Wireguard works from LAN but not from WAN

I have a wg-server set up. Here's the relevant bit from /etc/config/network:

config interface 'wan_isp'
        option proto 'dhcp'
        option metric '10'
        option device 'eth1.20'

config interface 'wg_server'
        option proto 'wireguard'
        option private_key '***'
        list addresses ''
        option listen_port '51820'

config device
        option name 'wg_server'
        option acceptlocal '1'
        option ipv6 '0'

config wireguard_wg_server
        option description 'z-flip-4'
        option public_key '***'
        option private_key '***'
        option preshared_key '***'
        option route_allowed_ips '1'
        list allowed_ips ''
        option persistent_keepalive '25'

Here's the bit from /etc/config/firewall:

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option fullcone4 '1'
        option fullcone6 '1'
        option masq '1'
        option mtu_fix '1'
        list network 'wan_isp'

config rule
        option name 'Allow-WireGuard'
        list proto 'udp'
        option src 'wan'
        option target 'ACCEPT'
        option family 'ipv4'
        option dest_port '51820'

wg-clients are on two VPSs and on Android phones.

When I initiate the connection while my phone is connected to Wi-Fi (local network), it connects to the wg-server and works.

When a client outside my network (e.g., 46.6.) tries connecting (current IP is 213.195.), the handshake fails.

Failure looks like this (Wireshark/tcpdump):


Success looks like this ( is my phone inside the LAN):

Any ideas about what's wrong?

I noticed your IP is an IR ISP. See these quotes from your fellow country persons:


WireGuard is easy to detect, so if that is blocked then there is nothing you can do (there is an obfuscation package which, if compiled, might work).

If it is not blocked then maybe you do not have the WG interface added to the LAN zone to open up the firewall?

Furthermore, the list addresses are lacking the netmask; not sure how much of a problem that is.


noticed your IP is an IR ISP.

Nope, I'm in Spain; my ISP (for both fiber and mobile) is Pepephone, and it definitely does not block WireGuard.


tcpdump clearly shows packets coming in.

Have you added the WG interface to the LAN zone to open up the firewall?

I'm not sure if the metric could be responsible for this... Do you have multiple WAN connections? Why do you have a metric assigned here?

Make the address explicitly a /24 (

remove the following:

make the allowed IPs explicitly a /32 (

I'm not sure if the fullcone options may play into the issue, but I'd recommend removing them unless there is a reason you need them here:

If those things don't fix the problem, let's see your entire configuration (network and firewall files, as well as the remote peer config).
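The checks suggested in this reply (prefix length on the interface address and on each peer's allowed_ips, the stray metric on the WAN interface, the fullcone options, the WireGuard interface's zone membership, and the UDP accept rule on wan) can be run mechanically over the two UCI files. The script below is an added example written for this thread, not code from the forum or from OpenWrt; the parser handles the `config`/`option`/`list` lines used in /etc/config/network and /etc/config/firewall, and the sample configs are constructed from the posting with placeholder keys and made-up 10.10.10.0/24 addresses.

```python
"""Lint OpenWrt UCI network + firewall config for the WireGuard pitfalls raised above.
Added example; not code from this thread or from OpenWrt."""
import re

# config <type> ['name'] | option <key> <value> | list <key> <value>; values quoted or bare
_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+(?:'([^']*)'|(\S+)))?\s*$")


def parse_uci(text):
    """Parse UCI text into sections: {'type', 'name', 'options', 'lists'}."""
    sections = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("unparsable UCI line: %r" % line)
        kind, key = m.group(1), m.group(2)
        value = m.group(3) if m.group(3) is not None else m.group(4)  # quoted or bare, None if absent
        if kind == "config":
            sections.append({"type": key, "name": value, "options": {}, "lists": {}})
        elif kind == "option":
            sections[-1]["options"][key] = value
        else:
            sections[-1]["lists"].setdefault(key, []).append(value)
    return sections


def _accepts_udp_from_wan(rule, port):
    """True if a firewall rule section accepts UDP to `port` from the wan zone."""
    o = rule["options"]
    protos = rule["lists"].get("proto", []) + [o.get("proto")]
    return o.get("src") == "wan" and o.get("target") == "ACCEPT" and o.get("dest_port") == port and "udp" in protos


def lint_wireguard(network_text, firewall_text):
    """Return a list of findings; an empty list means none of the known pitfalls is present."""
    net, fw = parse_uci(network_text), parse_uci(firewall_text)
    zones = [s for s in fw if s["type"] == "zone"]
    wan_zones = [z for z in zones if z["options"].get("name") == "wan"]
    wan_ifaces = {n for z in wan_zones for n in z["lists"].get("network", [])}
    findings = [f"zone wan: non-default option {opt}=1 set"
                for z in wan_zones for opt in ("fullcone4", "fullcone6") if z["options"].get(opt) == "1"]
    for s in net:
        if s["type"] != "interface":
            continue
        name, opts = s["name"], s["options"]
        if name in wan_ifaces and "metric" in opts:
            findings.append(f"{name}: metric {opts['metric']} set on a WAN interface (only needed for multi-WAN)")
        if opts.get("proto") != "wireguard":
            continue
        for addr in s["lists"].get("addresses", []):
            if "/" not in addr:
                findings.append(f"{name}: address {addr!r} lacks a prefix length (e.g. /24)")
        for peer in (p for p in net if p["type"] == f"wireguard_{name}"):  # peer sections of this interface
            label = peer["options"].get("description", "<unnamed peer>")
            for ip in peer["lists"].get("allowed_ips", []):
                if "/" not in ip:
                    findings.append(f"{name} peer {label}: allowed_ip {ip!r} lacks a prefix length (/32 for one host)")
        if not any(name in z["lists"].get("network", []) for z in zones):
            findings.append(f"{name}: not a member of any firewall zone")
        port = opts.get("listen_port")
        if not any(r["type"] == "rule" and _accepts_udp_from_wan(r, port) for r in fw):
            findings.append(f"{name}: no wan rule accepting udp/{port}")
    return findings


# Constructed inputs modelled on the thread (placeholder key, made-up 10.10.10.0/24 tunnel addresses).
BROKEN_NETWORK = """\
config interface 'wan_isp'
        option proto 'dhcp'
        option metric '10'

config interface 'wg_server'
        option proto 'wireguard'
        list addresses '10.10.10.1'
        option listen_port '51820'

config wireguard_wg_server
        option public_key 'PUBLIC_KEY_PLACEHOLDER'
        list allowed_ips '10.10.10.2'
"""
BROKEN_FIREWALL = """\
config zone
        option name 'wan'
        option input 'REJECT'
        option fullcone4 '1'
        option fullcone6 '1'
        list network 'wan_isp'

config rule
        list proto 'udp'
        option src 'wan'
        option target 'ACCEPT'
        option dest_port '51820'
"""
# Corrected versions: prefix lengths added, metric and fullcone dropped, wg_server put in the lan zone.
FIXED_NETWORK = (BROKEN_NETWORK.replace("        option metric '10'\n", "")
                 .replace("'10.10.10.1'", "'10.10.10.1/24'").replace("'10.10.10.2'", "'10.10.10.2/32'"))
FIXED_FIREWALL = (BROKEN_FIREWALL.replace("        option fullcone4 '1'\n", "")
                  .replace("        option fullcone6 '1'\n", "")
                  + "\nconfig zone\n        option name 'lan'\n        option input 'ACCEPT'\n"
                    "        option forward 'ACCEPT'\n        list network 'lan'\n        list network 'wg_server'\n")
```

Run `lint_wireguard(open("/etc/config/network").read(), open("/etc/config/firewall").read())` on the router to get the same findings for a live system; the constructed pair returns six findings as posted and none after the corrections.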


Oops, my apologies.


config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg_server'
        list network 'docker70'

I was experimenting with mwan3, it's an artefact. I'll try removing it, and trying all the other ideas.

Thank you!

Got it to work following the advice from a friend. Turns out, my ISP changed something in their network configuration, and the default MTU was no longer working reliably. Changed it to 1200 and now it works.
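The MTU finding generalises: a WireGuard packet carries the inner packet plus the outer IP header, the UDP header and WireGuard's own 32-byte transport header, so the tunnel MTU must be at least that much below the path MTU of the ISP link, and if the ISP's path MTU drops, handshakes that fit inside the LAN fail across the WAN. The script below is an added example, not code from this thread or from OpenWrt: it computes the largest safe tunnel MTU for a measured path MTU, finds that path MTU by binary search over don't-fragment probes (the live probe assumes Linux iputils `ping`; the tests use a simulated link), and prints the `uci` commands to pin it, assuming the interface section accepts `option mtu` as OpenWrt's wireguard proto does. 1200, as chosen above, simply leaves a generous margin below the computed value.

```python
"""Derive a WireGuard interface MTU from the transport path MTU and discover that path
MTU with DF-bit probes.  Added example; not code from the thread or from OpenWrt."""
import subprocess

# Bytes WireGuard adds around each inner packet: outer IP + UDP (8) + WG transport header (32).
WG_OVERHEAD = {"ipv4": 20 + 8 + 32, "ipv6": 40 + 8 + 32}  # 60 and 80


def wireguard_mtu(path_mtu, outer="ipv4"):
    """Largest inner MTU whose encrypted packet still fits the transport path without fragmenting."""
    return path_mtu - WG_OVERHEAD[outer]


def ping_probe_fits(host, payload_size, ipv4=True):
    """Live probe: one don't-fragment ping with `payload_size` data bytes; True if answered.
    Assumes Linux iputils ping (-M do sets DF); hypothetical helper, not run by the tests."""
    cmd = ["ping", "-4" if ipv4 else "-6", "-M", "do", "-c", "1", "-W", "1", "-s", str(payload_size), host]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode == 0


def discover_path_mtu(probe, lo=576, hi=1500, ip_header=20, icmp_header=8):
    """Binary-search the largest outer packet size (in bytes) that probe(payload_bytes) accepts.
    probe(payload_size) -> bool; headers are added so the result is a full packet size."""
    headers = ip_header + icmp_header
    if not probe(lo - headers):
        raise RuntimeError("even the minimum size %d bytes fails" % lo)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid - headers):
            lo = mid          # mid fits: the path MTU is at least mid
        else:
            hi = mid - 1      # mid was dropped: the path MTU is below mid
    return lo


def uci_mtu_commands(iface, mtu):
    """UCI commands to pin the MTU on an OpenWrt wireguard interface (assumed: the
    interface section accepts 'option mtu', as for the thread's wg_server)."""
    return [f"uci set network.{iface}.mtu='{mtu}'", "uci commit network", f"ifup {iface}"]


def simulated_link(path_mtu):
    """Constructed stand-in for ping_probe_fits: a link that drops DF packets over path_mtu."""
    return lambda payload: payload + 28 <= path_mtu


if __name__ == "__main__":
    found = discover_path_mtu(simulated_link(1400))           # swap in lambda p: ping_probe_fits(HOST, p)
    print("path MTU", found, "-> tunnel MTU", wireguard_mtu(found))
    print("\n".join(uci_mtu_commands("wg_server", wireguard_mtu(found))))
```

With a 1500-byte path the IPv4 result is 1440 and the IPv6 result 1420, which is why WireGuard's own default interface MTU is 1420; on a link that has shrunk to 1400 the tunnel needs 1340 or less.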

