Issues with WireGuard VPN

I've set up two EdgeRouter X devices with OpenWrt 24.10 and installed all updates on them, as well as the WireGuard packages. The interfaces are set up like this:
Router A:
LAN: 10.11.11.1/24
WAN: 192.160.1.1/24
WireGuard Tunnel: 10.1.1.1/32

Router B:
LAN: 10.3.3.1/24
WAN: 192.160.1.2/24
WireGuard Tunnel: 10.1.1.2/32

In the peers I've added the WireGuard tunnel address and the LAN of the opposite router as allowed IPs, and set the endpoint to the static IP of the WAN interfaces. I've also created a separate firewall zone for WG: the LAN zone has forwarding to WG and WAN, and the WG zone has forwarding to LAN and WAN. Other than that, I've not changed the rules.

I have a persistent keep-alive of 25 on both and the listening port is set to 51820 on both Routers.
Sometimes this setup works flawlessly, but the second time I set up these routers in exactly the same way, it didn't work. After changing things back and forth and rebooting multiple times, it suddenly worked again, still using the same configuration.

Does anyone have an idea why it's so inconsistent? Any help would be great.

Upgrading packages (via the CLI opkg upgrade command or the LuCI Upgrade... button) can result in major problems. It is generally highly discouraged, unless you know what you are doing or there are specific instructions to do so.

You may want to reset to defaults, then restore your config from a backup.

That said… from both devices:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
wg show

Router A

ubus call system board

{
        "kernel": "6.6.86",
        "hostname": "RouterX11",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "Ubiquiti EdgeRouter X",
        "board_name": "ubnt,edgerouter-x",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.1",
                "revision": "r28597-0425664679",
                "target": "ramips/mt7621",
                "description": "OpenWrt 24.10.1 r28597-0425664679",
                "builddate": "1744562312"
        }
}

cat /etc/config/network

# Router A, /etc/config/network as posted: loopback, a four-port LAN bridge,
# a static WAN on eth0, DHCPv6 on the same port, and one WireGuard interface
# 'wg' with a single peer section.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdbe:164d:923::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'
        list ports 'eth4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.11.11.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

# NOTE(review): 192.160.1.0/24 is not an RFC 1918 private range (the private
# block is 192.168.0.0/16). Confirm whether 192.160.x.x is intended or a typo
# for 192.168.x.x.
config interface 'wan'
        option device 'eth0'
        option proto 'static'
        option ipaddr '192.160.1.1'
        option netmask '255.255.255.0'
        option gateway '192.160.1.20'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'

# WireGuard interface; private_key is shown redacted as 'KEY'.
# NOTE(review): 12.12.12.1/32 is also outside the RFC 1918 ranges, and the
# opening post of this thread gives the tunnel address as 10.1.1.1/32, so the
# description and the posted config disagree. Confirm which one is live.
config interface 'wg'
        option proto 'wireguard'
        option private_key 'KEY'
        option listen_port '51820'
        list addresses '12.12.12.1/32'

# Peer section for the other router (description 'routerX03').
# route_allowed_ips '1' installs a route through wg for each allowed_ips entry.
# NOTE(review): allowed_ips lists 12.12.12.0/32, but Router B's posted config
# assigns its wg interface 12.12.12.2/32. A /32 matches exactly one address, so
# as posted the peer's tunnel address is neither routed into the tunnel nor
# accepted as a source from it; only 10.3.3.0/24 is. Presumably 12.12.12.2/32
# (or a prefix covering it) was intended; confirm.
config wireguard_wg
        option description 'routerX03'
        option route_allowed_ips '1'
        option endpoint_host '192.160.1.2'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        option public_key 'KEY'
        list allowed_ips '12.12.12.0/32'
        list allowed_ips '10.3.3.0/24'

cat /etc/config/firewall

# Router A, /etc/config/firewall: global defaults and the two base zones.
# Anything not matched by a zone or rule is rejected on input and forward.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# wan rejects unsolicited input and forwarding; masq '1' source-NATs traffic
# that leaves through this zone.
# NOTE(review): with input 'REJECT' here, the WireGuard listen port (51820 per
# the posted network config) is reachable from wan only if a separate rule
# accepts it.
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

# LAN clients may reach the WAN.
config forwarding
        option src 'lan'
        option dest 'wan'

# Traffic rules accepting specific traffic that arrives from the wan zone.
# NOTE(review): none of these rules accepts UDP 51820 on wan input, while the
# wan zone in this file has input 'REJECT' and the wg interface listens on
# 51820. An incoming handshake from the peer is then accepted only when it
# matches connection-tracking state created by this router's own outbound
# packets to that peer, which could make the tunnel come up only some of the
# time (verify). The usual fix is an explicit rule with src 'wan', proto 'udp',
# dest_port '51820', target 'ACCEPT', optionally with src_ip limited to the
# peer's WAN address.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

# MLD messages, accepted only from link-local sources (fe80::/10).
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 addressed to the router itself, rate-limited to 1000/sec.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 forwarded from wan to any zone (dest '*'), same rate limit.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# The next two rules let ESP and UDP 500 from wan be forwarded to lan hosts.
# NOTE(review): if no IPsec endpoint sits behind this router, they can be
# removed to reduce what is forwardable from wan.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Zone holding the WireGuard interface 'wg'.
# input 'ACCEPT' means traffic that arrives through the tunnel and is addressed
# to this router itself is accepted.
# NOTE(review): that exposes whatever services the router runs to the remote
# site; tighten to specific rules if the remote LAN should not manage this
# router.
config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'wg'

# Traffic arriving from the tunnel may leave through this router's WAN.
config forwarding
        option src 'vpn'
        option dest 'wan'

# Disabled (enabled '0') DNAT of wan UDP 51820 to the wg interface address.
# NOTE(review): WireGuard listens on the router itself, so the port is opened
# with an input rule on wan (src 'wan', proto 'udp', dest_port '51820',
# target 'ACCEPT'), not with a redirect. This entry can stay disabled or be
# removed.
config redirect
        option dest 'vpn'
        option target 'DNAT'
        option name 'wg'
        list proto 'udp'
        option src 'wan'
        option src_dport '51820'
        option dest_ip '12.12.12.1/32'
        option dest_port '51820'
        option enabled '0'

# Site-to-site forwarding between the tunnel and the local LAN, both ways.
config forwarding
        option src 'vpn'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'vpn'

wg show

interface: wg
  public key: KEY
  private key: (hidden)
  listening port: 51820

peer: KEY
  endpoint: 192.160.1.2:51820
  allowed ips: 12.12.12.0/32, 10.3.3.0/24
  latest handshake: 17 seconds ago
  transfer: 209.34 KiB received, 249.83 KiB sent
  persistent keepalive: every 25 seconds

Router B

ubus call system board

{
        "kernel": "6.6.86",
        "hostname": "RouterX03",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "Ubiquiti EdgeRouter X",
        "board_name": "ubnt,edgerouter-x",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.1",
                "revision": "r28597-0425664679",
                "target": "ramips/mt7621",
                "description": "OpenWrt 24.10.1 r28597-0425664679",
                "builddate": "1744562312"
        }
}

cat /etc/config/network

# Router B, /etc/config/network as posted: same layout as Router A, with its
# own LAN subnet, WAN address and WireGuard tunnel address.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd4b:1a97:3001::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'
        list ports 'eth4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.3.3.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

# NOTE(review): 192.160.1.0/24 is not an RFC 1918 private range (the private
# block is 192.168.0.0/16); confirm it is intended.
# NOTE(review): the default gateway here is 192.160.1.1, which is Router A's
# WAN address in this thread, whereas Router A itself uses 192.160.1.20.
# Confirm this asymmetry is deliberate.
config interface 'wan'
        option device 'eth0'
        option proto 'static'
        option ipaddr '192.160.1.2'
        option netmask '255.255.255.0'
        option gateway '192.160.1.1'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'

