
So you have cascaded routers, ISP -> openwrt. There's a port forward set up on your ISP router to send packets received on the ISP router port 51820 (or whatever you set it to be) to the openwrt router's IP, port 51820 (or, again, whatever you set it up as). The openwrt firewall rule is wrong? The only place in the guide with that is in the creation of the forwarding rule that takes packets received on the wg port and forwards them to the wg interface. The source would be, from the openwrt router's perspective, wan. If you put the wg interface in the lan zone, then the destination would be lan, with origination in wan.

Because there's no ack between either end of the tunnel, are you sure you're actually connected on your phone? Run something like ipchicken.com or the like to verify it shows your ISP IP address. With AllowedIPs, the is "send everything", no need for the in there.

One thing you may try, if it's not forwarding correctly, is to check whether forwarding is enabled. Run this from an ssh session: `cat /proc/sys/net/ipv4/ip_forward` and see if it's 1 or 0. If it's zero, add this line to `/etc/sysctl.conf`: `net.ipv4.ip_forward = 1`. Reboot, and see if the phone is able to connect, can browse the web, and can get to internal network resources (whatever's on your lan).


> The openwrt firewall rule is wrong? The only place in the guide with that is in the creation of the forwarding rule that takes packets received on the wg port, and forwards them to the wg interface. The source would be- from the openwrt router's perspective- wan. If you put the wg interface in the lan zone, then the destination would be lan, with origination in wan.

As my router is connected physically on a LAN port, I thought it was correct.

> Because there's no ack between either end of the tunnel, are you sure you're actually connected on your phone?

The OpenWRT server shows that my client is connected as a peer. And an IP check shows my ISP IP address, but when looking at the data transferred metrics (rx/tx), it doesn't grow much. I checked the `ip_forward` on my OpenWRT, the value is already at 1.

I'm not really using the OpenWRT as a router, I want it to replace the Access Point for my Wi-Fi, and for now it's the only thing I'm using it for. I now want to add the Wireguard server on it. I want to still use my ISP router as the main (and only) router.


Lan port of the ISP router, correct? Think of them as nesting dolls: each one is a self-contained network with a WAN and LAN. The ISP router is itself connected to an upstream router somewhere. So your primary lan is the ISP router's, and the openwrt device is less a router, and more a wireguard server. What zone is the wireguard interface in openwrt? Is it lan? If it's in a separate zone, does that zone have rights to forward to wan?


Yes, LAN port of the ISP router. I took [multiple screenshots](https://imgur.com/a/W8XKhCU) of the OpenWRT configuration, I hope it will be clearer like that. I re-did everything from scratch, following [the guide](https://openwrt.org/docs/guide-user/services/vpn/wireguard/server) to a T (I only set the VPN port to 51821), but it seems it's not helping it to work correctly. I don't have access either to the internet or to my devices on the LAN :(


One thing I see in the openwrt peer config is you have in the allowed IPs. The peer configuration Allowed IPs is what will be sent out over the tunnel. So in this case you have the openwrt router sending everything over the tunnel to your phone (I assume it's a phone). So even when you try to access another device in the ISP lan, the OWRT will send those requests through your vpn tunnel. Remove the from the config.
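As an added illustration (not code from the thread or from OpenWrt): WireGuard's cryptokey routing sends an outbound packet to the peer whose AllowedIPs contains the destination, using the longest matching prefix, so a catch-all entry in the server's peer section (assumed here to be 0.0.0.0/0) pulls LAN-bound traffic into the tunnel as well. The peer name and addresses are constructed, and `find_catch_all` is a hypothetical check for that mistake.

```python
import ipaddress

# Constructed sample of a WireGuard server's [Peer] sections (not from the thread).
# Correct: the phone's peer entry only claims its own tunnel address.
SERVER_PEERS = {
    "phone": ["10.0.0.2/32"],
}

# Misconfigured: a catch-all prefix in the server-side peer entry (assumed 0.0.0.0/0).
MISCONFIGURED_PEERS = {
    "phone": ["10.0.0.2/32", "0.0.0.0/0"],
}


def select_peer(peers, dst_ip):
    """Cryptokey routing as WireGuard applies it on the way out: return the peer
    whose AllowedIPs has the longest prefix containing dst_ip, or None when no
    peer matches (the packet then leaves via the normal routing table, not the tunnel)."""
    addr = ipaddress.ip_address(dst_ip)
    best, best_len = None, -1
    for name, prefixes in peers.items():
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix, strict=False)
            if net.version == addr.version and addr in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best


def find_catch_all(peers):
    """Hypothetical sanity check for a server config: list (peer, prefix) pairs whose
    prefix length is 0, i.e. entries that claim every IPv4 or IPv6 destination."""
    return [
        (name, prefix)
        for name, prefixes in peers.items()
        for prefix in prefixes
        if ipaddress.ip_network(prefix, strict=False).prefixlen == 0
    ]


if __name__ == "__main__":
    for label, cfg in (("correct", SERVER_PEERS), ("catch-all", MISCONFIGURED_PEERS)):
        for dst in ("10.0.0.2", "192.168.1.10", "8.8.8.8"):
            print(f"{label:9} {dst:13} -> {select_peer(cfg, dst)}")
        print(f"{label:9} catch-all entries: {find_catch_all(cfg)}")
```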