Wireguard home server. Problem

Hello,

I have setup a fresh install of:

OpenWrt 25.12.0 RC5 + plus relevant updates

pbr

luci-app-pbr

wireguard-tools

luci-proto-wireguard

qrencode

And have set up:

Surfshark VPN client on 10.14.0.2/16, allowed IPs 0.0.0.0/0

WireGuard server on 172.22.22.1/24, listen port 55443

My relevant devices:

Raspberry Pi running Adguard Home, Jellyfin and a file server on 192.168.1.5

Router running 25.12.0 RC5 on 192.168.1.1, handing out the Raspberry Pi’s 192.168.1.5 as the DNS server

Mobile phone running wireguard on 192.168.1.15 or mobile connection

The problem I have is that when I connect from my mobile phone with WireGuard enabled, I am not able to browse the internet; for example, for google.com I get "Connection Refused".

But it does let me access my router on 192.168.1.1 and Adguard Home on 192.168.1.5

I would think I should be able to browse the internet as if I was home!

I have followed EGC’s excellent “OpenWRT WireGuard Server Setup guide using LuCi”, but I guess I missed something.

I am also not sure whether I have to add a PBR rule or whether it works automagically :wink:

Advice please?

root@Router:~# ubus call system board
{
"kernel": "6.12.71",
"hostname": "Router",
"system": "ARMv8 Processor rev 4",
"model": "Dynalink DL-WRX36",
"board_name": "dynalink,dl-wrx36",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "25.12.0-rc5",
"firmware_url": "https://downloads.openwrt.org/",
"revision": "r32673-482ba7230a",
"target": "qualcommax/ipq807x",
"description": "OpenWrt 25.12.0-rc5 r32673-482ba7230a",
"builddate": "1771363837"
}
}
root@Router:~# cat /etc/config/network

config interface 'loopback'
option device 'lo'
option proto 'static'
list ipaddr '127.0.0.1/8'

config globals 'globals'
option dhcp_default_duid *****
option ula_prefix 'fd9d:99b7:30e1::/48'
option packet_steering '1'

config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'

config interface 'lan'
option device 'br-lan'
option proto 'static'
list ipaddr '192.168.1.1/24'
option ip6assign '60'
option multipath 'off'
list dns '192.168.1.5'

config interface 'wan'
option device 'wan'
option proto 'dhcp'
option peerdns '0'
option multipath 'off'
list dns '192.168.1.5'

config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
option reqaddress 'try'
option reqprefix 'auto'
option norelease '1'
option peerdns '0'
option multipath 'off'
list dns '192.168.1.5'
option disabled '1'

config interface 'SurfS'
option proto 'wireguard'
option private_key *****
list addresses '10.14.0.2/16'
list dns '162.252.172.57'
list dns '149.154.159.92'
option multipath 'off'

config wireguard_SurfS
option description 'London'
option public_key *****
list allowed_ips '0.0.0.0/0'
option endpoint_host 'uk-lon.prod.surfshark.com'
option endpoint_port '51820'
option route_allowed_ips '1'

config interface 'HwgS'
option proto 'wireguard'
option private_key *****
option multipath 'off'
option listen_port '55443'
list addresses '172.22.22.1/24'

config wireguard_HwgS
option public_key *****
option private_key *****
option description 'My Phone'
option endpoint_port '55443'
option persistent_keepalive '25'
list allowed_ips '172.22.22.2/32'
option route_allowed_ips '1'

root@Router:~# cat /etc/config/wireless

config wifi-device 'radio0'
option type 'mac80211'
option path 'platform/soc@0/c000000.wifi'
option band '5g'
option channel '100'
option htmode 'HE80'
option country 'GB'
option cell_density '0'

config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'Andy'''s'
option encryption 'sae-mixed'
option key *****
option ocv '0'

config wifi-device 'radio1'
option type 'mac80211'
option path 'platform/soc@0/c000000.wifi+1'
option band '2g'
option channel '1'
option htmode 'HE20'
option country 'GB'
option cell_density '0'

config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid 'Andy'''s'
option encryption 'sae-mixed'
option key *****
option ocv '0'

root@Router:~# cat /etc/config/firewall

config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'

config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option mtu_fix '1'

config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'DROP'
option masq '1'
option mtu_fix '1'

config forwarding
option src 'lan'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config zone
option name 'SsVpn'
option input 'REJECT'
option output 'ACCEPT'
option forward 'DROP'
list network 'SurfS'
option masq '1'

config forwarding
option src 'lan'
option dest 'SsVpn'

config zone
option name 'HwgS'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
option mtu_fix '1'
list network 'HwgS'

config forwarding
option src 'HwgS'
option dest 'lan'

config forwarding
option src 'HwgS'
option dest 'wan'

