Client has no internet with Wireguard VPN and separate gateway

I have an OpenWrt device at 192.168.2.2 (acting as a 'dumb' Wi-Fi AP) while another device 192.168.2.1 is the internet gateway (DSL router).

.2 is supposed to run a Wireguard server.

On .1, I've forwarded port 51823 to .2 as well as added a static route to the VPN subnet 192.168.9.0/24 to .2.

I've set up the server according to this user guide: https://openwrt.org/docs/guide-user/services/vpn/wireguard/server

It seems the connection is established successfully, but in the adapter status there is no gateway, and internet access is not working, nor can I ping 192.168.9.1.

Firewall:

```
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'vpn'
```

Interfaces:

```
config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config globals 'globals'
        option ula_prefix 'fde1:...::/48'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.2.2'
        option gateway '192.168.2.1'
        list dns '192.168.2.1'
        option device 'br-lan'

config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr '...'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'vpn'
        option proto 'wireguard'
        option private_key '...'
        option listen_port '51823'
        list addresses '192.168.9.1/24'
        list addresses 'fdf1:...::1/64'

config wireguard_vpn 'wgclient'
        option public_key '...'
        option preshared_key '...'
        list allowed_ips '192.168.9.2/32'
        list allowed_ips 'fdf1:...:2/128'
        option route_allowed_ips '1'
```

Client configuration:

```
[Interface]
PrivateKey = ...
Address = 192.168.9.2/32
DNS = 192.168.9.1

[Peer]
PublicKey = ...
PresharedKey = ...
AllowedIPs = 0.0.0.0/0
Endpoint = example.com:51823
PersistentKeepalive = 21
```

What is the output of `wg show`?

```
interface: vpn
  public key: ...
  private key: (hidden)
  listening port: 51823

peer: ...
  preshared key: (hidden)
  allowed ips: 192.168.9.2/32, fdf1:.../128
```

This indicates that there is no handshake.

On the 'client' device, change the endpoint to 192.168.2.2:51823 and attempt to connect while using Wi-Fi (on your same network). Then post the output of `wg show` again. This test will allow us to understand if the keys are working properly or not -- if you get a handshake, keys are good. If not, you may need to regenerate your keys (pro-tip: remove the preshared key for the purposes of troubleshooting and then add it in later when everything is working).

The problem was that I had the client's public key in the client's [Peer] section when it should have been the server's public key.

This is a common problem... the reason I recommended regenerating keys is that it gives the opportunity to make sure the keys are exchanged into the right places.

Anyway, glad things are now working as expected.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
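
The key mix-up that caused the missing handshake in this thread can be checked offline. The following is an added example, not part of the original posts: it derives the public key from the client's own PrivateKey (the same computation `wg pubkey` performs) and flags a [Peer] PublicKey that is the client's own key. The function names and the sample keys (RFC 7748 test vectors) are assumptions for illustration.

```python
import base64
import configparser

P = 2**255 - 19  # Curve25519 field prime

def wg_pubkey(private_b64):
    """X25519 base-point multiply (RFC 7748). Not constant-time: offline checks only."""
    k = bytearray(base64.b64decode(private_b64))
    k[0] &= 248; k[31] &= 127; k[31] |= 64        # clamp the scalar
    k = int.from_bytes(k, "little")
    x1, x2, z2, x3, z3, swap = 9, 1, 0, 9, 1, 0
    for t in reversed(range(255)):                 # Montgomery ladder
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    out = x2 * pow(z2, P - 2, P) % P
    return base64.b64encode(out.to_bytes(32, "little")).decode()

def diagnose(client_conf, server_pubkey=None):
    """Classify the client's [Peer] PublicKey: 'own-key', 'mismatch' or 'ok'."""
    cfg = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cfg.read_string(client_conf)
    own = wg_pubkey(cfg["Interface"]["PrivateKey"])
    peer = cfg["Peer"]["PublicKey"]
    if peer == own:
        return "own-key"   # client's own public key pasted into [Peer]
    if server_pubkey is not None and peer != server_pubkey:
        return "mismatch"  # differs from what `wg show` prints on the server
    return "ok"

def b64(hexstr):
    return base64.b64encode(bytes.fromhex(hexstr)).decode()

# Constructed sample: RFC 7748 section 6.1 test keys (public, never use as real keys).
CLIENT_PRIV = b64("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
SERVER_PUB = b64("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
CONF = ("[Interface]\nPrivateKey = {}\nAddress = 192.168.9.2/32\n\n"
        "[Peer]\nPublicKey = {}\nAllowedIPs = 0.0.0.0/0\n")

if __name__ == "__main__":
    print(diagnose(CONF.format(CLIENT_PRIV, wg_pubkey(CLIENT_PRIV)), SERVER_PUB))
    print(diagnose(CONF.format(CLIENT_PRIV, SERVER_PUB), SERVER_PUB))
```

Pass the server's public key as printed by `wg show` on the server as `server_pubkey`; without it, only the own-key mistake is detected.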