Wireguard and PBR - No rules being added to routing table

I've set up a test router with OpenWrt 25.12.4 (lan interface 10.11.0.0/24) and installed PBR - I have a wireguard interface successfully handshaking to another router (lan 192.168.5.0/24).

Both routers are locally sitting behind a local gateway / router on the same wan subnet (192.168.0.0/24)

My objective is to be able to connect from devices on the lan of the test router (lan interface 10.11.0.0/24) to the other router (lan interface 10.11.0.1) (and eventually vice versa), but I want to try and get the one-way connection working first.

My reason for using PBR is that I would like to eventually use PBR to have different local interfaces use either the local or remote router as a wan gateway, while being able to maintain connectivity for local traffic between each of the routers.

I expected that when I added the rule to PBR and made the WG interface a Supported Interface, I would see routes added to the routing table and pings to the remote lan directed through the WG interface; however, this doesn't appear to be happening.

My network and PBR configs are included below along with a copy of my routing table.

Network

config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fd9f:7397:e719::/48'
option dhcp_default_duid '000452a6c4828d3a493e9f8efd6fdd541190'
option packet_steering '1'

config atm-bridge 'atm'
option vpi '1'
option vci '32'
option encaps 'llc'
option payload 'bridged'
option nameprefix 'dsl'

config dsl 'dsl'
option annex 'a'
option tone 'av'
option ds_snr_offset '0'

config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'

config device
option name 'lan1'
option macaddr '30:24:78:d8:1f:a8'

config device
option name 'lan2'
option macaddr '30:24:78:d8:1f:a8'

config device
option name 'lan3'
option macaddr '30:24:78:d8:1f:a8'

config device
option name 'lan4'
option macaddr '30:24:78:d8:1f:a8'

config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '10.11.0.1'
option netmask '255.255.255.0'
option ip6assign '60'
option multipath 'off'

config device
option name 'dsl0'
option macaddr '30:24:78:d8:1f:a9'

config interface 'wan'
option device 'wan'
option proto 'dhcp'
option multipath 'off'

config interface 'WgWappingCl'
option proto 'wireguard'
option private_key '<REDACTED>'
list dns '192.168.5.1'
option multipath 'off'
list addresses '10.7.254.11/24'

config wireguard_WgWappingCl
option description 'Imported peer configuration'
option public_key '<REDACTED>'
list allowed_ips '0.0.0.0/0'
list allowed_ips '::/0'
option endpoint_host '<REDACTED>'
option endpoint_port '51720'
option persistent_keepalive '25'

Wireguard

PBR

config pbr 'config'
option enabled '1'
option fw_mask '00ff0000'
option ipv6_enabled '0'
option nft_rule_counter '0'
option nft_set_auto_merge '1'
option nft_set_counter '0'
option nft_set_flags_interval '1'
option nft_set_flags_timeout '0'
option nft_set_policy 'performance'
option nft_user_set_counter '0'
option procd_boot_trigger_delay '5000'
option procd_reload_delay '0'
option resolver_set 'none'
option strict_enforcement '1'
option uplink_interface 'wan'
option uplink_interface6 'wan6'
option uplink_ip_rules_priority '30000'
option uplink_mark '00010000'
option verbosity '2'
list ignored_interface 'vpnserver'
list lan_device 'br-lan'
list resolver_instance '*'
list webui_supported_protocol 'all'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
option config_compat '25'
option config_version '1.2.2-r14'
option rule_create_option 'add'
option webui_show_ignore_target '0'
list supported_interface 'WgWappingCl'

config include
option path '/usr/share/pbr/pbr.user.dnsprefetch'
option enabled '0'

config include
option path '/usr/share/pbr/pbr.user.aws'
option enabled '0'

config include
option path '/usr/share/pbr/pbr.user.netflix'
option enabled '0'

config dns_policy
option name 'Redirect Local IP DNS'
option src_addr '192.168.1.5'
option dest_dns '1.1.1.1'
option enabled '0'

config policy
option name 'Ignore Local Requests'
option interface 'ignore'
option dest_addr '10.0.0.0/24 10.0.1.0/24 192.168.100.0/24 192.168.1.0/24'
option enabled '0'

config policy
option name 'Plex/Emby Local Server'
option interface 'wan'
option src_port '8096 8920 32400'
option enabled '0'

config policy
option name 'Plex/Emby Remote Servers'
option interface 'wan'
option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
option enabled '0'

config policy
option name 'WappingLAN'
option dest_addr '192.168.5.0/24'
option interface 'WgWappingCl'

 

Routing table displayed in LUCI

Routing

The following rules are currently active on this system.

IPv4 Neighbours

Entry IP address MAC address Interface
# 192.168.0.33 2C:7B:A0:CE:A8:A6 wan
# 192.168.0.1 48:D3:43:DE:DE:A0 wan
# 10.11.0.102 5C:BA:EF:42:92:65 lan

Active IPv4 Routes

Device Target Gateway Source Metric Table Protocol
wan 0.0.0.0/0 192.168.0.1 - - pbr_wan
(WgWappingCl) 0.0.0.0/0 10.7.254.11 - - pbr_WgWappingCl
wan 0.0.0.0/0 192.168.0.1 192.168.0.51 - main static
WgWappingCl 10.7.254.0/24 - 10.7.254.11 - main kernel
lan 10.11.0.0/24 - - - main
wan 86.22.119.54 192.168.0.1 - - main static
wan 192.168.0.0/24 - 192.168.0.51 - main kernel
WgWappingCl 10.7.254.11 - 10.7.254.11 - local kernel
WgWappingCl 10.7.254.255 - 10.7.254.11 - local kernel
lan 10.11.0.1 - 10.11.0.1 - local kernel
lan 10.11.0.255 - 10.11.0.1 - local kernel
loopback 127.0.0.0/8 - 127.0.0.1 - local kernel
loopback 127.0.0.1 - 127.0.0.1 - local kernel
loopback 127.255.255.255 - 127.0.0.1 - local kernel
wan 192.168.0.51 - 192.168.0.51 - local kernel
wan 192.168.0.255 - 192.168.0.51 - local kernel

Active IPv4 Rules

Rule Priority Ingress Source Src Port Action IP Protocol Egress Destination Dest Port Table
# 0 - all - - - - any - local
# 29998 - all - - - - any - main
#; Fwmark:0x20000 29999 - all - - - - any - pbr_WgWappingCl
#; Fwmark:0x10000 30000 - all - - - - any - pbr_wan
# 32766 - all - - - - any - main
# 32767 - all - - - - any - default

I would really appreciate any input that anyone can provide on where I might be going wrong getting the local traffic to route across the VPN. As you can see, I haven't just added the remote subnets as allowed IPs on the VPN because I want to be able to eventually send any remote IP (including public IP traffic across to the other router to deliver externally via its gateway).

Should I be seeing the PBR rules being added to the routing status data I can see in LUCI?

No, there are separate routing tables; that is how PBR works :)

No need to set the WireGuard client as supported in PBR; it is automatically supported unless you have set a listen port.

How to setup WireGuard:
WireGuard Server Setup Guide
WireGuard Client Setup Guide

PBR:

Let's have a look at your current setup, also from the "server" side:
Please connect to your OpenWrt device using ssh, copy the output of the following commands and post it here using the "Preformatted text </> " button.

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have but do not redact private RFC 1918 IP addresses (192.168.X.X, 10.X.X.X and 172.16-32.X.X) as that is not needed:
"Client" side

service pbr support
ifconfig
ip route show table all
ip -6 route show table all

"Server" side

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
ip route show
wg show

For the 'client' side (no endpoint 10.11.0.1/24)

service pbr support

Setting counters and verbosity for diagnostics...

===== dhcp config =====

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	list address '/wapping.lobsteropolis.net/10.7.0.1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ra_preference 'medium'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/odhcpd.leases'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
	option piodir '/tmp/odhcpd-piodir'
	option hostsdir '/tmp/hosts'


===== firewall config =====

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'WgWappingCl'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'


===== network config =====

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '***.*.*.*'

config globals 'globals'
	option ula_prefix '***::/48'
	option dhcp_default_duid '000452a6c4828d3a493e9f8efd6fdd541190'
	option packet_steering '1'

config atm-bridge 'atm'
	option vpi '1'
	option vci '32'
	option encaps 'llc'
	option payload 'bridged'
	option nameprefix 'dsl'

config dsl 'dsl'
	option annex 'a'
	option tone 'av'
	option ds_snr_offset '0'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config device
	option name 'lan1'
	option macaddr '***'

config device
	option name 'lan2'
	option macaddr '***'

config device
	option name 'lan3'
	option macaddr '***'

config device
	option name 'lan4'
	option macaddr '***'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '10.11.0.1'
	option netmask '***.***.***.*'
	option ip6assign '60'
	option multipath 'off'

config device
	option name 'dsl0'
	option macaddr '***'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option multipath 'off'

config interface 'WgWappingCl'
	option proto 'wireguard'
	option private_key '********************************************'
	list dns '192.168.5.1'
	option multipath 'off'
	list addresses '10.7.254.11/24'

config wireguard_WgWappingCl
	option description 'Imported peer configuration'
	option public_key '********************************************'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
	option endpoint_host '*******.*************.***'
	option endpoint_port '51720'
	option persistent_keepalive '25'


===== pbr config =====

config pbr 'config'
	option enabled '1'
	option fw_mask '00ff0000'
	option ipv6_enabled '0'
	option nft_rule_counter '1'
	option nft_set_auto_merge '1'
	option nft_set_counter '1'
	option nft_set_flags_interval '1'
	option nft_set_flags_timeout '0'
	option nft_set_policy 'performance'
	option nft_user_set_counter '0'
	option procd_boot_trigger_delay '5000'
	option procd_reload_delay '0'
	option resolver_set 'none'
	option strict_enforcement '1'
	option uplink_interface 'wan'
	option uplink_interface6 'wan6'
	option uplink_ip_rules_priority '30000'
	option uplink_mark '00010000'
	option verbosity '2'
	list ignored_interface 'vpnserver'
	list lan_device 'br-lan'
	list resolver_instance '*'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	option config_compat '25'
	option config_version '1.2.2-r14'
	option rule_create_option 'add'
	option webui_show_ignore_target '0'
	list supported_interface 'WgWappingCl'

config include
	option path '/usr/share/pbr/pbr.user.dnsprefetch'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.aws'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.netflix'
	option enabled '0'

config dns_policy
	option name 'Redirect Local IP DNS'
	option src_addr '192.168.1.5'
	option dest_dns '*.*.*.*'
	option enabled '0'

config policy
	option name 'Ignore Local Requests'
	option interface 'ignore'
	option dest_addr '10.0.0.0/24 10.0.1.0/24 192.168.100.0/24 192.168.1.0/24'
	option enabled '0'

config policy
	option name 'Plex/Emby Local Server'
	option interface 'wan'
	option src_port '8096 8920 32400'
	option enabled '0'

config policy
	option name 'Plex/Emby Remote Servers'
	option interface 'wan'
	option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
	option enabled '0'

config policy
	option name 'WappingLAN'
	option dest_addr '192.168.5.0/24'
	option interface 'WgWappingCl'


===== ubus call system board =====
{
	"kernel": "6.12.87",
	"hostname": "OpenWrtBrisbane",
	"system": "xRX200 rev 1.2",
	"model": "BT Home Hub 5A",
	"board_name": "bt,homehub-v5a",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "25.12.4",
		"firmware_url": "https://downloads.openwrt.org/",
		"revision": "r32933-4ccb782af7",
		"target": "lantiq/xrx200",
		"description": "OpenWrt 25.12.4 r32933-4ccb782af7",
		"builddate": "1778712129"
	}
}

===== /etc/init.d/pbr restart =====

===== /etc/init.d/pbr status (after restart) =====

pbr - environment
pbr 1.2.2-r14 on OpenWrt 25.12.4 r32933-4ccb782af7.
Uplink (IPv4): wan/wan/192.168.0.1.

Dnsmasq version 2.91  Copyright (c) 2000-2025 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-nftset no-auth no-DNSSEC no-ID loop-detect inotify dumpfile

pbr fw4 nft file: /usr/share/nftables.d/ruleset-post/30-pbr.nft
add chain inet fw4 pbr_dstnat {}
add chain inet fw4 pbr_forward {}
add chain inet fw4 pbr_output {}
add chain inet fw4 pbr_prerouting {}

insert rule inet fw4 dstnat jump pbr_dstnat
add rule inet fw4 mangle_prerouting jump pbr_prerouting
add rule inet fw4 mangle_output jump pbr_output
add rule inet fw4 mangle_forward jump pbr_forward

add rule inet fw4 pbr_forward counter meta mark & 0x00ff0000 != 0 return
add rule inet fw4 pbr_output counter meta mark & 0x00ff0000 != 0 return
add rule inet fw4 pbr_prerouting counter meta mark & 0x00ff0000 != 0 return
add chain inet fw4 pbr_mark_0x010000
add rule inet fw4 pbr_mark_0x010000 counter meta mark set (meta mark & 0xff00ffff) | 0x010000
add rule inet fw4 pbr_mark_0x010000 return
add chain inet fw4 pbr_mark_0x020000
add rule inet fw4 pbr_mark_0x020000 counter meta mark set (meta mark & 0xff00ffff) | 0x020000
add rule inet fw4 pbr_mark_0x020000 return
add rule inet fw4 pbr_prerouting ip daddr { 192.168.5.0/24 } counter goto pbr_mark_0x020000 comment "WappingLAN"

pbr chains - policies
	chain pbr_forward { # handle 69
		counter packets 263 bytes 308452 meta mark & 0x00ff0000 != 0x00000000 return # handle 717
	}
	chain pbr_output { # handle 70
		counter packets 41 bytes 6480 meta mark & 0x00ff0000 != 0x00000000 return # handle 718
	}
	chain pbr_prerouting { # handle 71
		counter packets 318 bytes 323103 meta mark & 0x00ff0000 != 0x00000000 return # handle 719
		ip daddr 192.168.5.0/24 counter packets 0 bytes 0 goto pbr_mark_0x020000 comment "WappingLAN" # handle 724
	}
	chain pbr_dstnat { # handle 68
	}

pbr chains - marking
	chain pbr_mark_0x010000 { # handle 79
		counter packets 0 bytes 0 meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 720
		return # handle 721
	}
	chain pbr_mark_0x020000 { # handle 82
		counter packets 0 bytes 0 meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 722
		return # handle 723
	}

pbr nft sets

pbr tables & routing
IPv4 table main routes:
    default via 192.168.0.1 dev wan proto static src 192.168.0.51 
    10.7.0.1 via 192.168.0.1 dev wan proto static 
    10.7.254.0/24 dev WgWappingCl proto kernel scope link src 10.7.254.11 
    10.11.0.0/24 dev br-lan proto kernel scope link src 10.11.0.1 
    192.168.0.0/24 dev wan proto kernel scope link src 192.168.0.51 
IPv4 table main rules:
    29998:	from all lookup main suppress_prefixlength 1
    32766:	from all lookup main

IPv4 table 256 (pbr_wan) routes:
    default via 192.168.0.1 dev wan 
IPv4 table 256 (pbr_wan) rules:
    30000:	from all fwmark 0x10000/0xff0000 lookup pbr_wan

IPv4 table 257 (pbr_WgWappingCl) routes:
    default via 10.7.254.11 dev WgWappingCl 
IPv4 table 257 (pbr_WgWappingCl) rules:
    29999:	from all fwmark 0x20000/0xff0000 lookup pbr_WgWappingCl


ifconfig

WgWappingCl Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.7.254.11  P-t-P:10.7.254.11  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:368 errors:0 dropped:240 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:54464 (53.1 KiB)

br-lan    Link encap:Ethernet  HWaddr 30:24:78:D8:1F:A8  
          inet addr:10.11.0.1  Bcast:10.11.0.255  Mask:255.255.255.0
          inet6 addr: fd9f:7397:e719::1/60 Scope:Global
          inet6 addr: fe80::3224:78ff:fed8:1fa8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:28176 errors:0 dropped:0 overruns:0 frame:0
          TX packets:72104 errors:0 dropped:3 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:9193402 (8.7 MiB)  TX bytes:75903598 (72.3 MiB)

eth0      Link encap:Ethernet  HWaddr 30:24:78:D8:1F:A8  
          inet6 addr: fe80::3224:78ff:fed8:1fa8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1508  Metric:1
          RX packets:72701 errors:0 dropped:0 overruns:0 frame:0
          TX packets:31528 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:74263909 (70.8 MiB)  TX bytes:9291966 (8.8 MiB)

lan1      Link encap:Ethernet  HWaddr 30:24:78:D8:1F:A8  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:4 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lan2      Link encap:Ethernet  HWaddr 30:24:78:D8:1F:A8  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lan3      Link encap:Ethernet  HWaddr 30:24:78:D8:1F:A8  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lan4      Link encap:Ethernet  HWaddr 30:24:78:D8:1F:A8  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:462 errors:0 dropped:0 overruns:0 frame:0
          TX packets:462 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:40508 (39.5 KiB)  TX bytes:40508 (39.5 KiB)

phy0-ap0  Link encap:Ethernet  HWaddr 30:24:78:D8:1F:AB  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:32523 errors:0 dropped:0 overruns:0 frame:0
          TX packets:73713 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:9789532 (9.3 MiB)  TX bytes:77780559 (74.1 MiB)

phy1-ap0  Link encap:Ethernet  HWaddr 30:24:78:D8:1F:AA  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1783 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:297870 (290.8 KiB)

wan       Link encap:Ethernet  HWaddr 30:24:78:D8:1F:AC  
          inet addr:192.168.0.51  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::3224:78ff:fed8:1fac/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:72668 errors:0 dropped:0 overruns:0 frame:0
          TX packets:31495 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:74696385 (71.2 MiB)  TX bytes:9137960 (8.7 MiB)

ip route

default via 192.168.0.1 dev wan table pbr_wan 
default via 10.7.254.11 dev WgWappingCl table pbr_WgWappingCl 
default via 192.168.0.1 dev wan proto static src 192.168.0.51 
10.7.0.1 via 192.168.0.1 dev wan proto static 
10.7.254.0/24 dev WgWappingCl proto kernel scope link src 10.7.254.11 
10.11.0.0/24 dev br-lan proto kernel scope link src 10.11.0.1 
192.168.0.0/24 dev wan proto kernel scope link src 192.168.0.51 
local 10.7.254.11 dev WgWappingCl table local proto kernel scope host src 10.7.254.11 
broadcast 10.7.254.255 dev WgWappingCl table local proto kernel scope link src 10.7.254.11 
local 10.11.0.1 dev br-lan table local proto kernel scope host src 10.11.0.1 
broadcast 10.11.0.255 dev br-lan table local proto kernel scope link src 10.11.0.1 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
local 192.168.0.51 dev wan table local proto kernel scope host src 192.168.0.51 
broadcast 192.168.0.255 dev wan table local proto kernel scope link src 192.168.0.51 
fd9f:7397:e719::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd9f:7397:e719::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev wan proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast fd9f:7397:e719:: dev br-lan table local proto kernel metric 0 pref medium
local fd9f:7397:e719::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev wan table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
local fe80::3224:78ff:fed8:1fa8 dev eth0 table local proto kernel metric 0 pref medium
local fe80::3224:78ff:fed8:1fa8 dev br-lan table local proto kernel metric 0 pref medium
local fe80::3224:78ff:fed8:1fac dev wan table local proto kernel metric 0 pref medium
multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev br-lan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev wan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev WgWappingCl table local proto kernel metric 256 pref medium

ipv6 route

fd9f:7397:e719::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd9f:7397:e719::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev wan proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast fd9f:7397:e719:: dev br-lan table local proto kernel metric 0 pref medium
local fd9f:7397:e719::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev wan table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
local fe80::3224:78ff:fed8:1fa8 dev eth0 table local proto kernel metric 0 pref medium
local fe80::3224:78ff:fed8:1fa8 dev br-lan table local proto kernel metric 0 pref medium
local fe80::3224:78ff:fed8:1fac dev wan table local proto kernel metric 0 pref medium
multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev br-lan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev wan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev WgWappingCl table local proto kernel metric 256 pref medium

The server side is a bit of a hot mess. It's been around for a while as my daily driver OpenWrt router - I was trying to use this test router to get things straight and learn on the 'client' side first, i.e. getting the routing to go the right way etc., before looking at the server side of things (where I will no doubt disrupt things).

Having said that, the only particularly unusual thing is that my wireguard server (with the endpoint) has multiple peers - but that doesn't seem to cause any issues with traffic transiting the tunnel - and I haven't configured anything in terms of routing on the interface on the server end (except that the hosts for the interface are routed (I haven't put no-route-hosts) on the interface and given it an IP of 10.7.254.1/24 on the interface).

If that is your only objective, i.e. to have access to the other side, then you do not need PBR.
Such a setup is referred to as a site-to-site setup; see the guide.
Basically, instead of 0.0.0.0/0 on the peer you add the subnet of the other side, in this case it looks like 192.168.5.0/24, and then enable Route Allowed IPs.
That is all, because then a route is made to route all traffic for 192.168.5.0/24 via the tunnel.

Your client setup looks OK; the only deviation is that you do not masquerade the VPN traffic. That is actually fine for a site-to-site setup, as then the server side will have the client side subnet as allowed IPs, but this is probably not yet the case here, so you should either masquerade the VPN traffic or make a decent site-to-site setup (recommended).

From my reading of those extracts there is no route being added to 192.168.5.0/24, but you are saying that I shouldn't see that when displaying routes using the route command or via LUCI?

Would the configuration of the Interface as supported when it doesn't have an endpoint cause an issue?

Can you see anything on the client side that isn't right? I've read through the docs and maybe I'm just missing something obvious on the client side?

Sorry for being so verbose, but from the 'client router' what I am seeing is that a traceroute goes directly out via the client's wan (in this case that is 192.168.0.1) - then on to my actual public facing internet connection router - rather than heading towards the VPN.

traceroute to 192.168.5.1 (192.168.5.1), 20 hops max, 46 byte packets
1 192.168.0.1 1.461 ms
2 10.53.39.121 10.180 ms
3 *
4

That is correct when using PBR.
As already said, a proper site-to-site setup is easier.

I already pointed out that the lack of masquerading on the client side might be problematic.

I assume the endpoint is your other router's wan IP, in which case it is an RFC1918 address and it does not hurt if you show it, so what is it exactly?

Furthermore, what is the output of wg show?

But without seeing the server side we are still a bit in the dark.
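
The lookup order behind that traceroute, as an added example that is not part of any post in this thread or of pbr's own code: a small Python model of the nft marking chains and the `ip rule` list quoted in the `service pbr support` output above. It assumes no destination is one of the router's own addresses (rule 0, the local table, is omitted), and all function and variable names are hypothetical.

```python
import ipaddress

# Constructed from the "pbr tables & routing" section quoted in the thread.
# Each route: (prefix, device, gateway or None for on-link).
TABLES = {
    "main": [
        ("0.0.0.0/0", "wan", "192.168.0.1"),
        ("10.7.0.1/32", "wan", "192.168.0.1"),
        ("10.7.254.0/24", "WgWappingCl", None),
        ("10.11.0.0/24", "br-lan", None),
        ("192.168.0.0/24", "wan", None),
    ],
    "pbr_wan": [("0.0.0.0/0", "wan", "192.168.0.1")],
    "pbr_WgWappingCl": [("0.0.0.0/0", "WgWappingCl", "10.7.254.11")],
}

# ip rules: (priority, fwmark, mask, table, suppress_prefixlength)
RULES = [
    (29998, None, None, "main", 1),
    (29999, 0x20000, 0xFF0000, "pbr_WgWappingCl", None),
    (30000, 0x10000, 0xFF0000, "pbr_wan", None),
    (32766, None, None, "main", None),
]

FW_MASK = 0x00FF0000  # option fw_mask '00ff0000'

# Policy rules per nft chain, as listed in 30-pbr.nft in the thread:
# only pbr_prerouting carries the "WappingLAN" rule; pbr_output has none.
POLICIES = {
    "prerouting": [("192.168.5.0/24", 0x020000)],  # forwarded LAN traffic
    "output": [],                                  # router-originated traffic
}


def mark_packet(dst, hook, mark=0):
    """Model of the pbr_<hook> chain: return the packet mark after it runs."""
    if mark & FW_MASK:  # "meta mark & 0x00ff0000 != 0 return"
        return mark
    addr = ipaddress.ip_address(dst)
    for cidr, new_mark in POLICIES[hook]:
        if addr in ipaddress.ip_network(cidr):
            # "meta mark set (meta mark & 0xff00ffff) | 0x020000"
            return (mark & ~FW_MASK & 0xFFFFFFFF) | new_mark
    return mark


def lookup(table, dst):
    """Longest-prefix match inside one routing table."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, dev, via in TABLES[table]:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, via)
    return best


def route(dst, mark=0):
    """Walk the ip rules in priority order and return the first usable route."""
    for prio, fwmark, mask, table, suppress in sorted(RULES, key=lambda r: r[0]):
        if fwmark is not None and (mark & mask) != fwmark:
            continue  # fwmark selector does not match this packet
        hit = lookup(table, dst)
        if hit is None:
            continue
        # suppress_prefixlength N discards matches with prefix length <= N,
        # so rule 29998 never returns main's default route.
        if suppress is not None and hit[0].prefixlen <= suppress:
            continue
        return {"rule": prio, "table": table, "dev": hit[1], "via": hit[2]}
    return None


def trace(dst, hook):
    """Mark a packet in the given chain, then resolve its route."""
    mark = mark_packet(dst, hook)
    return mark, route(dst, mark)


if __name__ == "__main__":
    for dst, hook in [
        ("192.168.5.1", "output"),      # traceroute run on the router itself
        ("192.168.5.1", "prerouting"),  # same destination from a LAN client
        ("10.11.0.102", "prerouting"),  # local LAN host
    ]:
        mark, decision = trace(dst, hook)
        print(f"{dst:<13} via {hook:<10} mark={mark:#08x} -> {decision}")
```

In this model a traceroute started on the router leaves via `wan` at 192.168.0.1, while the same destination arriving from a LAN client is marked 0x20000 and resolved in `pbr_WgWappingCl`.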

So the lan -> wan forward is masqueraded (it's just going to a 192.168.0/24 address because it's double NATted to get out to the internet).

I'm just trying to get the extracts for the 'server' side - there is a bit more to go through. I'll also pull wg show for the client (sorry, missed that).

Server:

{
"kernel": "6.12.74",
"hostname": "OpenWrtWapping",
"system": "xRX200 rev 1.2",
"model": "BT Home Hub 5A",
"board_name": "bt,homehub-v5a",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "25.12.2",
"firmware_url": "https://downloads.openwrt.org/",
"revision": "r32802-f505120278",
"target": "lantiq/xrx200",
"description": "OpenWrt 25.12.2 r32802-f505120278",
"builddate": "1774469393"
}
}

Server : Network

config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fd20:89a1:155b::/48'
option packet_steering '1'

config atm-bridge 'atm'
option vpi '1'
option vci '32'
option encaps 'llc'
option payload 'bridged'
option nameprefix 'dsl'

config dsl 'dsl'
option annex 'a'
option tone 'av'
option ds_snr_offset '0'

config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'

config device
option name 'lan1'
option macaddr '18:62:2c:39:f9:d8'

config device
option name 'lan2'
option macaddr '18:62:2c:39:f9:d8'

config device
option name 'lan3'
option macaddr '18:62:2c:39:f9:d8'

config device
option name 'lan4'
option macaddr '18:62:2c:39:f9:d8'

config interface 'lan'
option device 'br-lan.99'
option proto 'static'
option ip6assign '60'
list ipaddr '192.168.5.1/24'
list ipaddr '10.7.0.1/24'
option multipath 'off'

config device
option name 'dsl0'
option macaddr '30:24:78:d8:1f:a9'

config interface 'wan'
option device 'wan'
option proto 'dhcp'
option clientid '613162326333653466353036406e6f7774767c6131623263336534'
option multipath 'off'

config interface 'WGGraysWapping'
option proto 'wireguard'
option private_key ''
option listen_port '59403'
list addresses '10.8.253.2/30'
option multipath 'off'

config wireguard_WGGraysWapping
option description 'Grays Server'
option public_key ''
option preshared_key ''
option route_allowed_ips '1'
option endpoint_host ''
option endpoint_port '51820'
option persistent_keepalive '25'
list allowed_ips '10.8.0.1/24'
list allowed_ips '10.8.253.1/30'
list allowed_ips '10.8.7.1/24'
list allowed_ips '10.8.1.1/24'

config interface 'WappingWifi'
option proto 'static'
option ipaddr '10.7.0.1'
option netmask '255.255.255.0'
option disabled '1'
option multipath 'off'

config interface 'IbizaWifi'
option proto 'static'
option ipaddr '10.5.7.1'
option netmask '255.255.255.0'
option disabled '1'
option multipath 'off'

config interface 'GraysGateway'
option proto 'wireguard'
option private_key ''
list addresses '10.8.252.7/24'
option multipath 'off'

config wireguard_GraysGateway
option description 'Grays Server'
option public_key ''
option route_allowed_ips '1'
option endpoint_host ''
option endpoint_port '51821'
option persistent_keepalive '25'
list allowed_ips '10.8.252.0/24'
list allowed_ips '10.8.7.0/24'

config interface 'WGIbizaWapping'
option proto 'wireguard'
option private_key ''
list addresses '10.5.50.2/24'
option multipath 'off'

config wireguard_WGIbizaWapping
option description 'Ibiza Server'
option public_key ''
list allowed_ips '10.5.50.1/24'
list allowed_ips '10.5.100.1/24'
list allowed_ips '10.5.2.1/24'
option route_allowed_ips '1'
option endpoint_host ''
option endpoint_port '51820'
option persistent_keepalive '25'

config interface 'WGMayfieldCl'
option proto 'wireguard'
option private_key ''
list addresses '10.6.254.5'
option disabled '1'
option multipath 'off'

config wireguard_WGMayfieldCl
option description 'Mayfield'
option public_key ''
list allowed_ips '10.6.254.1/24'
list allowed_ips '192.168.6.1/24'
list allowed_ips '10.6.0.1/24'
option endpoint_host '10.5.2.212'
option endpoint_port '51823'
option persistent_keepalive '25'

config interface 'WgServer'
option proto 'wireguard'
option private_key ''
option listen_port '51820'
list addresses '10.7.254.1/24'
option multipath 'off'

config route
option target '192.168.4.0/24'
option gateway '10.7.254.4'

config wireguard_WgServer
option description 'Auckland'
option public_key ''
list allowed_ips '10.7.254.2/32'
list allowed_ips '0.0.0.0/0'

config wireguard_WgServer
option description 'Grays'
option public_key ''
list allowed_ips '10.7.254.4/32'
list allowed_ips '0.0.0.0/0'

config wireguard_WgServer
option description 'Ibiza'
option public_key ''
list allowed_ips '10.7.254.5/32'
list allowed_ips '0.0.0.0/0'

config wireguard_WgServer
option description 'Mayfield'
option public_key ''
list allowed_ips '10.7.254.6/32'
list allowed_ips '0.0.0.0/0'

config wireguard_WgServer
option description 'Melbourne'
option public_key ''
list allowed_ips '10.7.254.9/32'
list allowed_ips '0.0.0.0/0'

config wireguard_WgServer
option description 'Mi10T'
option public_key ''
list allowed_ips '10.7.254.111/32'
list allowed_ips '0.0.0.0/0'

config interface 'WGWapDevices'
option proto 'wireguard'
option private_key ''
option listen_port '51828'
list addresses '10.7.252.1/32'

config wireguard_WGWapDevices
option description 'Mi10T'
option public_key ''
list allowed_ips '10.7.252.101/32'
option route_allowed_ips '1'

config wireguard_WGWapDevices
option public_key ''
option private_key ''
list allowed_ips '10.7.252.102/32'
option route_allowed_ips '1'
option description 'Dean'

config wireguard_WGWapDevices
option description 'AbeDell'
option public_key ''
list allowed_ips '10.7.252.103/32'
option route_allowed_ips '1'

config interface 'DMZ'
option proto 'static'
option device 'br-lan.600'
option ipaddr '10.7.10.1'
option netmask '255.255.255.0'
option multipath 'off'

config interface 'GraysWifi'
option proto 'static'
option ipaddr '10.8.7.1'
option netmask '255.255.255.0'

config interface 'MayfieldWifi'
option proto 'static'
option ipaddr '10.6.7.1'
option netmask '255.255.255.0'
option disabled '1'
option multipath 'off'

config bridge-vlan
option device 'br-lan'
option vlan '4'
list ports 'lan1:t'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4:t'

config bridge-vlan
option device 'br-lan'
option vlan '99'
list ports 'lan1:t'
list ports 'lan2:u*'
list ports 'lan3:u*'
list ports 'lan4:u*'

config bridge-vlan
option device 'br-lan'
option vlan '3'
list ports 'lan1:t'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4:t'

config bridge-vlan
option device 'br-lan'
option vlan '600'
list ports 'lan1:u*'
list ports 'lan4:t'

config interface 'WGMelbourneCl'
option proto 'wireguard'
option private_key ''
option multipath 'off'
list addresses '10.9.254.7/32'
option disabled '1'

config wireguard_WGMelbourneCl
option description 'Melbourne'
option public_key ''
option endpoint_host ''
option endpoint_port '51720'
option persistent_keepalive '25'
list allowed_ips '10.9.254.0/24'
list allowed_ips '0.0.0.0/0'

config wireguard_WgServer
option public_key ''
option private_key ''
option description 'Brisbane'
list allowed_ips '10.7.254.11/32'
list allowed_ips '0.0.0.0/0'

config route
option target '10.11.0.1/24'
option gateway '10.7.254.11'

Yes but not the WireGuard interface, please see the Wireguard client setup guide

What is the output of wg show on the client?

Firewall : Network

config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'

config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'WappingWifi'
list network 'WGGraysWapping'
list network 'IbizaWifi'
list network 'GraysGateway'
list network 'WGIbizaWapping'
list network 'WGMayfieldCl'
list network 'WgServer'
list network 'WGWapDevices'
list network 'GraysWifi'
list network 'MayfieldWifi'
list network 'WGMelbourneCl'

config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'

config forwarding
option src 'lan'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config include 'pbr'
option fw4_compatible '1'
option type 'script'
option path '/usr/share/pbr/firewall.include'

config rule
option name 'Allow-WG-WGServer'
option src 'wan'
option dest_port '51820'
option target 'ACCEPT'

config rule
option name 'Allow-WG-WapDevices'
option src 'wan'
option dest_port '51828'
option target 'ACCEPT'

config zone
option name 'DMZ'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'DMZ'

config rule
option name 'DMZ 587'
option dest 'DMZ'
option dest_port '587'
option target 'ACCEPT'
option src 'wan'
option enabled '0'

config rule
option name 'DMZ 993'
option src 'wan'
option dest 'DMZ'
option dest_port '993'
option target 'ACCEPT'
option enabled '0'

config rule
option name 'DMZ 20'
option src 'wan'
option dest 'DMZ'
option dest_port '20'
option target 'ACCEPT'
option enabled '0'

config rule
option name 'DMZ 25'
option src 'wan'
option dest 'DMZ'
option dest_port '25'
option target 'ACCEPT'
option enabled '0'

config redirect
option target 'DNAT'
option src 'wan'
option src_dport '80'
option proto 'tcp'
option family 'ipv4'
option dest_ip '10.7.10.10'
option dest_port '80'
option name 'DNAT-HTTP-WAN-DNZ'

config redirect
option target 'DNAT'
option src 'wan'
option src_dport '443'
option proto 'tcp'
option family 'ipv4'
option dest_ip '10.7.10.10'
option dest_port '80'
option name 'DNAT-HTTP-WAN-DNZ'

config redirect
option target 'DNAT'
option src 'wan'
option src_dport '587'
option proto 'tcp'
option family 'ipv4'
option dest_ip '10.7.10.10'
option dest_port '80'
option name 'DNAT-HTTP-WAN-DNZ'

config redirect
option target 'DNAT'
option src 'wan'
option src_dport '993'
option proto 'tcp'
option family 'ipv4'
option dest_ip '10.7.10.10'
option dest_port '80'
option name 'DNAT-HTTP-WAN-DNZ'

config rule
option src 'DMZ'
option proto 'udp'
option family 'ipv4'
option src_port '68'
option dest_port '67'
option target 'ACCEPT'
option name 'ACCEPT-DHCPDISCOVER-DMZ'

config rule
option dest 'DMZ'
option proto 'udp'
option family 'ipv4'
option src_port '67'
option dest_port '68'
option target 'ACCEPT'
option name 'ACCEPT-DHCPOFFER-DMZ'

config rule
option src 'DMZ'
option proto 'tcp udp'
option dest 'wan'
option dest_port '53'
option target 'ACCEPT'
option name 'ACCEPT-DNS-DMZ-WAN'

config rule
option src 'lan'
option dest 'DMZ'
option proto 'tcp'
option family 'ipv4'
option dest_port '22'
option target 'ACCEPT'
option name 'ACCEPT-SSH-LAN-DMZ'

config rule
option src 'DMZ'
option dest 'wan'
option name 'Outgoing Web'
option src_port '80 443'
option target 'ACCEPT'
option enabled '0'

config forwarding
option src 'DMZ'
option dest 'wan'

config forwarding
option src 'lan'
option dest 'DMZ'

Server : wireguard

interface: WGGraysWapping
public key: 
private key: (hidden)
listening port: 59403

peer: 
preshared key: (hidden)
endpoint: :51820
allowed ips: 10.8.0.0/24, 10.8.253.0/30, 10.8.7.0/24, 10.8.1.0/24
latest handshake: 27 seconds ago
transfer: 66.50 KiB received, 211.06 KiB sent
persistent keepalive: every 25 seconds

interface: GraysGateway
public key: 
private key: (hidden)
listening port: 41363

peer: 
endpoint: :51821
allowed ips: 10.8.252.0/24, 10.8.7.0/24
latest handshake: 1 minute, 36 seconds ago
transfer: 91.05 KiB received, 134.77 KiB sent
persistent keepalive: every 25 seconds

interface: WGIbizaWapping
public key: 
private key: (hidden)
listening port: 57034

peer: 
endpoint: :51820
allowed ips: 10.5.50.0/24, 10.5.100.0/24, 10.5.2.0/24
latest handshake: 36 seconds ago
transfer: 56.02 KiB received, 201.14 KiB sent
persistent keepalive: every 25 seconds

interface: WGWapDevices
public key: 
private key: (hidden)
listening port: 51828

peer: 
allowed ips: 10.7.252.101/32

peer: 
allowed ips: 10.7.252.102/32

peer: 
allowed ips: 10.7.252.103/32

interface: WgServer
public key: 
private key: (hidden)
listening port: 51820

peer: 
endpoint: :50431
allowed ips: 10.7.254.9/32
latest handshake: 17 seconds ago
transfer: 54.96 KiB received, 14.91 KiB sent

peer: 
endpoint: :50960
allowed ips: 10.7.254.5/32
latest handshake: 34 seconds ago
transfer: 54.99 KiB received, 14.91 KiB sent

peer: 
endpoint: 192.168.0.47:54106
allowed ips: 10.7.254.4/32
latest handshake: 1 minute, 34 seconds ago
transfer: 54.72 KiB received, 14.82 KiB sent

peer: 
endpoint: :60239
allowed ips: 10.7.254.11/32, 0.0.0.0/0
latest handshake: 1 hour, 3 minutes, 42 seconds ago
transfer: 13.35 MiB received, 13.33 MiB sent

peer: 
allowed ips: 10.7.254.6/32

peer: 
allowed ips: 10.7.254.2/32

peer: 
allowed ips: 10.7.254.111/32

Yeah, the WireGuard is not masquerading/NATing - my thought was that it should all be routing inside the lan zone (which covers the WireGuard interfaces and LAN)

Client: Wg show

interface: WgWappingCl
public key: 
private key: (hidden)
listening port: 34781

peer: 
endpoint: 10.7.0.1:51720
allowed ips: 0.0.0.0/0, ::/0
transfer: 0 B received, 123.57 KiB sent
persistent keepalive: every 25 seconds

So pasting this last wg show, I've realised that at some point the connection dropped. I realised that between the two boxes I was actually traversing the public IP endpoint and back in, so I've updated this so the two routers (server and client) connect directly across the 192.168.0.0/24 subnet on my border router, by pointing directly to the server's endpoint rather than the port-forwarded endpoint available publicly.

interface: WgWappingCl
public key: <REDACTED>
private key: (hidden)
listening port: 56823

peer: <REDACTED>
endpoint: 192.168.0.24:51820
allowed ips: 0.0.0.0/0, ::/0
latest handshake: 1 minute, 15 seconds ago
transfer: 707.63 KiB received, 721.30 KiB sent
persistent keepalive: every 25 seconds

Why this address? It is also in the WG subnet; that is not going to work.

On the WG server you have a lot of peers with 0.0.0.0/0; overlapping peers will lead to undetermined behaviour.

That is not the way to route via a WG interface, so remove it and add the route to the allowed IPs of the corresponding peer; that is how a site-to-site setup works. Please see the appropriate section in the guides.

On the client side, add 192.168.5.0/24 to the allowed IPs, and also the WG subnet 10.7.254.0/24 if you want other peers of that server to have access. Remove 0.0.0.0/0 and ::/0 and enable Route Allowed IPs.

But you are correct, there is definitely room for improvement of your setup.
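An added example, not part of the thread or of OpenWrt's own tooling: a Python check that reads an `/etc/config/network`-style file and reports any prefix listed in `allowed_ips` by more than one peer of the same WireGuard interface. WireGuard keeps a single owner per prefix per interface, so the peer that claims it last keeps it, which matches the server's `wg show` output above where only the 10.7.254.11 peer still lists 0.0.0.0/0. The function names and the sample text are constructed for illustration, and the "last claimant" report assumes peers are applied in file order.

```python
import ipaddress
from collections import defaultdict

# Constructed excerpt modelled on the WgServer peers posted above (keys omitted).
SAMPLE_UCI = """
config wireguard_WgServer
    option description 'Grays'
    list allowed_ips '10.7.254.4/32'
    list allowed_ips '0.0.0.0/0'

config wireguard_WgServer
    option description 'Ibiza'
    list allowed_ips '10.7.254.5/32'
    list allowed_ips '0.0.0.0/0'

config wireguard_WgServer
    option description 'Brisbane'
    list allowed_ips '10.7.254.11/32'
    list allowed_ips '0.0.0.0/0'
"""

def parse_peers(text):
    """Return the wireguard_<iface> peer sections in file order."""
    peers, cur = [], None
    for line in text.splitlines():
        parts = line.split(None, 2)
        if not parts:
            continue
        if parts[0] == "config":
            cur = None  # options of non-peer sections are ignored
            if len(parts) > 1 and parts[1].startswith("wireguard_"):
                cur = {"iface": parts[1][len("wireguard_"):], "name": "?", "nets": []}
                peers.append(cur)
        elif cur is not None and len(parts) == 3:
            value = parts[2].strip().strip("'\"")
            if parts[:2] == ["option", "description"]:
                cur["name"] = value
            elif parts[:2] == ["list", "allowed_ips"]:
                # strict=False clears host bits, e.g. 10.8.0.1/24 -> 10.8.0.0/24
                cur["nets"].append(ipaddress.ip_network(value, strict=False))
    return peers

def duplicate_prefixes(peers):
    """Map (iface, prefix) -> peers claiming it, for prefixes claimed more than once."""
    claims = defaultdict(list)
    for peer in peers:
        for net in peer["nets"]:
            claims[(peer["iface"], str(net))].append(peer["name"])
    return {key: names for key, names in claims.items() if len(names) > 1}

if __name__ == "__main__":
    for (iface, prefix), names in duplicate_prefixes(parse_peers(SAMPLE_UCI)).items():
        print(f"{iface}: {prefix} claimed by {names}; only {names[-1]} keeps it")
```

Run it on a workstation against a copy of the router's network config by passing the file contents to `parse_peers` in place of `SAMPLE_UCI`.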