Wireguard on a secondary router

I'm trying to setup a Wireguard server at home on a secondary router running Openwrt.
I've already lost endless hours trying to set this up, searching all kinds of forums, and no go...
I've had DD-WRT on this router, and wireguard worked fine.
I also have a Unraid server running Wireguard and it works fine.
So this is my setup:
Main router is ISP router which provides DHCP: IP
My OpenWRT router has IP and runs as a dumb AP (no DHCP, and firewall, dnsmasq and odhcpd are disabled).
I already established handshakes between my mobile (peer) and my Openwrt router, so keys and port forwarding are ok.
For this I forwarded port 51821 to 51820 (51820 is already being used for Unraid).
I've addedd wg0 to LAN as I've seen from various settings.
I'll paste here my network settings:

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'REDACTED'
	option listen_port '51820'
	list addresses ''

config wireguard_wg0
	option description 'Telemovel'
	list allowed_ips ''
	option route_allowed_ips '1'
	option public_key 'REDACTED'

I've made no changes to my firewall, since it's disabled. But I've managed to connect to my SSH server (I also run a SFTP server on my openwrt router) by adding a traffic rule allowing all UDP traffic, from WAN to LAN to port 51820, but couldn't connect to internet, Samba share or other computers on my Openwrt router, so I removed that rule.
I believe I have to create some rule, ou route, or something similar, but I can't find what... Most guides I follow assume OpenWRT as main router, but mine is a secondary router, setup as a dumb AP.
I also tried to follow the settings from my Unraid server, but those aren't applied to Openwrt. Can someone help with this?


I'm assuming your client is a road warrior (laptop or phone) that holds the one IP and does not have its own LAN behind it.

In the remote client, you need a route to your LAN via Or perhaps the whole Internet via if that is your intention for the client to use your home Internet connection. Allowed_ips on the client should correspond to all the routes, thus the route_allowed_ips feature should be enabled on the client.
Client configuration:
wg0 IP (note this is /24 so that .1 is in the subnet)
allowed_ips (or
route_allowed_ips 1

Next since the wireguard server is not the main router in the house, a request for the LAN (or the Internet) will end up at the main router from, and so far it does not know how to route the reply. Thus you need a route on the main router to send VPN traffic back through the OpenWrt router: via

Your choice of .254 for the main router and .1 for a LAN appendage device is unconventional-- usually it is the opposite. But of course this will work as long as you stay consistent.

1 Like


On the client side I have those settings, with allowed_ips ::/0.

This is a major issue because my ISP router doesn't have that enabled, I think it's on purpose. And I've already read several complaints about that and they can't get to a competent support that opens that route. What I've read is that I can double NAT, but that will get me all sorts of issues.
But my Unraid server works perfectly without double NAT, I think... I've selected the option "Local server uses NAT", and in configurations I see this:

PostUp=logger -t wireguard 'Tunnel WireGuard-wg0 started'
PostUp=iptables -t nat -A POSTROUTING -s -o br0 -j MASQUERADE
PostDown=logger -t wireguard 'Tunnel WireGuard-wg0 stopped'
PostDown=iptables -t nat -D POSTROUTING -s -o br0 -j MASQUERADE

How can I translate this to "OpenWRT language"?

I chose to do this because I flash my Openwrt router frequently, and it always defaults to, so to avoid IP's conflicts I set my main router to the last available IP. :slight_smile:

Thank you for your help.

1 Like

Not really. It's not the best choice, but if you cannot avoid it...

Yes, you'll have to NAT into the LAN since without being able to install an additional route, the only IPs the main router can route the Internet back to are those of the LAN.

If it were only LAN access you could potentially install a route to the tunnel on every LAN device of interest but that isn't real practical.

The main downside of this is that the LAN can't easily initiate a connection to the road warrior. But that is often not desirable anyway.

NAT on the outside of a Wireguard tunnel is not a problem at all since everything inside the tunnel is single hop regardless of how many times the outer packets have been NATd.

If you reset your dumb AP to defaults be sure to disable its DHCP server before putting it on the network, because incorrect DHCP can break the network in a way that will require restarting the connection on every affected device.

1 Like

Usually I don't do that because I flash it while connected to the LAN, but luckily it hasn't given me any issues, and I if does I don't have that many devices connected, it's not a big issue to restart them.

If anyone could show me how to set this up in my OpenWRT router (Wireguard with NAT), or direct me to where I can see how it's done, I'd appreciate. So far all I've seen looks too complex and I don't no if it aplies to me. Last time I tried something similar I lost connection to my router. Had to reset and start all over.

NAT is a feature of the firewall system, so the first thing to do is re-enable the firewall. SInce the default firewall rules are to allow everything on the lan network, this should not break connectivity.

The original dumb AP has one network, lan. Then you've added a second network, the wireguard tunnel. Make a new firewall zone for the wg0 interface and allow forwarding wireguard --> lan. Then enable NAT (masquerade) on the lan zone. Now when packets are forwarded to the LAN from the road warrior, they will be converted to have the router's LAN address, then sent to a LAN device or the main router.

A common rookie mistake is to think that NAT should be enabled on the source zone (wireguard). It doesn't work that way. Enable NAT on the destination zone (lan).

I knew it would be a very simple solution, but I just couldn't get there. Thank you very much!! I have internet and can reach all my LAN devices now.

Is this how I should have done it? I mean, it's working now, but...

config zone
	option name 'Wireguard'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wg0'

config forwarding
	option src 'Wireguard'
	option dest 'lan'

Just a question: what sort of issues can I expect by enabling Masquerade on lan zone? I didn't even know that Masquerade is the same as NAT...

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.