Wireguard & PBR problem

Hello,

I have a wireguard client (Surfshark vpn) on:

Listen Port 51820

IP Address 10.14.0.2/16

peer ip address 0.0.0.0/0

Runs fine.

I am trying to run a wireguard Server (HomeWgServer) on:

Listen Port 51810

peer ip address 172.16.1.2/32

IP Address 172.16.1.1/24

Runs fine if I am on the same network (wifi), but does not work at all if I am using the mobile data network!

I have a fixed ip address on my home network.

From what I have read and believe, I need to install and use PBR and luci-app-pbr, which I have installed.

I just have not got a clue what I am doing with it!

I think I need to open a route from listen port 51810 to my WAN port, but I have messed about for days and I'm no closer.

I hope one of you can show me what I need to do, as I have never used PBR before?

Thanks for any help you can give me, my very small brain is fried now.

Peer IP address (invalid as a host address), or "Allowed IPs" (traffic allowed to traverse the tunnel)?

That's from Surfshark's config file.

[Interface]
Address = 10.14.0.2/16
PrivateKey = *
DNS = 162.252.172.57, 149.154.159.92
[Peer]
PublicKey = *
AllowedIPs = 0.0.0.0/0
Endpoint = uk-lon.prod.surfshark.com:51820

And seems to run just fine.

Remove the listen port on the WG client!

The WireGuard server will be automatically routed back via the WAN, so with only installing the PBR app that should start to work.

Do you want most of the traffic going via the surfshark VPN or via the WAN?

For the record, how I set up a WireGuard client:
WireGuard Client Setup Guide

It can help if you show us your configs. Please connect to your OpenWrt device using ssh, copy the output of the following commands and post it here using the "Preformatted text </>" button.

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have but do not redact private RFC 1918 IP addresses (192.168.X.X, 10.X.X.X and 172.16-32.X.X) as that is not needed:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
ip route show
ip -6 route show
ip route show table all
ip rule show
wg show
cat /etc/config/pbr
service pbr restart
service pbr status

I would like most of my traffic going via surfshark VPN.

I am doing as you said now.

In that case enable Route Allowed IPs on the Surfshark peer with 0.0.0.0/0 as Allowed IPs, and if you have IPv6 and Surfshark also supports IPv6, then also add 8000::/1 and 0::/1 as Allowed IPs to route all IPv6 via the Surfshark VPN.

For traffic you want to use the WAN, make rules in the PBR app:

I have disabled IPv6

OpenWrt 24.10.5, r29087-d9c5716d1d

root@Router:~# ubus call system board
{
"kernel": "6.6.119",
"hostname": "Router",
"system": "ARMv8 Processor rev 4",
"model": "Dynalink DL-WRX36",
"board_name": "dynalink,dl-wrx36",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "24.10.5",
"revision": "r29087-d9c5716d1d",
"target": "qualcommax/ipq807x",
"description": "OpenWrt 24.10.5 r29087-d9c5716d1d",
"builddate": "1766005702"
}
}

root@Router:~# cat /etc/config/network

config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fd6b:489c:e14a::/48'
option packet_steering '1'

config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'

config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
option ipv6 '0'
option delegate '0'

config interface 'wan'
option device 'wan'
option proto 'dhcp'
option peerdns '0'
list dns '192.168.1.5'
option ipv6 '0'

config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
option reqaddress 'try'
option reqprefix 'auto'
option norelease '1'
option peerdns '0'
list dns '192.168.1.5'

config interface 'SurfShark'
option proto 'wireguard'
option private_key ****
list addresses '10.14.0.2/16'
list dns '162.252.172.57'
list dns '149.154.159.92'

config wireguard_SurfShark
option description 'London'
option public_key ****
option private_key ****
list allowed_ips '0.0.0.0/0'
option route_allowed_ips '1'
option endpoint_host 'uk-lon.prod.surfshark.com'
option endpoint_port '51820'

config interface 'HomeWgServer'
option proto 'wireguard'
option private_key ****
option listen_port '51810'
list addresses '172.16.1.1/24'
list dns '192.168.1.5'

config device
option name 'HomeWgServer'

config wireguard_HomeWgServer
option description 'Pixel 10 Pro'
option public_key ****
option private_key ****
list allowed_ips '172.16.1.2/32'

root@Router:~# cat /etc/config/firewall

config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'

config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option mtu_fix '1'

config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'

config forwarding
option src 'lan'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config zone
option name 'SsVpn'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'SurfShark'
option masq '1'

config forwarding
option src 'lan'
option dest 'SsVpn'

config zone
option name 'HomeWgServerZone'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
option mtu_fix '1'
list network 'HomeWgServer'

config forwarding
option src 'HomeWgServerZone'
option dest 'wan'

config forwarding
option src 'lan'
option dest 'HomeWgServerZone'

config redirect
option dest 'lan'
option target 'DNAT'
option name 'HomeWgServer Forward'
option src 'wan'
option src_dport '51810'
option dest_ip '172.16.1.1'
option dest_port '51810'

root@Router:~# ip route show
default dev SurfShark proto static scope link
10.14.0.0/16 dev SurfShark proto kernel scope link src 10.14.0.2
89.36.70.0/24 dev wan proto kernel scope link src 89.36.70.207
172.16.1.0/24 dev HomeWgServer proto kernel scope link src 172.16.1.1
178.239.163.103 via 89.36.70.1 dev wan proto static
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
212.116.231.22 via 89.36.70.1 dev wan proto static

root@Router:~# ip -6 route show
fd6b:489c:e14a::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd6b:489c:e14a::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium

root@Router:~# ip route show table all
default via 89.36.70.1 dev wan table pbr_wan
172.16.1.0/24 dev HomeWgServer table pbr_wan proto kernel scope link src 172.16.1.1
192.168.1.0/24 dev br-lan table pbr_wan proto kernel scope link src 192.168.1.1
default dev SurfShark proto static scope link
10.14.0.0/16 dev SurfShark proto kernel scope link src 10.14.0.2
89.36.70.0/24 dev wan proto kernel scope link src 89.36.70.207
172.16.1.0/24 dev HomeWgServer proto kernel scope link src 172.16.1.1
178.239.163.103 via 89.36.70.1 dev wan proto static
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
212.116.231.22 via 89.36.70.1 dev wan proto static
local 10.14.0.2 dev SurfShark table local proto kernel scope host src 10.14.0.2
broadcast 10.14.255.255 dev SurfShark table local proto kernel scope link src 10.14.0.2
local 89.36.70.207 dev wan table local proto kernel scope host src 89.36.70.207
broadcast 89.36.70.255 dev wan table local proto kernel scope link src 89.36.70.207
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 172.16.1.1 dev HomeWgServer table local proto kernel scope host src 172.16.1.1
broadcast 172.16.1.255 dev HomeWgServer table local proto kernel scope link src 172.16.1.1
local 192.168.1.1 dev br-lan table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local proto kernel scope link src 192.168.1.1
fd6b:489c:e14a::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd6b:489c:e14a::/48 dev lo proto static metric 2147483647 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast fd6b:489c:e14a:: dev br-lan table local proto kernel metric 0 pref medium
local fd6b:489c:e14a::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
local fe80::a697:33ff:fedf:a62f dev br-lan table local proto kernel metric 0 pref medium
multicast ff00::/8 dev br-lan table local proto kernel metric 256 pref medium
multicast ff00::/8 dev HomeWgServer table local proto kernel metric 256 pref medium
multicast ff00::/8 dev SurfShark table local proto kernel metric 256 pref medium

root@Router:~# ip rule show
0:      from all lookup local
29998:  from all sport 51810 lookup pbr_wan
29999:  from all sport 51820 lookup pbr_wan
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wan
32766:  from all lookup main
32767:  from all lookup default

root@Router:~# wg show
interface: HomeWgServer
public key: ****
private key: (hidden)
listening port: 51810

peer: ****
allowed ips: 172.16.1.2/32

interface: SurfShark
public key: ****
private key: (hidden)
listening port: 35565

peer: *****
endpoint: 178.239.163.103:51820
allowed ips: 0.0.0.0/0
latest handshake: 1 minute ago
transfer: 9.62 MiB received, 789.11 KiB sent

root@Router:~# cat /etc/config/pbr

config pbr 'config'
option enabled '1'
option verbosity '2'
option strict_enforcement '1'
option resolver_set 'dnsmasq.nftset'
list resolver_instance '*'
option ipv6_enabled '0'
list ignored_interface 'vpnserver'
option rule_create_option 'add'
option procd_boot_trigger_delay '5000'
option procd_reload_delay '1'
option webui_show_ignore_target '0'
option nft_rule_counter '0'
option nft_set_auto_merge '1'
option nft_set_counter '0'
option nft_set_flags_interval '1'
option nft_set_flags_timeout '0'
option nft_set_policy 'performance'
list webui_supported_protocol 'all'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'

config include
option path '/usr/share/pbr/pbr.user.dnsprefetch'
option enabled '0'

config include
option path '/usr/share/pbr/pbr.user.aws'
option enabled '0'

config include
option path '/usr/share/pbr/pbr.user.netflix'
option enabled '0'

config dns_policy
option name 'Redirect Local IP DNS'
option src_addr '192.168.1.5'
option dest_dns '1.1.1.1'
option enabled '0'

config policy
option name 'Ignore Local Requests'
option interface 'ignore'
option dest_addr '10.0.0.0/24 10.0.1.0/24 192.168.100.0/24 192.168.1.0/24'
option enabled '0'

config policy
option name 'Plex/Emby Local Server'
option interface 'wan'
option src_port '8096 8920 32400'
option enabled '0'

config policy
option name 'Plex/Emby Remote Servers'
option interface 'wan'
option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
option enabled '0'

root@Router:~# service pbr restart
Resetting chains and sets [✓]
Removing routing for 'wan/89.36.70.1' [✓]
Removing routing for 'SurfShark/10.14.0.2' [✓]
pbr 1.2.0-r6 (fw4 nft file mode) stopped [✓]
Using uplink interface (on_start): wan [✓]
Found uplink gateway (on_start): 89.36.70.1 [✓]
Processing environment (on_start) [✓]
Setting up routing for 'wan/89.36.70.1' [✓]
Setting up routing for 'SurfShark/10.14.0.2' [✓]
Installing fw4 nft file [✓]
Setting interface trigger for wan [✓]
Setting interface trigger for wan6 [✓]
Setting interface trigger for SurfShark [✓]
pbr 1.2.0-r6 monitoring interfaces: wan wan6 SurfShark
pbr 1.2.0-r6 (fw4 nft file mode) started with gateways:
wan/89.36.70.1
SurfShark/10.14.0.2 [✓]
WARNING: Incompatible DHCP Option 6 for interface lan: 192.168.1.5.
WARNING: Warnings encountered, please check https://docs.openwrt.melmac.ca/pbr/1.2.0/#WarningMessagesDetails.

root@Router:~# service pbr status

pbr - environment
pbr 1.2.0-r6 installed on OpenWrt 24.10.5.

Dnsmasq version 2.90  Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack no-ipset nftset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile

pbr fw4 nft file: /usr/share/nftables.d/ruleset-post/30-pbr.nft
add chain inet fw4 pbr_mark_0x010000
add rule inet fw4 pbr_mark_0x010000  mark set mark and 0xff00ffff xor 0x010000
add rule inet fw4 pbr_mark_0x010000 return
add chain inet fw4 pbr_mark_0x020000
add rule inet fw4 pbr_mark_0x020000  mark set mark and 0xff00ffff xor 0x020000
add rule inet fw4 pbr_mark_0x020000 return

pbr chains - policies
chain pbr_forward { # handle 46
}
chain pbr_input { # handle 47
}
chain pbr_output { # handle 48
}
chain pbr_postrouting { # handle 50
}
chain pbr_prerouting { # handle 49
}
chain pbr_dstnat { # handle 45
}

pbr chains - marking
chain pbr_mark_0x010000 { # handle 2046
meta mark set meta mark & 0xff01ffff | 0x00010000 # handle 2047
return # handle 2048
}
chain pbr_mark_0x020000 { # handle 2049
meta mark set meta mark & 0xff02ffff | 0x00020000 # handle 2050
return # handle 2051
}

pbr nft sets

pbr tables & routing
IPv4 table 256 pbr_wan route:
default via 89.36.70.1 dev wan
IPv4 table 256 pbr_wan rule(s):
29997:  from all sport 51810 lookup pbr_wan
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wan

IPv4 table 257 pbr_SurfShark route:
default via 10.14.0.2 dev SurfShark
IPv4 table 257 pbr_SurfShark rule(s):
29998:  from all fwmark 0x20000/0xff0000 lookup pbr_SurfShark
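The posted `ip rule show` and `ip route show table all` output explains the symptom: the main table's default route points into the SurfShark tunnel, so a WireGuard reply to a client on mobile data only leaves via the WAN because pbr's `sport 51810` rule sends it to table pbr_wan first. The following added example (not from the thread, nor pbr's own code) emulates the kernel's rule and table walk over the IPv4 lines posted above, using a constructed client address 203.0.113.7; `reply_path` shows the exit path with and without that rule.

```python
import ipaddress
import re

# Constructed sample: IPv4 lines from the thread's `ip rule show` / `ip route show table all`.
IP_RULES = """0:      from all lookup local
29998:  from all sport 51810 lookup pbr_wan
29999:  from all sport 51820 lookup pbr_wan
30000:  from all fwmark 0x10000/0xff0000 lookup pbr_wan
32766:  from all lookup main
32767:  from all lookup default
"""
IP_ROUTES = """default via 89.36.70.1 dev wan table pbr_wan
172.16.1.0/24 dev HomeWgServer table pbr_wan proto kernel scope link src 172.16.1.1
default dev SurfShark proto static scope link
172.16.1.0/24 dev HomeWgServer proto kernel scope link src 172.16.1.1
178.239.163.103 via 89.36.70.1 dev wan proto static
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
"""

def parse_rules(text):
    """[(priority, {'sport': N, 'fwmark': (value, mask)}, table)] sorted by priority."""
    rules = []
    for line in text.splitlines():
        sel = {}
        if m := re.search(r"\bsport (\d+)", line):
            sel["sport"] = int(m.group(1))
        if m := re.search(r"\bfwmark (0x[0-9a-f]+)/(0x[0-9a-f]+)", line):
            sel["fwmark"] = (int(m.group(1), 16), int(m.group(2), 16))
        rules.append((int(line.split(":")[0]), sel, line.split()[-1]))
    return sorted(rules, key=lambda r: r[0])

def parse_routes(text):
    """{table: [(network, dev, gateway or None)]}; a line without 'table' is in main."""
    tables = {}
    for line in text.splitlines():
        f = line.split()
        net = ipaddress.ip_network("0.0.0.0/0" if f[0] == "default" else f[0], strict=False)
        gw = f[f.index("via") + 1] if "via" in f else None
        table = f[f.index("table") + 1] if "table" in f else "main"
        tables.setdefault(table, []).append((net, f[f.index("dev") + 1], gw))
    return tables

def lookup(rules, tables, dst, sport=None, fwmark=0):
    """Kernel-style: first matching rule whose table has a route for dst wins (longest prefix)."""
    dst = ipaddress.ip_address(dst)
    for _, sel, table in rules:
        if ("sport" in sel and sel["sport"] != sport) or (
                "fwmark" in sel and (fwmark & sel["fwmark"][1]) != sel["fwmark"][0]):
            continue  # selector does not match; a table with no route also falls through
        hits = [r for r in tables.get(table, []) if dst in r[0]]
        if hits:
            return (table, *max(hits, key=lambda r: r[0].prefixlen)[1:])  # (table, dev, gw)
    return None

RULES, TABLES = parse_rules(IP_RULES), parse_routes(IP_ROUTES)

def reply_path(sport, with_sport_rule=True):
    """Exit path of a reply to a mobile client (constructed public IP 203.0.113.7)."""
    rules = RULES if with_sport_rule else [r for r in RULES if r[1].get("sport") != sport]
    return lookup(rules, TABLES, "203.0.113.7", sport=sport)
```

With the rule present the reply goes out `wan` via 89.36.70.1; with it removed the same packet would follow the main table into `SurfShark`, which is why the server only worked from the local wifi. On a live box with the full iproute2 package, `ip route get 203.0.113.7 ipproto udp sport 51810` asks the kernel the same question.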

Looking at your:

OpenWRT WireGuard Client Setup guide using LuCi

Now!

Remove option masq; mtu fix is usually also not needed.

Add the following to the Firewall:

config forwarding
option src 'HomeWgServerZone'
option dest 'lan'

Replace this:

With

config rule
	option name 'allow-51810'
	list proto 'udp'
	option src 'wan'
	option dest_port '51810'
	option target 'ACCEPT'

The above still shows a listen port on the Surfshark VPN. Note it does need an endpoint port on the peer but not a listen port.

It looks like you have already deleted that but did not reboot; in that case just reboot.

Furthermore it looks OK

I could not find where to put: option target 'ACCEPT'

but I did reboot after I sent you that list.

Still not working… Is it worth me deleting all the HomeWgServer stuff, zones and port-forwarding stuff, and starting again with your guide?

Sure, you can try that, but to be honest I would consider updating to 25.12 first; 24.10 is getting long in the tooth.

I am running the master build on my DL-WRX36 but that is for testing; 25.12 should be fine.

OK, thanks for your help EGC, you're a star!

My plan is to delete everything, update to 25.12, and then start a new project. I hope I won't have to bother you again.

Thank you again. You helped me before in the DD-WRT forum; you sure get about.

Good plan.
You know where to find us if you need help
