Posted: Sun May 25, 2025 23:27 Post subject: Wireguard server only allowing access to the router it's on
I am attempting to set up a wireguard server on a DD-WRT router to allow myself to access my local network remotely. I have followed the guides I found on the forum, and I have managed to get a connection from my phone (on cellular data) to my local network, but the ONLY thing that it can connect to is the DD-WRT router that is running the wireguard server. Attempting to access other routers, other devices on the network, or attempting to access the internet fails.
Any ideas what might be causing this or how I can troubleshoot it?
I have attached a picture of my tunnel settings for reference.
Joined: 18 Mar 2014 Posts: 13880 Location: Netherlands
Posted: Mon May 26, 2025 12:22 Post subject:
Probably not related but for MTU use 1420 to be on the safe side.
The Allowed IPs for your peers should have a /32 netmask and not /24, but if you have only one peer then it does not matter.
Maybe you are leaving out important information, so start with showing us a picture of the basic setup page and tell us how the router is set up (e.g. connected with its WAN port to the internet, or behind another router, etc.).
I went ahead and tried using 1420 for the MTU and /32 netmask for the "peer tunnel" on the client config file & the "allowed IPs" field for the client - that's what is supposed to be /32 as the client has a specific IP address assigned to it, right?
I'm still having the same issue after this change. Client can connect to the router, but no other devices on the network or the internet. Other devices connected directly to the wireless access point (not through the VPN) can access the rest of the network and the internet.
The router running wireguard (192.168.1.3) is configured as a wireless access point behind a primary gateway router (192.168.1.1). The port for wireguard is forwarded to the static IP of the router running wireguard.
Connection to the gateway router is via a wired ethernet connection on the LAN2 port of the access point.
Let me know if there's anything else you'd need to know to help troubleshoot the issue.
Joined: 18 Mar 2014 Posts: 13880 Location: Netherlands
Posted: Mon May 26, 2025 17:44 Post subject:
capt_happy wrote:
The router running wireguard (192.168.1.3) is configured as a wireless access point behind a primary gateway router (192.168.1.1). The port for wireguard is forwarded to the static IP of the router running wireguard.
That is exactly the important information you had left out.
The router running wireguard (192.168.1.3) is configured as a wireless access point behind a primary gateway router (192.168.1.1). The port for wireguard is forwarded to the static IP of the router running wireguard.
Let me know if there's anything else you'd need to know to help troubleshoot the issue.
Because of how you might have your system set up, you may have to set up the client to allow access to the LAN. Without seeing your client setup, I'm just going to guess that you need to add to the client's allowed IPs whatever subnets you want access to. There is a different way to do it, but the simplest is probably like this, on a client such as an Android phone:
Code:
allowed ips 192.168.1.0/24 (your main net), (whatever other subs you want access say 192.168.2.0/24), 192.168.5.2/32 (your connection point/peer)
Also, I corrected the IPs; I had misread your main subnet as 192.168.3.1, so if you got that version, it's fixed above to 192.168.1.0/24.
This works because WireGuard is really a peer connection, not client/server. It takes a bit to wrap your head around it, but you are telling it what you want to access from the client, because it's really a peer.
So I only want to connect to my primary and one of the subnets from, say, my phone...
Also note it's kind of tricky: the Android client will say it connects, but the data transferred will not go up. If you have a good connection, the data will crawl up. It's a bit deceiving, but if you use an endpoint that is DDNS, it will make you think you might be connected when you aren't actually there. So when I play with it, I start it up on my home network, because then I don't have to worry about DDNS routing and port forwarding until I get it all working. Then, if you are having problems with DDNS routing, use the numbers for the endpoint and change it to name resolution afterwards if it doesn't work the first time. When I first did it forwarded like you are trying to do, it took a few steps to get it to connect properly behind the DDNS, which is probably because I had dual forwards. I thought I was connected because it showed connected, but the data never went above 92 bytes...
I think all that is covered in the guide but hope it helps!
Another way to look at it, which my friend and I figured out and which really helped me: because it's a peer, look at it from the phone side. As the phone going into the network, I want to connect to whatever subnets/devices etc. So for the phone I want to connect to those two subnets, because they have cameras and a media server, so I tell the phone where I want to connect, and then via port forwarding on the router side I can get to those devices.
If the computer side is looking out to my phone, it only needs to connect to the one IP, because it doesn't want to see anything else except to connect, but that gets you in the right understanding.
If, say, you are connecting two computers/networks, you tell each what you want to see, but looking from each perspective. Hopefully that's not too confusing, but I think where most WireGuard initial setup goes wrong is reversing what you want to see from the other side. In regular client/server connections, you allow access, but in peer connections you tell it what you want.
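As an added example, not code from any of the posts above: a small Python simulation of the WireGuard rule that the replies about /32 netmasks and client allowed IPs describe in prose. In WireGuard a peer's AllowedIPs is used in both directions: for outgoing packets it is the routing table (the destination is matched against every peer's list, longest prefix wins, no match means the packet does not enter the tunnel), and for incoming packets it is a source filter (a decrypted packet whose inner source address is not in the sending peer's AllowedIPs is dropped). The router's tunnel address 192.168.5.2 and the LAN subnets come from the thread; the phone and laptop tunnel addresses (192.168.5.3, 192.168.5.4) and the peer names are assumptions made for the example.

```python
"""Simulate WireGuard cryptokey routing to show what AllowedIPs does.

Added example, not code from the forum thread. The peer names and the
phone/laptop tunnel addresses (192.168.5.3, 192.168.5.4) are constructed;
192.168.5.2 and the LAN subnets follow the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Peer:
    name: str
    allowed_ips: List[ipaddress.IPv4Network]


def parse_allowed_ips(text: str) -> List[ipaddress.IPv4Network]:
    """Parse a comma-separated AllowedIPs value as written in a [Peer] section."""
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in text.split(",") if s.strip()]


def select_peer_for_outgoing(peers: List[Peer], dst: str) -> Optional[str]:
    """Outgoing direction: the destination is matched against every peer's
    AllowedIPs and the most specific (longest) prefix wins. A destination
    that matches no peer is not sent through the tunnel at all."""
    dst_ip = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for peer in peers:
        for net in peer.allowed_ips:
            if dst_ip in net and net.prefixlen > best_len:
                best, best_len = peer.name, net.prefixlen
    return best


def accept_incoming(peers: List[Peer], from_peer: str, src: str) -> bool:
    """Incoming direction: after decryption the inner source address must lie
    inside the sending peer's AllowedIPs, otherwise the packet is dropped."""
    src_ip = ipaddress.ip_address(src)
    for peer in peers:
        if peer.name == from_peer:
            return any(src_ip in net for net in peer.allowed_ips)
    return False


def phone_peers(full_tunnel: bool = False) -> List[Peer]:
    """The phone's single [Peer] (the router), as suggested in the reply above.
    Split tunnel lists only the LAN subnets and the router's tunnel address;
    full tunnel lists 0.0.0.0/0 so internet traffic also goes via the router."""
    allowed = ("0.0.0.0/0" if full_tunnel
               else "192.168.1.0/24, 192.168.2.0/24, 192.168.5.2/32")
    return [Peer("router", parse_allowed_ips(allowed))]


def router_peers() -> List[Peer]:
    """The router's peers: one /32 per client, as recommended earlier in the
    thread. The client tunnel addresses here are constructed."""
    return [Peer("phone", parse_allowed_ips("192.168.5.3/32")),
            Peer("laptop", parse_allowed_ips("192.168.5.4/32"))]


if __name__ == "__main__":
    for dst in ("192.168.1.1", "192.168.2.10", "8.8.8.8"):
        print(f"phone -> {dst}: split-tunnel peer="
              f"{select_peer_for_outgoing(phone_peers(), dst)}, full-tunnel peer="
              f"{select_peer_for_outgoing(phone_peers(True), dst)}")
    for src in ("192.168.5.3", "192.168.5.4"):
        print(f"router <- phone, inner src {src}: accepted="
              f"{accept_incoming(router_peers(), 'phone', src)}")
```

What the simulation makes visible: with the split-tunnel AllowedIPs, 8.8.8.8 matches no peer, so the phone's internet traffic never enters the tunnel; only 0.0.0.0/0 sends it via the router. On the router side, a /32 per client keeps one tunnel address per peer, and a packet arriving from the phone whose inner source is the laptop's address is dropped. AllowedIPs only governs what each end sends into, or accepts from, the tunnel; it does not by itself give the other hosts on 192.168.1.0/24 a route back to the tunnel subnet, which is a separate matter of routing or NAT on the WireGuard router and the LAN's default gateway.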