Wireguard Server on OpenWrt

Hi folks,
I am officially too dumb to configure WireGuard....
I only read forum entries like "It's easy to set up", "No effort at all..." or "Anyone can do it in minutes"...
Well, here I am struggling for 4 days now, right to the point where I only want to take the OpenWrt device and throw it out of the window.

But back to my problem
My Setup: OpenWrt (RC3) running on a Linksys E8450
The interfaces are set up:
wan: PPPoE, gets IPv4 and IPv6 from the provider correctly
lan: Static address 10.0.0.1/16
dmz: Static address 10.10.0.1/16 VLAN 10
wlan: Static address 10.20.0.1/16 VLAN 20
pwlan: Static address 10.30.0.1/16 VLAN 30
cobra: Static address 10.40.0.1/16 VLAN 40
cobraVPN: wireguard-VPN 10.50.0.1/16

I went through every piece of documentation or tutorial I could find, but I did not get the thing to work.
I am at a point where I can open a WireGuard tunnel, but the IP of the device is 169.254.x.x/16 and not in the 10.50 range I configured. Therefore I am unable to ping the 10.50.0.1 interface.
I am miles away from being able to connect to the server that is just waiting for me to connect at 10.40.0.2.

I take every hint...

It's not at all clear what you want to accomplish:

  • set up a wireguard roadwarrior 'server' on your router
  • set up some site2site VPN
  • connect to a commercial VPN service

90% of troubles with wireguard are misconfigured routing policies, so re-check those and make sure that they match what you want to achieve.

3 Likes

Wireguard operates at layer 3 which means, amongst other things, DHCP doesn't work over it. You have to assign addresses manually.

It would also help to see your config, please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

The wireguard config on remote devices would also be helpful to see.

3 Likes

A lot of good advice already provided…

I think it would make sense to describe what your goals are for each network. For example, what is the difference between wlan and pwlan? Do you really want your wlan to be an entirely different network than your regular lan? What is the purpose of cobra and cobraVPN? And what about dmz? Knowing what your goals for each network are will help us provide the best advice.

Another question… Why are all of these /16 subnets? This is unnecessary in the vast majority of cases, and also bad practice in some situations. /24 is the typical size of most home networks and is usually the recommended default unless you specifically need to use something else.

There are different wiki pages. But honestly, I find them really technical. They don't clarify anything for me beyond what I already imagine those things should do.

I personally skimmed over the wiki pages, but dropped them and used the UI instead. Worked flawlessly and really intuitively. At least for me, having a good background in networking, that is.

  • Your WireGuard devices need a local IP address. But that's for our routers to communicate. You seem to plan on 65'000 road warrior logins, or 65'000 remote sites you want to connect. That's at least what your /16 targets. Honestly: Forget about that!
  • Give your routers a single IPv4 address on the WireGuard link. That's either "10.0.50.1" or "10.0.50.1/32". Both are the same statement. Avoid the "and a whole lot of other IP addresses here" notion when dealing with VPN.
  • When you configure your peers, give them a single IP address as well. Your first peer can get the "10.0.50.2", or the "10.0.50.2/32". One single IP address.
  • Within the "allowed IPs", start with adding the one single IP address your peer has.
  • Same on the reverse side: Tell your peer to allow the one single IP address your OpenWRT has.
  • Make sure the "No host routes" checkbox on your routers configuration is not checked.
  • Tick the "Route Allowed IPs" checkbox on the peer configuration of your router.
  • Try starting with firewall zone "LAN". You can (and should) change that to a more limited setting afterwards, but while you're trying to get routing working, I'd start with no firewall restrictions.

This setting should allow your two peers to connect to each other and ping their respective IP addresses. 10.0.50.1 should be able to ping 10.0.50.2 and vice versa.

Now go and adjust your second, non-openwrt-device and add "10.0.0.1/16" to its "allowed IPs" list.
This will enable routing between your LAN and the connected VPN peer.

If that works, you should have an idea on how things should work.

1 Like

First I will try to explain what exactly I am trying to achieve.

ISP: I connect to my ISP using PPPoE. I get one IPv4 address and a /64 IPv6 subnet.
Let's keep IPv6 out of the picture for now, since I am trying to get a /58 subnet.

My Switch:
It is a managed MikroTik switch running SwOS. I plan to set up the switch to filter traffic on specific ports based on VLAN tags and to set up specific ports so they can only communicate with other specific ports later. As of now none of this is configured and the switch is using the default config.

My Networkzones:
WAN: My OpenWrt box is directly connected to a Fritzbox router with PPPoE passthrough enabled. The Fritzbox therefore basically acts only as a modem.
Using PPPoE passthrough seems to be the way to go, since it is the only way to prevent a double DNAT from happening.

LAN: My trusted home network. IP range 10.0.0.0/16, untagged. In this network all trusted devices connect to each other. There are more than 255 devices at the moment and the number is still growing, so I used a /16 subnet. Devices in this zone can access the Internet, DMZ and WLAN zones.

DMZ: IP range 10.10.0.0/16, VLAN 10. Servers running services that are accessible from the Internet, like my Plex server or the SiaCoin daemon. Devices in this network can access each other and the Internet, but not devices in other zones.

WLAN: IP range 10.20.0.0/16, VLAN 20. My private WLAN. All devices in this WLAN are trusted. Devices in this zone can access the Internet, DMZ, and LAN. I am still thinking about integrating this into the LAN network, so maybe this will be removed.

PWLAN: IP range 10.30.0.0/16, VLAN 30. My public WLAN for visitors. Devices in this zone can access the Internet.

CobraLAN: IP range 10.40.0.0/16, VLAN 40. My company workspace at home, running some dev environments on virtual servers. Devices in this zone can access the Internet.

CobraVPN: IP range 10.50.0.0/16, VLAN 50. IPs for devices connected via VPN. This is for connecting into the dev environment from anywhere. VPN connections should be able to be opened from the LAN zone and from the Internet. Devices in this zone can access the Internet and CobraLAN.

Basically, when I start my workday I want to open the VPN and only act inside my dev environment, regardless of whether I am sitting at home (LAN) or somewhere on a business trip (WAN). I do not want to connect two LANs, so I do not have a second router at the other end; I just want a device to be able to set up the VPN and act like a device inside the private network.

As requested here are the configs.
I did not change them at the console. I only used the GUI and tried to set up things.

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd18:254d:0d95::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.0.0.1'
        option netmask '255.255.0.0'
        option ip6assign '64'
        option ip6hint '0000'

config interface 'wan'
        option device 'wan'
        option proto 'pppoe'
        option username '<username>'
        option password '<password>'
        option ipv6 'auto'
        option ip6assign '64'
        option ip6hint 'FFFF'

config interface 'cobraVPN'
        option proto 'wireguard'
        option private_key '<privateKeyWG1>'
        option listen_port '51820'
        option delegate '0'
        list addresses '10.50.0.1/32'
        list addresses 'fd18:254d:d95:32::1/128'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '40'
        option name 'br-lan.40'

config interface 'cobraLAN'
        option proto 'static'
        option device 'br-lan.40'
        option ipaddr '10.40.0.1'
        option netmask '255.255.0.0'
        option ip6assign '64'
        option ip6hint '0028'

config wireguard_cobraVPN
        option description 'Bilal'
        option public_key '<publicKeyWG1>'
        option private_key '<privateKeyWG1>'
        option preshared_key '<presharedKey>'
        option route_allowed_ips '1'
        option endpoint_host '<ddns url>'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        list allowed_ips '10.50.0.1'
        list allowed_ips '10.50.0.2'

cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'MikroTik'
        option ip '10.0.0.2'
        option mac 'xx:xx:xx:xx:xx:xx'
        option hostid '::2'

config host
        option name 'AMATERASU'
        option ip '10.0.0.10'
        option mac 'xx:xx:xx:xx:xx:xx'
        option hostid '::10'

cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'cobraVPN'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Plex Server'
        list proto 'tcp'
        option src 'wan'
        option src_dport '32400'
        option dest_ip '10.0.0.10'
        option dest_port '32400'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Sia Coin'
        option family 'ipv4'
        list proto 'tcp'
        option src 'wan'
        option src_dport '9981-9985'
        option dest_ip '10.0.0.10'
        option dest_port '9981-9985'

config zone
        option name 'cobra'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'cobraLAN'

config zone
        option name 'cobraVPN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config forwarding
        option src 'cobraVPN'
        option dest 'wan'

config rule
        option name 'Allow-WireGuard'
        list proto 'udp'
        option src 'wan'
        option dest '*'
        option dest_port '51820'
        option target 'ACCEPT'

The WireGuard client config is copied from the GUI:

[Interface]
PrivateKey = <privateKeyWG1>
ListenPort = 51820

[Peer]
PublicKey = <PublicKeyWG1>
PresharedKey = <PresharedKey>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <ddns url>:51820
PersistentKeepAlive = 25

Firewall rules are far from finished. I did not touch them too much, since I haven't used iptables in ages and it still seems overcomplicated compared to setups like on WatchGuard firewalls.
So for the purpose of my problem please ignore the DMZ, WLAN and PWLAN zones, since they are just pre-created as placeholders for things to come.

1 Like

Thanks for the hint but I still got stuck with the same behavior. I wonder if RC3 is to blame.

According to the above configs, you have:

  • Specified the /32 and /128 netmasks for the VPN server address.
  • Assigned the VPN server interface to the WAN zone.

Please remind me which part of the OpenWrt wiki made you do this.

The part when I started to try out everything because nothing works...

Thanks for your comment.

1 Like

Update your settings according to the OpenWrt wiki.
Post the updated configs and runtime diagnostics if the issue persists.

No change at all. SURPRISE!!!!

But I managed to get the whole thing to work.
Since I followed the wiki to the letter... again, I can now tell exactly what I had to change for it to work. I hope I do not forget anything.

  1. When following the wiki the vpn interface ends up assigned to the lan firewall zone. I did change it to my cobra firewall zone (I did not need a dedicated cobraVPN firewall zone anyway)
  2. After doing this I did see the VPN under Status->WireGuard, but with an endpoint IP in my private LAN. I had to set the Endpoint Host in the WireGuard peer settings to 10.50.0.1 to enforce the correct endpoint.
  3. The client config, and therefore the QR code generated by the GUI, is not correct. I had to add Address = 10.50.0.2/16 in the Interface section for the client to get the correct IP in the right subnet; otherwise it got some default generic IP in the 169.x.x.x range.
  4. The generated traffic rule as stated in the wiki is wrong. When following the wiki I end up with a rule that forwards to "This device". This did not work; I had to change it to my cobra firewall zone. After that, pings to 10.50.0.1 finally started to work...
  5. Most importantly, the WireGuard service is very fragile on configuration changes. It stopped working occasionally when I changed WireGuard settings and even firewall settings, the traffic rule for example. I was forced to restart the network service after every change to ensure the WireGuard service is running and working.
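The server-side corrections that the thread converges on (a real prefix length on the tunnel address instead of /32, the tunnel interface moved out of the wan zone into the zone that holds cobraLAN, exactly one /32 per peer in allowed_ips with "Route Allowed IPs" on, and an input rule for UDP 51820 from wan rather than a forward rule, followed by a network restart) collected into one reviewable `uci batch`. This is an added example, not the original poster's configuration and not an OpenWrt project script. Assumptions: the VPN subnet is 10.50.0.0/24 rather than /16, there is a single peer named "bilal", the existing zone is called "cobra", the firewall zones and rules are anonymous sections as in the posted config (so they are looked up by their `name` option), and key material is supplied through environment variables; the `<...>` values are deliberate placeholders. The batch is only applied when the `uci` binary is present, so the script can be inspected on any machine.

```shell
#!/bin/sh
# Added example: server-side WireGuard road-warrior corrections for OpenWrt,
# expressed as one uci batch. Not the poster's config, not an OpenWrt script.
# Assumptions: 10.50.0.0/24 tunnel subnet, one peer, existing 'cobra' zone,
# anonymous zone/rule sections looked up by name, keys via environment.

: "${WG_IFACE:=cobraVPN}"           # UCI interface name; netifd names the netdev the same
: "${WG_ZONE:=cobra}"               # zone that already holds cobraLAN
: "${WG_PORT:=51820}"
: "${WG_SERVER_ADDR:=10.50.0.1/24}" # a real prefix: a /32 installs no route toward the peers
: "${WG_PEER_NAME:=bilal}"
: "${WG_PEER_IP:=10.50.0.2}"        # exactly one host per peer in allowed_ips
: "${WG_SERVER_KEY:=<serverPrivateKey>}"   # placeholders, replace before use
: "${WG_PEER_PUB:=<peerPublicKey>}"
: "${WG_PEER_PSK:=<presharedKey>}"

# section_id CONFIG NAME: resolve an anonymous section id such as @zone[2]
# from its 'name' option (the posted firewall config has no named sections).
section_id() {
    uci show "$1" | sed -n "s/^$1\.\([^.]*\)\.name='$2'\$/\1/p"
}

# server_uci_batch WAN_ZONE TARGET_ZONE [OLD_RULE]: print the batch so it can
# be reviewed; it is applied separately below.
server_uci_batch() {
    if [ -n "$3" ]; then
        # The posted Allow-WireGuard rule had dest='*', which makes it a
        # forward rule. The listener needs an input rule, so recreate it.
        echo "delete firewall.$3"
    fi
    cat <<EOF
set network.${WG_IFACE}=interface
set network.${WG_IFACE}.proto='wireguard'
set network.${WG_IFACE}.private_key='${WG_SERVER_KEY}'
set network.${WG_IFACE}.listen_port='${WG_PORT}'
delete network.${WG_IFACE}.addresses
add_list network.${WG_IFACE}.addresses='${WG_SERVER_ADDR}'
delete network.@wireguard_${WG_IFACE}[0]
delete network.${WG_PEER_NAME}
set network.${WG_PEER_NAME}=wireguard_${WG_IFACE}
set network.${WG_PEER_NAME}.description='${WG_PEER_NAME}'
set network.${WG_PEER_NAME}.public_key='${WG_PEER_PUB}'
set network.${WG_PEER_NAME}.preshared_key='${WG_PEER_PSK}'
set network.${WG_PEER_NAME}.route_allowed_ips='1'
add_list network.${WG_PEER_NAME}.allowed_ips='${WG_PEER_IP}/32'
del_list firewall.$1.network='${WG_IFACE}'
add_list firewall.$2.network='${WG_IFACE}'
set firewall.wg_in=rule
set firewall.wg_in.name='Allow-WireGuard'
set firewall.wg_in.src='wan'
set firewall.wg_in.proto='udp'
set firewall.wg_in.dest_port='${WG_PORT}'
set firewall.wg_in.target='ACCEPT'
set firewall.${WG_ZONE}_wan=forwarding
set firewall.${WG_ZONE}_wan.src='${WG_ZONE}'
set firewall.${WG_ZONE}_wan.dest='wan'
EOF
}

# Apply only on an OpenWrt box; elsewhere the functions above are just inspectable.
if command -v uci >/dev/null 2>&1; then
    server_uci_batch "$(section_id firewall wan)" \
                     "$(section_id firewall "$WG_ZONE")" \
                     "$(section_id firewall Allow-WireGuard)" | uci -q batch
    uci commit network && uci commit firewall
    # WireGuard settings only take effect after the interface is brought up again.
    /etc/init.d/network restart && /etc/init.d/firewall reload
    wg show "$WG_IFACE"            # latest handshake and allowed ips per peer
    ip route get "$WG_PEER_IP"     # must answer "dev cobraVPN", otherwise routing is still wrong
fi
```

The batch deletes the anonymous peer section that LuCI creates before adding the named one, so running it twice leaves a single peer. The `ip route get` check at the end is the quickest way to tell a missing route (the /32 symptom) from a firewall problem: if it already answers with the tunnel device, the remaining suspects are the zone assignment and the input rule.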

You are supposed to connect from outside, e.g. using a mobile ISP.

It works fine on a default OpenWrt setup when connecting from outside.

The rule in the wiki opens a port for the WireGuard server in the WAN zone.
Do not confuse port opening with port forwarding.

I recommend to use an automated script that generates the correct client profiles.

That sounds weird, but perhaps we have different criteria for fragility.

I assume you have never been in touch with IPsec :wink: WireGuard is a relief. A few years ago I moved multiple site-to-site VPNs (3 datacenters and 8 offices) to WireGuard in just a single day without any downtime, and later I was able to reconfigure everything on the fly after I discovered a configuration mistake, again without any downtime. From my experience this is just not possible with OpenVPN or IPsec... the stateless nature and simplicity of WireGuard is such an improvement in quality of life :sweat_smile:

2 Likes
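Point 3 of the list above (the exported client profile lacked an `Address` line, so the client came up with a 169.254.x.x address) and the later suggestion to generate client profiles with a script, as an added example that is neither the poster's profile nor LuCI's generator. It writes a wg-quick style profile with the `Address` line included and lints a profile before it is handed to a phone or laptop. Assumptions: 10.50.0.0/24 is the VPN subnet and 10.40.0.0/24 is cobraLAN (the thread argues for /24 over /16), the endpoint is a placeholder DDNS name, only IPv4 addresses are checked since the thread set IPv6 aside, and keys passed on the command line are 44-character base64 strings as `wg genkey` produces them.

```shell
#!/bin/sh
# Added example: generate and lint a WireGuard road-warrior client profile.
# Not the poster's profile and not LuCI's export. Assumptions: IPv4-only
# checks, 44-char base64 keys, placeholder endpoint and subnets.

# wg_client_conf CLIENT_PRIVKEY CLIENT_ADDR SERVER_PUBKEY PSK ENDPOINT ALLOWED_IPS
# ALLOWED_IPS decides split vs full tunnel: listing only the VPN and cobraLAN
# prefixes keeps ordinary traffic off the VPN, which is what "only act inside
# my dev environment" asks for; 0.0.0.0/0 sends everything through the router.
wg_client_conf() {
    cat <<EOF
[Interface]
PrivateKey = $1
Address = $2

[Peer]
PublicKey = $3
PresharedKey = $4
AllowedIPs = $6
Endpoint = $5
PersistentKeepalive = 25
EOF
}

# lint_profile FILE: print one line per problem, return 1 if any were found.
lint_profile() {
    f=$1; rc=0
    # Without Address the client brings the tunnel up with a link-local
    # 169.254.x.x address and can never reach 10.50.0.1.
    grep -q '^Address *= *[0-9][0-9.]*/[0-9][0-9]*$' "$f" \
        || { echo "Address missing or without prefix length"; rc=1; }
    # Redacted placeholders such as <privateKey> must never reach a device.
    ! grep -q '<[A-Za-z]*>' "$f" \
        || { echo "placeholder key material present"; rc=1; }
    # A 32-byte Curve25519 or preshared key is 43 base64 chars plus '='.
    for k in PrivateKey PublicKey PresharedKey; do
        grep -q "^$k *= *[A-Za-z0-9+/]\{43\}=\$" "$f" \
            || { echo "$k is not a 44-character base64 key"; rc=1; }
    done
    grep -q '^Endpoint *= *[^ ]*:[0-9][0-9]*$' "$f" \
        || { echo "Endpoint must be host:port"; rc=1; }
    grep -q '^AllowedIPs *= *.' "$f" \
        || { echo "AllowedIPs missing: nothing would be routed into the tunnel"; rc=1; }
    return $rc
}

# full_tunnel FILE: true when AllowedIPs routes all IPv4 traffic into the tunnel.
full_tunnel() {
    grep '^AllowedIPs' "$1" | grep -q '0\.0\.0\.0/0'
}

# Usage: sh wgclient.sh PRIV 10.50.0.2/24 SERVERPUB PSK vpn.example.org:51820 \
#            '10.50.0.0/24, 10.40.0.0/24' > client.conf && sh -c '. ./wgclient.sh; lint_profile client.conf'
if [ "$#" -ge 6 ]; then
    wg_client_conf "$@"
fi
```

The lint deliberately rejects the `<...>` placeholders that a redacted export carries, so a profile copied from a forum post or a half-filled template cannot be installed by accident, and `full_tunnel` makes the difference between the GUI's `0.0.0.0/0, ::/0` default and a split-tunnel profile visible before the first connection.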

this page will help you set up:

  • some info:

Wireguard config Situation:

Dynamic Public IP ISP to Dynamic Public IP ISP = No need to open any ports as long as both IPs are known and up to date in the config
Dynamic Public IP ISP to VPS = Firewall WireGuard port on VPS must be open
Mobile CG-NAT ISP to VPS = Firewall WireGuard port on VPS must be open
Mobile CG-NAT ISP to Dynamic Public IP ISP = Firewall WireGuard port on the Dynamic Public IP client must be open/forwarded

Everything else is straightforward with WireGuard configuration and it just works.

With the exception of CG-NAT to CG-NAT, you will need to have a middle device with public accessible IP which can be a VPS or a Dynamic Public IP from ISP.

I think you misunderstood. It's not that the client came from the LAN zone, but the WireGuard endpoint on the server side got an IP from the LAN subnet, which was wrong.

The tutorial might work or not if you only have WAN and LAN subnetworks to care for. But as soon as you have more subnetworks than that, it seems you have to explicitly tell the WireGuard service which subnet to use.

Looking back, I think that the tutorial should be extended for setups with multiple subnets and multiple firewall zones. This is where every tutorial I found starts to mess things up.

As long as I did not touch the rule, pings to the WireGuard endpoint on the server side and to the servers running in the cobra subnet did not work. Only after changing this rule did pings start to work. I worked this out by trial and error. I have absolutely no idea why that is the case here.

That how-to is not limited by the number of pre-configured interfaces, subnets, or zones.
Only a significantly modified setup may require some adjustment, but supporting that is beyond the scope of the how-to format.
By the way, I don't see any particular reason why this wouldn't work for your router as long as you proceed carefully to avoid human-related errors.
You can change the zone of the VPN interface at any time after testing the basic functionality.

To be honest, I'm not sure that I understand the issue correctly, but I don't remember anything like that over the years on this forum.
However, we can take a look deeper into the problem if it is actually reproducible.
