PC > SSH > Archer > ping google.com or anything > works
Phone > WireGuard > ping 192.168.1.148 > works
Phone > WireGuard > ping anything else > does not work
The Google WiFi is the DHCP server, not the TP-Link. The Google WiFi's network is 192.168.1.x; 192.168.2.x is WireGuard's network, as it's a layer 3 VPN.
192.168.1.1 is the Google WiFi
192.168.1.148 is the Archer - WireGuard config shown above
192.168.2.2 is the phone - WireGuard config shown above
192.168.1.0/24 is not specified anywhere. Ctrl+F on this thread shows only posts by you and me responding to them.
I feel like I already know the answer and am wasting everyone's time.
OMG...my brain hurts, I think you are route looping thru an encryption connection...on the same LAN!
This is a joke, right? (I won't say troll)
You failed to mention you're testing this in LAN...and hid it too.
Lastly, is there any other device running Wireguard (except the phone, or a router running NAT), and if not, why do you pass traffic thru its interface?
I would strongly recommend that you reset your Archer (OpenWrt) to defaults and start over. There is really very little that you need to do -- keep it simple. No extra routes, etc.
If you want to use the dumb AP type configuration, it should work. Just change the LAN to DHCP client instead of a static IP (just as you had done previously). Install WG. Configure the WG interface with the keys and then do the remote peer. That's it. Don't add any static routes -- they will only mess things up.
On your phone, the setup should generally be the following (you'll have to create a syntactically correct config file or enter things into the correct fields):
Wireguard Local Interface (on phone):
[Interface]
PrivateKey = <INSERT_PRIVATE_KEY_FOR_PHONE>
Address = 192.168.2.2/32
DNS = 192.168.1.1
Peer Config (on phone, refers to Archer):
[Peer]
PublicKey = <INSERT_PUBLIC_KEY_FROM_ARCHER>
# For testing, could use the LAN address of the Archer, 192.168.1.148
Endpoint = <INSERT_PUBLIC_IP_ADDRESS>:<INSERT_WG_LISTEN_PORT>
# 0.0.0.0/0 passes all traffic through the tunnel; if just looking for LAN access, use 192.168.1.0/24
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
That's all you have to do! Do not overcomplicate the configuration.
EDIT: Forgot to include the firewall additions (you already had these mostly correct):
config zone
	option name 'WireGuard'
	option network 'WireGuard wg0'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option output 'ACCEPT'

config forwarding
	option dest 'lan'
	option src 'WireGuard'
For the benefit of other users reading this thread in the future, the OP appears to be overcomplicating the configuration by using ProxyARP (which amounts to a hack in this context). I would recommend against this method, and the OP has also not shared enough info (and has presented details in the most confusing ways possible) such that it would be very difficult for any other user to actually make a functioning wg installation. Other threads will almost certainly be more helpful for the vast majority of users.
It should work as long as those devices use the TP-Link as its gateway.
This is where Wireguard exists, hence it's a router (if I understood correctly).
That usually means it's not a dumb AP config - meaning that the TP-Link is issued as the gateway address (either statically or via DHCP).
Lastly, the OP never identified any real far end for encrypted traffic either. Remember this setup was just a loop thru LAN.
EDIT: I just want to note, routing rules on the phone likely won't allow you to connect to WiFi in 192.168.1.0/24, then connect via Wireguard to 192.168.2.0/24, and route thru WG back to 192.168.1.0/24. The phone is smart enough to know that network is local. And I was going to tell @neheb that you may not want to use 192.168.1.0/24 if you VPN into your LAN. If you are again at a location that uses that subnet, the same route problem would occur on your phone, and your traffic would leak into the insecure network you connected to.
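The following script is an added example, not code posted by anyone in this thread. It renders the two halves of the keep-it-simple setup described a few posts up (the phone's [Interface]/[Peer] file and a `uci batch` script for the Archer with the wg0 interface, the phone as its peer, and the firewall zone/forwarding shown there) and then runs two checks that correspond to the routing problems discussed in this thread: the endpoint of the tunnel sitting inside a non-default AllowedIPs prefix (the on-LAN loop the OP was testing), and AllowedIPs colliding with the network the phone is physically attached to (the "same subnet at another location" leak described in the EDIT above). The addresses 192.168.2.2/32, 192.168.1.148, 192.168.1.1 and 192.168.1.0/24 come from the thread; the key strings are placeholders, and the Archer's tunnel address 192.168.2.1/24 and the listen port 51820 are assumptions that the thread does not state.

```python
"""Render the phone and Archer sides of the WireGuard setup from this thread
and run two sanity checks on the phone's peer configuration.

Added example, not code posted in the thread.  Key strings are placeholders;
the Archer's tunnel address and the listen port are assumptions."""
import ipaddress

# Values taken from the thread.
PHONE_TUNNEL_IP = "192.168.2.2/32"
ARCHER_LAN_IP = "192.168.1.148"
HOME_LAN = "192.168.1.0/24"
DNS_SERVER = "192.168.1.1"
# Assumed values (the thread does not state them).
ARCHER_TUNNEL_IP = "192.168.2.1/24"
LISTEN_PORT = 51820


def phone_conf(phone_private_key, archer_public_key, endpoint_ip, allowed_ips):
    """WireGuard-app / wg-quick style config for the phone: [Interface] + [Peer]."""
    return "\n".join([
        "[Interface]",
        f"PrivateKey = {phone_private_key}",
        f"Address = {PHONE_TUNNEL_IP}",
        f"DNS = {DNS_SERVER}",
        "",
        "[Peer]",
        f"PublicKey = {archer_public_key}",
        f"Endpoint = {endpoint_ip}:{LISTEN_PORT}",
        f"AllowedIPs = {', '.join(allowed_ips)}",
        "PersistentKeepalive = 25",
    ]) + "\n"


def archer_uci(archer_private_key, phone_public_key):
    """`uci batch` script for the Archer: wg0 interface, the phone as its only
    peer, and the firewall zone/forwarding shown in the thread.  No static
    routes: the wg0 addresses and the peer's allowed_ips are all that is needed."""
    return "\n".join([
        "set network.wg0=interface",
        "set network.wg0.proto='wireguard'",
        f"set network.wg0.private_key='{archer_private_key}'",
        f"set network.wg0.listen_port='{LISTEN_PORT}'",
        f"add_list network.wg0.addresses='{ARCHER_TUNNEL_IP}'",
        "set network.phone=wireguard_wg0",  # peer section type is wireguard_<ifname>
        f"set network.phone.public_key='{phone_public_key}'",
        f"add_list network.phone.allowed_ips='{PHONE_TUNNEL_IP}'",
        "add firewall zone",
        "set firewall.@zone[-1].name='WireGuard'",
        "add_list firewall.@zone[-1].network='wg0'",
        "set firewall.@zone[-1].input='ACCEPT'",
        "set firewall.@zone[-1].output='ACCEPT'",
        "set firewall.@zone[-1].forward='ACCEPT'",
        "set firewall.@zone[-1].masq='1'",
        "add firewall forwarding",
        "set firewall.@forwarding[-1].src='WireGuard'",
        "set firewall.@forwarding[-1].dest='lan'",
        "commit network",
        "commit firewall",
    ]) + "\n"


def endpoint_inside_allowed(endpoint_ip, allowed_ips):
    """True when the peer endpoint lies inside a non-default AllowedIPs prefix.
    The phone would then try to reach the Archer through the very tunnel it is
    building to it (the on-LAN loop from this thread).  wg-quick special-cases
    only 0.0.0.0/0 with policy routing; a narrower prefix such as 192.168.1.0/24
    gets no such treatment, so it is excluded from the default-route exemption here."""
    ep = ipaddress.ip_address(endpoint_ip)
    nets = [ipaddress.ip_network(c, strict=False) for c in allowed_ips]
    return any(ep in n for n in nets if n.prefixlen > 0)


def shadowed_by_local_wifi(allowed_ips, local_wifi_cidr):
    """AllowedIPs prefixes that overlap the network the phone is physically on
    (e.g. a visited network that also uses 192.168.1.0/24).  Those destinations
    are directly reachable on the local link, which is the route collision and
    leak described in the thread; a default route is left out of the check."""
    local = ipaddress.ip_network(local_wifi_cidr, strict=False)
    nets = [ipaddress.ip_network(c, strict=False) for c in allowed_ips]
    return [str(n) for n in nets if n.prefixlen > 0 and n.overlaps(local)]


if __name__ == "__main__":
    print(phone_conf("<PHONE_PRIVATE_KEY>", "<ARCHER_PUBLIC_KEY>", ARCHER_LAN_IP, [HOME_LAN]))
    print(archer_uci("<ARCHER_PRIVATE_KEY>", "<PHONE_PUBLIC_KEY>"))
    # The OP's test: phone on the 192.168.1.x Wi-Fi, endpoint = the Archer's LAN address.
    print("endpoint inside AllowedIPs:", endpoint_inside_allowed(ARCHER_LAN_IP, [HOME_LAN]))
    # Road-warrior case: visiting a network that happens to use 192.168.1.0/24 as well.
    print("shadowed prefixes:", shadowed_by_local_wifi([HOME_LAN], "192.168.1.37/24"))
```

Run it as-is to print both configs and see both checks fire for the thread's own numbers; with a public endpoint and a home LAN on a less common subnet both checks come back clean. The `uci batch` text can be fed to the router with `uci batch < file` after replacing the placeholder keys.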
Yes, this is my assumption, too. I ran a quick test on a spare (dev) router I have lying around, and setting the LAN IP to DHCP client mode does indeed pick up the DNS and gateway information from the upstream DHCP server (I did an opkg update and it worked perfectly). Obviously if the IP is manually assigned, the gateway/DNS must also be specified.
FWIW, when I was referring to the "dumb ap" configuration, I was really referring to the LAN-LAN connection between the two routers, DHCP (server) disabled on the secondary router, and not using the WAN/NAT+firewall. @lleachii - you are probably technically correct in that the moment you enable anything with routing, it ceases to be the dumb AP config, but I was generally thinking in terms of the two routers both having their LANs defined in the same network.
I have the same assumption. In fact, WireGuard makes the routing really easy -- much more straight forward than other L3 VPNs.
I had the impression that the OP was trying to use the WG VPN as a remote access method to their LAN (and/or "road-warrior"-to-"home internet" to avoid geo-restrictions and such). But because the OP refused to properly explain the specific goals, issues (and requested test results), and config information, I may very well be mistaken about this.