Configure wireguard client/server

I am configuring an OpenWRT based client/server pair using two nanopi devices.

The server has a static IP and will be connected via an LTE router. The static IP is provided by the cellular carrier that provides the LTE router, and that router is in bridge mode so that the external IP shows up as the WAN address for OpenWRT.

The client will have whatever IP address is assigned to it and can expect to be usually NAT'ed behind some router. Details are unknown and need to be irrelevant or this won't work.

At this point I have the server set up on the LTE router and the client is connected on both LAN and WAN through my workstation (different subnets ...). My workstation has 3 NICs so handling multiple connections is not an issue.

Using tcpdump on my workstation so that I can see the client's WAN traffic shows that the server and the client see each other:

sometimes:

18:43:59.117898 IP 192.168.12.191.28360 > 162.191.189.110.30210: UDP, length 148
18:43:59.312563 IP 162.191.189.110.30210 > 192.168.12.191.28360: UDP, length 92
18:44:04.157478 IP 192.168.12.191.28360 > 162.191.189.110.30210: UDP, length 148
18:44:04.413048 IP 162.191.189.110.30210 > 192.168.12.191.28360: UDP, length 92

and sometimes:

18:41:22.872760 IP 162.191.189.110.30210 > 192.168.12.191.28360: UDP, length 148
18:41:22.880576 IP 192.168.12.191.28360 > 162.191.189.110.30210: UDP, length 92
18:41:27.987307 IP 162.191.189.110.30210 > 192.168.12.191.28360: UDP, length 148
18:41:27.994143 IP 192.168.12.191.28360 > 162.191.189.110.30210: UDP, length 92

depending on which side initiates the handshake.

I have both the client and the server configured for debugging; dmesg on the client and on the server looks the same depending on who initiates the handshake.

If the server initiates the handshake, I get this on the client:

[ 7718.785976] wireguard: wg0: Receiving handshake initiation from peer 7 (162.191.189.110:30210)
[ 7718.786771] wireguard: wg0: Sending handshake response to peer 7 (162.191.189.110:30210)
[ 7718.790547] wireguard: wg0: Keypair 317 destroyed for peer 7
[ 7718.791063] wireguard: wg0: Keypair 318 created for peer 7

and on the server:

[ 5356.645012] wireguard: wg0: Sending handshake initiation to peer 3 (184.190.169.121:28360)
[ 5356.929295] wireguard: wg0: Invalid handshake response from 184.190.169.121:28360
[ 5362.393842] wireguard: wg0: Handshake for peer 3 (184.190.169.121:28360) did not complete after 5 seconds, retrying (try 19)
[ 5362.395003] wireguard: wg0: Sending handshake initiation to peer 3 (184.190.169.121:28360)
[ 5362.689348] wireguard: wg0: Invalid handshake response from 184.190.169.121:28360
[ 5367.514011] wireguard: wg0: Handshake for peer 3 (184.190.169.121:28360) did not complete after 5 seconds, retrying (try 20)

and vice-versa when the client initiates the handshake.

The wireguard configuration on the client is:

root@Client:~# wg showconf wg0
[Interface]
ListenPort = 28360
PrivateKey =blahblah

[Peer]
PublicKey = uElTU2ZA6s38hZm7svdb2Cgg2dOtICA6AcpmSwLmQzo=
AllowedIPs = 10.14.7.1/32
Endpoint = 162.191.189.110:30210
PersistentKeepalive = 25

and on the server:

root@Server:~# wg showconf wg0
[Interface]
ListenPort = 30210
PrivateKey =blahblah

[Peer]
PublicKey = f9Nz1Me+l60pAH3dusLBQ4U/DG/70fg8KdcQxmdDm1I=
PresharedKey = blahblah
AllowedIPs = 10.14.7.2/32
Endpoint = 184.190.169.121:28360
PersistentKeepalive = 25

The keys are correct, the server is properly getting the PSK from the client, and the endpoint addresses are right. The devices are talking to each other.

Seems to me this has to be a firewall issue, but I am missing something.

The client firewall is:

root@Client:/etc/config# cat firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option flow_offloading '0'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option fullcone4 '1'
        option fullcone6 '1'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'wg0'

config forwarding
        option src 'lan'
        option dest 'VPN'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Reject-IPv6'
        option family 'ipv6'
        option src 'wan'
        option dest '*'
        option target 'REJECT'
        option enabled '0'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option src 'VPN'
        option name 'wireguard'
        list proto 'all'

config zone
        option name 'VPN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wg0'
        option masq '1'

config forwarding
        option src 'VPN'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'VPN'

config rule
        option src 'VPN'
        option target 'ACCEPT'
        option name 'allow ping over vpn'
        list proto 'tcp'
        list proto 'udp'
        list proto 'icmp'

config rule
        option name 'allow wireguard'
        option src 'VPN'
        option target 'ACCEPT'
        list proto 'all'
        option dest 'VPN'
        list src_ip '10.14.7.0/8'

config rule
        option name 'allow outbound wg'
        option dest 'VPN'
        option target 'ACCEPT'
        list proto 'all'
        list dest_ip '10.14.7.0/8'

config rule

and the server firewall:

root@Server:/etc/config# cat firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option flow_offloading '0'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        option masq '1'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option fullcone4 '1'
        option fullcone6 '1'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Reject-IPv6'
        option family 'ipv6'
        option src 'wan'
        option dest '*'
        option target 'REJECT'
        option enabled '0'

config rule
        option name 'Allow wireguard'
        list proto 'udp'
        option src 'VPN'
        option target 'ACCEPT'
        list src_ip '10.14.7.0/8'
        option dest '*'

config zone
        option name 'VPN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option mtu_fix '1'
        list network 'wg0'

config forwarding
        option src 'VPN'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'VPN'

config rule
        option src 'VPN'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'
        list proto 'icmp'
        list src_ip '10.14.7.0/8'

config rule
        option name 'incoming wireguard connection'
        option dest_port '30210'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'
        list proto 'icmp'
        option src 'wan'

config rule
        option name 'allow outbound wireguard'
        option dest 'VPN'
        option target 'ACCEPT'
        list src_ip '10.14.7.0/8'
        list proto 'all'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'wireguard'
        list proto 'udp'
        option src 'VPN'
        option src_dport '30210'
        option dest_ip '192.168.1.1'

config rule

I just know I'm gonna feel dumb when this problem is found. But can anyone tell me what is wrong?

Please post the following from both the server and the client:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network

The server:

root@Server:/etc/config# cat network 

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd00:ab:cd::/48'
        option packet_steering '1'

config device
        option name 'eth0'
        option macaddr 'be:c3:b8:d7:26:26'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config device
        option name 'eth1'
        option macaddr 'be:c3:b8:d7:26:27'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.2.199'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'blahblah
        option listen_port '30210'
        list addresses '10.14.7.0/8'

config wireguard_wg0
        option description 'client'
        option public_key 'f9Nz1Me+l60pAH3dusLBQ4U/DG/70fg8KdcQxmdDm1I='
        option preshared_key blahblah
        option persistent_keepalive '25'
        list allowed_ips '10.14.7.2/32'

and the client:

root@Client:/etc/config# cat network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd00:ab:cd::/48'
        option packet_steering '1'

config device
        option name 'eth0'
        option macaddr 'be:c3:b8:d7:26:26'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'
        option peerdns '0'
        list dns '192.168.2.50'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config device
        option name 'eth1'
        option macaddr 'be:c3:b8:d7:26:27'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wg0'
        option proto 'wireguard'
        option private_key blahblah
        list addresses '10.14.7.2/32'

config wireguard_wg0 'wgserver'
        option public_key 'uElTU2ZA6s38hZm7svdb2Cgg2dOtICA6AcpmSwLmQzo='
        option endpoint_host '162.191.189.110'
        option endpoint_port '30210'
        option persistent_keepalive '25'
        list allowed_ips '10.14.7.1/32'

You forgot the output of:

ubus call system board

Sorry.

The machines are identical (purchased together) and the images are from the same download. So both boards are identical.

root@Server:/etc/config# ubus call system board
{
        "kernel": "6.6.78+",
        "hostname": "Server",
        "system": "ARMv8 Processor rev 4",
        "model": "FriendlyElec NanoPi R4S",
        "board_name": "friendlyelec,nanopi-r4s",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.0",
                "revision": "r28427-6df0e3d02a",
                "target": "rockchip/armv8",
                "description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
                "builddate": "1738624177"
        }
}

It appears you are using firmware that is not from the official OpenWrt project.

When using forks/offshoots/vendor-specific builds that are "based on OpenWrt", there may be many differences compared to the official versions (hosted by OpenWrt.org). Some of these customizations may fundamentally change the way that OpenWrt works. You might need help from people with specific/specialized knowledge about the firmware you are using, so it is possible that advice you get here may not be useful.

You may find that the best options are:

  1. Install an official version of OpenWrt, if your device is supported (see https://firmware-selector.openwrt.org).
  2. Ask for help from the maintainer(s) or user community of the specific firmware that you are using.
  3. Provide the source code for the firmware so that users on this forum can understand how your firmware works (OpenWrt forum users are volunteers, so somebody might look at the code if they have time and are interested in your issue).

If you believe that this specific issue is common to generic/official OpenWrt and/or the maintainers of your build have indicated as such, please feel free to clarify.

You are correct in that I did download the firmware from the Friendlyelec site. My experience with them indicates that what they provide is pretty close to stock, and the syntax for the configs looks full stock. At least, I don't see any differences. I seriously doubt this issue is rooted in any difference between their build and full stock though of course I cannot prove that.

The link you provided leads to an updater, not an installer. Is it safe enough to install that updater over the existing image?

Yes, you can use the sysupgrade image downloaded from the firmware selector, and you'll simply use the upgrade feature in the friendlywrt fork to change over to official OpenWrt.

That said, do not keep settings during the upgrade (and do not restore an upgrade). There are items in their configs which are not compatible. You can use a backup as a human-readable reference to recreate most of the config, though.

The reason it's important:

  • there are absolutely material differences in the configs (and things under the hood) when comparing their fork vs official OpenWrt
  • changes suggested here (while you are using the Friendlywrt fork) may break your installation/config because of those differences.

go ahead and upgrade, then we can review again.

Did you configure the Preshared Key on the "client" config for the peer?

It doesn't appear in your wg show output or config.
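
The logs earlier in the thread (the responder accepts the initiation and answers, the initiator reports "Invalid handshake response") are what WireGuard produces when the two peers mix different preshared keys into the handshake, and a peer with no PresharedKey uses an all-zero one. As an added example, not part of any post in this thread, the following script compares the PresharedKey each side holds for the other peer, given the text of `wg showconf wg0` from both devices. The public keys are the ones posted above; the private-key and PSK values are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check that both ends of a WireGuard tunnel agree on the PSK.

# peer_psk CONF_TEXT PEER_PUBKEY
# Prints the PresharedKey of the [Peer] with that PublicKey (empty if the peer
# has none). Exit status 2 if the config has no such peer.
peer_psk() {
    printf '%s\n' "$1" | awk -v want="$2" '
        function emit() { if (inpeer && pub == want) { print psk; found = 1 } }
        /^\[/ { emit(); inpeer = ($0 == "[Peer]"); pub = ""; psk = ""; next }
        {
            # Split at the first "=" only: base64 values end in "=" themselves.
            i = index($0, "=")
            if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == "PublicKey") pub = v
            else if (k == "PresharedKey") psk = v
        }
        END { emit(); exit(found ? 0 : 2) }
    '
}

# check_psk_pair CLIENT_CONF SERVER_PUBKEY SERVER_CONF CLIENT_PUBKEY
# Returns 0 if both sides agree, 1 on a PSK mismatch, 2 if a peer is missing.
check_psk_pair() {
    a=$(peer_psk "$1" "$2") || { echo "peer $2 not found in client config"; return 2; }
    b=$(peer_psk "$3" "$4") || { echo "peer $4 not found in server config"; return 2; }
    if [ -z "$a" ] && [ -z "$b" ]; then
        echo "ok: no PresharedKey on either side"; return 0
    fi
    if [ -z "$a" ] || [ -z "$b" ]; then
        echo "MISMATCH: PresharedKey is set on one side only"; return 1
    fi
    if [ "$a" != "$b" ]; then
        echo "MISMATCH: PresharedKey values differ"; return 1
    fi
    echo "ok: same PresharedKey on both sides"; return 0
}

SERVER_PUB='uElTU2ZA6s38hZm7svdb2Cgg2dOtICA6AcpmSwLmQzo='
CLIENT_PUB='f9Nz1Me+l60pAH3dusLBQ4U/DG/70fg8KdcQxmdDm1I='

# Constructed input: same shape as the client output posted above.
CLIENT_CONF=$(cat <<'EOF'
[Interface]
ListenPort = 28360
PrivateKey = REDACTED-PLACEHOLDER

[Peer]
PublicKey = uElTU2ZA6s38hZm7svdb2Cgg2dOtICA6AcpmSwLmQzo=
AllowedIPs = 10.14.7.1/32
Endpoint = 162.191.189.110:30210
PersistentKeepalive = 25
EOF
)

# Constructed input: same shape as the server output posted above.
SERVER_CONF=$(cat <<'EOF'
[Interface]
ListenPort = 30210
PrivateKey = REDACTED-PLACEHOLDER

[Peer]
PublicKey = f9Nz1Me+l60pAH3dusLBQ4U/DG/70fg8KdcQxmdDm1I=
PresharedKey = PSK-PLACEHOLDER-constructed
AllowedIPs = 10.14.7.2/32
Endpoint = 184.190.169.121:28360
PersistentKeepalive = 25
EOF
)

# The client config with the same PSK appended to its (last) [Peer] section.
CLIENT_FIXED="$CLIENT_CONF
PresharedKey = PSK-PLACEHOLDER-constructed"

echo "as posted:"
check_psk_pair "$CLIENT_CONF" "$SERVER_PUB" "$SERVER_CONF" "$CLIENT_PUB" \
    || echo "(exit status $?)"
echo "with the PSK added on the client:"
check_psk_pair "$CLIENT_FIXED" "$SERVER_PUB" "$SERVER_CONF" "$CLIENT_PUB" \
    || echo "(exit status $?)"
```

On real devices the two config texts come from `wg showconf wg0` on each side; that output contains the private key and PSK in clear, so move it only over a trusted channel.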

What is the difference between the regular version and the "enterprise edition"? They appear to have the same basic packages installed.

This is yet another reason that you need to ask them if you are running their fork. No such distinction exists in official OpenWrt. And obviously there are changes that they make such that they can have two versions.

Install official OpenWrt and things will be more straightforward.

Vendor supplied code based on OpenWRT -- that's ok - if they fork, they own it for support...

Much like u-boot - there's a lot of different vendors there, some provide code, some don't...

@cookiemonster - you seem to be very concerned about u-boot, but not concerned about upper layer forks and PR's pulled back..

but it is the Openwrt site providing two versions, not the friendlyelec site.

Really? Can you show me (links and/or screengrabs)? I'm not challenging you, but I've never seen this. Not sure where one would find an offering of a regular vs enterprise edition of OpenWrt from the official project.

There's 2 hardware versions of the NanoPi R4S. A normal version and an enterprise version. As they are different hardware models there's an entry for both in the firmware selector.

From their wiki...

  • The R4S Enterprise version has a built-in EEPROM chip (Model: 24AA025E48T) which has a globally unique MAC address. This is a permanent and tamper-proof address.

  • The R4S Standard version doesn't have this chip and has a MAC address that is generated by a software utility. Apart from this difference, the two versions have the same hardware configuration.

What's more odd is the HW diff between the 1GB and 4GB models, as they're completely different circuitboard layouts...

Mystery solved.

@jiml8 - please install the one that matches your hardware.

Yes, as pointed out previously, the two listings are for two different versions of the hardware. OpenWrt is the same in either case. There is no such thing as an "enterprise" vs standard version of OpenWrt.

Honestly I'm not sure which hardware I have. I do recall seeing the different variants when I was specifying these things, but I had our buyer actually make the purchase and I didn't specify which I wanted because I didn't care. Also the packaging is at the office and I am at home. My job doesn't generally get me into much networking these days, and when I tried to set up and configure this project using the tools at work...well...it got ugly. My home lab is much better equipped for all sorts of complicated networking topologies so I am here where I have the tools I need.

I did download and install the standard variant. If it doesn't support a hardware mac address, I don't think that will be a problem for me, even if these have it. I think it is interesting that friendlyelec doesn't distinguish between the two variants in their downloads - or if they did I totally missed it.

I also will add that there are substantial architectural differences between the friendlyelec openwrt image and the version I picked up here. You said there would be and now that I have them side by side I see you are right.

At this time I have more or less reconfigured both the client and the server but at this point the server isn't talking. I did this in sort of a rush because I am catching a plane in a couple of hours so perhaps I missed something trivial.

In any case, traffic is passing from the client to the server and is arriving at the server as seen by tcpdump on the server. The server is not responding.

root@Server:/etc/config/wireguard# ubus call system board
{
        "kernel": "6.6.86",
        "hostname": "Server",
        "system": "ARMv8 Processor rev 4",
        "model": "FriendlyElec NanoPi R4S",
        "board_name": "friendlyarm,nanopi-r4s",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.1",
                "revision": "r28597-0425664679",
                "target": "rockchip/armv8",
                "description": "OpenWrt 24.10.1 r28597-0425664679",
                "builddate": "1744562312"
        }
}

Server network:

root@Server:/etc/config# cat network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd82:463f:5f41::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config device
        option name 'eth1'
        option macaddr '2a:09:10:a9:48:7d'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.2.199'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth0'
        option macaddr '2a:09:10:a9:48:7c'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'blahblah'
        option listen_port '30210'
        list addresses '10.14.7.1'
        option mtu '1412'

config wireguard_wg0
        option description 'client'
        list allowed_ips '10.14.7.2/32'
        list allowed_ips '0.0.0.0/0'

Client network:

root@Client:/etc/config# cat network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda2:6dcc:a44e::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config device
        option name 'eth1'
        option macaddr 'be:c3:b8:d7:26:27'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth0'
        option macaddr 'be:c3:b8:d7:26:26'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'blahblah'
        list addresses '10.14.7.2/32'
        option mtu '1412'

config wireguard_wg0
        option description 'server'
        option public_key 'uElTU2ZA6s38hZm7svdb2Cgg2dOtICA6AcpmSwLmQzo='
        option endpoint_host '162.191.189.110'
        option endpoint_port '30210'
        option persistent_keepalive '25'
        list allowed_ips '10.14.7.1/32'
        list allowed_ips '10.14.7.2/32'

Server firewall:

root@Server:/etc/config# cat firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'VPN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wg0'

config rule
        option src 'wan'
        option name 'wireguard connection'
        list proto 'udp'
        option dest_port '30210'
        option target 'ACCEPT'

config rule
        option dest 'wan'
        option name 'outbound wireguard connection'
        list proto 'udp'
        option target 'ACCEPT'
        option dest_port '30210'

config forwarding
        option src 'VPN'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'VPN'

Client firewall:

root@Client:/etc/config# cat firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'VPN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wg0'

config forwarding
        option src 'VPN'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'VPN'

config rule
        option src 'wan'
        option name 'wireguard connection'
        list proto 'udp'
        option src_port '30210'
        option target 'ACCEPT'

config rule
        option dest 'wan'
        option name 'outbound wireguard connection'
        list proto 'udp'
        list dest_ip '162.191.189.110'
        option dest_port '30210'
        option target 'ACCEPT'

There is a bit of hacking in the networking files, such as the allowed IPs, but these can't be the basic problem because the server just doesn't respond...no error, no nothing.

Also this kernel does not have debugging built into it so I can't turn on debugging in dmesg the way I did with the friendlyelec variant, so this is a black box to me.

As much as I want to get this running, I am catching a plane in just a couple of hours so I won't be working on this for more than another half hour. Thus, I am grateful for the assistance but I won't respond again more than likely for several days.