Wireguard Client and Server Setup

I am trying to configure a WireGuard client and a WireGuard server on my OpenWrt router. I've seen a couple of other posts from people having the same trouble, but no resolution as far as I could find. I used these very helpful guides (https://github.com/egc112/OpenWRT-egc-add-on/tree/main/notes), but I must have set something up incorrectly. The router's client side (proton0) works great, but when I add the server side, my phone never completes a connection (no handshake is shown for the wgserver peer in the `wg` output below).

Here are some outputs that I saw requested in other posts that I expect may be helpful. Please ask for any additional information, and thanks for your help.

root@OpenWrt:~# uci export network
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix redacted
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option peerdns '0'
	list dns '10.2.0.1'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option norelease '1'
	option peerdns '0'
	list dns '10.2.0.1'

config device 'guest_dev'
	option type 'bridge'
	option name 'br-guest'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	list ipaddr '192.168.3.1/24'

config device 'iot_dev'
	option type 'bridge'
	option name 'br-iot'

config interface 'iot'
	option proto 'static'
	option device 'br-iot'
	list ipaddr '192.168.2.1/24'

config interface 'proton0'
	option proto 'wireguard'
	option private_key redacted
	list addresses '10.2.0.2/32'
	list dns '10.2.0.1'

config wireguard_proton0
	option description 'Imported peer configuration'
	option public_key redacted
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
	option endpoint_host redacted
	option endpoint_port '51820'
	option route_allowed_ips '1'

config interface 'wgserver'
	option proto 'wireguard'
	option private_key redacted
	option listen_port '55443'
	list addresses '172.22.22.1/24'

config wireguard_wgserver
	option description redacted
	option public_key redacted
	option private_key 'redacted'
	list allowed_ips '172.22.22.2/32'
	option route_allowed_ips '1'
	option endpoint_port '55443'
	option persistent_keepalive '25'




root@OpenWrt:~# uci export firewall
package firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'
	option log '1'
	list network 'lan'

config zone
	option name 'wan'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	option log '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone 'guest'
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	list network 'guest'

config rule 'guest_dns'
	option name 'Allow-DNS-Guest'
	option src 'guest'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

config rule 'guest_dhcp'
	option name 'Allow-DHCP-Guest'
	option src 'guest'
	option dest_port '67'
	option proto 'udp'
	option family 'ipv4'
	option target 'ACCEPT'

config zone 'iot'
	option name 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'iot'

config rule 'iot_dns'
	option name 'Allow-DNS-IOT'
	option src 'iot'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

config rule 'iot_dhcp'
	option name 'Allow-DHCP-IOT'
	option src 'iot'
	option dest_port '67'
	option proto 'udp'
	option family 'ipv4'
	option target 'ACCEPT'

config zone
	option name 'proton0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list network 'proton0'

config forwarding
	option src 'lan'
	option dest 'proton0'

config forwarding
	option src 'guest'
	option dest 'proton0'

config forwarding
	option src 'lan'
	option dest 'iot'

config rule
	option src 'iot'
	option dest 'proton0'
	option name 'Allow-IoT-DNS-NTP'
	list proto 'udp'
	option dest_port '53 123'
	option target 'ACCEPT'

config rule
	option src 'iot'
	option dest 'proton0'
	option name 'Allow-IoT-DNS-HTTP-HTTPS'
	list proto 'tcp'
	option dest_port '53 80 443'
	option target 'ACCEPT'

config rule
	option src 'iot'
	option dest 'lan'
	option name 'Allow-Redacted-Forward-To-LAN'
	list proto 'all'
	list src_ip '192.168.2.142'
	option target 'ACCEPT'

config rule
	option src 'iot'
	option dest 'proton0'
	option name 'Allow-Redacted-Outbound'
	list proto 'tcp'
	list src_ip '192.168.2.142'
	option dest_port '8883'
	option target 'ACCEPT'

config rule
	option src 'lan'
	option dest 'wan'
	option name 'Proton-VPN-Bypass-Test'
	list dest_ip redacted
	option target 'ACCEPT'

config rule
	option src 'lan'
	option dest 'wan'
	list proto 'tcp'
	list dest_ip redacted
	option dest_port '443'
	option target 'ACCEPT'
	option name 'Allow-Redacted-VPN-Bypass'

config rule
	option src 'guest'
	option dest 'wan'
	option target 'ACCEPT'
	option name 'Allow-Redacted-VPN-Bypass'
	list src_ip '192.168.3.165'
	list proto 'all'

config rule
	option src 'wan'
	option name 'Allow-WG-55443'
	list proto 'udp'
	option dest_port '55443'
	option target 'ACCEPT'

config zone
	option name 'wgserver'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'wgserver'

config forwarding
	option src 'wgserver'
	option dest 'lan'

config forwarding
	option src 'wgserver'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'wgserver'

config forwarding
	option src 'wgserver'
	option dest 'proton0'


root@OpenWrt:~# head -n -0 /etc/firewall.user;
head: /etc/firewall.user: No such file or directory


