LAN to Peer Routing
When "Allow local network to reach peers" is enabled in Firewall Rules → Network Policies, WireGUI configures its nftables firewall to accept traffic from your LAN to VPN clients. However, your LAN's default gateway (router) also needs a static route so it knows to send traffic destined for the WireGuard subnet to the WireGUI server.
Without this route, LAN devices cannot reach VPN peers even if the policy is enabled — the router will forward WireGuard-subnet traffic to its WAN gateway where it gets dropped. The static route tells the router: "to reach the VPN subnet, forward packets to the WireGUI server."
| Value | Example | Source |
|---|---|---|
| WireGuard IPv4 subnet | 10.3.2.0/24 | `WG_WG_IPV4_NETWORK` env var |
| WireGuard IPv6 subnet | fd00::3:2:0/120 | `WG_WG_IPV6_NETWORK` env var |
| WireGUI server LAN IP | 192.168.1.100 | Your network configuration |
Replace the example values below with your actual subnets and server IP.
Run on the gateway machine:

```bash
# IPv4
ip route add 10.3.2.0/24 via 192.168.1.100
# IPv6
ip -6 route add fd00::3:2:0/120 via <server-ipv6-lan-addr>
```

To persist with netplan:

```yaml
# /etc/netplan/01-static-routes.yaml
network:
  version: 2
  ethernets:
    eth0:
      routes:
        - to: 10.3.2.0/24
          via: 192.168.1.100
```

Most consumer and business routers have a static routes section under Advanced or Routing:
| Field | Value |
|---|---|
| Destination | 10.3.2.0 |
| Subnet Mask | 255.255.255.0 |
| Gateway / Next Hop | 192.168.1.100 |
| Interface | LAN |
```
/ip route add dst-address=10.3.2.0/24 gateway=192.168.1.100
/ipv6 route add dst-address=fd00::3:2:0/120 gateway=<server-ipv6-lan-addr>
```

```
set protocols static route 10.3.2.0/24 next-hop 192.168.1.100
set protocols static route6 fd00::3:2:0/120 next-hop <server-ipv6-lan-addr>
commit; save
```
Navigate to System → Routes → Configuration and add a new route:
| Field | Value |
|---|---|
| Destination network | 10.3.2.0/24 |
| Gateway | 192.168.1.100 |
```
ip route 10.3.2.0 255.255.255.0 192.168.1.100
ipv6 route fd00::3:2:0/120 <server-ipv6-lan-addr>
```
From any LAN device, confirm the route is working:
```bash
# Should show the WireGUI server (192.168.1.100) as the next hop
traceroute 10.3.2.1
# Ping a connected peer (the peer must be online)
ping 10.3.2.2
```

If the traceroute shows your WAN gateway instead of the WireGUI server, the static route is missing or not applied.
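The same check can be scripted on a Linux gateway by asking the kernel which next hop it would pick for a peer address. This is an added example, not part of WireGUI: the function names are hypothetical, the sample lines are constructed, and 203.0.113.1 stands in for a WAN gateway.

```shell
#!/bin/sh
# Added example (not WireGUI code): confirm that the gateway's routing table
# sends WireGuard-subnet traffic to the WireGUI server, not to the WAN gateway.

# Print the next hop (the address after "via") from `ip route get` output.
# Prints nothing when the destination is on-link (no "via" token).
next_hop() {
    printf '%s\n' "$1" |
        awk 'NR==1 { for (i = 1; i < NF; i++) if ($i == "via") { print $(i+1); exit } }'
}

# classify_route <ip-route-get-output> <wiregui-server-lan-ip>
# Prints: ok | on-link | wrong:<next-hop>
classify_route() {
    hop=$(next_hop "$1")
    if [ -z "$hop" ]; then
        echo "on-link"
    elif [ "$hop" = "$2" ]; then
        echo "ok"
    else
        echo "wrong:$hop"   # typically the WAN gateway: static route missing
    fi
}

# check_peer_route <peer-ip> <wiregui-server-lan-ip>
# Live check with iproute2; returns non-zero unless the next hop matches.
check_peer_route() {
    case "$1" in *:*) fam=-6 ;; *) fam=-4 ;; esac
    out=$(ip "$fam" route get "$1" 2>/dev/null) || { echo "no-route"; return 1; }
    result=$(classify_route "$out" "$2")
    echo "$result"
    [ "$result" = "ok" ]
}

# Constructed sample outputs of `ip route get 10.3.2.1` on the gateway.
SAMPLE_OK='10.3.2.1 via 192.168.1.100 dev eth0 src 192.168.1.1 uid 0'
SAMPLE_WAN='10.3.2.1 via 203.0.113.1 dev eth1 src 203.0.113.7 uid 0'

# Usage: sh check-route.sh 10.3.2.1 192.168.1.100
if [ "$#" -eq 2 ]; then
    check_peer_route "$1" "$2"
fi
```

A result of `wrong:<address>` corresponds to the traceroute case above where the WAN gateway appears instead of the WireGUI server.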