Firewall: Allow incoming traffic from cellular / mobile device possible

Hi,

I have Home Assistant running and exposing it via DDNS for remote access with port forwarding. Whilst a MAC address whitelist works for WiFi, I could not manage to identify a MAC address for my mobile when on cellular. The cellular IP is also generic, not allowing me to use CIDR notation.

Therefore my question, does anyone have an idea how to control access?

Many thanks in advance
Mike

Do you want to control access to home assistant?

I would personally suggest disabling the port forward as this exposes your Home Assistant to the internet. You could set up a WireGuard VPN. This would allow you to dial into your home network and access any LAN resources.


MAC addresses are only visible on your local LAN (L2); they don't go beyond your ISP's first hop. You really should close all remote access (port forwardings) and connect to your Home Assistant only via a well secured VPN (roadwarrior type setup), e.g. via WireGuard (or OpenVPN, IPsec, ...).


Thanks for your advice, which makes total sense. I followed the current approach as this was the one I was most familiar with. Though, I am already working on the WireGuard setup.

Checking the docs I struggle to find some details on how WireGuard works with DDNS. Do you happen to have some details please?

Kind regards
Mike

xxx.xxx.xxx.xxx/32 (this is the notation for a single IPv4 address)

It works like DDNS on any other interface, what issues are you having?

What I meant with random cellular IP was that the range was way too wide to be an effective security / control measure.

My first question when attempting to set up WireGuard was, as I cannot find a configuration in the UI, how to configure the DDNS domain? To get a better understanding, I now used the automated WireGuard script "Named Peers with IDs" where there is a corresponding variable.

I think I am close to getting the setup done using my mobile as a peer.

Use OpenWrt's DDNS config files?

For Wireguard or DDNS?

  • For Wireguard install luci-app-wireguard
  • For DDNS install luci-app-ddns

Thanks for the confirmation, I got these already. Though, I could not find the configuration where the DDNS domain (please note that I got my own domain) is configured, but with the script it should be fine. Unfortunately I cannot establish a connection from my mobile peer. Got to check for more sources to learn it properly.

No clue what this means.

If you have a DDNS domain, you configure it in luci-app-ddns (which you noted was installed). You browse to it by going to Services > DDNS.

Hope this helps.

If you update your DDNS with a script, then DDNS packages are not needed.

Did you open your firewall (inbound/accept) for the WG port?


Yeah, makes sense. I guess the WireGuard setup got me confused.


In the phone, enter the DNS name of your router, that is the one registered with DDNS. Open one port on the firewall for UDP which leads to the Wireguard process. Configure that port number into the phone.

The IP of the phone will always be the same inside the tunnel, and you can route that to your LAN. Outside the tunnel it may have any IP, in general you don't care about that since Wireguard secures the connection with keys.


let's take a look at your config files to see if there are any issues that would prevent you from connecting...

We also need to make sure you have a public IP on the WAN of your router. Take a look at the LuCI web interface main status page and find the IPv4 upstream section... look at the IP address shown there and compare it to the result you get when you google "what's my IP" -- if they don't match, you either don't have a public IP from your ISP, or you've got a double-NAT situation... we'll explore if needed. If in doubt, post the first two octets of your IP address (in bold: aaa.bbb.ccc.ddd).

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

And also please provide the wireguard config from your phone.


My public IP is fine and being updated via DDNS to nest-assistent.mikeg.de which I verified via https://dnschecker.org/#A/nest-assistent.mikeg.de

cat /etc/config/network

config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

config globals 'globals'
	option ula_prefix 'fd2c:48ce:ad4f::/48'

config interface 'lan'
	option force_link '1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option device 'br-lan'

config interface 'wan'
	option proto 'pppoe'
	option username 'MY_USER'
	option password 'MY_PASSWORD'
	option ipv6 'auto'
	option device 'br-wan'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'
	option blinkrate '2'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5t'

config switch_port
	option device 'switch0'
	option port '1'
	option led '6'

config switch_port
	option device 'switch0'
	option port '2'
	option led '9'

config switch_port
	option device 'switch0'
	option port '5'
	option led '2'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config device
	option name 'br-wan'
	option type 'bridge'
	list ports 'eth1'

config interface 'NestVPN'
	option proto 'wireguard'
	option private_key 'MY_PRIVATE_KEY'
	option listen_port '51820'
	list addresses '192.168.9.1/24'
	list addresses 'fdf1:e8a1:8d3f:9::1/64'

config wireguard_NestVPN 'wgclient'
	option preshared_key 'MY_PRE_SHARED_KEY'
	list allowed_ips '192.168.9.2/32'
	list allowed_ips 'fdf1:e8a1:8d3f:9::2/128'
	option public_key 'XbYcuAW34Ix2m/x6UXRuXTYshAMmQuiCUZBMWXxOfUU='
	option private_key 'MY_PRIVATE_KEY'
	option route_allowed_ips '1'

cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option drop_invalid '1'
	option synflood_protect '1'
	option forward 'REJECT'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'NestVPN'

config zone 'wan'
	option name 'wan'
	option output 'ACCEPT'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'
	option masq '1'
	option log '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fe80::/10'
	option src_port '547'
	option dest_ip 'fe80::/10'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config redirect
	option dest 'lan'
	option target 'DNAT'
	list proto 'tcp'
	option src 'wan'
	option src_dport '443'
	option dest_ip '192.168.1.123'
	option name 'Nest-Assistent External LetsEncrypt 443'
	option dest_port '8123'
	option enabled '0'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'WireGuard'
	list proto 'udp'
	option src 'wan'
	option src_dport '51820'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

The WireGuard Status extension states the server is up and running. Trying to connect via my mobile (the peer config was shared via QR code) throws a DNS Resolution Error (Endpoint not reachable).

DNS resolution errors are very different from endpoint not reachable (unless the former causes the latter).

Check your endpoint address as entered into the mobile peer config - what does it have in there? If it is your ddns domain name, are there any typos? Can your phone resolve the address using another dns resolution or ping tool?

Can your computer resolve the address?

Thanks for the hint. Indeed, the QR code setup did not configure the DDNS domain but another value. After correcting that I managed to establish a connection, but the peer in OpenWrt is reported as not connected.


WireGuard App Log

2023-02-08 17:01:51.860646: [APP] App version: 1.0.15 (26)
2023-02-08 17:03:02.689244: [APP] startActivation: Entering (tunnel: NestVPN)
2023-02-08 17:03:02.694935: [APP] startActivation: Starting tunnel
2023-02-08 17:03:02.695635: [APP] startActivation: Success
2023-02-08 17:03:02.707707: [APP] Tunnel 'NestVPN' connection status changed to 'connecting'
2023-02-08 17:03:02.862172: [NET] App version: 1.0.15 (26)
2023-02-08 17:03:02.862327: [NET] Starting tunnel from the app
2023-02-08 17:03:07.696541: [APP] Status update notification timeout for tunnel 'NestVPN'. Tunnel status is now 'connecting'.
2023-02-08 17:03:08.263138: [NET] setTunnelNetworkSettings timed out after 5 seconds; proceeding anyway
2023-02-08 17:03:08.265346: [NET] DNS64: mapped 77.182.52.155 to itself.
2023-02-08 17:03:08.267811: [NET] Attaching to interface
2023-02-08 17:03:08.269460: [NET] UAPI: Updating private key
2023-02-08 17:03:08.269546: [NET] Routine: decryption worker 1 - started
2023-02-08 17:03:08.269562: [NET] Routine: encryption worker 2 - started
2023-02-08 17:03:08.269738: [NET] Routine: handshake worker 1 - started
2023-02-08 17:03:08.269827: [NET] Routine: handshake worker 4 - started
2023-02-08 17:03:08.269844: [NET] Routine: encryption worker 6 - started
2023-02-08 17:03:08.269912: [NET] Routine: handshake worker 6 - started
2023-02-08 17:03:08.269711: [NET] Routine: encryption worker 1 - started
2023-02-08 17:03:08.269947: [NET] Routine: decryption worker 2 - started
2023-02-08 17:03:08.270014: [NET] Routine: handshake worker 2 - started
2023-02-08 17:03:08.270093: [NET] Routine: decryption worker 6 - started
2023-02-08 17:03:08.270110: [NET] Routine: encryption worker 5 - started
2023-02-08 17:03:08.270212: [NET] Routine: handshake worker 3 - started
2023-02-08 17:03:08.270216: [NET] Routine: decryption worker 5 - started
2023-02-08 17:03:08.270253: [NET] UAPI: Removing all peers
2023-02-08 17:03:08.270300: [NET] Routine: encryption worker 3 - started
2023-02-08 17:03:08.270318: [NET] Routine: handshake worker 5 - started
2023-02-08 17:03:08.270393: [NET] Routine: TUN reader - started
2023-02-08 17:03:08.270438: [NET] Routine: decryption worker 3 - started
2023-02-08 17:03:08.270496: [NET] Routine: decryption worker 4 - started
2023-02-08 17:03:08.270491: [NET] Routine: encryption worker 4 - started
2023-02-08 17:03:08.270635: [NET] Routine: event worker - started
2023-02-08 17:03:08.271091: [NET] peer(PI2q…z7hM) - UAPI: Created
2023-02-08 17:03:08.271175: [NET] peer(PI2q…z7hM) - UAPI: Updating preshared key
2023-02-08 17:03:08.271326: [NET] peer(PI2q…z7hM) - UAPI: Updating endpoint
2023-02-08 17:03:08.272035: [NET] peer(PI2q…z7hM) - UAPI: Updating persistent keepalive interval
2023-02-08 17:03:08.272114: [NET] peer(PI2q…z7hM) - UAPI: Removing all allowedips
2023-02-08 17:03:08.272217: [NET] peer(PI2q…z7hM) - UAPI: Adding allowedip
2023-02-08 17:03:08.272344: [NET] peer(PI2q…z7hM) - UAPI: Adding allowedip
2023-02-08 17:03:08.273009: [NET] UDP bind has been updated
2023-02-08 17:03:08.273094: [NET] peer(PI2q…z7hM) - Starting
2023-02-08 17:03:08.273216: [NET] Interface state was Down, requested Up, now Up
2023-02-08 17:03:08.273284: [NET] Device started
2023-02-08 17:03:08.273521: [NET] Tunnel interface is utun4
2023-02-08 17:03:08.273723: [NET] Routine: receive incoming v4 - started
2023-02-08 17:03:08.273877: [NET] Routine: receive incoming v6 - started
2023-02-08 17:03:08.274654: [NET] peer(PI2q…z7hM) - Routine: sequential receiver - started
2023-02-08 17:03:08.274661: [NET] peer(PI2q…z7hM) - Routine: sequential sender - started
2023-02-08 17:03:08.275914: [NET] Network change detected with satisfied route and interface order [pdp_ip0]
2023-02-08 17:03:08.276399: [NET] DNS64: mapped 77.182.52.155 to itself.
2023-02-08 17:03:08.276512: [NET] peer(PI2q…z7hM) - UAPI: Updating endpoint
2023-02-08 17:03:08.276806: [NET] Routine: receive incoming v4 - stopped
2023-02-08 17:03:08.276870: [NET] Routine: receive incoming v6 - stopped
2023-02-08 17:03:08.277188: [NET] UDP bind has been updated
2023-02-08 17:03:08.277215: [NET] Routine: receive incoming v4 - started
2023-02-08 17:03:08.277252: [NET] Routine: receive incoming v6 - started
2023-02-08 17:03:08.284336: [APP] Tunnel 'NestVPN' connection status changed to 'connected'
2023-02-08 17:03:08.408894: [NET] Network change detected with unsatisfied route and interface order [pdp_ip0]
2023-02-08 17:03:08.409212: [NET] Connectivity offline, pausing backend.
2023-02-08 17:03:08.409870: [NET] Device closing
2023-02-08 17:03:08.410079: [NET] Routine: TUN reader - stopped
2023-02-08 17:03:08.410250: [NET] Routine: event worker - stopped
2023-02-08 17:03:08.410363: [NET] Routine: receive incoming v4 - stopped
2023-02-08 17:03:08.410490: [NET] Routine: receive incoming v6 - stopped
2023-02-08 17:03:08.410728: [NET] peer(PI2q…z7hM) - Stopping
2023-02-08 17:03:08.410903: [NET] peer(PI2q…z7hM) - Routine: sequential receiver - stopped
2023-02-08 17:03:08.410932: [NET] peer(PI2q…z7hM) - Routine: sequential sender - stopped
2023-02-08 17:03:08.411087: [NET] Device closed
2023-02-08 17:03:08.411141: [NET] Routine: decryption worker 1 - stopped
2023-02-08 17:03:08.411142: [NET] Routine: handshake worker 1 - stopped
2023-02-08 17:03:08.411148: [NET] Routine: decryption worker 5 - stopped
2023-02-08 17:03:08.411190: [NET] Routine: decryption worker 4 - stopped
2023-02-08 17:03:08.411221: [NET] Routine: decryption worker 3 - stopped
2023-02-08 17:03:08.411569: [NET] Routine: decryption worker 6 - stopped
2023-02-08 17:03:08.411641: [NET] Routine: decryption worker 2 - stopped
2023-02-08 17:03:08.411662: [NET] Routine: handshake worker 2 - stopped
2023-02-08 17:03:08.411740: [NET] Routine: handshake worker 5 - stopped
2023-02-08 17:03:08.411876: [NET] Routine: handshake worker 6 - stopped
2023-02-08 17:03:08.411870: [NET] Routine: handshake worker 4 - stopped
2023-02-08 17:03:08.411937: [NET] Routine: handshake worker 3 - stopped
2023-02-08 17:03:08.412289: [NET] Routine: encryption worker 4 - stopped
2023-02-08 17:03:08.412306: [NET] Routine: encryption worker 2 - stopped
2023-02-08 17:03:08.412387: [NET] Routine: encryption worker 5 - stopped
2023-02-08 17:03:08.412392: [NET] Routine: encryption worker 3 - stopped
2023-02-08 17:03:08.412444: [NET] Routine: encryption worker 1 - stopped
2023-02-08 17:03:08.412475: [NET] Routine: encryption worker 6 - stopped
2023-02-08 17:03:12.696417: [APP] Status update notification timeout for tunnel 'NestVPN'. Tunnel status is now 'connected'.
2023-02-08 17:12:13.699132: [APP] startDeactivation: Tunnel: NestVPN
2023-02-08 17:12:13.707478: [APP] Tunnel 'NestVPN' connection status changed to 'disconnecting'
2023-02-08 17:12:13.845035: [NET] Network change detected with unsatisfied route and interface order [pdp_ip0]
2023-02-08 17:12:17.818890: [NET] Network change detected with unsatisfied route and interface order [pdp_ip0]
2023-02-08 17:12:18.717593: [NET] Stopping tunnel
2023-02-08 17:12:18.761209: [APP] Tunnel 'NestVPN' connection status changed to 'disconnected'
2023-02-08 17:12:19.667504: [APP] Tunnel 'NestVPN' connection status changed to 'connecting'
2023-02-08 17:12:19.788235: [NET] App version: 1.0.15 (26)
2023-02-08 17:12:19.824968: [NET] Starting tunnel from the OS directly, rather than the app
2023-02-08 17:12:27.257466: [NET] setTunnelNetworkSettings timed out after 5 seconds; proceeding anyway
2023-02-08 17:12:27.259823: [NET] DNS64: mapped 77.182.52.155 to itself.
2023-02-08 17:12:27.261380: [NET] Attaching to interface
2023-02-08 17:12:27.262144: [NET] Routine: handshake worker 1 - started
2023-02-08 17:12:27.262295: [NET] UAPI: Updating private key
2023-02-08 17:12:27.262405: [NET] Routine: decryption worker 2 - started
2023-02-08 17:12:27.262526: [NET] Routine: decryption worker 1 - started
2023-02-08 17:12:27.262590: [NET] Routine: handshake worker 4 - started
2023-02-08 17:12:27.262711: [NET] Routine: encryption worker 1 - started
2023-02-08 17:12:27.262732: [NET] Routine: handshake worker 2 - started
2023-02-08 17:12:27.262760: [NET] Routine: decryption worker 5 - started
2023-02-08 17:12:27.262860: [NET] Routine: encryption worker 3 - started
2023-02-08 17:12:27.262847: [NET] Routine: encryption worker 5 - started
2023-02-08 17:12:27.262893: [NET] Routine: handshake worker 6 - started
2023-02-08 17:12:27.262944: [NET] Routine: encryption worker 2 - started
2023-02-08 17:12:27.262979: [NET] Routine: encryption worker 6 - started
2023-02-08 17:12:27.262993: [NET] Routine: decryption worker 6 - started
2023-02-08 17:12:27.263164: [NET] Routine: decryption worker 3 - started
2023-02-08 17:12:27.263241: [NET] Routine: encryption worker 4 - started
2023-02-08 17:12:27.263244: [NET] Routine: TUN reader - started
2023-02-08 17:12:27.263285: [NET] Routine: decryption worker 4 - started
2023-02-08 17:12:27.263411: [NET] Routine: handshake worker 3 - started
2023-02-08 17:12:27.263429: [NET] Routine: handshake worker 5 - started
2023-02-08 17:12:27.263555: [NET] Routine: event worker - started
2023-02-08 17:12:27.263605: [NET] UAPI: Removing all peers
2023-02-08 17:12:27.264881: [NET] peer(PI2q…z7hM) - UAPI: Created
2023-02-08 17:12:27.265004: [NET] peer(PI2q…z7hM) - UAPI: Updating preshared key
2023-02-08 17:12:27.265117: [NET] peer(PI2q…z7hM) - UAPI: Updating endpoint
2023-02-08 17:12:27.265398: [NET] peer(PI2q…z7hM) - UAPI: Updating persistent keepalive interval
2023-02-08 17:12:27.265544: [NET] peer(PI2q…z7hM) - UAPI: Removing all allowedips
2023-02-08 17:12:27.265754: [NET] peer(PI2q…z7hM) - UAPI: Adding allowedip
2023-02-08 17:12:27.265931: [NET] peer(PI2q…z7hM) - UAPI: Adding allowedip
2023-02-08 17:12:27.266703: [NET] UDP bind has been updated
2023-02-08 17:12:27.266761: [NET] Routine: receive incoming v4 - started
2023-02-08 17:12:27.266798: [NET] Routine: receive incoming v6 - started
2023-02-08 17:12:27.266817: [NET] peer(PI2q…z7hM) - Starting
2023-02-08 17:12:27.267154: [NET] Interface state was Down, requested Up, now Up
2023-02-08 17:12:27.267229: [NET] Device started
2023-02-08 17:12:27.267448: [NET] Tunnel interface is utun4
2023-02-08 17:12:27.267450: [NET] peer(PI2q…z7hM) - Routine: sequential sender - started
2023-02-08 17:12:27.267497: [NET] peer(PI2q…z7hM) - Routine: sequential receiver - started
2023-02-08 17:12:27.268917: [NET] Network change detected with satisfied route and interface order [pdp_ip0]
2023-02-08 17:12:27.269513: [NET] DNS64: mapped 77.182.52.155 to itself.
2023-02-08 17:12:27.269640: [NET] peer(PI2q…z7hM) - UAPI: Updating endpoint
2023-02-08 17:12:27.269916: [NET] Routine: receive incoming v4 - stopped
2023-02-08 17:12:27.270086: [NET] Routine: receive incoming v6 - stopped
2023-02-08 17:12:27.271211: [NET] UDP bind has been updated
2023-02-08 17:12:27.271308: [NET] Routine: receive incoming v6 - started
2023-02-08 17:12:27.271430: [NET] Routine: receive incoming v4 - started
2023-02-08 17:12:27.274313: [APP] Tunnel 'NestVPN' connection status changed to 'connected'
2023-02-08 17:12:27.383838: [NET] Network change detected with unsatisfied route and interface order [pdp_ip0]
2023-02-08 17:12:27.384223: [NET] Connectivity offline, pausing backend.
2023-02-08 17:12:27.384839: [NET] Device closing
2023-02-08 17:12:27.385039: [NET] Routine: TUN reader - stopped
2023-02-08 17:12:27.385215: [NET] Routine: event worker - stopped
2023-02-08 17:12:27.385372: [NET] Routine: receive incoming v4 - stopped
2023-02-08 17:12:27.385553: [NET] Routine: receive incoming v6 - stopped
2023-02-08 17:12:27.385740: [NET] peer(PI2q…z7hM) - Stopping
2023-02-08 17:12:27.385921: [NET] peer(PI2q…z7hM) - Routine: sequential receiver - stopped
2023-02-08 17:12:27.385979: [NET] peer(PI2q…z7hM) - Routine: sequential sender - stopped
2023-02-08 17:12:27.386120: [NET] Routine: decryption worker 2 - stopped
2023-02-08 17:12:27.386110: [NET] Device closed
2023-02-08 17:12:27.386148: [NET] Routine: handshake worker 1 - stopped
2023-02-08 17:12:27.386224: [NET] Routine: handshake worker 6 - stopped
2023-02-08 17:12:27.386239: [NET] Routine: decryption worker 3 - stopped
2023-02-08 17:12:27.386367: [NET] Routine: handshake worker 5 - stopped
2023-02-08 17:12:27.386417: [NET] Routine: handshake worker 3 - stopped
2023-02-08 17:12:27.386451: [NET] Routine: decryption worker 6 - stopped
2023-02-08 17:12:27.386454: [NET] Routine: handshake worker 2 - stopped
2023-02-08 17:12:27.386516: [NET] Routine: handshake worker 4 - stopped
2023-02-08 17:12:27.386531: [NET] Routine: decryption worker 5 - stopped
2023-02-08 17:12:27.386613: [NET] Routine: decryption worker 4 - stopped
2023-02-08 17:12:27.386733: [NET] Routine: decryption worker 1 - stopped
2023-02-08 17:12:27.387072: [NET] Routine: encryption worker 6 - stopped
2023-02-08 17:12:27.387076: [NET] Routine: encryption worker 1 - stopped
2023-02-08 17:12:27.387152: [NET] Routine: encryption worker 2 - stopped
2023-02-08 17:12:27.387209: [NET] Routine: encryption worker 3 - stopped
2023-02-08 17:12:27.387228: [NET] Routine: encryption worker 4 - stopped
2023-02-08 17:12:27.387266: [NET] Routine: encryption worker 5 - stopped
2023-02-08 17:14:03.296806: [APP] startDeactivation: Tunnel: NestVPN
2023-02-08 17:14:03.299444: [APP] Tunnel 'NestVPN' connection status changed to 'disconnecting'
2023-02-08 17:14:03.405926: [NET] Network change detected with unsatisfied route and interface order [pdp_ip0]
2023-02-08 17:14:08.307033: [NET] Stopping tunnel
2023-02-08 17:14:08.324045: [APP] Tunnel 'NestVPN' connection status changed to 'disconnected'
2023-02-08 17:14:32.852820: [NET] App version: 1.0.15 (26)
2023-02-08 17:14:32.853001: [NET] Starting tunnel from the OS directly, rather than the app
2023-02-08 17:14:37.863842: [NET] setTunnelNetworkSettings timed out after 5 seconds; proceeding anyway
2023-02-08 17:14:37.866227: [NET] DNS64: mapped 77.182.52.155 to itself.
2023-02-08 17:14:37.867989: [NET] Attaching to interface
2023-02-08 17:14:37.868913: [NET] UAPI: Updating private key
2023-02-08 17:14:37.868914: [NET] Routine: encryption worker 2 - started
2023-02-08 17:14:37.869021: [NET] Routine: encryption worker 1 - started
2023-02-08 17:14:37.869144: [NET] Routine: handshake worker 4 - started
2023-02-08 17:14:37.869332: [NET] Routine: handshake worker 3 - started
2023-02-08 17:14:37.869481: [NET] Routine: encryption worker 4 - started
2023-02-08 17:14:37.869518: [NET] Routine: decryption worker 1 - started
2023-02-08 17:14:37.869549: [NET] Routine: decryption worker 3 - started
2023-02-08 17:14:37.869609: [NET] Routine: decryption worker 4 - started
2023-02-08 17:14:37.869729: [NET] Routine: handshake worker 1 - started
2023-02-08 17:14:37.869834: [NET] Routine: decryption worker 5 - started
2023-02-08 17:14:37.869936: [NET] Routine: encryption worker 5 - started
2023-02-08 17:14:37.869960: [NET] UAPI: Removing all peers
2023-02-08 17:14:37.869994: [NET] Routine: handshake worker 2 - started
2023-02-08 17:14:37.870137: [NET] Routine: decryption worker 2 - started
2023-02-08 17:14:37.870132: [NET] Routine: encryption worker 3 - started
2023-02-08 17:14:37.870233: [NET] Routine: TUN reader - started
2023-02-08 17:14:37.870257: [NET] Routine: encryption worker 6 - started
2023-02-08 17:14:37.870290: [NET] Routine: decryption worker 6 - started
2023-02-08 17:14:37.870332: [NET] Routine: handshake worker 6 - started
2023-02-08 17:14:37.870387: [NET] Routine: handshake worker 5 - started
2023-02-08 17:14:37.870466: [NET] Routine: event worker - started
2023-02-08 17:14:37.871145: [NET] peer(PI2q…z7hM) - UAPI: Created
2023-02-08 17:14:37.871244: [NET] peer(PI2q…z7hM) - UAPI: Updating preshared key
2023-02-08 17:14:37.871330: [NET] peer(PI2q…z7hM) - UAPI: Updating endpoint
2023-02-08 17:14:37.871531: [NET] peer(PI2q…z7hM) - UAPI: Updating persistent keepalive interval
2023-02-08 17:14:37.871617: [NET] peer(PI2q…z7hM) - UAPI: Removing all allowedips
2023-02-08 17:14:37.871720: [NET] peer(PI2q…z7hM) - UAPI: Adding allowedip
2023-02-08 17:14:37.871827: [NET] peer(PI2q…z7hM) - UAPI: Adding allowedip
2023-02-08 17:14:37.872397: [NET] UDP bind has been updated
2023-02-08 17:14:37.872455: [NET] Routine: receive incoming v4 - started
2023-02-08 17:14:37.872475: [NET] peer(PI2q…z7hM) - Starting
2023-02-08 17:14:37.872485: [NET] Routine: receive incoming v6 - started
2023-02-08 17:14:37.872772: [NET] Interface state was Down, requested Up, now Up
2023-02-08 17:14:37.872811: [NET] peer(PI2q…z7hM) - Routine: sequential receiver - started
2023-02-08 17:14:37.872864: [NET] Device started
2023-02-08 17:14:37.872967: [NET] peer(PI2q…z7hM) - Routine: sequential sender - started
2023-02-08 17:14:37.873073: [NET] Tunnel interface is utun4
2023-02-08 17:14:37.874450: [NET] Network change detected with satisfied route and interface order [pdp_ip0]
2023-02-08 17:14:37.875034: [NET] DNS64: mapped 77.182.52.155 to itself.
2023-02-08 17:14:37.875178: [NET] peer(PI2q…z7hM) - UAPI: Updating endpoint
2023-02-08 17:14:37.875484: [NET] Routine: receive incoming v4 - stopped
2023-02-08 17:14:37.875540: [NET] Routine: receive incoming v6 - stopped
2023-02-08 17:14:37.875960: [NET] UDP bind has been updated
2023-02-08 17:14:37.876031: [NET] Routine: receive incoming v4 - started
2023-02-08 17:14:37.876041: [NET] Routine: receive incoming v6 - started
2023-02-08 17:14:46.047363: [APP] Tunnel 'NestVPN' connection status changed to 'connected'
2023-02-08 17:14:46.165785: [NET] Network change detected with unsatisfied route and interface order [pdp_ip0]
2023-02-08 17:14:46.166040: [NET] Connectivity offline, pausing backend.
2023-02-08 17:14:46.166665: [NET] Device closing
2023-02-08 17:14:46.166817: [NET] Routine: TUN reader - stopped
2023-02-08 17:14:46.166921: [NET] Routine: event worker - stopped
2023-02-08 17:14:46.167033: [NET] Routine: receive incoming v4 - stopped
2023-02-08 17:14:46.167123: [NET] Routine: receive incoming v6 - stopped
2023-02-08 17:14:46.167203: [NET] peer(PI2q…z7hM) - Stopping
2023-02-08 17:14:46.167277: [NET] peer(PI2q…z7hM) - Routine: sequential receiver - stopped
2023-02-08 17:14:46.167293: [NET] peer(PI2q…z7hM) - Routine: sequential sender - stopped
2023-02-08 17:14:46.167368: [NET] Device closed
2023-02-08 17:14:46.167380: [NET] Routine: decryption worker 1 - stopped
2023-02-08 17:14:46.167399: [NET] Routine: handshake worker 4 - stopped
2023-02-08 17:14:46.167405: [NET] Routine: handshake worker 2 - stopped
2023-02-08 17:14:46.167416: [NET] Routine: handshake worker 1 - stopped
2023-02-08 17:14:46.167426: [NET] Routine: decryption worker 3 - stopped
2023-02-08 17:14:46.167481: [NET] Routine: decryption worker 5 - stopped
2023-02-08 17:14:46.167475: [NET] Routine: decryption worker 4 - stopped
2023-02-08 17:14:46.167553: [NET] Routine: handshake worker 3 - stopped
2023-02-08 17:14:46.167617: [NET] Routine: handshake worker 5 - stopped
2023-02-08 17:14:46.167643: [NET] Routine: decryption worker 6 - stopped
2023-02-08 17:14:46.167652: [NET] Routine: handshake worker 6 - stopped
2023-02-08 17:14:46.167699: [NET] Routine: decryption worker 2 - stopped
2023-02-08 17:14:46.167860: [NET] Routine: encryption worker 2 - stopped
2023-02-08 17:14:46.167873: [NET] Routine: encryption worker 3 - stopped
2023-02-08 17:14:46.167895: [NET] Routine: encryption worker 4 - stopped
2023-02-08 17:14:46.167911: [NET] Routine: encryption worker 6 - stopped
2023-02-08 17:14:46.167918: [NET] Routine: encryption worker 5 - stopped
2023-02-08 17:14:46.167921: [NET] Routine: encryption worker 1 - stopped

let's take a look at the wg config from your phone.

Did that a couple of times but to no avail. The WireGuard iPhone app states "Tunnel status is now 'connected'" but no packets arrive. I deleted the peer and set it up again twice. Once manually, another time via QR. No spaces in the keys, all seem valid.

please post your phone's wg config here (redact the keys)

Here you go

[Interface]
PrivateKey = MY_PRIVATE_KEY
ListenPort = 51820

[Peer]
PublicKey = PI2q7IUhd8V+aS/sssmrF0V1BpqA9/v8j69Toqez7hM=
PresharedKey = MY_PRE_SHARED_KEY
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = nest-assistent.mikeg.de:51820

The allowed IPs I once set to 192.168.9.2/32 and fdf1:e8a1:8d3f:9::2/128 to test this as a point of failure but to no avail.

Remove the listen port from your phone's WG interface.
And you need to add the interface address (192.168.9.2/32) to this stanza.

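The two defects pointed out in the last reply (no Address on the phone's [Interface], a stray ListenPort) are easy to catch mechanically before scanning a QR code. The linter below is an added example, not code from this thread or from OpenWrt; it parses a wg-quick style client config and cross-checks it against the router's peer stanza from the posted /etc/config/network. The keys in the sample configs are constructed placeholders of the right length.

```python
"""Lint a WireGuard road-warrior client config (the [Interface]/[Peer] text used
by wg-quick and the mobile apps) against the router's peer stanza.
Added example, not code from the thread; the sample configs are constructed
copies of the phone config posted above, with placeholder keys."""
import base64
import ipaddress
import re

PLACEHOLDER_KEY = "A" * 43 + "="  # a real key is 32 bytes = 44 base64 chars

# From the router's /etc/config/network posted above: the peer's allowed_ips,
# and the router's public key (the PublicKey the phone config points at).
ROUTER_PEER_ALLOWED_IPS = ["192.168.9.2/32", "fdf1:e8a1:8d3f:9::2/128"]
ROUTER_PUBLIC_KEY = "PI2q7IUhd8V+aS/sssmrF0V1BpqA9/v8j69Toqez7hM="

PHONE_CONFIG_BEFORE = f"""
[Interface]
PrivateKey = {PLACEHOLDER_KEY}
ListenPort = 51820

[Peer]
PublicKey = {ROUTER_PUBLIC_KEY}
PresharedKey = {PLACEHOLDER_KEY}
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = nest-assistent.mikeg.de:51820
"""

# Same config with the last reply's fixes applied: ListenPort dropped, Address
# added and matching the router peer's allowed_ips.
PHONE_CONFIG_AFTER = PHONE_CONFIG_BEFORE.replace(
    "ListenPort = 51820", "Address = 192.168.9.2/32, fdf1:e8a1:8d3f:9::2/128")

def parse_wg_config(text):
    """Parse INI-style wg config into {'interface': {...}, 'peers': [{...}]}."""
    iface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            if section == "interface":
                current = iface
            elif section == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section {line}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line {raw!r}")
        key, value = (s.strip() for s in line.split("=", 1))
        current[key.lower()] = value  # key names are case-insensitive
    return {"interface": iface, "peers": peers}

def is_wg_key(value):
    """True if value is base64 for exactly 32 bytes (Curve25519 key or PSK)."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def lint_client_config(text, router_allowed_ips, router_public_key):
    """Return a list of findings; an empty list means the config looks sane."""
    cfg = parse_wg_config(text)
    iface, findings = cfg["interface"], []
    allowed = [ipaddress.ip_network(n) for n in router_allowed_ips]
    if "address" not in iface:
        findings.append("Interface: missing Address, the phone has no tunnel IP")
    for a in (s.strip() for s in iface.get("address", "").split(",") if s.strip()):
        if not any(ipaddress.ip_interface(a).ip in n for n in allowed):
            findings.append(f"Interface: Address {a} outside router peer allowed_ips")
    if "listenport" in iface:
        findings.append("Interface: ListenPort set; a client that only dials out needs none")
    if not is_wg_key(iface.get("privatekey", "")):
        findings.append("Interface: PrivateKey is not a 32-byte base64 key")
    for peer in cfg["peers"]:
        if peer.get("publickey") != router_public_key:
            findings.append("Peer: PublicKey does not match the router's public key")
        if "allowedips" not in peer:
            findings.append("Peer: missing AllowedIPs, nothing is routed into the tunnel")
        m = re.fullmatch(r"(\[[0-9a-fA-F:]+\]|[^:\s]+):(\d{1,5})", peer.get("endpoint", ""))
        if not m or not 1 <= int(m.group(2)) <= 65535:
            findings.append("Peer: Endpoint must be <ddns-host-or-ip>:<udp-port>")
    return findings
```

Run against the posted config it reports the missing Address and the ListenPort; against the corrected config it reports nothing, because 192.168.9.2 and fdf1:e8a1:8d3f:9::2 are exactly what the router's peer stanza allows.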