Openwrt wg0 behaves not alike that on Fedora: why?

Sergey Ivanov seriv at
Mon Jun 15 22:02:41 CEST 2020

You are right, it was a rule: '-A zone_wireguard_forward -m comment
--comment "!fw3" -j zone_wireguard_dest_REJECT'. Corresponding setting
in the luci web interface was "Forward" from the zone "Wireguard" to
"Wireguard". Although I also need a separate ip route table for this
VPN to get access to subnet routing.

On Mon, Jun 15, 2020 at 7:02 AM <mikma.wg at> wrote:
> On 2020-06-14 20:19, Sergey Ivanov wrote:
> > Hi,
> > I have a question about wg0 on OpenWRT not forwarding packets from one
> > client to another. I have a laptop at home in my home LAN, and a
> > computer at work in a very restricted LAN. They can not see one
> > another. I spent a lot of time trying to get them connected by adding
> > their wg0's IP addresses to the AllowedIPs on my home router running
> > OpenWRT. I saw pings from each of them successfully decrypted (I've
> > used ping with patterns) on the OpenWRT wg0, but they never got routed
> > further.
> >
> > When I decided to try to move the same AllowedIPs from OpenWRT's wg0
> > to my desktop Fedora, it immediately worked. It looks like some sort
> > of setting like isolation of the clients, or hairpin mode which is
> > different on OpenWRT than on Fedora.
> >
> > Can someone help and suggest what I should look at? I'd like to have
> > it working on the router which is all time on.
> You should look at the firewall in OpenWrt. It's probably dropping or
> rejecting the packets. In particular look at the forward option of the
> firewall zone assigned to wg0. From the OpenWrt Firewall - Zone Settings
> GUI:
>      the forward option describes the policy for forwarded traffic
> between different networks within the zone.
> Since WireGuard is a routed (and not bridged) VPN the above setting can
> also control forwarding between hosts on the same network.

More information about the WireGuard mailing list