Losing LAN Internet access with Wireguard client enabled?

I thought I had everything working with my VPN setup, but then I noticed that my LAN loses Internet access when the Wireguard client is connected. However, the router itself (AR750S) has Internet access if I SSH in and try the same connectivity tests (e.g. ping Within the LAN and across the VPN tunnel to the “AllowIPs” network, connectivity is fine. Disconnecting Wireguard immediately brings back connectivity. Some details below. Thanks!

VPN config:

root@GL-AR750S:/etc/config# cat wireguard
config proxy
        option main_server 'Home'
        option host <redacted>
        option enable '0'

config peers 'wg_peer_9655'
        option name 'Home'
        option private_key <redacted>
        option public_key <redacted>
        option persistent_keepalive '25'
        option listen_port '39977'
        option end_point '<redacted>:51820'
        option address ''
        option allowed_ips '',''

Routing table on router:

root@GL-AR750S:/etc/config# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         fw.lan         UG    20     0        0 wlan-sta       *          U     0      0        0 wg0       *          U     20     0        0 wlan-sta       *          U     0      0        0 wg0
<vpn server ip>      fw.lan UGH   0      0        0 wlan-sta     *        U     0      0        0 br-lan

Router has Internet access:

root@GL-AR750S:/etc/config# ping
PING ( 56 data bytes
64 bytes from seq=0 ttl=119 time=11.936 ms
64 bytes from seq=1 ttl=119 time=11.588 ms

But not LAN device:

C:\Users\kodbuse> ping -t
Pinging with 32 bytes of data:
Reply from Destination port unreachable.
Reply from Destination port unreachable.

I was able to fix this myself by removing the call to “lan2wan_forwarding disable” in /etc/init.d/wireguard.

This seems like a bug that should be fix in the repo. When AllowedIPs is not, it doesn’t make sense to disable LAN-to-WAN forwarding, because then there’s no working route for WAN traffic from the LAN.

BTW, maybe I just don’t understand the UI, but I wasn’t able to tell in LuCI that this change was made by the init.d script.


1 Like

In firmware version 3.105, LAN2WAN forwarding is not disabled if Allowdips is not

1 Like

Excellent, thank you!