Wireguard on Pi + OpenWRT LAN

I wonder if it's possible to use Wireguard within a Raspberry Pi attached to LAN via OpenWRT.

Currently I can use the VPN, but I can't connect users to each other, and the overall network is super slow, probably because of a misconfiguration.

My use case is keeping local apps available to WireGuard clients, on the LAN and over the WAN when I'm out.

I searched the forum, but the common case is installing WireGuard on OpenWrt itself, and that's different from my case.

Please tell me which logs and config files I need to share.

Yes. I do this in my own network. Specifically, I have OpenWrt on my Pi4, and Wireguard runs on that. This is what I'd recommend.

Does this mean your VPN is currently running on the main router, or on the Pi? If the main router is running Wireguard and it is slow, there could be a few possible reasons for that -- internet speeds, router's abilities (how powerful is the CPU) and/or misconfiguration (or non-ideal configs).

I'm not sure I understand your goal here, could you try to provide one or more specific examples to make sure I'm sync'd? Regardless, if this is an inbound VPN, yes, it's possible and we should be able to make it work.


My VPN is actually running on the Pi; OpenWrt should handle the port forwarding and firewall rules to enable the shared apps.

Sure, thanks for pointing this out.

I'm self-hosting apps for notes, files and photos, and I want to access them from outside my LAN (through the WireGuard VPN) :slight_smile:

The tricky part for me was that I found plenty of guides about installing the WireGuard VPN on OpenWrt, and that doesn't fit my use case...

And of course, I'm learning and kind of a newbie here.

Ok. Let's see if we can figure out what's happening.

First:

  • Is the pi running OpenWrt?
  • And is the main router running OpenWrt?

Let's see the configs for OpenWrt devices:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

Nope, but WireGuard.

Yes it is.

That's how my configuration looks; if I turn off the VLAN switch, I lose internet:

# /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'XXX::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.10.100'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway 'IP'

config device
        option name 'eth0.2'
        option macaddr 'XXX'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

config interface 'vpn'
        option proto 'wireguard'
        option private_key 'XXX'
        list addresses '10.0.0.3/24'
        list dns '10.1.0.1'
        option mtu '1380'

config wireguard_vpn
        option description 'Imported peer configuration'
        option public_key 'XXX'
        option preshared_key 'XXX'
        option endpoint_host 'my.domain'
        option endpoint_port '51820'
        list allowed_ips '192.168.10.0/24'
        list allowed_ips '10.1.0.0/24'

# /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'vpn'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        list network 'wan'
        list network 'wan6'
        option mtu_fix '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'vpn'
        list proto 'tcp'
        option src 'wan'
        option src_dport '443'
        option dest_port '51280'

config forwarding
        option src 'lan'
        option dest 'wan'

WireGuard is working but super slow, probably because of the VLAN settings, so I'm looking for a good config here :melting_face:

I'm on an Archer C7, resolving DNS from the Pi too, to free up router resources.

Sorry.. I'm a bit confused... is the Pi on the router's lan? If so, why do you have Wireguard on the Pi connecting to the router?

So what OS is the Pi running? Raspberry Pi OS? Ubuntu? Something else?

How is the router connected to the upstream/internet? If you're using the wan, you should remove the gateway below. If you're using the lan as the upstream (i.e. 192.168.10.x is the address of an upstream router), you need to have a DNS here:

What traffic do you want to send through the tunnel? And is the Wireguard on the router acting as a server (listening for inbound connections) or a client (initiating an outbound connection)?

You need to delete the 192.168.10.0/24 -- that will cause a problem:

This looks wrong... why is this here?


Yes it is.

I've installed WireGuard on the router to enable access between my LAN users; is that not necessary?

Linux.

Done.

I don't know if I understand your question properly, I want to use local apps on my local devices (on LAN and my VPN) as described.

May I know how can I get this information?

I'm a bit confused about installing Wireguard like this setup on OpenWRT.

Done.

Failed trial and error; I removed it.

With the modifications you shared, the VPN stopped working. I can check my IP displayed on the Internet.

Is the OpenWrt device connected directly to the internet? There's no other routers or devices being used?

No.

Do you have wireguard set up on the Pi? If so, what's the config file?

Could you describe the purpose of the Pi on your network? And maybe provide a topology diagram that shows the key pieces of network infrastructure?

If the Pi and the router are both on the same network, there is no need for a VPN between them. I'm still a bit unclear about where the endpoints are for the VPN and what you are trying to achieve. Specifically, VPN configurations usually fall into 3 broad categories:

  1. Inbound (server) to allow remote access to a network (and it can also be used to tunnel all traffic back through that network's ISP; useful if you are traveling and/or are using networks that you cannot trust).
  2. Outbound (client) to connect to a remote network (for remote access and/or traffic tunneling) and/or a VPN service (usually for tunneling traffic for various purposes such as privacy/security/geo-ip/censorship).
  3. Site-to-Site connects two sites together that need to connect to each other via the internet.

What is your goal in your network?

Yes, it is. WAN port with DHCP is working.

Thanks, removed. WireGuard works far better on the Pi; OpenWrt (on the router) should firewall and manage traffic, but first I need it working with the Pi.

I described that I want to access internal IP address using the VPN outside my LAN.

VPN is there for privacy/security as well and because of that I tried to use it on OpenWRT.

Ok.... so the remote endpoint is outside your network... I assume coming from the internet, right?

Depending on the specifics of what rules you want in the firewall, you may find that the Pi needs to be properly configured such that it doesn't masquerade the tunnel. The upstream router, in turn, needs both a static route and firewall rules to govern the connection. If the Pi masquerades the tunnel, you will find yourself significantly limited in terms of the firewall rules that can be implemented on your router (they could still potentially be configured on the Pi, but that would be an exercise outside the scope of OpenWrt).

That said, going back to this:

Is there a reason you need to run what I assume is a 'big distro' (i.e. Ubuntu, Debian, etc.) on your Pi? Could you instead run OpenWrt on the Pi? If so, we can help you configure the Pi (with OpenWrt) with Wireguard and also the appropriate routing and firewall rules on either the Pi or the main router.
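To make the three points from the earlier reply (the gateway on lan while wan is the DHCP upstream, the 192.168.10.0/24 entry in allowed_ips, and the odd redirect) and the routing point above concrete, here is an added config checker; it is not from any post in this thread. It parses the two UCI files with a minimal parser, flags those issues, and reports whether the router has the static route and the UDP DNAT to the Pi that it needs when the Pi does not masquerade the tunnel. The Pi's LAN address (192.168.10.2), the tunnel subnet (10.1.0.0/24) and the gateway value in the trimmed sample are assumptions, since they were redacted or never given in the thread; 51820 is WireGuard's default port and the endpoint_port in the posted config.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the router config posted in this thread,
# with the redacted gateway replaced by an assumed value.
NETWORK_SAMPLE = """
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.10.100'
        option netmask '255.255.255.0'
        option gateway '192.168.10.1'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'

config interface 'vpn'
        option proto 'wireguard'
        option private_key 'REDACTED'
        list addresses '10.0.0.3/24'
        option mtu '1380'

config wireguard_vpn
        option public_key 'REDACTED'
        option endpoint_host 'my.domain'
        option endpoint_port '51820'
        list allowed_ips '192.168.10.0/24'
        list allowed_ips '10.1.0.0/24'
"""
FIREWALL_SAMPLE = """
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'vpn'
        list proto 'tcp'
        option src 'wan'
        option src_dport '443'
        option dest_port '51280'
"""
PI_LAN_IP = "192.168.10.2"     # assumption: the Pi's address on the LAN
TUNNEL_SUBNET = "10.1.0.0/24"  # assumption: the WireGuard subnet the Pi serves
WG_PORT = 51820                # WireGuard default, and the posted endpoint_port


def parse_uci(text):
    """Minimal UCI parser: list of {type, name, opts}; opts maps key -> [values]
    for both 'option' and 'list' lines (single-quoted values only)."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"config\s+(\S+)(?:\s+'([^']*)')?\s*$", line)
        if m:
            cur = {"type": m.group(1), "name": m.group(2), "opts": defaultdict(list)}
            sections.append(cur)
            continue
        m = re.match(r"(?:option|list)\s+(\S+)\s+'(.*)'\s*$", line)
        if m and cur is not None:
            cur["opts"][m.group(1)].append(m.group(2))
    return sections


def route_net(opts):
    """Network of a 'config route' section: target as CIDR, or target + netmask."""
    target = opts.get("target", [None])[0]
    if target is None:
        return None
    if "/" not in target and opts.get("netmask"):
        target = f"{target}/{opts['netmask'][0]}"
    return ipaddress.ip_network(target, strict=False)


def lint(network_text, firewall_text, pi_lan_ip, tunnel_subnet, wg_port=WG_PORT):
    """Return a list of human-readable findings for a router in front of a WireGuard Pi."""
    net, fw, findings = parse_uci(network_text), parse_uci(firewall_text), []
    ifaces = {s["name"]: s["opts"] for s in net if s["type"] == "interface"}
    lan, wan = ifaces.get("lan", {}), ifaces.get("wan", {})

    # 1. A gateway on lan competes with the default route wan learns via DHCP.
    if lan.get("gateway") and wan.get("proto") == ["dhcp"]:
        findings.append("lan: 'option gateway' set while wan is the DHCP upstream; remove it")

    # 2. A peer whose allowed_ips covers the router's own LAN pulls LAN traffic into the tunnel.
    lan_net = None
    if lan.get("ipaddr") and lan.get("netmask"):
        lan_net = ipaddress.ip_network(f"{lan['ipaddr'][0]}/{lan['netmask'][0]}", strict=False)
    for s in net:
        if s["type"].startswith("wireguard_"):
            for cidr in s["opts"].get("allowed_ips", []):
                if lan_net and ipaddress.ip_network(cidr, strict=False).overlaps(lan_net):
                    findings.append(f"{s['type']}: allowed_ips {cidr} overlaps local lan {lan_net}")

    # 3. A DNAT that hands WireGuard to the Pi must be UDP, the right port, and have a dest_ip.
    pi_reachable = False
    for s in fw:
        if s["type"] != "redirect" or s["opts"].get("target", ["DNAT"])[0] != "DNAT":
            continue
        o, name = s["opts"], s["opts"].get("name", ["?"])[0]
        protos = {p for v in o.get("proto", ["tcp udp"]) for p in v.replace("tcpudp", "tcp udp").split()}
        dport, dest_ip = o.get("dest_port", [None])[0], o.get("dest_ip", [None])[0]
        if "udp" not in protos:
            findings.append(f"redirect {name}: WireGuard is UDP only, proto is {sorted(protos)}")
        if dport != str(wg_port):
            findings.append(f"redirect {name}: dest_port {dport} does not match WireGuard port {wg_port}")
        if dest_ip is None:
            findings.append(f"redirect {name}: no dest_ip; the WireGuard host is the Pi at {pi_lan_ip}")
        if "udp" in protos and dport == str(wg_port) and dest_ip == pi_lan_ip:
            pi_reachable = True
    if not pi_reachable:
        findings.append(f"no redirect delivers udp/{wg_port} from wan to {pi_lan_ip}")

    # 4. If the Pi does not masquerade, the router needs a static route for the tunnel via the Pi.
    tnet = ipaddress.ip_network(tunnel_subnet)
    routed = False
    for s in net:
        if s["type"] == "route":
            n = route_net(s["opts"])
            if n and n.supernet_of(tnet) and s["opts"].get("gateway", [None])[0] == pi_lan_ip:
                routed = True
    if not routed:
        findings.append(f"no static route for {tunnel_subnet} via {pi_lan_ip}; add one or the Pi must masquerade the tunnel")
    return findings


if __name__ == "__main__":
    for f in lint(NETWORK_SAMPLE, FIREWALL_SAMPLE, PI_LAN_IP, TUNNEL_SUBNET):
        print("-", f)
```

Run it against the two posted files (after redaction) by pasting them into the two sample strings; on the trimmed sample it reports seven findings, and a corrected pair (gateway removed, LAN entry dropped from allowed_ips, a UDP 51820 redirect to the Pi with dest_ip set, and a `config route` for the tunnel subnet via the Pi) reports none.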

The remote endpoint is a DDNS, my updated public IP.

There is no upstream router on Starlink bypassed. There is no configuration there.

No, I'm running OpenWRT on my dedicated router. Pi is managing everything else.

Nothing worked, I continue here:
