WireGuard configuration when host device is behind another router

Hi All,

I have been having issues getting a stable WireGuard configuration and would appreciate some insight.

Here's what I have:

OpenWrt and WireGuard are running on a BT Home Hub 5A configured primarily as a wireless access point - it does not act as the main WAN interface; that's done through a Draytek router.

I have configured the Draytek to open port 55000 to the HH5A and both devices are connected LAN port ->>> LAN port. I am not using the WAN port on the HH5A.

So:

INTERNET ->>> WAN IP (static) 45.X.X.X ->>> Draytek router >>> Open Port 55000 to HH5A

LAN network: 172.16.0.0/16

HH5A: 172.16.0.1

WireGuard LAN (interface wg0): 10.200.200.0/24

If I configure a single VPN peer for my Android phone, connectivity is as expected, but when I configure a second things stop working.

From what I can see, when the second peer is configured and the settings saved, 'something' changes the default gateway on the HH5A to wg0 rather than leaving it as the main router via br0...and things stop working. At this time both br0 and wg0 are in the same firewall zone, but I have tried them separately with forwarding rules.

I have played around with the route settings in WireGuard without any success. I have also tried defining and not defining the peers' WAN IP addresses.

After a few hours of config permutations, I have stepped away for some advice before starting again - for example would it be better to define the link between the Draytek and the HH5A as a static IP link going through the HH5A's WAN port?

I couldn't find a similar scenario online to work through so I'm open to suggestions.

Many thanks.

Is the Draytek running openwrt?

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses, private keys and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

I assume by br0, you're actually talking about the lan interface? The two networks will need to be in different firewall zones -- the lan needs to be masqueraded (unless your Draytek router supports static routes -- in that case, you need to set a proper static route if you don't want to use masquerading).

I have some guesses about what might be wrong with your setup, but we need to see the config files as requested. Once we see those, we can guide you through the necessary changes to fix the problems.

Hi Both, thanks for the replies. I have been away from home for a while so only just picking this up.

Having played around with wg and peer settings a lot, without success, I wanted to start from scratch to make sure I took the right approach rather than just fiddling around with where I ended up.

I have deleted the current wg interface and here's the current planned setup. If needed I could NAT port-forward from the Draytek to the wg interface rather than simply opening the port. All input gratefully received. To answer one question, yes the Draytek does support adding static routes.

[Diagram: wg-schematic]

These are often the same thing with only minor nuance. A port forward is required if the service is hosted on something behind router that is performing NAT masquerading (i.e. the router that is directly handling the actual internet connection). This is sometimes called "opening a port", but the other context of "opening a port" is when the service is hosted on the main router, thus no forward is required.

Based on your topology, you need to forward a port -- the Draytek 2927 needs to forward udp port 55000 to the address that the plusnet hub holds on the 172.16.1.0/16 network (if your diagram is correct, that should be 172.16.0.1). As an aside, why are you using a /16 for this network? That's an unnecessarily large subnet.

Anyway, this scenario will work -- it's how I run my own Wireguard endpoints. Take a look at the road warrior example:

Thanks for the quick reply. I'll run through the road warrior config.

I'm using a /16 subnet so I can demarcate fixed IPs for functional groups of kit by using the third octet - so. The current count of devices on the network is 63 so there is a bit of headroom, but I have a tidy spreadsheet.

One thing to add, as far as I have understood the WG server is set up on a wireless access point (dumb AP).

Traffic coming out of the WG server has a source address 10.200.200.x.

Your local LAN clients do not know where to reply to so are using the default gateway.

So either set a static route on the Draytek to route the WG subnet via your wireless access point or, easier, masquerade the LAN interface of the wireless access point.

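As an added illustration (not from any post in this thread), here are UCI stanzas for the dumb-AP layout described above: wg0 listening on udp 55000 with two road-warrior peers, the lan zone masqueraded so LAN hosts reply via 172.16.0.1 rather than the Draytek, and a wg-to-lan forwarding. Keys, peer names and the 10.200.200.2/.3 peer addresses are placeholders; note that a peer entry with allowed_ips 0.0.0.0/0 plus route_allowed_ips on the server side installs a default route through wg0, which matches the "default gateway moved to wg0" symptom, so server-side peers get /32 entries only.

```uci
# /etc/config/network -- added stanzas (existing 'lan' section unchanged)
config interface 'wg0'
	option proto 'wireguard'
	option private_key 'REDACTED_SERVER_PRIVATE_KEY'   # placeholder
	option listen_port '55000'                         # port the Draytek forwards (udp)
	list addresses '10.200.200.1/24'

# Each road-warrior peer gets a single /32; never 0.0.0.0/0 here,
# or route_allowed_ips would replace the AP's default route with wg0.
config wireguard_wg0
	option description 'android-phone'                 # placeholder name
	option public_key 'REDACTED_PEER1_PUBLIC_KEY'
	option preshared_key 'REDACTED_PEER1_PSK'          # optional extra layer
	list allowed_ips '10.200.200.2/32'
	option route_allowed_ips '1'

config wireguard_wg0
	option description 'laptop'                        # placeholder name
	option public_key 'REDACTED_PEER2_PUBLIC_KEY'
	list allowed_ips '10.200.200.3/32'
	option route_allowed_ips '1'

# /etc/config/firewall -- lan zone masqueraded, separate wg zone
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'        # VPN traffic leaves the AP as 172.16.0.1, so LAN hosts can reply
	                       # (alternative: static route for 10.200.200.0/24 on the Draytek)

config zone
	option name 'wg'
	list network 'wg0'
	option input 'ACCEPT'  # tighten to REJECT plus explicit rules once it works
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'wg'
	option dest 'lan'

# The tunnel arrives on the lan side because the HH5A WAN port is unused;
# lan input is already ACCEPT, this rule just documents the listener.
config rule
	option name 'Allow-WireGuard'
	option src 'lan'
	option proto 'udp'
	option dest_port '55000'
	option target 'ACCEPT'
```

On each phone or laptop, the peer entry for the server carries the wider AllowedIPs (10.200.200.0/24 and 172.16.0.0/16, or 0.0.0.0/0 for a full tunnel); only the server-side entries must stay /32.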