Adding a rule and a static route to... route all packets from a host through a specific wireguard interface. How?

No need to masq. I didn't get the other one.

No, the INPUT is accept, so you don't need any allow rules.

If it is not in the allowed IPs, then you must SNAT/Masquerade the packets.

I'm missing something: if I add 0.0.0.0/0 to the allowed IPs and 10.2.1.0/24 as the IP address of WireGuard, I can't connect to router A from the smartphone via the VPS.

Actually, the config is the following. It enables me to reach router A from the smartphone via wg_parents, but the TV at my parents' home cannot connect (I have no detailed messages here, just the network error in the YouTube app).

The firewall zone:
config zone
        option name 'wg_parents'
        option input 'ACCEPT'
        option output 'ACCEPT'
        list network 'wg_parents'
        option forward 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'wg_parents'

config forwarding
        option src 'wg_parents'
        option dest 'lan'

Maybe I should do something in the advanced config?

The following is the /etc/config/network related part:

config interface 'wg_parents'
        option proto 'wireguard'
        option private_key ''
        option metric '100'
        list addresses '10.2.1.2/24'

config wireguard_wg_parents
        option description 'VPS1'
        option public_key ''
        option preshared_key ''
        option endpoint_host ''
        option endpoint_port ''
        option persistent_keepalive '10'
        list allowed_ips '10.2.1.0/24'

config rule
        option in 'lan'
        option src '172.16.128.142/32'
        option lookup '100'

config route
        option target '0.0.0.0/0'
        option interface 'wg_parents'
        option table '100'

This is the ip output:

root@D7800:/etc/config# ip -4 ro list table all
default dev wg_parents table 100 scope link  metric 100
default via 192.168.1.254 dev eth0.2  src 192.168.1.74
10.2.1.0/24 dev wg_parents scope link  metric 100
VPS__PUBLIC_IP via 192.168.1.254 dev eth0.2
172.16.128.0/24 dev br-lan scope link  src 172.16.128.1
192.168.1.0/24 dev eth0.2 scope link  src 192.168.1.74
broadcast 10.2.1.0 dev wg_parents table local scope link  src 10.2.1.2
local 10.2.1.2 dev wg_parents table local scope host  src 10.2.1.2
broadcast 10.2.1.255 dev wg_parents table local scope link  src 10.2.1.2
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 172.16.128.0 dev br-lan table local scope link  src 172.16.128.1
local 172.16.128.1 dev br-lan table local scope host  src 172.16.128.1
broadcast 172.16.128.255 dev br-lan table local scope link  src 172.16.128.1
broadcast 192.168.1.0 dev eth0.2 table local scope link  src 192.168.1.74
local 192.168.1.74 dev eth0.2 table local scope host  src 192.168.1.74
broadcast 192.168.1.255 dev eth0.2 table local scope link  src 192.168.1.74

Don't use IP .0

Again the same issue, you send everything from tv to WG, but WG allowed IPs are limited to 10.2.1.0/24.
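The mismatch pointed out in this reply (a policy route that sends everything from the TV into wg_parents while the peer's allowed_ips only covers 10.2.1.0/24) and the earlier "Don't use IP .0" remark can both be caught before reloading the network. The following is an added check script, not code from the thread or from OpenWrt; it only understands the config/option/list lines shown in the posts, and the sample config it builds is constructed from them.

```python
"""Check a UCI network config for two mistakes raised in the thread: a policy
route into a WireGuard interface whose peer allowed_ips does not cover the
route target (WireGuard has no peer for the packet and drops it), and an
interface address that is its network's ".0" address.  Added example."""
import ipaddress
import re

def parse_uci(text):
    """Return [(section_type, {key: [values]})] from UCI-style text."""
    sections, cur = [], None
    for line in text.splitlines():
        m = re.match(r"\s*config\s+(\S+)", line)
        if m:
            cur = (m.group(1), {})
            sections.append(cur)
        elif cur and (m := re.match(r"\s*(?:option|list)\s+(\S+)\s+'([^']*)'", line)):
            cur[1].setdefault(m.group(1), []).append(m.group(2))
    return sections

def check(text):
    """Return problem strings; an empty list means the config is consistent."""
    secs, peers, problems = parse_uci(text), {}, []
    # allowed_ips per WireGuard interface: section 'wireguard_<iface>' holds its peers
    for t, o in secs:
        if t.startswith("wireguard_"):
            peers.setdefault(t[len("wireguard_"):], []).extend(
                ipaddress.ip_network(a) for a in o.get("allowed_ips", []))
    for t, o in secs:
        iface = o.get("interface", [None])[0]
        if t == "route" and iface in peers:
            target = ipaddress.ip_network(o["target"][0])
            if not any(target.subnet_of(a) for a in peers[iface]):
                problems.append(f"route {target} via {iface} not covered by "
                                f"allowed_ips {[str(a) for a in peers[iface]]}")
        if t == "interface":
            for addr in o.get("addresses", []):
                i = ipaddress.ip_interface(addr)
                if i.network.prefixlen < 31 and i.ip == i.network.network_address:
                    problems.append(f"address {addr} is the network address, not a host")
    return problems

def sample(address, allowed_ips):
    # constructed config mirroring the thread's posts, with the two values that changed
    return f"""config interface 'wg_parents'
        list addresses '{address}'
config wireguard_wg_parents
        list allowed_ips '{allowed_ips}'
config route
        option target '0.0.0.0/0'
        option interface 'wg_parents'
        option table '100'"""
```

`check(sample("10.2.1.2/24", "10.2.1.0/24"))` reports the uncovered route from the first post, while `check(sample("10.2.1.2/24", "0.0.0.0/0"))` returns an empty list.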

The lan zone doesn't need to be masqueraded.

OK, I put the right 0.0.0.0/0 and 10.2.1.2/24; now I can reach router A from wg_parents, but the TV says it is connected but cannot reach the internet. EDIT: after a restart, the TV won't connect. Crying.

config interface 'wg_parents'
        option proto 'wireguard'
        option private_key ''
        option metric '100'
        list addresses '10.2.1.2/24'

config wireguard_wg_parents
        option description 'VPS1'
        option public_key ''
        option preshared_key ''
        option endpoint_host ''
        option endpoint_port '53821'
        option persistent_keepalive '10'
        list allowed_ips '0.0.0.0/0'

config rule
        option in 'lan'
        option src '172.16.128.142/32'
        option lookup '100'

config route
        option target '0.0.0.0/0'
        option interface 'wg_parents'
        option table '100'

And the routing tables:

root@D7800:/etc/config# ip -4 ro list table all
default dev wg_parents table 100 scope link  metric 100
default via 192.168.1.254 dev eth0.2  src 192.168.1.74
10.2.1.0/24 dev wg_parents scope link  metric 100
public_vps_ip via 192.168.1.254 dev eth0.2
172.16.128.0/24 dev br-lan scope link  src 172.16.128.1
192.168.1.0/24 dev eth0.2 scope link  src 192.168.1.74
broadcast 10.2.1.0 dev wg_parents table local scope link  src 10.2.1.2
local 10.2.1.2 dev wg_parents table local scope host  src 10.2.1.2
broadcast 10.2.1.255 dev wg_parents table local scope link  src 10.2.1.2
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 172.16.128.0 dev br-lan table local scope link  src 172.16.128.1
local 172.16.128.1 dev br-lan table local scope host  src 172.16.128.1
broadcast 172.16.128.255 dev br-lan table local scope link  src 172.16.128.1
broadcast 192.168.1.0 dev eth0.2 table local scope link  src 192.168.1.74
local 192.168.1.74 dev eth0.2 table local scope host  src 192.168.1.74
broadcast 192.168.1.255 dev eth0.2 table local scope link  src 192.168.1.74