The Windows laptop, connected via the iPhone hotspot and the VPN tunnel, wants to access the router at 192.168.29.1 on the local network of the Android phone.
Note: I cannot do much on the Android phone or on the router at 192.168.29.1 other than import a WireGuard client configuration file on the Android phone. Also, the router 192.168.29.1 provides internet to the Android phone, but the router is behind CGNAT and does not have a public IP.
It appears you are using firmware that is not from the official OpenWrt project.
When using forks/offshoots/vendor-specific builds that are "based on OpenWrt", there may be many differences compared to the official versions (hosted by OpenWrt.org). Some of these customizations may fundamentally change the way that OpenWrt works. You might need help from people with specific/specialized knowledge about the firmware you are using, so it is possible that advice you get here may not be useful.
Ask for help from the maintainer(s) or user community of the specific firmware that you are using.
Provide the source code for the firmware so that users on this forum can understand how your firmware works (OpenWrt forum users are volunteers, so somebody might look at the code if they have time and are interested in your issue).
If you believe that this specific issue is common to generic/official OpenWrt and/or the maintainers of your build have indicated as such, please feel free to clarify.
OK, on the latest official OpenWrt firmware, how can we achieve it with the LuCI UI? If that's explained I can try doing the same. Today I worked on it for 18 hours but failed. I could only connect the VPN tunnel to the laptop and the Android phone. Any help will be highly appreciated.
This device is not supported by the official OpenWrt project. The firmware on it is from GL-iNet and is a fork that is heavily modified from that of the official project (and it is also based on a version that has long since been EOL'd by the official project).
Because of the very significant differences in GL-iNet's vendor firmware, you need to ask on their support channels.
As you guessed, the phone is not going to let you do that because it would be a big security risk for most use cases. A user would not want a commercial VPN service or corporate network able to reach their LAN backwards through a VPN.
Otherwise this is straightforward. The "server" router in the middle needs to be made aware of the 192.168.29 network:
192.168.29.0/24 (or at least 192.168.29.1/32 if that is the only host of interest) needs to be an allowed_ip on the phone peer.
If route_allowed_ips is not set, a route to 192.168.29.0 needs to be installed.
The firewall zone that the wg interface is in needs to be set to allow forwarding. Inter-peer traffic goes out of Wireguard to be considered by regular firewall and routing rules even if it ends up back at the same interface.
Then assuming the laptop is using the tunnel as its default route, a packet originated from the laptop with a destination of 192.168.29.1 will at least reach the phone, which the VPN app will then drop. It would require some special setup of the phone that if it is possible at all, is outside the scope of this forum.
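The three server-side steps above (allowed_ips on the phone peer, a route, and zone forwarding), as an added example that is not from the OpenWrt project or from any poster in this thread. It is a POSIX shell script meant to be run on the "server" router over SSH; LuCI writes the same UCI options under Network > Interfaces > wg0 > Peers and Network > Firewall. Assumed names, which you must change to match your own config: WireGuard interface `wg0`, the phone's peer section `wgclient_phone`, a named firewall zone section `vpn` that contains wg0 (LuCI usually creates anonymous zone sections, so use `firewall.@zone[N]` instead), and 192.168.29.0/24 as the phone's LAN. As the post says, this only gets the packet as far as the phone; the VPN app on the phone still has to be willing to forward it.

```shell
#!/bin/sh
# Added example, not OpenWrt project code. Assumed names below; adjust to your config.
WG_IF="${WG_IF:-wg0}"                      # assumed WireGuard interface
PEER="${PEER:-wgclient_phone}"             # assumed name of the phone's peer section
ZONE="${ZONE:-vpn}"                        # assumed *named* zone section holding wg0
REMOTE_LAN="${REMOTE_LAN:-192.168.29.0/24}"
USE_ROUTE_ALLOWED_IPS="${USE_ROUTE_ALLOWED_IPS:-1}"

# Render the UCI batch for the three steps as plain text on stdout, so it can
# be reviewed (or compared with "uci show") before anything is applied.
wg_peer_batch() {
    # Step 1: WireGuard only sends/accepts packets for a peer whose allowed_ips
    # covers them, so the remote LAN must be listed on the phone's peer.
    printf "add_list network.%s.allowed_ips='%s'\n" "$PEER" "$REMOTE_LAN"
    if [ "$USE_ROUTE_ALLOWED_IPS" = 1 ]; then
        # Step 2a: let netifd install the kernel route from allowed_ips.
        printf "set network.%s.route_allowed_ips='1'\n" "$PEER"
    else
        # Step 2b: otherwise a static route onto the wg interface is needed.
        printf "set network.rt_%s=route\n" "$PEER"
        printf "set network.rt_%s.interface='%s'\n" "$PEER" "$WG_IF"
        printf "set network.rt_%s.target='%s'\n" "$PEER" "$REMOTE_LAN"
    fi
    # Step 3: the zone must forward, which also covers wg0 -> wg0 (laptop peer
    # to phone peer); intra-zone traffic follows the zone's forward policy.
    printf "set firewall.%s.forward='ACCEPT'\n" "$ZONE"
    printf "commit network\ncommit firewall\n"
}

# Apply on the router: "uci batch" reads its commands from stdin.
apply_wg_peer() {
    wg_peer_batch | uci batch
    /etc/init.d/network reload
    /etc/init.d/firewall reload
}

# Verify: the phone peer should list the subnet, and a lookup for a host on the
# remote LAN should resolve to "dev wg0", not to the WAN interface.
verify_wg_peer() {
    wg show "$WG_IF" allowed-ips
    ip route get "${REMOTE_LAN%/*}"
}

case "$1" in
    apply)  apply_wg_peer ;;
    verify) verify_wg_peer ;;
    *)      wg_peer_batch ;;   # default: dry run, print the batch only
esac
```

Run it with no arguments first to see the batch, then `apply`, then `verify`; if `ip route get` still shows the WAN device, the route step did not take effect. To see the drop on the far side, run `tcpdump -ni wg0 host 192.168.29.1` on the server while the laptop pings: the request leaves towards the phone and no reply comes back.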
With the official OpenWrt firmware, and assuming you have a public IP on your WAN, yes, absolutely. I have done this myself and assisted others probably hundreds of times.
I have never used GL-iNet firmware, so I don't know if they do things differently. That is why you need to ask on their forums.
This is what is in the phone's VPN. I also have a static route in the Brume2, 192.168.29.0/24 via 10.0.0.1, and I also enabled the entire firewall rule; it is still not possible to open.
[Interface]
Address = 10.0.0.5/24
PrivateKey = (hidden)
DNS = 64.6.64.6
MTU = 1420
Anything that runs OpenWrt, of course. You can place it on the 29 LAN and have it make an outgoing connection to the center server (Brume). Then it can forward packets back into the 29 LAN, including to 192.168.29.1.
I don't want to place anything on the 29 LAN. I know this can be done; rather, I want to place it on the WAN/NBN side, and there is a personal reason for it. So let me know how I can do it.
On the 29 LAN, only an Android phone connects to the WireGuard VPN server somewhere on the internet. Please advise how I can achieve it. I am fine with purchasing a new device, as I am unable to do so with the Brume2.
Do you have a public IP on the NBN WAN side of the Brume2 router? Is your Brume2 device the main router, or are you using an ISP/RSP-provided router? I'm not talking about NBN's box.
I don't think Android can do reverse NAT, but if you replace the Android device with a Linux box or another OpenWrt device, it could for sure do NAT from your VPN to that local network.
No, I can't change anything on the 29 network side; it's in a different house of mine and I will not go there for at least 1 year. Hence I am here in this forum, even ready to buy a new device with OpenWrt. If we put a Raspberry Pi on the 29 network it would be a cakewalk. I wouldn't even need the Brume2, or I could use Tailscale and subnet routing on the 29 network.
My only option is as per the diagram, so any help would be appreciated.
If the other side is Android only, and there is someone there, you can probably do SSH port forwarding. I have done so using the ConnectBot app, or you can use Termux.
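The SSH port forwarding suggested above, as an added example that is not from any poster, project or app. It is a POSIX shell script for Termux on the Android phone (with the `openssh` package installed): the phone dials out to the WireGuard server over the tunnel and asks it to listen on ports that relay back into 192.168.29.0/24. Nothing on the CGNAT side needs a public IP, because the phone initiates. Assumptions: the server's WireGuard address is 10.0.0.1 and it has an SSH account `tunnel` that allows remote forwards (on OpenWrt that is dropbear, which permits them unless started with `-k`); the remote router's web UI is on 192.168.29.1:80 and its SSH on port 22.

```shell
#!/bin/sh
# Added example, not from any poster. Assumed names below; adjust to your setup.
SSH_HOST="${SSH_HOST:-tunnel@10.0.0.1}"   # assumed SSH account on the WireGuard server
TARGET="${TARGET:-192.168.29.1}"          # the router on the phone's LAN
BIND="${BIND:-127.0.0.1}"                  # where the server listens; see note on GatewayPorts

# Build one -R argument: server BIND:lport -> TARGET:rport, relayed by the phone.
fwd_arg() {
    printf '%s %s:%s:%s:%s' "-R" "$BIND" "$1" "$TARGET" "$2"
}

# Full command. ExitOnForwardFailure makes ssh exit if the server refuses the
# listening port (instead of staying up with no forward), so the loop retries;
# the keepalives notice a dead hotspot/cellular path within ~90 s.
tunnel_cmd() {
    printf 'ssh -N -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes %s %s %s' \
        "$(fwd_arg 8080 80)" "$(fwd_arg 2222 22)" "$SSH_HOST"
}

# Run forever, reconnecting after drops. Run "termux-wake-lock" first or
# Android will suspend the process when the screen turns off.
keep_tunnel() {
    while :; do
        sh -c "$(tunnel_cmd)"
        sleep 10
    done
}

if [ "$1" = run ]; then
    keep_tunnel
fi
```

Someone on the phone has to start it (`sh tunnel.sh run`) and the phone must stay on the 29 LAN. On the laptop, over the VPN, the listeners are only on the server's loopback with the default `BIND`, so reach them with a second hop: `ssh -L 8080:127.0.0.1:8080 tunnel@10.0.0.1` and then open http://localhost:8080. If you would rather point the browser at http://10.0.0.1:8080 directly, set `BIND=10.0.0.1` and allow non-loopback binds on the server (`GatewayPorts clientspecified` for OpenSSH, `-a` for dropbear); keep that bind on the WireGuard address, not 0.0.0.0, so the remote router's admin interface is never exposed on the WAN.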