Help with WireGuard routing all traffic guide

I've tried following the guide WireGuard routing all traffic to set up a Raspberry Pi 5 running the latest (ish) snapshot of OpenWRT.

Error

I just keep getting the following error in logread:

Sun Mar 17 12:35:24 2024 daemon.notice netifd: wg0_int (1925): Try again: `notmyrealdomain.duckdns.org:51820'. Trying again in 2.07 seconds...

My configs

Snapshot build was requested with the following packages (in addition to the defaults):
luci luci-ssl kmod-mt7921e kmod-mt7921u kmod-usb-net-asix-ax88179 kmod-usb-net-cdc-mbim kmod-usb-net-rtl8152 luci-proto-wireguard

OPNSense wg instance

I have port forwarded 51820 to the OPNSense server and have seen wg packets being received (with alternative configurations, not with the configuration shown below).

Also, I can't access luci and the DHCP server on lan/eth0 doesn't work but those are minor issues I can live with.

The intended use is to roam with the device and connect to public networks via Ethernet or WiFi as a last resort. I have a TP Link UE300 as my eth1 (i.e., someone else's router/gateway where I don't have access to). I have an OPNSense (I couldn't get OpenWRT working on x86) Wireguard instance running at home and all internet traffic should flow through there.

# /etc/config/network  (as posted; the private key is redacted by the author)
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fddb:c930:0025::/48'

# LAN side: the bridge carries the single port eth0 that travel-router clients use.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan_int'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
    	option delegate '0'
    	option defaultroute '0'

# WAN side: eth1 is the TP-Link UE300 USB NIC, addressed by the (untrusted)
# upstream network's DHCP server.
config interface 'wan_int'
	option proto 'dhcp'
	option device 'eth1'

# Tunnel interface; 10.80.90.2/32 is this client's address inside the tunnel.
config interface 'wg0_int'
	option proto 'wireguard'
	option private_key 'whatever was generated by the luci'
	list addresses '10.80.90.2/32'

# Peer = the OPNsense WireGuard instance at home.
# allowed_ips 0.0.0.0/0 together with route_allowed_ips '1' makes netifd install
# a default IPv4 route via wg0, so all IPv4 traffic is sent into the tunnel.
# Only IPv4 is listed (no ::/0), so nothing routes IPv6 into the tunnel; IPv6
# leaving via the WAN is then held back only by the firewall's DROP defaults.
# endpoint_host is a DNS name: netifd must resolve it before the first
# handshake, which is what the "Try again" message in logread reports failing.
config wireguard_wg0_int
	option public_key 'wg instance public key on OPNSense'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host 'notmyrealdomain.duckdns.org'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	option description 'home-pt-opnsense'
    	option route_allowed_ips '1'
# /etc/config/firewall  (as posted)
# Zone defaults are DROP in all three directions and every zone below repeats
# that, so only the explicit rules/forwardings pass traffic. OpenWrt rule
# semantics used throughout: 'src' only = INPUT (traffic to the router),
# 'dest' only = OUTPUT (traffic from the router itself), both = FORWARD.
config defaults
	option input 'DROP'
	option output 'DROP'
	option forward 'DROP'
	option synflood_protect '1'
	option drop_invalid '1'

config zone
	option name 'lan_zone'
	option output 'DROP'
	option forward 'DROP'
	option input 'DROP'
	list network 'lan_int'

# Untrusted upstream. masq/mtu_fix only act on traffic forwarded into this
# zone, and no forwarding into wan_zone is declared anywhere in the file, so
# LAN clients cannot bypass the tunnel (this is the "kill switch").
config zone
	option name 'wan_zone'
	option input 'DROP'
	option output 'DROP'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'
	list network 'wan_int'

# LAN clients may only be forwarded into the tunnel zone.
config forwarding
	option src 'lan_zone'
	option dest 'wg0_zone'

# INPUT on wan: DHCP offers/acks for the router's own wan_int DHCP client.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan_zone'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# Stock OpenWrt wan INPUT rules (ping, IGMP) kept from the defaults.
config rule
	option name 'Allow-Ping'
	option src 'wan_zone'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan_zone'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

# Legacy fw3-style include. fw4 (used by current snapshots) only honours
# includes declared compatible with it, so this entry is most likely ignored;
# check logread for an include warning if /etc/firewall.user is meant to do
# anything.
config include
	option path '/etc/firewall.user'

# Tunnel zone. masq '1' source-NATs traffic leaving via wg0 to the tunnel
# address 10.80.90.2.
config zone
	option name 'wg0_zone'
	option input 'DROP'
	option output 'DROP'
	option forward 'DROP'
	list network 'wg0_int'
	option masq '1'

# INPUT from LAN to the router's dnsmasq. No 'proto' is given, so the firewall
# default (tcp and udp) applies.
config rule 
	option name 'Allow_DNS_IN'
	option family 'ipv4'
	option src 'lan_zone'
	option dest_port '53'
	option target 'ACCEPT'

# Despite the name this is an INPUT rule (src only): LAN hosts may SSH into the
# router. It does not permit SSH out of the router or through the tunnel.
config rule
	option name 'Allow_SSH_OUT'
	option family 'ipv4'
	option src 'lan_zone'
	list proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'

# Duplicate of the lan_zone -> wg0_zone forwarding declared above; redundant
# rather than harmful, and most likely why wg0_zone shows up twice in LuCI.
config forwarding
	option src 'lan_zone'
	option dest 'wg0_zone'

# OUTPUT: the router's own WireGuard handshake/transport to the peer over the
# WAN. In this rule set it is the only router-originated traffic allowed to
# leave toward wan_zone.
config rule
	option name 'Allow_Wireguard_OUT'
	option family 'ipv4'
	list proto 'udp'
	option dest 'wan_zone'
	option dest_port '51820'
	option target 'ACCEPT'

# INPUT from LAN: DHCP discover/request to the router's DHCP server.
config rule
	option name 'Allow_DHCP_IN'
	option family 'ipv4'
	list proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'
	option src 'lan_zone'

# OUTPUT to LAN: the router's DHCP offers/acks.
config rule
	option name 'Allow_DHCP_OUT'
	option family 'ipv4'
	list proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option dest 'lan_zone'

# OUTPUT into the tunnel: dnsmasq forwarding to the upstream resolver
# 10.80.90.1 configured in /etc/config/dhcp.
config rule
	option family 'ipv4'
	option dest 'wg0_zone'
	option target 'ACCEPT'
	option name 'Allow_DNS_OUT'
	list proto 'tcp'
	list proto 'udp'
	option dest_port '53'

# OUTPUT into the tunnel: the router's own HTTP(S) (e.g. package downloads).
# Note there is no INPUT rule for TCP 80/443 from lan_zone, so the router's
# web UI (LuCI) is unreachable from the LAN with this rule set.
config rule
	option name 'Allow_HTTP(S)_OUT'
	option family 'ipv4'
	list proto 'tcp'
	option dest 'wg0_zone'
	option dest_port '80 443'
	option target 'ACCEPT'
 
# OUTPUT into the tunnel: the router's own NTP.
config rule
	option name 'Allow_NTP_OUT'
	option family 'ipv4'
	list proto 'udp'
	option dest 'wg0_zone'
	option dest_port '123'
	option target 'ACCEPT'

# /etc/config/dhcp
# dnsmasq is the LAN resolver: clients query the router, which forwards
# upstream. 10.80.90.1 (the tunnel peer) is the only explicitly listed upstream.
# NOTE(review): dnsmasq also takes upstream servers from 'resolvfile', i.e. the
# resolvers handed out by the untrusted WAN's DHCP. With wan_zone output set to
# DROP those queries cannot leave, but dnsmasq may still try them and stall.
# 'option noresolv '1'' restricts upstreams to the 'list server' entries —
# confirm that this is the intended behaviour.
config dnsmasq
    option domainneeded '1'
    option localise_queries '1'
    option rebind_protection '1'
    option rebind_localhost '1'
    option local '/lan/'
    option domain 'lan'
    option expandhosts '1'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
    option localservice '1'
    option ednspacket_max '1232'
    list server 10.80.90.1

In the guide from the given link, the firewall blocks everything and only some specific services for specific interfaces are allowed. You are not supposed to connect to the wg server by domain name but by ip address.

The wan port is not allowed to send DNS queries, so notmyrealdomain.duckdns.org cannot be resolved to an IP address and WireGuard cannot initiate a connection. To get the DNS service working, you first need a successful WireGuard connection. It's a catch-22 situation.

Try to connect to the server by ip address.

If the server public ip changes frequently and/or you prefer to connect via a domain name, you will need to create an allow rule for the wan interface and add an additional server option in /etc/config/dhcp.

# /etc/config/firewall
# OUTPUT rule (dest only, no src): lets the router itself — not LAN clients —
# send DNS to 8.8.8.8 over the WAN, so the peer's DDNS name can be resolved
# before the tunnel is up. dest_ip pins it to that single resolver; any other
# WAN-bound DNS from the router is still dropped by the zone default.
config rule
        option name 'Allow_DNS_WAN_OUT'
        option family 'ipv4'
        option dest 'wan_zone' 
        list dest_ip '8.8.8.8' 
        list proto 'tcp'
        list proto 'udp'
        option dest_port '53'
        option target 'ACCEPT'

# /etc/config/dhcp
# dnsmasq '/domain/server' syntax: only queries for notmyrealdomain.duckdns.org
# (and names under it) go to 8.8.8.8. Every other name is still forwarded to
# 10.80.90.1 through the tunnel, so the exposure over the WAN is limited to
# that one DDNS lookup.
config dnsmasq
        ...
        list server '/notmyrealdomain.duckdns.org/8.8.8.8' 	
        list server '10.80.90.1'
# /etc/config/firewall
# INPUT rule (src only, no dest): LAN hosts may reach the router's own web UI
# on TCP 80/443. This is the rule missing from the original set, which is why
# LuCI was unreachable.
config rule
        option name 'Allow_LuCI'
        option family 'ipv4'
        option src 'lan_zone'
        list proto 'tcp'
        option dest_port '80 443'
        option target 'ACCEPT'

Ok that makes sense and I'll try that as soon as I get back. The linked guide specifically states "<Peer_IP_or_FQDN>" so I assumed DDNS needs were taken into account.

Just to confirm, will this config result in a DNS leak for any clients that will be connected to the OpenWRT travel router? Once the Wireguard tunnel is up, I don't want 8.8.8.8 to be used anymore.

Ok luci now works. No traffic goes through the tunnel though but I can confirm that there is a handshake on both ends. I've poked around in OPNSense and can't see any firewall blocks in the live logs.

I noticed something odd in the Firewall rules. wg0_zone appears twice and I'm not sure if that means anything.

uci export network; uci export dhcp; uci export firewall
ubus call system board

# uci export network — keys and the DDNS host name redacted by the author.
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fddb:c930:0025::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan_int'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option delegate '0'
	option defaultroute '0'

# Untrusted upstream network, addressed by its DHCP server.
config interface 'wan_int'
	option proto 'dhcp'
	option device 'eth1'

config interface 'wg0_int'
	option proto 'wireguard'
	option private_key ''
	list addresses '10.80.90.2/32'

# allowed_ips 0.0.0.0/0 with route_allowed_ips '1' installs a default IPv4
# route via wg0. No ::/0 is listed, so IPv6 is not routed into the tunnel and
# relies on the firewall's DROP defaults to stay off the WAN.
config wireguard_wg0_int
	option public_key ''
	list allowed_ips '0.0.0.0/0'
	option endpoint_host '__.duckdns.org'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	option description 'home-pt-opnsense'
	option route_allowed_ips '1'

# uci export dhcp
package dhcp

# Upstreams: everything to 10.80.90.1 through the tunnel, except the DDNS name
# of the peer, which dnsmasq's '/domain/server' entry sends to 8.8.8.8.
# NOTE(review): 'resolvfile' additionally feeds dnsmasq the WAN-supplied
# resolvers; the firewall drops those queries, but 'option noresolv '1'' would
# stop dnsmasq from attempting them at all — confirm which behaviour is wanted.
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	list server '10.80.90.1'
	list server '/__.duckdns.org/8.8.8.8'

# uci export firewall
# Rule semantics: 'src' only = INPUT (to the router), 'dest' only = OUTPUT
# (from the router itself), both = FORWARD. No forwarding into wan_zone exists,
# so LAN clients can only exit through the tunnel.
package firewall

config defaults
	option input 'DROP'
	option output 'DROP'
	option forward 'DROP'
	option synflood_protect '1'
	option drop_invalid '1'

config zone
	option name 'lan_zone'
	option output 'DROP'
	option forward 'DROP'
	option input 'DROP'
	list network 'lan_int'

config zone
	option name 'wan_zone'
	option input 'DROP'
	option output 'DROP'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'
	list network 'wan_int'

config forwarding
	option src 'lan_zone'
	option dest 'wg0_zone'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan_zone'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan_zone'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan_zone'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

# Legacy fw3-style include; fw4 most likely ignores it (see logread).
config include
	option path '/etc/firewall.user'

config zone
	option name 'wg0_zone'
	option input 'DROP'
	option output 'DROP'
	option forward 'DROP'
	list network 'wg0_int'
	option masq '1'

config rule
	option name 'Allow_DNS_IN'
	option family 'ipv4'
	option src 'lan_zone'
	option dest_port '53'
	option target 'ACCEPT'

# INPUT rule despite the name: SSH from LAN hosts into the router.
config rule
	option name 'Allow_SSH_OUT'
	option family 'ipv4'
	option src 'lan_zone'
	list proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'

# Second copy of the lan_zone -> wg0_zone forwarding already declared above.
# Redundant, not harmful; most likely why wg0_zone appears twice in LuCI.
config forwarding
	option src 'lan_zone'
	option dest 'wg0_zone'

config rule
	option name 'Allow_Wireguard_OUT'
	option family 'ipv4'
	list proto 'udp'
	option dest 'wan_zone'
	option dest_port '51820'
	option target 'ACCEPT'

config rule
	option name 'Allow_DHCP_IN'
	option family 'ipv4'
	list proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'
	option src 'lan_zone'

config rule
	option name 'Allow_DHCP_OUT'
	option family 'ipv4'
	list proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option dest 'lan_zone'

config rule
	option family 'ipv4'
	option dest 'wg0_zone'
	option target 'ACCEPT'
	option name 'Allow_DNS_OUT'
	list proto 'tcp'
	list proto 'udp'
	option dest_port '53'

config rule
	option name 'Allow_HTTP(S)_OUT'
	option family 'ipv4'
	list proto 'tcp'
	option dest 'wg0_zone'
	option dest_port '80 443'
	option target 'ACCEPT'

config rule
	option name 'Allow_NTP_OUT'
	option family 'ipv4'
	list proto 'udp'
	option dest 'wg0_zone'
	option dest_port '123'
	option target 'ACCEPT'

# OUTPUT from the router only, pinned to 8.8.8.8: the one WAN-side DNS path,
# used to resolve the peer's DDNS name before the tunnel is up. Client DNS is
# unaffected — it reaches dnsmasq via Allow_DNS_IN and leaves via Allow_DNS_OUT.
config rule
	option name 'Allow_DNS_WAN_OUT'
	option family 'ipv4'
	option dest 'wan_zone'
	list dest_ip '8.8.8.8'
	list proto 'tcp'
	list proto 'udp'
	option dest_port '53'
	option target 'ACCEPT'

# INPUT from LAN to the router's web UI.
config rule
	option name 'Allow_LuCI'
	option family 'ipv4'
	option src 'lan_zone'
	list proto 'tcp'
	option dest_port '80 443'
	option target 'ACCEPT'

{
	"kernel": "6.1.80",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 1",
	"model": "Raspberry Pi 5 Model B Rev 1.0",
	"board_name": "raspberrypi,5-model-b",
	"rootfs_type": "ext4",
	"release": {
		"distribution": "OpenWrt",
		"version": "SNAPSHOT",
		"revision": "r25505-b72a7bf186",
		"target": "bcm27xx/bcm2712",
		"description": "OpenWrt SNAPSHOT r25505-b72a7bf186"
	}
}

Your firewall rules are very restrictive.

Start with setting option output 'ACCEPT' in wg0_zone and wan_zone and setting everything to ACCEPT in the lan_zone

Reboot after changing

After it works, you can always go back to a more restrictive setting.

Ok I'll try that tonight. I was only following the guide. Let me know if there is a travel router guide that actually works and I'll give it a go. I need to route all traffic through my home network when I'm out and about.

It is sometimes described as a road-warrior setup:
https://openwrt.org/docs/guide-user/services/vpn/wireguard/road-warrior

Basically your home router is the WG server and your travel router the WG client

I think this guide is a little over my head. It talks a lot about IPv6 but my ISP at home doesn't provide an IPv6 address.

I'm not sure how to set it up so it is IPv4 only, and I'm worried that I might end up leaking my location if I connect to an IPv6 network and all traffic just goes out through there rather than the tunnel.

Some bits that I'm not sure for example are:
Do I need kmod-ipt-nat6 for IPv4-only
Do I need to run enable-ula.sh for an IPv4 setup?
How do I do an IPv4 setup?
Do I (or why would I) need IPv6?

If you do not set up IPv6 on the travel router (and you probably shouldn't), then there is no need to implement any IPv6.

Thanks for confirming I don't need IPv6, but I can't tell from the guide what I need to do (or not do, as the case may be) in order to set up an IPv4-only tunnel. In other words, there is no "if you want IPv4, then set variable x to y" instruction.

Instead setup your home router as WireGuard server:
https://openwrt.org/docs/guide-user/services/vpn/wireguard/server

and the travel router as WireGuard Client:
https://openwrt.org/docs/guide-user/services/vpn/wireguard/client