WireGuard stops working when Android client is on the LAN

rpugsley · March 7, 2026, 10:19pm

I’m trying to use WireGuard on my Android phone with a single configuration that works both on my home LAN (Wi‑Fi) and on mobile data. When the phone is on mobile data, the tunnel works perfectly. When the phone is on the LAN, the tunnel works for a while and then wireguard crashes (no error messages) and keeps dead until reboot.

The strangest part is that this setup worked for more than a week even with an incorrect configuration (the LAN subnet was included in AllowedIPs on the router side). After rebooting the router, that configuration started behaving as expected and broke the LAN, but the original issue remained, the Android peer still stops working after some time whenever it’s on the LAN.

I’ve tried all correct configurations, including a single‑host /32 on the router side, the LAN subnet on the Android side, and even routing “everything except the LAN” on the client. The problem persists. Since WireGuard on OpenWrt has no daemon, there are no logs to help diagnose what’s happening.

My goal is simply to leave the Android device connected on WireGuard both on LAN and on mobile data. I’ll include my full configuration below. Any insight would be appreciated


config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option drop_invalid '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option src 'wan'
	option name 'Allow Wireguard'
	list proto 'udp'
	option dest_port '1234'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'DNAT Xbox'
	option src 'wan'
	option src_dport '49621'
	option dest_ip '192.168.120.20'

config redirect 'adblock_lan53'
	option name 'Adblock DNS (lan, 53)'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'
	option family 'any'

config rule 'adblock_lan853'
	option name 'Adblock DNS (lan, 853)'
	option src 'lan'
	option proto 'tcp udp'
	option dest_port '853'
	option target 'REJECT'
	option dest '*'

config rule 'adblock_lan5353'
	option name 'Adblock DNS (lan, 5353)'
	option src 'lan'
	option proto 'tcp udp'
	option dest_port '5353'
	option target 'REJECT'
	option dest '*'

config zone
	option name 'VPN'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'ProtonVPN_SG'
	list network 'ProtonVPN_RO'

config forwarding
	option src 'lan'
	option dest 'VPN'

config zone
	option name 'wireguard'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'
	list network 'wg0'

config forwarding
	option src 'wireguard'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'wireguard'

config forwarding
	option src 'wireguard'
	option dest 'wan'

config forwarding
	option src 'wireguard'
	option dest 'VPN'

config redirect 'adblock_wireguard53'
	option name 'Adblock DNS (wireguard, 53)'
	option src 'wireguard'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'
	option family 'any'

config rule 'adblock_wireguard853'
	option name 'Adblock DNS (wireguard, 853)'
	option src 'wireguard'
	option proto 'tcp udp'
	option dest_port '853'
	option target 'REJECT'
	option dest '*'

config rule 'adblock_wireguard5353'
	option name 'Adblock DNS (wireguard, 5353)'
	option src 'wireguard'
	option proto 'tcp udp'
	option dest_port '5353'
	option target 'REJECT'
	option dest '*'

config rule
    option name 'Block IPv6 for VPN clients'
    option src 'lan'
    option dest 'wan'
    option family 'ipv6'
    option target 'REJECT'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	list ports 'eth1'
	list ports 'eth2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.120.1'
	option netmask '255.255.255.0'
	list ip6class 'wan6'
	option ip6assign '64'

config interface 'wan'
	option device 'eth3'
	option proto 'dhcp'
	option peerdns '0'
	list dns '127.0.0.1'

config interface 'wan6'
	option device 'eth3'
	option proto 'dhcpv6'
	option force_link '1'
	option reqaddress 'force'
	option reqprefix '56'
	option norelease '1'
	option peerdns '0'
	list dns '::1'
	option ip6assign '64'
	list ip6class 'wan6'

config interface 'wg0'
	option proto 'wireguard'
	option listen_port '1234'
	option delegate '0'
	list addresses '10.14.0.1/24'

config wireguard_wg0
	option route_allowed_ips '1'
	option persistent_keepalive '10'
	option description 'Android'
	list allowed_ips '10.14.0.3/32'

anon63541380 · March 7, 2026, 10:24pm

You need a different subnet for wg subnet.

Please use the "Preformatted text </>" button for logs, scripts, configs and general console output (red circle; this works best in the 'Markdown' composer view in the blue oval):

psherman · March 7, 2026, 10:27pm

Did you remove the keys for redaction purposes? If not, they’re missing and that is a problem.

rpugsley · March 7, 2026, 10:28pm

yes. keys were removed

psherman · March 7, 2026, 10:57pm

Ok. What is the output of wg show

rpugsley · March 9, 2026, 6:08am

Got it working on 25.12 after a fresh install. Yay!

system · March 19, 2026, 6:08am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.