WireGuard Routing Problem?

I have a WireGuard site-to-site connection to an external Fritz!Box.

The tunnel is established, but I'm always missing a route that I have to configure statically. I thought that wasn't necessary. My question is, is it normal that I have to create a static route myself?

config interface 'BaehrchensFB'
	option proto 'wireguard'
	option private_key 'secret'
	list addresses '192.168.15.1/24'
	list dns '192.168.178.1'

config wireguard_BaehrchensFB
	option description 'Imported peer configuration'
	option public_key 'secret'
	option preshared_key 'secret'
	list allowed_ips '192.168.178.0/24'
	list allowed_ips '192.168.10.0/24'
	list allowed_ips '192.168.11.0/24'
	list allowed_ips '192.168.12.0/24'
	option persistent_keepalive '25'
	option endpoint_host 'fritzbox_ip_address'
	option endpoint_port '51703'

Why do I have to create the following route statically? Can anyone help?

config route
	option interface 'BaehrchensFB'
	option target '192.168.178.0'
	option netmask '255.255.255.0'
	option gateway '0.0.0.0'
	option name 'BaehrchensFB'

If you set option route_allowed_ips '1' in the peer config, the routes should automatically populate. Have you tried that?

If I do that, my OpenWrt router becomes unreachable. I have to put it into failsafe mode and then remove the option again.

config interface 'BaehrchensFB'
	option proto 'wireguard'
	option private_key 'secret'
	list addresses '192.168.15.1/24'
	list dns '192.168.178.1'

config wireguard_BaehrchensFB
	option description 'Imported peer configuration'
	option public_key 'secret'
	option preshared_key 'secret'
	list allowed_ips '192.168.178.0/24'
	list allowed_ips '192.168.10.0/24'
	list allowed_ips '192.168.11.0/24'
	list allowed_ips '192.168.12.0/24'
	option persistent_keepalive '25'
	option endpoint_host 'fritzbox_ip_address'
	option endpoint_port '51703'
	option route_allowed_ips '1'

Let’s see the complete config:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):

Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

I'm sorry, I can't do that because there are far too many lines, as I use many VPNs with PBR.

OK. Well, without the complete config, nobody will be able to help you identify the problem. My recommendation would be to disable PBR and all of the other VPNs so you don’t have all of those variables in play. Get it working as a minimal configuration, then methodically enable the other VPNs and PBR with only slight changes between tests until you identify the root cause.

Good luck!!

This was the right way:

config interface 'BaehrchensFB'
	option proto 'wireguard'
	option private_key 'secret'
	list addresses '192.168.15.1/24'
	list dns '192.168.178.1'
	option route_allowed_ips '1'  <------

Thanks for the inspiration.
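
An added example, not part of the thread or any poster's code: a small shell check that compares a WireGuard interface's allowed IPs against the routes bound to that interface, so a missing route like the one discussed above shows up directly. The sample inputs are constructed, the function name is hypothetical, and the match is exact-prefix only (a broader covering route is not counted).

```sh
#!/bin/sh
# missing_routes ALLOWED ROUTES
#   ALLOWED: text in the format of `wg show <iface> allowed-ips`
#            (peer public key, a tab, then space-separated prefixes)
#   ROUTES:  text in the format of `ip -4 route show dev <iface>`
#            (destination prefix is the first field of each line)
# Prints every allowed prefix that has no exact-match route, one per line.
missing_routes() {
    allowed=$1
    routes=$2
    # Collect the destination prefix of every route line.
    have=$(printf '%s\n' "$routes" | awk 'NF { print $1 }')
    # Field 1 is the peer key; fields 2..NF are that peer's allowed prefixes.
    printf '%s\n' "$allowed" |
    awk 'NF { for (i = 2; i <= NF; i++) print $i }' |
    while read -r prefix; do
        # wg prints "(none)" for a peer without allowed IPs.
        [ "$prefix" = "(none)" ] && continue
        printf '%s\n' "$have" | grep -qxF -- "$prefix" || printf '%s\n' "$prefix"
    done
}

# Constructed sample: the four allowed_ips from the peer section above,
# with a placeholder instead of a real public key.
SAMPLE_ALLOWED=$(printf 'CONSTRUCTEDPEERKEY=\t192.168.178.0/24 192.168.10.0/24 192.168.11.0/24 192.168.12.0/24')

# Constructed sample: the tunnel subnet plus the single static route
# from the first post; the other three prefixes have no route.
SAMPLE_ROUTES='192.168.15.0/24 proto kernel scope link src 192.168.15.1
192.168.178.0/24 proto static scope link'

echo "Allowed prefixes without a route (constructed sample):"
missing_routes "$SAMPLE_ALLOWED" "$SAMPLE_ROUTES"

# On the router itself the same function can be fed live data:
#   missing_routes "$(wg show BaehrchensFB allowed-ips)" \
#                  "$(ip -4 route show dev BaehrchensFB)"
```

Running it before and after a config change shows whether the routes for the peer's allowed IPs were actually installed.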
