Very possibly.
Thanks. I'll change the address and report back!
Well, I changed the address but still no luck 
let's see the latest config files. Two from your router and the 3rd from your phone:
/etc/config/network
/etc/config/firewall
and the WG config file from your phone.
Don't forget to redact the keys and any personal info, but leave the RFC1918 addresses intact.
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdca:ae32:3c52::/48'
config interface 'wan'
option device 'eth1'
option proto 'pppoe'
option username 'xxxxx'
option password 'xxxxx'
option ipv6 'auto'
option peerdns '0'
list dns '45.90.28.167'
list dns '45.90.30.167'
config interface 'wan6'
option device 'eth1'
option proto 'dhcpv6'
option reqaddress 'try'
option reqprefix 'auto'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '10.12.20.1'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 0t'
config interface 'wg0'
option proto 'wireguard'
option listen_port '9600'
option private_key 'xxxxxx'
option mtu '1420'
option delegate '0'
list addresses '10.12.21.1/24'
config wireguard_wg0
option description 'Android device'
option route_allowed_ips '1'
option preshared_key 'xxxxx'
option public_key 'xxxxx'
list allowed_ips '10.12.21.2/32'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'wg0'
config zone 'wan'
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
list network 'wan'
list network 'wan6'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled '0'
config include
option path '/etc/firewall.user'
config zone
option name 'wg'
option input 'ACCEPT'
option forward 'ACCEPT'
option output 'ACCEPT'
option masq '1'
option network 'wg0'
config forwarding
option src 'wg'
option dest 'wan'
config forwarding
option src 'wg'
option dest 'lan'
config forwarding
option src 'lan'
option dest 'wg'
config forwarding
option src 'wan'
option dest 'wg'
config rule
option src '*'
option target 'ACCEPT'
option proto 'udp'
option dest_port '9600'
option name 'Allow-Wireguard-Inbound'
Android device:
I hope this information could be useful. Thanks for your time 
EDIT: I deleted the previous firewall and port forwarding rules, and created new ones, per this guide.
Remove this line, at least for now:
You have wg0 in two firewall zones... it should only be in one.
remove this line from the lan zone definition
remove these:
Add in a DNS server into your wg interface on your phone (maybe 10.12.20.1)
Remove the IPv6 from the phone's allowed IPs.
You may need to disable masquerading on the wg zone in the firewall, but leave it enabled for now.
I edited the files and the Android device configuration, but now I just can access the router while connected to the WireGuard VPN. I disabled masquerading, but with same results. I can ping the camera (as well as other devices), but can't access the web interface anymore, nor I can't view the streaming, even with wifi.
Maybe I need to start over 
Seems like there's different ways to approach the same result, but I'm not sure which one could be better in my case.
PS: Just to clear out a doubt, do I need a port forwarding rule as well as a traffic rule?
At this point, it could be the camera system and not your WireGuard configuration...
Let's run some other tests. Set the phone on cellular (turn off wifi) and then turn on WG on the phone. Now, test the following things:
- Can you reach the router admin page?
- Can you reach google.com and other websites in general?
- Do you have any other devices on your network that have a a web interface, and can you reach those?
If those all work, the WG tunnel is working properly and now it is purely a question of your camera system. There are two possible causes at that point:
- The camera system may have a firewall on the device itself that only allows access from the same subnet. As an example, Windows does this by default, and you have to adjust the firewall to allow other subnets to access the system. The WG subnet must be different than the LAN subnet, so if this is the issue, you'll need to find out how to change the firewall settings on the camera system itself.
- The camera system could rely on mdns or other zero-conf type technologies that require that the viewing-client be on the same subnet. This is only a potential issue if the camera system has a dedicated and required app; if you normally use a web browser, this is unlikely to be part of the issue.
2 Likes
Oh, and to answer this, no... you only need the traffic rule, and that should be the only inbound rule related to your wireguard tunnel. If you want to post your latest config files, I can review them again.
1 Like
I think you're right. Well, kind of. It's been the Android app the whole time. I tried with another one, and it works just fine on 4G/LTE network.
This is embarrasing. Sorry (everyone) for wasting your time. But thanks a lot for your help, I actually have a good WG configuration now with the firewall zone and the traffic rule.
Glad it's all working now! You did have some potential issues with your WG config, so it was good to go through the exercise of getting that setup properly. But yeah, some apps behave poorly (or not at all) when they aren't on the same L2 network.
Please mark the most useful comment as the solution so that future readers will find it quickly.
2 Likes
If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.