WireGuard client on router: tunnel not reaching LAN clients

I configured my router as a client of a VPN server so that all my LAN clients can use the VPN connection through the router. `wg show` reports a working VPN connection (the handshake completes), but traffic from my LAN clients is not routed through the VPN; it goes straight out via the ISP.

root@OpenWrt:~# wg show
interface: wireguard
  public key: wfh90wXXXXXXXXXXXXXXXXxnyTr58kGeogd36jk=
  private key: (hidden)
  listening port: 54924

peer: BihUx7bBsnXXXXXXXXXXXXXXXXXVU1cPdBV/QxGEmxU=
  endpoint: 185.217.70.146:51820
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 3 seconds ago
  transfer: 3.79 KiB received, 1.26 KiB sent
  persistent keepalive: every 10 seconds

My network configuration is below:


# UCI network configuration as posted in the thread. The comment lines are
# review notes; the sections and options themselves are unchanged.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd59:2b64:6358::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'

config device
	option name 'eth1'
	option macaddr 'c0:74:2b:ff:80:01'

# LAN side: 192.168.0.1/24 on the bridge, plus a /60 from the ULA prefix.
# NOTE(review): the two public resolvers listed below are reached over
# whatever default route the router currently has. While the tunnel is not
# the default route (the problem described in this thread) these queries
# leave via the ISP path in the clear; a separate, redacted resolver is set on
# the 'wireguard' interface further down -- confirm which one is intended to
# be used once the tunnel carries the default route.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.0.1'
	list dns '8.8.8.8'
	list dns '8.8.4.4'

config device
	option name 'eth0'
	option macaddr 'B0:BE:76:F7:4D:35'

# Upstream ISP link via DHCP. The explicit metric 20 presumably leaves room
# for a lower-metric default route from the tunnel, but it also means the ISP
# default route stays installed as a fallback: if the tunnel goes down, LAN
# traffic reverts to the ISP path unless something else blocks it.
config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'
	option metric '20'

# Tunnel interface; the name 'wireguard' matches "interface: wireguard" in
# the wg show output above. The private key and the tunnel-side resolver are
# redacted in the post. No 'metric' is set here, so a default route installed
# through this interface would presumably win over the metric-20 wan route --
# verify with `ip route` after routing is enabled.
config interface 'wireguard'
	option proto 'wireguard'
	option private_key '8BSuXXXXXXXXXXXXXXXXXXXXBs1M='
	list dns '198.XXX.XXX.XXX'
	list addresses '10.134.230.40/32'

# Peer section (endpoint and public key redacted). allowed_ips 0.0.0.0/0 and
# ::/0 govern which addresses WireGuard will exchange with this peer, but on
# their own they do not install kernel routes, which is why LAN traffic still
# followed the wan default route. The fix given later in the thread is to
# enable "Route Allowed IPs" on this peer (`option route_allowed_ips '1'`) so
# the allowed_ips are also installed as routes through the tunnel.
config wireguard_wireguard
	option description 'Imported peer configuration'
	option public_key 'BihUx7bXXXXXXXXXXXXXXXXXQxGEmxU='
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
	option persistent_keepalive '10'
	option endpoint_host '185.XXX.XXX.XXX'
	option endpoint_port '51820'

# NOTE(review): IPv6 is disabled on the tunnel device although the peer's
# allowed_ips include ::/0 and the LAN is assigned a ULA prefix. With no IPv6
# configured on wan this looks harmless, but if global IPv6 is ever added to
# wan, v6 traffic from the LAN would bypass the tunnel -- confirm.
config device
	option name 'wireguard'
	option ipv6 '0'


And my firewall configuration:


# UCI firewall configuration as posted in the thread. The comment lines are
# review notes; the sections and options themselves are unchanged.

# Global policy: inter-zone forwarding is denied unless a 'forwarding'
# section or an explicit rule allows it.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# LAN zone: everything accepted.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

# The wan zone carries both the ISP link and the tunnel. Because 'wireguard'
# is a member, the lan->wan forwarding at the bottom together with masq and
# mtu_fix applies to tunnel traffic as well: LAN sources are NATed to the
# tunnel address and TCP MSS is clamped for the tunnel path. Nothing here
# distinguishes the two members, so there is no kill-switch: while the tunnel
# is down (or, as in this thread, not routed), the same lan->wan forwarding
# sends LAN traffic out eth0. Inbound from either member is rejected except
# for the rules below.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wireguard'

# The inbound allowances below look like the stock OpenWrt defaults. Since
# 'wireguard' is in the wan zone they also apply to packets arriving through
# the tunnel from the VPN provider side, not only from the ISP.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# The two rules below forward IPsec ESP and ISAKMP (UDP/500) from the wan
# zone into the LAN. With the tunnel in the wan zone this includes traffic
# from the VPN peer side; if no LAN host terminates IPsec they can be dropped.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# NOTE(review): miniupnpd hooks in its own rules here, so LAN hosts can open
# inbound ports on request. Check which external interface miniupnpd is bound
# to now that the wan zone spans both eth0 and the tunnel.
config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'

# Only forwarding in the config: lan -> wan. Because the wan zone contains
# 'wireguard', this is also what permits LAN traffic into the tunnel once the
# routing is fixed.
config forwarding
	option src 'lan'
	option dest 'wan'


Enable "Route Allowed IPs" in the peer section.


Thank you, that was really quick.