config forwarding
option src 'lan'
option dest 'HwgS'

config rule
option src 'wan'
option name 'allow-55443'
list proto 'udp'
option dest_port '55443'
option target 'ACCEPT'

config nat
option name 'SNAT-WGserver'
list proto 'all'
option src 'lan'
option src_ip '172.22.22.0/24'
option target 'MASQUERADE'

root@Router:~# wg show
interface: HwgS
public key: *****
private key: (hidden)
listening port: 55443

peer: qynL6eWd4S3ZjW61lpjff+d/cXSNXdN6BDs+R8cWmWA=
allowed ips: 172.22.22.2/32
persistent keepalive: every 25 seconds

interface: SurfS
public key: *****
private key: (hidden)
listening port: 59384

peer: *****
endpoint: 185.245.82.66:51820
allowed ips: 0.0.0.0/0
latest handshake: 23 seconds ago
transfer: 378.41 KiB received, 229.49 KiB sent

What is this?

And this?

Are you saying you're testing locally?

Remove masq.

(Also, the DNS settings on the WG interface only work for the router's own traffic.)

Not related but add option mtu_fix '1':

Also not related but remove option masq '1' below:

Normally you do not have to add any rule to make it work :slight_smile:

It might be a DNS problem; you can install an app called Fing on your phone and then see if you can ping e.g. 8.8.8.8.
Also, in your phone's WireGuard client set 9.9.9.9 as the DNS server, but you probably have DNS hijacking rules in place which might block this.
I do not use AdGuard Home (it is too bloated for my taste, though it has a nice interface), but I think it needs special setup to allow DNS queries from other subnets.

To look at other things, can you show the output of the following:

ip rule show
ip route show
ip route show table all
service pbr status

:slight_smile: Nice to see you again egc.

root@Router:~# ip rule show
0:      from all lookup local
29997:  from all sport 55443 lookup pbr_wan
29998:  from all lookup main suppress_prefixlength 1
29999:  from all fwmark 0x20000/0xff0000 lookup pbr_SurfS
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wan
32766:  from all lookup main
32767:  from all lookup default
root@Router:~# ip route show
default dev SurfS proto static scope link
10.14.0.0/16 dev SurfS proto kernel scope link src 10.14.0.2
89.36.70.0/24 dev wan proto kernel scope link src 89.36.70.207
172.22.22.0/24 dev HwgS proto kernel scope link src 172.22.22.1
172.22.22.2 dev HwgS proto static scope link
178.239.163.73 via 89.36.70.1 dev wan proto static
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
root@Router:~# ip route show table all
default via 89.36.70.1 dev wan table pbr_wan
default via 10.14.0.2 dev SurfS table pbr_SurfS
default dev SurfS proto static scope link
10.14.0.0/16 dev SurfS proto kernel scope link src 10.14.0.2
89.36.70.0/24 dev wan proto kernel scope link src 89.36.70.207
172.22.22.0/24 dev HwgS proto kernel scope link src 172.22.22.1
172.22.22.2 dev HwgS proto static scope link
178.239.163.73 via 89.36.70.1 dev wan proto static
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
local 10.14.0.2 dev SurfS table local proto kernel scope host src 10.14.0.2
broadcast 10.14.255.255 dev SurfS table local proto kernel scope link src 10.14.0.2
local 89.36.70.207 dev wan table local proto kernel scope host src 89.36.70.207
broadcast 89.36.70.255 dev wan table local proto kernel scope link src 89.36.70.207
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 172.22.22.1 dev HwgS table local proto kernel scope host src 172.22.22.1
broadcast 172.22.22.255 dev HwgS table local proto kernel scope link src 172.22.22.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1
fd9d:99b7:30e1::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd9d:99b7:30e1::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev wan proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast fd9d:99b7:30e1:: dev br-lan table local proto kernel metric 0 pref medium
local fd9d:99b7:30e1::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev wan table local proto kernel metric 0 pref medium
local fe80::a697:33ff:fedf:a62e dev wan table local proto kernel metric 0 pref medium
local fe80::a697:33ff:fedf:a62f dev br-lan table local proto kernel metric 0 pref medium
multicast ff00::/8 dev br-lan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev HwgS table local proto kernel metric 256 pref medium
multicast ff00::/8 dev wan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev SurfS table local proto kernel metric 256 pref medium
root@Router:~# service pbr status

pbr - environment
pbr 1.2.1-r87 on OpenWrt 25.12.0-rc5 r32673-482ba7230a.
Uplink (IPv4): wan/wan/89.36.70.1.

Dnsmasq version 2.91  Copyright (c) 2000-2025 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack no-ipset nftset auth DNSSEC no-ID loop-detect inotify dumpfile

pbr fw4 nft file: /usr/share/nftables.d/ruleset-post/30-pbr.nft
add chain inet fw4 pbr_dstnat {}
add chain inet fw4 pbr_forward {}
add chain inet fw4 pbr_output {}
add chain inet fw4 pbr_prerouting {}

add rule inet fw4 dstnat jump pbr_dstnat
add rule inet fw4 mangle_prerouting jump pbr_prerouting
add rule inet fw4 mangle_output jump pbr_output
add rule inet fw4 mangle_forward jump pbr_forward

add rule inet fw4 pbr_forward meta mark & 0x00ff0000 != 0 return
add rule inet fw4 pbr_output meta mark & 0x00ff0000 != 0 return
add rule inet fw4 pbr_prerouting meta mark & 0x00ff0000 != 0 return
add chain inet fw4 pbr_mark_0x010000
add rule inet fw4 pbr_mark_0x010000  meta mark set (meta mark & 0xff00ffff) | 0x010000
add rule inet fw4 pbr_mark_0x010000 return
add chain inet fw4 pbr_mark_0x020000
add rule inet fw4 pbr_mark_0x020000  meta mark set (meta mark & 0xff00ffff) | 0x020000
add rule inet fw4 pbr_mark_0x020000 return

pbr chains - policies
chain pbr_forward { # handle 97
meta mark & 0x00ff0000 != 0x00000000 return # handle 930
}
chain pbr_output { # handle 98
meta mark & 0x00ff0000 != 0x00000000 return # handle 931
}
chain pbr_prerouting { # handle 99
meta mark & 0x00ff0000 != 0x00000000 return # handle 932
}
chain pbr_dstnat { # handle 96
}

pbr chains - marking
chain pbr_mark_0x010000 { # handle 107
meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 933
return # handle 934
}
chain pbr_mark_0x020000 { # handle 110
meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 935
return # handle 936
}

pbr nft sets

pbr tables & routing
IPv4 table main routes:
default dev SurfS proto static scope link
10.14.0.0/16 dev SurfS proto kernel scope link src 10.14.0.2
89.36.70.0/24 dev wan proto kernel scope link src 89.36.70.207
172.22.22.0/24 dev HwgS proto kernel scope link src 172.22.22.1
172.22.22.2 dev HwgS proto static scope link
178.239.163.73 via 89.36.70.1 dev wan proto static
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
IPv4 table main rules:
29998:      from all lookup main suppress_prefixlength 1
32766:      from all lookup main

IPv4 table 256 (pbr_wan) routes:
default via 89.36.70.1 dev wan
IPv4 table 256 (pbr_wan) rules:
29997:      from all sport 55443 lookup pbr_wan
30000:      from all fwmark 0x10000/0xff0000 lookup pbr_wan

IPv4 table 257 (pbr_SurfS) routes:
default via 10.14.0.2 dev SurfS
IPv4 table 257 (pbr_SurfS) rules:
29999:      from all fwmark 0x20000/0xff0000 lookup pbr_SurfS

root@Router:~#

doing that phone thing now :slight_smile:

I have disabled IPv6. :wink:

Some sneaky IoT devices try to bypass my rules.

Fing 8.8.8.8 100% packet loss.

I can easily disable Adguard home if it helps, you have to love a flashy interface :wink:

SNAT-WGserver from egc guide.

Are you saying you're testing locally? No, remote.

masq full loaded.

My bad: you have the default route via the VPN, so you also have to allow forwarding from the WG server zone to the WG client zone.

If that does not help, then add the following rule:

ip rule add  suppress_prefixlength 1 table main

How do I do that egc from luci?

SsVpn or HwgS?

In the firewall zone of the WG server, under "Allow forward to destination zones", add the zone of the WG client; you should already have LAN and WAN there.

Done rebooting fingers crossed…

At least it should be possible to ping from your phone; not sure about the DNS.

Thats ALL WORKING, Thank you egc :slight_smile: :slight_smile: :slight_smile:


Do I need to keep “SNAT-WGserver”

as I have a static IP, and no NAT as far as I know?

I don't think I do…

It is for seamless access to your clients on the LAN.
If they have their own firewall they might not allow traffic from other subnets, so no access from the WG server's subnet, and your phone might not get access to e.g. servers on the LAN.
It is IMO better to tweak the firewall of your local LAN client to allow traffic from 172.22.22.0/24, as that will give you the ability for access control and logging; but if you or other trusted persons are the only ones having access, then simple masquerading with the SNAT-WGserver rule is OK, and of course easier than tweaking the firewall on all local LAN clients you want to have access to :slight_smile:


Thank you again egc & lleachii

Now I am a happy bunny :slight_smile:
