Wireguard handshakes but no access to IPs behind

I'm trying to get a VPN working (Android -> OpenWrt), handshake is ok but I cannot access any IPs behind. is my internal net. wg interface on android has, wgvpn is in zone lan to keep it simple.

root@wlanrouter:/etc/config# wg show
interface: wgvpn
  public key: HW1urKqVAAFF4S6dqdndVfmbghWYFSOHgpmeuGqvSls=
  private key: (hidden)
  listening port: 4444

peer: v3qMk12k5uKfgYHlY580cQK48SOlrg2HWwNjL5L3nAE=
  preshared key: (hidden)
  endpoint: <public-ip>:26464
  allowed ips:
  latest handshake: 11 minutes, 2 seconds ago
  transfer: 2.26 KiB received, 376 B sent

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wgvpn'

On Android I can ping but no IPs in I'm stuck, any hints where to look?

You need to use a different subnet for the wireguard devices.


try changing the allowed ips of your peer config on the router to instead (and reboot).
The entry should be configured on your android (or if all the traffic should run over your vpn then

WG is a layer 3 protocol and the subnet used in the WG interface cannot overlap with the lan interface of the router.


Thanks to all, I got it working, should have taken a look at the routing table.

setting client ip to, allowed_ips to and route_allowed_ips=1 works, using subnet 10.10.3.0/24 or for client and allowed_ips works too, but I have to set route_allowed_ips=1 to get the return packets routed back to the vpn interface.
route_allowed_ips is labeled as optional, how should it work without enabling this option?

ok, if you give the interface an ip you get a route and don't need route_allowed_ips=1
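
An added example, not part of the original thread and not OpenWrt code: a Python model of the router's routing table that shows which interface carries the reply packets to the VPN client in each of the setups discussed above. The LAN subnet 192.168.1.0/24, the client addresses and the interface names br-lan and wan are assumptions made up for the example; wgvpn and 10.10.3.0/24 come from the thread.

```python
import ipaddress

def build_routes(lan_subnet, wg_address, allowed_ips, route_allowed_ips):
    """Model the routes the router ends up with, as (network, device) pairs."""
    routes = [
        (ipaddress.ip_network("0.0.0.0/0"), "wan"),      # default route (assumed)
        (ipaddress.ip_network(lan_subnet), "br-lan"),    # connected LAN route
    ]
    if wg_address:
        # An address with a prefix on wgvpn creates a connected route for its subnet.
        routes.append((ipaddress.ip_interface(wg_address).network, "wgvpn"))
    if route_allowed_ips:
        # route_allowed_ips=1 installs one route per allowed IP of the peer.
        routes += [(ipaddress.ip_network(a), "wgvpn") for a in allowed_ips]
    return routes

def egress_device(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins.
    Equal-length ties go to the earlier route; that is a simplification."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, dev) for net, dev in routes if dst in net]
    return max(matches, key=lambda r: r[0].prefixlen)[1]

def reply_device(lan_subnet, wg_address, peer_ip, allowed_ips, route_allowed_ips):
    """Device the router uses to send a reply back to the VPN client."""
    routes = build_routes(lan_subnet, wg_address, allowed_ips, route_allowed_ips)
    return egress_device(routes, peer_ip)

LAN = "192.168.1.0/24"  # constructed LAN subnet

# Constructed scenarios: (label, wg address, client IP, allowed IPs, route_allowed_ips)
SCENARIOS = [
    ("client IP inside LAN, no route", None, "192.168.1.200", ["192.168.1.200/32"], False),
    ("client IP inside LAN, route_allowed_ips=1", None, "192.168.1.200", ["192.168.1.200/32"], True),
    ("own subnet, no wg address, no route", None, "10.10.3.2", ["10.10.3.2/32"], False),
    ("own subnet, wg address set", "10.10.3.1/24", "10.10.3.2", ["10.10.3.2/32"], False),
]

if __name__ == "__main__":
    for label, addr, peer, allowed, rai in SCENARIOS:
        dev = reply_device(LAN, addr, peer, allowed, rai)
        verdict = "reaches the tunnel" if dev == "wgvpn" else "never enters the tunnel"
        print(f"{label}: reply leaves via {dev} ({verdict})")
```

The model covers kernel routing only; WireGuard additionally requires the client's address to be listed in that peer's allowed IPs before it will encrypt the packet for it.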