Wireguard client and server interfaces not working together

All,

I am running an OpenWrt snapshot version on a Raspberry Pi 4B. I have set up a WireGuard "server" interface that allows me to connect remotely into my home network. I have also set up a WireGuard "client" interface to route all outbound LAN traffic through a WireGuard connection to my VPN provider, CactusVPN.

My issue is that only one of my WireGuard interfaces works at a time. If I shut down the wg client, everything works fine: the router allows inbound VPN connections into my home network and also allows outbound internet connectivity through the wan interface. However, to get the CactusVPN WireGuard client to work, I always need to shut down the WireGuard server. Despite my best efforts, I have not been able to get the two WireGuard interfaces to work together. I haven't found anything odd in the logs so far.

Please, can anyone provide any insights into why this may be happening? I am happy to send detailed configuration information if need be.

Regards

Dipak Jha

Is it possible that it's just a route configuration issue? Please share the content of /etc/config/network and /etc/config/firewall. Output from the commands ip route and iptables-save may also help.

2 Likes

Install VPN-PBR.
Use scenario #2. Don't route_allowed_ips to the wg client, but keep 0.0.0.0/0 in the allowed IPs.
Make a policy to forward the lan traffic to the wg client tunnel.

2 Likes

Hi @trendy

I installed VPN Policy-Based Routing and added the following to /etc/config/vpn-policy-routing:

config policy
option src_addr '192.168.X.XXX'
option interface 'wan'
option name 'WEB_TARGET_ON_WG'
option src_port '80 443'

config policy
option name 'LAN_OVER_WGC'
option src_addr '192.168.X.X/24'
option interface 'wgclient'

config policy
option name 'WG_MEMBERS_OVER_WGC'
option src_addr '192.168.XX.X/24'
option interface 'wgclient'

The first policy above is to allow port forwarding into a web server I have on my LAN when connected to my VPN provider. The second one is to route all LAN traffic over the WireGuard client, and the third one is to route traffic from external clients connected to my WireGuard server into the WireGuard client and on to my VPN provider.

I can confirm that, with the above in place, all works like a charm. My only issue is that the wgclient interface is not fully ready at boot for the VPN policy routing service to use, and therefore I've had to delay wgclient interface initialization by 15 seconds. I've achieved this by disabling its startup at boot and adding the following to /etc/rc.local:

sleep 15 ; ifup wgclient

In the absence of this workaround, the VPN policy routing service throws the following error at startup:

Sat Feb 27 10:06:17 2021 user.notice vpn-policy-routing [1962]: ERROR: iptables -t mangle -A VPR_PREROUTING -g VPR_MARK0x010000 -p tcp -s 192.168.X.XXX -m multiport --sport 80,443 -m comment --comment WEB_TARGET_ON_WG
// more errors - one for each policy

Not sure if my solution is right. It would be great if you or anybody else could share some thoughts on my workaround.

But regardless, a BIG thanks for pointing me in the right direction. With OpenWrt I seem to have achieved all I wanted for my home network.

Regards

Dipak Jha
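The thread leaves the root cause of the startup race open, so the script below does not claim to fix it; it only shows how the fixed "sleep 15 ; ifup wgclient" in /etc/rc.local can be replaced by a bounded wait on an observable condition, with a log line either way so a silent failure at boot is visible. This is an added example, not code from the thread or from the VPN-PBR project. It assumes the logical interface wgclient creates a kernel netdev of the same name, that a netdev is present once /sys/class/net/<name> exists, that the WAN device is eth0 (a placeholder), and the SYSFS_NET variable and show_default_routes hook are hypothetical seams added only so the checks can be exercised without real devices.

```shell
#!/bin/sh
# Added example: bounded readiness wait instead of a fixed sleep (not from the thread).
# SYSFS_NET is a hypothetical override; the real path on the router is /sys/class/net.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# Return 0 if the kernel netdev <name> exists, 1 otherwise.
netdev_exists() {
    [ -d "$SYSFS_NET/$1" ]
}

# Hypothetical hook: lists IPv4 default routes; replaceable for offline checks.
show_default_routes() {
    ip -4 route show default 2>/dev/null
}

# Return 0 if some default route leaves via netdev <name>, 1 otherwise.
default_route_via() {
    show_default_routes | grep -qE "(^|[[:space:]])dev $1([[:space:]]|$)"
}

# wait_for <seconds> <check-function> [args...]
# Poll the check once per second until it succeeds (return 0) or the
# timeout expires (return 1). A timeout of 0 means a single check.
wait_for() {
    _deadline=$1; shift
    _elapsed=0
    while ! "$@"; do
        if [ "$_elapsed" -ge "$_deadline" ]; then
            return 1
        fi
        sleep 1
        _elapsed=$((_elapsed + 1))
    done
    return 0
}

# Intended for /etc/rc.local: start wgclient only once the WAN default route
# exists, and log the outcome. WAN device and 60 s timeout are assumptions.
bring_up_wgclient() {
    _wan="${1:-eth0}"
    if wait_for 60 default_route_via "$_wan"; then
        logger -t wgc-wait "default route via $_wan present, running ifup wgclient"
        ifup wgclient
    else
        logger -t wgc-wait "no default route via $_wan after 60s, wgclient not started"
        return 1
    fi
}
```

Usage on the router would be to save the script (for example as /etc/wgc-wait.sh), then put `. /etc/wgc-wait.sh; bring_up_wgclient eth0` in /etc/rc.local in place of the sleep line. The timeout bounds the boot delay, and the logger lines give something to look for in logread when the interface does not come up, which a bare sleep never provides.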

Thanks @yousong. The problem is now solved with a VPN routing policy add-on package. I have provided a detailed description of my solution as part of another post in this thread.

The error is vague and doesn't show what the problem is. The rule is not immediately connected to the tunnel interface.
Follow the instructions for troubleshooting.
Also, there is no need to cover the private IP addresses, like 192.168.X.X.

1 Like