Wireguard DNS Leak and restricted access to local LAN

Hi there,

I use Wireguard to dial in to my local home network from outside. I use an OpenWrt router as a Wireguard server; this router also creates my home network. Dial-in to the internet is done by a black box from my ISP.

I recently set up a new laptop running MX Linux 25 as a client and ran into some trouble I'm unable to resolve. Firstly, the Wireguard connection has DNS leaks: when I e.g. dial in via a mobile hotspot, I send some of my DNS requests to my mobile ISP. Also, I'm able to connect to LuCI and SSH into the OpenWrt device, but I can't reach my home server, which is on the same network.

The DNS issues are specific to the new client. I also use a Pixel 6a GrapheneOS phone with the Wireguard app, and this connection does not have these issues.
The inability to connect to my home server is a global problem.

Configs and SysInfo below. The interface is called HomeVPN and the Client MX2-Laptop.

SysInfo

	"kernel": "6.6.119",
	"hostname": "OpenWrt",
	"system": "ARMv7 Processor rev 5 (v7l)",
	"model": "AVM FRITZ!Box 4040",
	"board_name": "avm,fritzbox-4040",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "24.10.5",
		"revision": "r29087-d9c5716d1d",
		"target": "ipq40xx/generic",
		"description": "OpenWrt 24.10.5 r29087-d9c5716d1d",
		"builddate": "1766005702"

Network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd36:ec8d:1385::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '5.9.164.112'
	list dns '116.203.32.217'
	list dns '176.9.93.198'
	option defaultroute '1'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'
	list dns '2a01:4f8:251:554::2'
	list dns '2a01:4f8:1c1b:44aa::1'
	list dns '2a01:4f8:151:34aa::198'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'
	option device 'br-guest'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'XXX'
	list dns '10.31.33.7'
	list dns '2001:db8::7'
	list addresses '10.10.54.232/32'
	list addresses 'fd00:10:10::2410/128'
	option defaultroute '0'

config interface 'HomeVPN'
	option proto 'wireguard'
	option private_key 'XXX'
	option listen_port '51820'
	list addresses '10.0.100.1/24'
	list addresses 'fd00:9::1/64'

config wireguard_HomeVPN
	option description 'Pixel6a'
	option public_key 'Bihydk9DrGgQ3a8G5/G3C0qRhfMFd5BXMXHpRt+9CkI='
	option private_key 'XXX'
	option preshared_key 'XXX'
	option route_allowed_ips '1'
	list allowed_ips '10.0.100.2/32'
	list allowed_ips 'fd00:9::2/128'

config wireguard_HomeVPN
	option description 'MX_Laptop'
	option public_key 'rBrdA/scXGr3XRLGoXzT+DAXB2mSjlshuNjICwN3+CI='
	option private_key 'XXX'
	option preshared_key 'XXX'
	option route_allowed_ips '1'
	list allowed_ips '10.0.100.3/32'
	option disabled '1'

config wireguard_wg0
	option description 'cs-berlin'
	option public_key 'qXuD0iXh3WK0maEkseBXwDbD2R5cya4zdXN3DfXCtxk='
	option preshared_key 'XXX'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
	option persistent_keepalive '25'
	option endpoint_host 'berlin.cstorm.is'
	option endpoint_port '443'
	option route_allowed_ips '1'

config device
	option name 'br-guest'
	option type 'bridge'

config wireguard_HomeVPN
	option description 'MX2-Laptop'
	option public_key '/JiQIX3974FGp4O5urQiMKuY1opFXu/V4ssjTqnxYjE='
	option private_key 'XXX'
	option preshared_key 'XXX'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	list allowed_ips '10.0.100.4/32'
	list allowed_ips 'fd00:9::4/128'

Firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'HomeVPN'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option name 'Guest DNS'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Guest DHCP'
	option src 'guest'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option src 'lan'
	option dest 'wan'
	option target 'ACCEPT'
	option dest_port '80 443'
	option name 'HTTP, HTTPS'
	list proto 'tcp'
	list proto 'udp'

config rule
	option name 'SMTPS, IMAPS, Sieve'
	list proto 'tcp'
	option src 'lan'
	option dest 'wan'
	option target 'ACCEPT'
	option dest_port '25 465 993 4190'

config rule
	option name 'SSH'
	list proto 'tcp'
	option src 'lan'
	option dest 'wan'
	option dest_port '22 7777'
	option target 'ACCEPT'

config rule
	option name 'NTP'
	list proto 'udp'
	option src 'lan'
	option dest 'wan'
	option dest_port '123'
	option target 'ACCEPT'

config rule
	option name 'OpenPGP-Keyserver'
	list proto 'tcp'
	option src 'lan'
	option dest 'wan'
	option dest_port '11371'
	option target 'ACCEPT'

config rule
	option name 'WHOIS'
	list proto 'tcp'
	option src 'lan'
	option dest 'wan'
	option dest_port '43'
	option target 'ACCEPT'

config rule
	option name 'Tor Browser'
	list proto 'tcp'
	option src 'lan'
	option dest 'wan'
	option target 'ACCEPT'
	option dest_port '9001 9030'

config rule
	option name 'Monero'
	list proto 'tcp'
	option src 'lan'
	option dest 'wan'
	option dest_port '18080 18089 18081'
	option target 'ACCEPT'

config rule
	option name 'WireGuard'
	list proto 'udp'
	option src 'lan'
	option dest 'wan'
	option target 'ACCEPT'
	option dest_port '51820'

config rule
	option name 'Block all'
	option src 'lan'
	option dest 'wan'
	option target 'REJECT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'qBittorrent-rpi'
	option src 'vpn'
	option src_dport '57082'
	option dest_ip '192.168.1.151'
	option dest_port '57082'
	list proto 'tcp'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'HomeVPN'
	list proto 'udp'
	option src 'wan'
	option src_dport '51820'
	option dest_ip '10.0.100.1'
	option dest_port '51820'

config zone
	option name 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wg0'

config forwarding
	option src 'lan'
	option dest 'vpn'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/firewall.include'

NetworkManager Conf

[connection]
id=HomeVPN
uuid=XXX
type=wireguard
autoconnect=false
interface-name=HomeVPN
timestamp=1771783278

[wireguard]
private-key=XXX

[wireguard-peer.XXX]
endpoint=XXX:51820
preshared-key=XXX
preshared-key-flags=0
persistent-keepalive=25
allowed-ips=0.0.0.0/0;::/0;

[ipv4]
address1=10.0.100.4/32
dns=192.168.1.1;
dns-search=~;
method=manual

[ipv6]
addr-gen-mode=stable-privacy
address1=fd00:9::4/128
method=manual

[proxy]

Might be an IPv6 leak as allowed_ips for IPv6 is missing?

MX_Laptop is the old client. It is disabled; I didn't delete it to be able to compare it with my new client. MX2-Laptop is the new one; it has allowed_ips for IPv6. My DNS leaks happen on both IPv4 and IPv6 addresses.

If the server allows IPv6 and IPv4, then nothing on the server side can be the cause.

So look at the client side for why it does not use the DNS server set in the WireGuard config.

Note that many browsers use their own private DNS unless that is disabled; maybe the Linux version you are using also uses private DNS.

The DNS leaks are a NetworkManager problem. I added negative dns-priority values to the NM configuration and it fixed the DNS leaks. See new config below.

This does not, however, resolve my second issue. I still can't connect to any address other than 192.168.1.1 on my home network. I would like to talk to my server on 192.168.1.151, but I can't ping or SSH or connect to any of the web UIs. How do I fix this?

New NM-conf

[connection]
id=HomeVPN
uuid=XXX
type=wireguard
autoconnect=false
interface-name=HomeVPN
timestamp=1771858915

[wireguard]
private-key=XXX

[wireguard-peer.XXX]
endpoint=XXX:51820
preshared-key=XXX
preshared-key-flags=0
persistent-keepalive=25
allowed-ips=0.0.0.0/0;::/0;

[ipv4]
address1=10.0.100.4/32
dns=192.168.1.1;
dns-priority=-10
dns-search=~;
method=manual

[ipv6]
addr-gen-mode=stable-privacy
address1=fd00:9::4/128
dns=fd36:ec8d:1385::1;
dns-priority=-10
method=manual

[proxy]

The server on 192.168.1.151 can have its own firewall and might not allow traffic from non-local sources, e.g. from the WireGuard subnet 10.0.100.0/24. If that is the case, then tweak the firewall of said server, or enable masquerading on the LAN interface, but that is second best as you lose logging and access control.

Furthermore, your problem can also indicate that you did not set up the WireGuard client correctly on your laptop, but normally, if you used wg-quick to set it up, that should work.

A third problem can be if your laptop is also on a 192.168.1.0/24 network.

Using wg-quick does not solve it. Also, in my test setup with my mobile hotspot, my laptop is on the IP 10.155.59.11/24 according to $ ip a.

Masquerading does solve the issue. However, the server, a freshly set up RPi, has only some rules created by Docker. It accepts pretty much everything, as far as I understand iptables. Can it be something OpenWrt related? How come I can talk to 192.168.1.1 from 10.0.100.4 but not to any other address in the 192.168.1.X subnet?

# iptables -L of the server yields

sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-FORWARD  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (3 references)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             172.18.0.2           udp dpt:57082
ACCEPT     tcp  --  anywhere             172.18.0.2           tcp dpt:57082
ACCEPT     tcp  --  anywhere             172.18.0.2           tcp dpt:http-alt
ACCEPT     tcp  --  anywhere             172.19.0.2           tcp dpt:9117
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            

Chain DOCKER-BRIDGE (1 references)
target     prot opt source               destination         
DOCKER     all  --  anywhere             anywhere            
DOCKER     all  --  anywhere             anywhere            
DOCKER     all  --  anywhere             anywhere            

Chain DOCKER-CT (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED

Chain DOCKER-FORWARD (1 references)
target     prot opt source               destination         
DOCKER-CT  all  --  anywhere             anywhere            
DOCKER-INTERNAL  all  --  anywhere             anywhere            
DOCKER-BRIDGE  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain DOCKER-INTERNAL (1 references)
target     prot opt source               destination         

Chain DOCKER-USER (1 references)
target     prot opt source               destination 

One more thing. I just tried to run $ tcpdump icmp on the RPi at 192.168.1.151 while pinging it via the Wireguard connection from 10.0.100.4. Ping reported 100% packet loss of 7 packets. But tcpdump showed the log below. I do not fully understand tcpdump, but it seems the RPi received and answered the ping.
So where does my traffic get stuck? The firewall of the device at 10.0.100.4, a laptop running MX Linux 25, was turned off for this.

18:55:23.960365 IP 10.0.100.4 > raspberrypi.lan: ICMP echo request, id 1, seq 1, length 64
18:55:23.960482 IP raspberrypi.lan > 10.0.100.4: ICMP echo reply, id 1, seq 1, length 64
18:55:24.968412 IP 10.0.100.4 > raspberrypi.lan: ICMP echo request, id 1, seq 2, length 64
18:55:24.968501 IP raspberrypi.lan > 10.0.100.4: ICMP echo reply, id 1, seq 2, length 64
18:55:26.024107 IP 10.0.100.4 > raspberrypi.lan: ICMP echo request, id 1, seq 3, length 64
18:55:26.024273 IP raspberrypi.lan > 10.0.100.4: ICMP echo reply, id 1, seq 3, length 64
18:55:27.024247 IP 10.0.100.4 > raspberrypi.lan: ICMP echo request, id 1, seq 4, length 64
18:55:27.024347 IP raspberrypi.lan > 10.0.100.4: ICMP echo reply, id 1, seq 4, length 64
18:55:28.025177 IP 10.0.100.4 > raspberrypi.lan: ICMP echo request, id 1, seq 5, length 64
18:55:28.025299 IP raspberrypi.lan > 10.0.100.4: ICMP echo reply, id 1, seq 5, length 64
18:55:29.050849 IP 10.0.100.4 > raspberrypi.lan: ICMP echo request, id 1, seq 6, length 64
18:55:29.050940 IP raspberrypi.lan > 10.0.100.4: ICMP echo reply, id 1, seq 6, length 64
18:55:29.971378 IP 10.0.100.4 > raspberrypi.lan: ICMP echo request, id 1, seq 7, length 64
18:55:29.971455 IP raspberrypi.lan > 10.0.100.4: ICMP echo reply, id 1, seq 7, length 64

What is the output of:

ip route show
ip route show table all
ip -6 route show table all
ip rule show
ip -6 rule show

Assuming you want the output from the OpenWrt router while reproducing the error, I got the following. XXX is my public IPv4 address or its subnet.

$ ip route show

default via XXX.254 dev wan proto static src XXX 
10.0.100.0/24 dev HomeVPN proto kernel scope link src 10.0.100.1 
10.0.100.2 dev HomeVPN proto static scope link 
10.0.100.4 dev HomeVPN proto static scope link 
XXX.0/24 dev wan proto kernel scope link src XXX 
37.120.217.76 via XXX.254 dev wan proto static 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
192.168.4.0/24 dev br-guest proto kernel scope link src 192.168.4.1

$ ip route show table all

default via XXX.254 dev wan table pbr_wan                                               
default via 10.10.54.232 dev wg0 table pbr_wg0  
default via XXX.254 dev wan proto static src XXX 
10.0.100.0/24 dev HomeVPN proto kernel scope link src 10.0.100.1 
10.0.100.2 dev HomeVPN proto static scope link  
10.0.100.4 dev HomeVPN proto static scope link  
XXX.0/24 dev wan proto kernel scope link src XXX 
37.120.217.76 via XXX.254 dev wan proto static 
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1 
192.168.4.0/24 dev br-guest proto kernel scope link src 192.168.4.1 
local 10.0.100.1 dev HomeVPN table local proto kernel scope host src 10.0.100.1 
broadcast 10.0.100.255 dev HomeVPN table local proto kernel scope link src 10.0.100.1 
local 10.10.54.232 dev wg0 table local proto kernel scope host src 10.10.54.232 
local XXX dev wan table local proto kernel scope host src XXX 
broadcast XXX.255 dev wan table local proto kernel scope link src XXX 
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1 
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1 
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1 
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1 
local 192.168.4.1 dev br-guest table local proto kernel scope host src 192.168.4.1 
broadcast 192.168.4.255 dev br-guest table local proto kernel scope link src 192.168.4.1 
unreachable default dev lo table pbr_wan metric 1024 pref medium
fd00:10:10::2410 dev wg0 table pbr_wg0 proto kernel metric 256 pref medium
default dev wg0 table pbr_wg0 metric 128 pref medium
fd00:9::2 dev HomeVPN proto static metric 1024 pref medium
fd00:9::4 dev HomeVPN proto static metric 1024 pref medium
fd00:9::/64 dev HomeVPN proto kernel metric 256 pref medium
fd00:10:10::2410 dev wg0 proto kernel metric 256 pref medium
fd36:ec8d:1385::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd36:ec8d:1385::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev wan proto kernel metric 256 pref medium
fe80::/64 dev br-guest proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast fd00:9:: dev HomeVPN table local proto kernel metric 0 pref medium
local fd00:9::1 dev HomeVPN table local proto kernel metric 0 pref medium
local fd00:10:10::2410 dev wg0 table local proto kernel metric 0 pref medium
anycast fd36:ec8d:1385:: dev br-lan table local proto kernel metric 0 pref medium
local fd36:ec8d:1385::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev wan table local proto kernel metric 0 pref medium
anycast fe80:: dev br-guest table local proto kernel metric 0 pref medium
local fe80::3810:d5ff:feaa:ec33 dev br-guest table local proto kernel metric 0 pref medium
local fe80::3a10:d5ff:feaa:ec30 dev eth0 table local proto kernel metric 0 pref medium
local fe80::3a10:d5ff:feaa:ec30 dev br-lan table local proto kernel metric 0 pref medium
local fe80::3a10:d5ff:feaa:ec30 dev wan table local proto kernel metric 0 pref medium
multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev br-lan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev HomeVPN table local proto kernel metric 256 pref medium
multicast ff00::/8 dev wan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev wg0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev br-guest table local proto kernel metric 256 pref medium

$ ip -6 route show table all

unreachable default dev lo table pbr_wan metric 1024 pref medium
fd00:10:10::2410 dev wg0 table pbr_wg0 proto kernel metric 256 pref medium
default dev wg0 table pbr_wg0 metric 128 pref medium
fd00:9::2 dev HomeVPN proto static metric 1024 pref medium
fd00:9::4 dev HomeVPN proto static metric 1024 pref medium
fd00:9::/64 dev HomeVPN proto kernel metric 256 pref medium
fd00:10:10::2410 dev wg0 proto kernel metric 256 pref medium
fd36:ec8d:1385::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd36:ec8d:1385::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev wan proto kernel metric 256 pref medium
fe80::/64 dev br-guest proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast fd00:9:: dev HomeVPN table local proto kernel metric 0 pref medium
local fd00:9::1 dev HomeVPN table local proto kernel metric 0 pref medium
local fd00:10:10::2410 dev wg0 table local proto kernel metric 0 pref medium
anycast fd36:ec8d:1385:: dev br-lan table local proto kernel metric 0 pref medium
local fd36:ec8d:1385::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev eth0 table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev wan table local proto kernel metric 0 pref medium
anycast fe80:: dev br-guest table local proto kernel metric 0 pref medium
local fe80::3810:d5ff:feaa:ec33 dev br-guest table local proto kernel metric 0 pref medium
local fe80::3a10:d5ff:feaa:ec30 dev eth0 table local proto kernel metric 0 pref medium
local fe80::3a10:d5ff:feaa:ec30 dev br-lan table local proto kernel metric 0 pref medium
local fe80::3a10:d5ff:feaa:ec30 dev wan table local proto kernel metric 0 pref medium
multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev br-lan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev HomeVPN table local proto kernel metric 256 pref medium
multicast ff00::/8 dev wan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev wg0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev br-guest table local proto kernel metric 256 pref medium

$ ip rule show

0:      from all lookup local
29997:  from all sport 51820 lookup pbr_wan
29998:  from all fwmark 0x20000/0xff0000 lookup pbr_wg0
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wan
32766:  from all lookup main
32767:  from all lookup default

$ ip -6 rule show

0:      from all lookup local
29997:  from all sport 51820 lookup pbr_wan
29998:  from all fwmark 0x20000/0xff0000 lookup pbr_wg0
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wan
32766:  from all lookup main

No, sorry, from the OpenWrt router, to see if there is a problem with the routing.

You are also running a WG client and the PBR app, which can influence routing.

I updated the post to the Router outputs.

As a test, can you add the following routing rule:

ip rule add suppress_prefixlength 1 table main

Check if the rule is in place with: ip rule show

Alternative test:
Instead of the above, add HomeVPN to the list of ignored interfaces on the Advanced tab of the PBR GUI; reboot afterwards.

Not sure if it is there, as you are presumably running an old PBR version.

First of all: Thank you :smiley:.
I think it's solved. If everything remains stable I'll change this to solved.

I decided against the ip rule since it is not as visible or understandable a modification to me as putting something in the PBR GUI.

Putting HomeVPN in Ignored Interfaces and rebooting solved the issue. But around 2 minutes after rebooting, my internet connection would stop functioning. The router could not ping anything on the internet, and my connected devices were also without internet.

I noticed that the PBR GUI has a disabled preconfigured policy named Ignore Local Requests with these IPs in it: 10.0.0.0/24 10.0.1.0/24 192.168.100.0/24 192.168.1.0/24. So I added 10.0.100.0/24 to that rule and enabled it instead of your fix. This also works and my internet connection does not crash. Is there any downside to doing it this way?

Lastly, what happened? If I understand correctly, the 10.0.100.0/24 subnet could talk to the 192.168.1.0/24 subnet, but since my server on 192.168.1.151 was forced to use my WireGuard client interface wg0 by PBR, it could never answer locally?

I think that is something not related.

Using Ignore Local Requests is also fine.

It might be that the return traffic cannot find the correct route in the routing table, but not sure why.
It is using the pbr_wan table, and local routes should be copied to that table but they are not present. Might be a bug in PBR or something else in your setup, but you have an outdated PBR version which is no longer supported; the current version is 1.2.2-r6, but it is only tested on 25.12 and master builds.

Because you do have your default route via the wan if you ignore PBR, and that is what you do by setting HomeVPN as an ignored interface or adding the HomeVPN subnet to the ignored routes, you will then use the main table with the correct routes.

Newer versions of PBR use the suppress_prefixlength rule, which should also do the trick.

But glad you solved it :slight_smile:
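To make the explanation in this reply and the suppress_prefixlength test suggested earlier concrete, here is a small Python model of the router's policy-routing lookup; it is an added illustration, not code from the thread or from PBR. It assumes PBR has marked the server's reply for the pbr_wan table (mark value and rule priorities are taken from the ip rule output above; the suppress rule's position ahead of them is assumed) and uses only the IPv4 routes shown.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Route:
    prefix: str   # destination prefix, e.g. "192.168.1.0/24"
    dev: str      # outgoing interface


@dataclass
class Rule:
    pref: int
    table: str
    fwmark: Optional[Tuple[int, int]] = None   # (value, mask), as in "fwmark 0x10000/0xff0000"
    sport: Optional[int] = None
    suppress_prefixlength: Optional[int] = None

    def matches(self, mark: int, sport: int) -> bool:
        if self.fwmark is not None and (mark & self.fwmark[1]) != self.fwmark[0]:
            return False
        return self.sport is None or sport == self.sport


def longest_prefix_match(table: List[Route], dst: str) -> Optional[Tuple[int, Route]]:
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for route in table:
        net = ipaddress.ip_network(route.prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, route)
    return best


def lookup(rules: List[Rule], tables: dict, dst: str, mark: int = 0, sport: int = 0) -> Optional[str]:
    """Walk the rules in priority order, as the kernel does, and return the egress device."""
    for rule in sorted(rules, key=lambda r: r.pref):
        if not rule.matches(mark, sport):
            continue
        hit = longest_prefix_match(tables.get(rule.table, []), dst)
        if hit is None:
            continue                      # table has no route for dst: try the next rule
        plen, route = hit
        if rule.suppress_prefixlength is not None and plen <= rule.suppress_prefixlength:
            continue                      # route is too coarse for this rule: keep walking
        return route.dev
    return None


# Constructed from the router's "ip route show table all" above (IPv4 only; the local
# table is left out because we model traffic the router forwards, not its own).
TABLES = {
    "main": [
        Route("0.0.0.0/0", "wan"),
        Route("10.0.100.0/24", "HomeVPN"),
        Route("10.0.100.4/32", "HomeVPN"),
        Route("192.168.1.0/24", "br-lan"),
        Route("192.168.4.0/24", "br-guest"),
    ],
    "pbr_wan": [Route("0.0.0.0/0", "wan")],   # no LAN or HomeVPN routes copied here
    "pbr_wg0": [Route("0.0.0.0/0", "wg0")],
}
# The router's "ip rule show" output above.
PBR_RULES = [
    Rule(29997, "pbr_wan", sport=51820),
    Rule(29998, "pbr_wg0", fwmark=(0x20000, 0xFF0000)),
    Rule(30000, "pbr_wan", fwmark=(0x10000, 0xFF0000)),
    Rule(32766, "main"),
]
# The suggested "ip rule add suppress_prefixlength 1 table main"; assumed to land ahead
# of the PBR rules, which is where "ip rule add" without a priority puts it.
SUPPRESS_RULE = Rule(29996, "main", suppress_prefixlength=1)
PBR_WAN_MARK = 0x10000   # assumption: PBR has marked the server's reply for the pbr_wan table


def egress(dst: str, mark: int = PBR_WAN_MARK, with_suppress_rule: bool = False) -> Optional[str]:
    """Egress device for a forwarded packet to dst carrying fwmark mark."""
    rules = PBR_RULES + ([SUPPRESS_RULE] if with_suppress_rule else [])
    return lookup(rules, TABLES, dst, mark=mark)
```

In this model the marked reply to 10.0.100.4 leaves via wan, never reaching the tunnel, until the suppress_prefixlength rule lets the main table's more specific HomeVPN route win; internet-bound traffic still falls through to the PBR tables because the main table's /0 default is suppressed.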

Even better! I updated to OpenWrt 25.12.0-rc5 and PBR 1.2.1-r87, which is the newest available for me, and everything works without tweaking any rules.


Great, good choice updating to 25.12.

PBR 1.2.2-r6 will hopefully be available for the general public this week, but if you want it already, see:
