This is my 2nd learning project with OpenWrt. It should be a straightforward process to install & configure a WireGuard client with LuCI. I've done it before on an Asus router.
To my embarrassment, I could not get it working on a Raspberry Pi.
The reason I want to have a wireguard client on a Pi 4B is beefier compute power. I noticed that the Asus AC51U router is laggier than a wireguard client app on an Nvidia Shield for streaming.
The Pi is connected via a USB LAN port [eth1 - WAN] to the main internet router, and via the built-in LAN port [eth0 - LAN] to my PC.
The WAN interface is a simple DHCP client.
The LAN interface has its own subnet [192.168.1.1] and DHCP server.
Above is all standard stuff and I have an internet connection on my PC from the Pi.
The scary part comes next.
The first time I created a Wireguard VPN interface for the WG client and assigned it to the firewall zones, it worked flawlessly. The tunnel is created. And ipleak.net shows my destination IP.
However after reboot or deleting and creating the WG interface, something strange happens.
I have an internet connection, and the WG client interface has a connection with the server, but the traffic does not flow over the tunnel. Only the keepalive pings flow over the tunnel. I've performed a reset and redone the same steps to create the wan and wg interfaces, to no avail.
I am not an expert, but why have you assigned the wg0 interface to the WAN zone? In my use case, granting access to remote devices when away from home, I have my wg0 assigned to my guest zone (could be LAN as well).
EDIT: I also see differences in your config vs mine. For reference:
I think your wg config is a server accepting incoming requests (rule 'wg'). Mine is a client initiating outgoing requests.
I reflashed a clean SD card with OpenWrt and redid the steps again. I also used a ProtonVPN config file [with a static IP peer] which I imported into LuCI. After every save & apply I did a reboot or a network restart. And the PC's only connection is to the Pi, not any wifi connection to the internet.
Same result: the wg vpn interface is up, but no traffic. The firewall zones are configured as above. Both wan/vpn zones have masquerading & MSS clamping enabled.
I tried to figure out what the differences are between the Pi and the Asus config [which works]:
on the Pi wan had to be created manually, due to the USB LAN port. The wan interface works
on the Asus the clients come through wifi and on the Pi through LAN
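For comparison, this is what a full-tunnel WireGuard client of the kind discussed in this thread looks like in OpenWrt's /etc/config/network and /etc/config/firewall. It is an added illustration, not the poster's configuration and not ProtonVPN's file: the keys, the 10.2.0.2/32 tunnel address, the 203.0.113.10 endpoint and the 21.02+ `option device` syntax are placeholders and assumptions. What it makes explicit are the settings the thread turns on: wg0 in its own 'vpn' zone with masquerading and MSS clamping (mtu_fix), a lan-to-vpn forwarding, and `route_allowed_ips` together with 0.0.0.0/0 in the peer's allowed IPs, because WireGuard only ever sends a packet to a peer whose AllowedIPs cover the destination, so without the default route in there the tunnel stays up and idle. Giving wan and wg0 different metrics is an added suggestion, not from the thread: with distinct metrics both default routes coexist in the kernel and the lower one (the tunnel) wins, whichever interface came up last.

```text
# /etc/config/network (excerpt)
config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	# assumed: higher metric than wg0 so the tunnel's default route is preferred
	option metric '10'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'CLIENT_PRIVATE_KEY_BASE64_PLACEHOLDER'
	list addresses '10.2.0.2/32'
	option mtu '1420'
	option metric '5'

# peer section type is wireguard_<interface name>
config wireguard_wg0
	option description 'vpn-provider'
	option public_key 'SERVER_PUBLIC_KEY_BASE64_PLACEHOLDER'
	option endpoint_host '203.0.113.10'
	option endpoint_port '51820'
	# 0 = off, as the thread's last post recommends
	option persistent_keepalive '0'
	# install AllowedIPs as routes; with 0.0.0.0/0 this is the tunnel default route
	option route_allowed_ips '1'
	list allowed_ips '0.0.0.0/0'

# /etc/config/firewall (excerpt; the default lan and wan zones are unchanged)
config zone
	option name 'vpn'
	list network 'wg0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# LAN clients leave with the tunnel address
	option masq '1'
	# MSS clamping, so TCP segments fit the 1420-byte tunnel MTU
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'vpn'
```

After editing, `uci commit network; uci commit firewall; /etc/init.d/network restart; /etc/init.d/firewall restart` applies it; `ip route show default` should then list the wg0 route with the lower metric first.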
yeah, ProtonVPN was used for testing, and later disabled.
Lessons learned. To make the WireGuard client interface work, I had to consider the following, both on the ordinary Asus router and on the Pi:
don't rely on interface stop/start to get a proper connection. If you do want to use it, adhere to the following: first stop the vpn interface. Then restart wan. Check that you have a proper internet connection. Then restart the vpn interface.
In my experience it is better to do a reboot. Best of all is to switch the device off and on. It seems that a service restart of wan or network does not start the interfaces in the proper order.
if your vpn client is configured with PersistentKeepalive other than 0, note that if the vpn server/peer is rebooted, you will lose the vpn connection, so a restart/reboot of the router is necessary.
Better to keep this setting at 0, where a connection is initiated on an on-demand basis.
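The symptom at the start of the thread ("interface is up, only the keepalive pings flow") and the stale-peer case in the last post can both be told apart from a healthy tunnel by reading `wg show wg0 dump` twice a few seconds apart and comparing the per-peer counters. The script below is an added example, not code from the thread or from OpenWrt: it classifies each peer as NO_HANDSHAKE, STALE_HANDSHAKE (no handshake for over 3 minutes, which is what a rebooted server leaves behind), KEEPALIVE_ONLY (handshake fine, outgoing bytes grow only by 32-byte keepalives, nothing received) or TRAFFIC_OK, and reports whether 0.0.0.0/0 is in the peer's AllowedIPs. The sample snapshots are constructed (placeholder keys, documentation addresses); the 25 s keepalive interval and the 180 s staleness threshold are assumptions.

```shell
#!/bin/sh
# Added diagnostic for a WireGuard client on OpenWrt (not from the thread).
# `wg show <if> dump` is tab separated: line 1 is the interface
#   privkey  pubkey  listen-port  fwmark
# and every further line is one peer
#   pubkey  psk  endpoint  allowed-ips  latest-handshake  rx-bytes  tx-bytes  keepalive
#
# wg_diag BEFORE_TEXT AFTER_TEXT SECONDS [NOW_EPOCH]
# prints one line per peer found in the later snapshot.
wg_diag() {
    printf '%s\n' "$2" | awk -F '\t' -v before="$1" -v secs="$3" -v now="$4" '
        BEGIN {
            n = split(before, lines, "\n")
            for (i = 2; i <= n; i++) {                  # skip the interface line
                m = split(lines[i], f, "\t")
                if (m >= 7) { rx0[f[1]] = f[6]; tx0[f[1]] = f[7] }
            }
            # a silent tunnel only sends 32-byte keepalives; assume a 25 s interval plus slack
            ka_max = (int(secs / 25) + 2) * 32
        }
        NR == 1 { next }                                # interface line of the later dump
        NF >= 8 {
            drx = $6 - rx0[$1]; dtx = $7 - tx0[$1]
            # cryptokey routing: only destinations inside AllowedIPs are sent to the peer,
            # so a full-tunnel client must have 0.0.0.0/0 here
            full = ($4 ~ "(^|,)0\\.0\\.0\\.0/0(,|$)") ? "yes" : "no"
            if ($5 == 0)                               state = "NO_HANDSHAKE"
            else if (now != "" && now - $5 > 180)      state = "STALE_HANDSHAKE"
            else if (drx == 0 && dtx <= ka_max)        state = "KEEPALIVE_ONLY"
            else                                       state = "TRAFFIC_OK"
            printf "%s peer=%s endpoint=%s default_route_in_allowed_ips=%s rx+%d tx+%d\n",
                   state, $1, $3, full, drx, dtx
        }'
}

# Constructed sample snapshots taken 30 s apart (placeholder keys, documentation addresses):
# PEER_A has a handshake but only one 32-byte keepalive went out, the symptom from the thread;
# PEER_B carries real traffic; PEER_C never completed a handshake.
sample_before() {
    printf 'PRIVKEY\tIFPUBKEY\t0\toff\n'
    printf 'PEER_A\t(none)\t203.0.113.10:51820\t0.0.0.0/0\t1699999900\t2488\t3112\t25\n'
    printf 'PEER_B\t(none)\t198.51.100.7:51820\t10.8.0.0/24,0.0.0.0/0\t1700000001\t1811\t1904\toff\n'
    printf 'PEER_C\t(none)\t192.0.2.9:51820\t0.0.0.0/0\t0\t0\t296\t25\n'
}
sample_after() {
    printf 'PRIVKEY\tIFPUBKEY\t0\toff\n'
    printf 'PEER_A\t(none)\t203.0.113.10:51820\t0.0.0.0/0\t1699999900\t2488\t3144\t25\n'
    printf 'PEER_B\t(none)\t198.51.100.7:51820\t10.8.0.0/24,0.0.0.0/0\t1700000001\t9145033\t512874\toff\n'
    printf 'PEER_C\t(none)\t192.0.2.9:51820\t0.0.0.0/0\t0\t0\t444\t25\n'
}

wg_diag "$(sample_before)" "$(sample_after)" 30
# On the router, with a download running on the PC behind it:
#   a=$(wg show wg0 dump); sleep 30; b=$(wg show wg0 dump); wg_diag "$a" "$b" 30 "$(date +%s)"
```

Run it while a client behind the router is actually pulling data: a KEEPALIVE_ONLY verdict with default_route_in_allowed_ips=no points at the peer's AllowedIPs or the "Route Allowed IPs" setting, while KEEPALIVE_ONLY with =yes means the route or the lan-to-vpn forwarding is not sending the traffic into wg0; `ip route show default` tells which default route the kernel is using.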