored until I remove wireguard packages via opkg (disabling or deleting wg0 interface completely doesn't help).

And moreover I had everything working only a week ago and now its just stopped...