root@OpenWrt:~# ip -4 addr ;
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc cake state UP group default qlen 1000
    inet 192.168.1.226/24 brd 192.168.1.255 scope global eth1
       valid_lft forever preferred_lft forever
36: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
37: br-iot: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-iot
       valid_lft forever preferred_lft forever
44: br-guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.3.1/24 brd 192.168.3.255 scope global br-guest
       valid_lft forever preferred_lft forever
45: proton0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.2.0.2/32 brd 255.255.255.255 scope global proton0
       valid_lft forever preferred_lft forever
58: wgserver: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 172.22.22.1/24 brd 172.22.22.255 scope global wgserver
       valid_lft forever preferred_lft forever



root@OpenWrt:~# ip -4 ro li tab all ;
default via 192.168.1.254 dev eth1 table pbr_wan 
default via 10.2.0.2 dev proton0 table pbr_proton0 
default dev proton0 proto static scope link 
Redacted via 192.168.1.254 dev eth1 proto static 
172.22.22.0/24 dev wgserver proto kernel scope link src 172.22.22.1 
172.22.22.2 dev wgserver proto static scope link 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.226 
192.168.2.0/24 dev br-iot proto kernel scope link src 192.168.2.1 
192.168.3.0/24 dev br-guest proto kernel scope link src 192.168.3.1 
local 10.2.0.2 dev proton0 table local proto kernel scope host src 10.2.0.2 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
local 172.22.22.1 dev wgserver table local proto kernel scope host src 172.22.22.1 
broadcast 172.22.22.255 dev wgserver table local proto kernel scope link src 172.22.22.1 
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1 
local 192.168.1.226 dev eth1 table local proto kernel scope host src 192.168.1.226 
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1 
broadcast 192.168.1.255 dev eth1 table local proto kernel scope link src 192.168.1.226 
local 192.168.2.1 dev br-iot table local proto kernel scope host src 192.168.2.1 
broadcast 192.168.2.255 dev br-iot table local proto kernel scope link src 192.168.2.1 
local 192.168.3.1 dev br-guest table local proto kernel scope host src 192.168.3.1 
broadcast 192.168.3.255 dev br-guest table local proto kernel scope link src 192.168.3.1


root@OpenWrt:~# ip -4 ru;
0:	from all lookup local
29998:	from all fwmark 0x20000/0xff0000 lookup pbr_proton0
30000:	from all fwmark 0x10000/0xff0000 lookup pbr_wan
32766:	from all lookup main
32767:	from all lookup default


root@OpenWrt:~# wg
interface: proton0
  public key: redacted
  private key: (hidden)
  listening port: 55647

peer: redacted
  endpoint: redacted:51820
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 24 seconds ago
  transfer: 198.78 MiB received, 16.97 MiB sent

interface: wgserver
  public key: redacted
  private key: (hidden)
  listening port: 55443

peer: redacted
  allowed ips: 172.22.22.2/32
  persistent keepalive: every 25 seconds

Normally the pbr package you have installed takes care of routing the WireGuard server's listen-port traffic back out via the WAN: it installs a policy rule keyed on source port 55443 so that replies to the phone's handshake are not sent into the proton0 tunnel.

There should be a corresponding rule visible in `ip rule show`, but your `ip -4 ru` output above contains only the two fwmark rules (pbr_proton0 and pbr_wan) — no source-port rule for 55443 is present.

Start by rebooting and checking whether the rule for listen port 55443 appears. If it does not, which pbr version are you running? You need at least 1.1.8-r36 for pbr to create that rule automatically.

Some mandatory prerequisites:

Your OpenWrt WAN has a private address (192.168.1.226 on eth1), so the device sits behind an upstream router. That upstream router must have a public IP address and a DNAT/port-forward rule sending UDP port 55443 to the OpenWrt WAN address; without it, the phone's handshake never reaches OpenWrt regardless of the local configuration.

Some errors to fix:

Change the LAN subnet so that it does not overlap with the WAN: both br-lan (192.168.1.1/24) and eth1 (192.168.1.226/24) are in 192.168.1.0/24, and your routing table shows two competing routes for that prefix (one via br-lan, one via eth1), which breaks return traffic.

Remove `option endpoint_port '55443'` from the `config wireguard_wgserver` peer section; `endpoint_host`/`endpoint_port` belong only in the "client" side configuration. The same peer section also carries an `option private_key` line, which is not a valid peer option — a peer entry needs only the peer's public key (and optionally a preshared key). Delete it, and if that value is the phone's private key, it should not be stored on the router at all.

You can also optimize the configuration.

Remove the separate `wgserver` zone and its four forwardings (wgserver→lan, wgserver→wan, lan→wgserver, wgserver→proton0) and instead add `list network 'wgserver'` to the `lan` zone. Be aware this gives VPN peers exactly the same rights as LAN hosts — including access to router services and the existing lan→proton0 and lan→iot forwardings — and their internet traffic will then follow the LAN path through proton0 rather than the direct wgserver→wan forwarding you have now. If you want peers restricted to less than full LAN access, keep a separate zone with explicit forwardings instead.

Since the WireGuard client is always active and your default route points into the tunnel (`default dev proton0`), you need a policy rule that returns the WireGuard server's traffic over the WAN interface instead of into proton0. Make sure the pbr version you use is new enough to create such rules automatically.

Add wgserver to pbr's list of supported interfaces and restart the pbr service.
You should then see an ip rule like this in `ip rule show`:

from all sport 55443 lookup pbr_wan