Wireguard & OpenWRT
Goal: set up my Android handset so that it can connect remotely to hosts on my home network
Follow the OpenWRT Wiki guide for general Wireguard setup.
Addressing
My handset typically doesn’t have IPv6 Internet connectivity, so Wireguard traffic will be over IPv4. However, traffic inside the tunnel can be over IPv6.
| Name | IP |
|---|---|
| Home IPv6 ULA | fd2c:cfce:c1ce::/48 |
| Home WAN IP | 203.123.xx.xx |
| Home LAN IP | 192.168.1.1/24, fd2c:cfce:c1ce::1/60 |
| Home WG IP | fd2c:cfce:c1ce:10::1/64 |
| Android WAN IP | (dynamic IPv4) |
| Android WG IP | fd2c:cfce:c1ce:10::2/128 |
Wireguard
Android Wireguard config:

```ini
[Interface]
Address = fd2c:cfce:c1ce:10::2/64
DNS = fd2c:cfce:c1ce:10::1
PrivateKey = xxxxxxxxxxxxxxxxxxxxxx

[Peer]
AllowedIPs = ::/0
Endpoint = 203.123.xx.xx:51820
PublicKey = f15Cut8SWrguJaPVFp68/N+ior/yJ7q+ml2o/Q+v1zg=
```
NOTE:
- Android will not resolve AAAA records unless there is an IPv6 default route, i.e. ::/0.
- The DNS IP corresponds with my home router. All DNS traffic from Android will get sent here while the tunnel is up.
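Both of those notes are easy to get wrong when hand-editing a client config, so here is a small checker, added for this page and not part of the OpenWRT wiki or the WireGuard project, that parses a WireGuard client config and flags the two pitfalls: an IPv6 address in AllowedIPs without a ::/0 route (Android then won't resolve AAAA records), and a DNS server that is not covered by AllowedIPs at all (queries would then leave the handset outside the tunnel). The embedded sample is the Android config from above with a placeholder private key.

```python
"""Sanity-check a WireGuard client config for the DNS pitfalls noted above."""
import ipaddress

# Constructed sample: the Android config from the post, with a placeholder private key.
SAMPLE_CONFIG = """\
[Interface]
Address = fd2c:cfce:c1ce:10::2/64
DNS = fd2c:cfce:c1ce:10::1
PrivateKey = PLACEHOLDER_PRIVATE_KEY

[Peer]
AllowedIPs = ::/0
Endpoint = 203.123.xx.xx:51820
PublicKey = f15Cut8SWrguJaPVFp68/N+ior/yJ7q+ml2o/Q+v1zg=
"""


def parse_wg_config(text):
    """Parse an INI-style WireGuard config into {"Interface": {...}, "Peers": [{...}, ...]}."""
    result = {"Interface": {}, "Peers": []}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            if name == "Interface":
                current = result["Interface"]
            elif name == "Peer":
                current = {}
                result["Peers"].append(current)
            else:
                raise ValueError(f"unknown section {name!r}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        # Split on the first '=' only: base64 keys legitimately end in '='.
        key, value = (part.strip() for part in line.split("=", 1))
        current[key] = value
    return result


def _split_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]


def check_dns_routing(config):
    """Return a list of human-readable findings; an empty list means the config looks sane."""
    findings = []
    dns_servers = [ipaddress.ip_address(s) for s in _split_list(config["Interface"].get("DNS", ""))]
    allowed = []
    for peer in config["Peers"]:
        allowed += [ipaddress.ip_network(n, strict=False) for n in _split_list(peer.get("AllowedIPs", ""))]

    has_v6 = any(n.version == 6 for n in allowed)
    has_v6_default = any(n.version == 6 and n.prefixlen == 0 for n in allowed)
    if has_v6 and not has_v6_default:
        findings.append("IPv6 AllowedIPs without ::/0: Android will not resolve AAAA records")

    for dns in dns_servers:
        if not any(dns in n for n in allowed if n.version == dns.version):
            findings.append(f"DNS server {dns} is not covered by AllowedIPs; queries would bypass the tunnel")
    return findings


if __name__ == "__main__":
    for finding in check_dns_routing(parse_wg_config(SAMPLE_CONFIG)) or ["OK: no DNS routing issues found"]:
        print(finding)
```

Run it against a config and fix any finding before loading the profile onto the handset; replacing ::/0 with only the home ULA prefix, for example, keeps DNS inside the tunnel but trips the AAAA finding.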
DNS
OpenWRT supports setting hostnames for both IPv4 and IPv6 addresses under ‘DHCP and DNS’ -> Hostnames. I have a Truenas server on my home network, so I added 2 entries here:
| Hostname | Type | IP |
|---|---|---|
| truenas | A | 192.168.1.10 |
| truenas | AAAA | fd2c:cfce:c1ce:0:3ce7:f1ff:fe35:ed56 |
Each entry corresponds with an A or AAAA record and also a PTR (reverse lookup). I’ve also configured OpenWRT with local domain .lan.
Now I’m able to connect to truenas.lan from Android.
Neighbor Discovery
UPDATE: 2025-10-07
After a frustrating time trying to figure out why I had no network connectivity from wireguard, I discovered a quirk of odhcpd (OpenWRT’s swiss army knife daemon). Putting the wireguard interface and the LAN interface in the same OpenWRT firewall zone has an undesirable side-effect: an IPv6 RA (router advertisement) is sent on the LAN that includes the wireguard network as ‘on link’, i.e. the Truenas route table contains this:

```
fd2c:cfce:c1ce:10::/64 dev br0 proto kernel metric 256 pref medium
```
This causes Truenas to send neighbor solicitations to find out who has the wireguard client IP. But that doesn’t work as the wireguard client is not on the same link as Truenas and no response is returned.
The solution is to put the wireguard interface and the LAN interface in different firewall zones. That way, no route is included in the RA and Truenas just sends traffic to its default gateway.
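To confirm on a LAN host whether the quirk above is in effect, the following checker, added for this page and not part of OpenWRT, odhcpd or Truenas, parses `ip -6 route` output and flags any on-link route (a `dev` entry with no `via`) on the LAN bridge that overlaps the wireguard prefix; it also does a longest-prefix lookup for the wireguard client address to show where the host would actually send the traffic. The two route tables are constructed samples: the "broken" one contains the exact line quoted above, the "fixed" one is what the table should look like once the interfaces are in separate zones. The interface name `br0` and the link-local gateway address are assumptions.

```python
"""Detect the odhcpd on-link quirk from a host's `ip -6 route` output."""
import ipaddress

WG_PREFIX = ipaddress.ip_network("fd2c:cfce:c1ce:10::/64")  # Home WG network from the table above
LAN_IFACE = "br0"                                            # assumed LAN bridge name on the Truenas host

# Constructed sample: LAN host route table while the quirk is present (second line is the offender).
ROUTES_BROKEN = """\
fd2c:cfce:c1ce::/64 dev br0 proto kernel metric 256 pref medium
fd2c:cfce:c1ce:10::/64 dev br0 proto kernel metric 256 pref medium
fe80::/64 dev br0 proto kernel metric 256 pref medium
default via fe80::1 dev br0 proto ra metric 1024 expires 1786sec hoplimit 64 pref medium
"""

# Constructed sample: the same host after the wireguard and LAN interfaces were split into separate zones.
ROUTES_FIXED = "\n".join(l for l in ROUTES_BROKEN.splitlines() if not l.startswith("fd2c:cfce:c1ce:10::/64")) + "\n"

_PAIR_KEYS = {"via", "dev", "proto", "metric", "pref", "expires", "hoplimit", "src", "table"}


def parse_ip6_routes(text):
    """Parse `ip -6 route` lines into dicts with dst (ip_network), via, dev, proto and bare flags."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        dst = "::/0" if tokens[0] == "default" else tokens[0]
        route = {"dst": ipaddress.ip_network(dst, strict=False), "via": None, "dev": None, "proto": None, "flags": []}
        i = 1
        while i < len(tokens):
            if tokens[i] in _PAIR_KEYS and i + 1 < len(tokens):
                route[tokens[i]] = tokens[i + 1]
                i += 2
            else:
                route["flags"].append(tokens[i])  # single-word flags such as "linkdown"
                i += 1
        routes.append(route)
    return routes


def find_onlink_leaks(routes, wg_prefix=WG_PREFIX, lan_iface=LAN_IFACE):
    """Routes that claim (part of) the wireguard prefix is directly reachable on the LAN interface."""
    return [
        r for r in routes
        if r["dev"] == lan_iface and r["via"] is None
        and r["dst"].prefixlen > 0 and r["dst"].overlaps(wg_prefix)
    ]


def lookup(routes, address):
    """Longest-prefix match: the route the kernel would pick for this destination, or None."""
    addr = ipaddress.ip_address(address)
    matches = [r for r in routes if addr in r["dst"]]
    return max(matches, key=lambda r: r["dst"].prefixlen) if matches else None


if __name__ == "__main__":
    for label, table in (("broken", ROUTES_BROKEN), ("fixed", ROUTES_FIXED)):
        routes = parse_ip6_routes(table)
        leaks = find_onlink_leaks(routes)
        chosen = lookup(routes, "fd2c:cfce:c1ce:10::2")
        print(f"{label}: {len(leaks)} on-link leak(s); wg client reached via "
              f"{chosen['via'] or 'neighbor discovery on ' + chosen['dev']}")
```

With the broken table the lookup lands on the on-link route, which is exactly why the host sends neighbor solicitations for the wireguard client instead of forwarding to the router; with the fixed table the only match is the default route via the gateway.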