# WireGuard interface; private_key is shown redacted as 'KEY'.
# NOTE(review): 12.12.12.2/32 is outside the RFC 1918 ranges, and the opening
# post of this thread gives the tunnel address as 10.1.1.2/32. Confirm which
# one is live.
config interface 'wg'
        option proto 'wireguard'
        option private_key 'KEY'
        option listen_port '51820'
        list addresses '12.12.12.2/32'

# Peer section for the other router (description 'routerX11').
# route_allowed_ips '1' installs a route through wg for each allowed_ips entry.
# NOTE(review): allowed_ips lists 12.12.12.0/32, but Router A's posted config
# assigns its wg interface 12.12.12.1/32. A /32 matches exactly one address, so
# as posted the peer's tunnel address is neither routed into the tunnel nor
# accepted as a source from it; only 10.11.11.0/24 is. Presumably 12.12.12.1/32
# (or a prefix covering it) was intended; confirm.
config wireguard_wg
        option description 'routerX11'
        option public_key 'KEY'
        option route_allowed_ips '1'
        option endpoint_host '192.160.1.1'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        list allowed_ips '12.12.12.0/32'
        list allowed_ips '10.11.11.0/24'

cat /etc/config/firewall

# Router B, /etc/config/firewall: global defaults and the two base zones.
# Anything not matched by a zone or rule is rejected on input and forward.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# wan rejects unsolicited input and forwarding; masq '1' source-NATs traffic
# that leaves through this zone.
# NOTE(review): with input 'REJECT' here, the WireGuard listen port (51820 per
# the posted network config) is reachable from wan only if a separate rule
# accepts it.
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

# LAN clients may reach the WAN.
config forwarding
        option src 'lan'
        option dest 'wan'

# Traffic rules accepting specific traffic that arrives from the wan zone.
# NOTE(review): none of these rules accepts UDP 51820 on wan input, while the
# wan zone in this file has input 'REJECT' and the wg interface listens on
# 51820. An incoming handshake from the peer is then accepted only when it
# matches connection-tracking state created by this router's own outbound
# packets to that peer, which could make the tunnel come up only some of the
# time (verify). The usual fix is an explicit rule with src 'wan', proto 'udp',
# dest_port '51820', target 'ACCEPT', optionally with src_ip limited to the
# peer's WAN address.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

# MLD messages, accepted only from link-local sources (fe80::/10).
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 addressed to the router itself, rate-limited to 1000/sec.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 forwarded from wan to any zone (dest '*'), same rate limit.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# The next two rules let ESP and UDP 500 from wan be forwarded to lan hosts.
# NOTE(review): if no IPsec endpoint sits behind this router, they can be
# removed to reduce what is forwardable from wan.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Zone holding the WireGuard interface 'wg'.
# input 'ACCEPT' means traffic that arrives through the tunnel and is addressed
# to this router itself is accepted.
# NOTE(review): that exposes whatever services the router runs to the remote
# site; tighten to specific rules if the remote LAN should not manage this
# router.
config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'wg'

# Local LAN may send traffic into the tunnel.
config forwarding
        option src 'lan'
        option dest 'vpn'

# Traffic arriving from the tunnel may leave through this router's WAN.
config forwarding
        option src 'vpn'
        option dest 'wan'

# Disabled (enabled '0') DNAT of wan UDP 51820 to the wg interface address.
# NOTE(review): WireGuard listens on the router itself, so the port is opened
# with an input rule on wan (src 'wan', proto 'udp', dest_port '51820',
# target 'ACCEPT'), not with a redirect. This entry can stay disabled or be
# removed.
config redirect
        option dest 'vpn'
        option target 'DNAT'
        option name 'wg'
        list proto 'udp'
        option src 'wan'
        option src_dport '51820'
        option dest_ip '12.12.12.2/32'
        option dest_port '51820'
        option enabled '0'

# Traffic arriving from the tunnel may reach the local LAN.
config forwarding
        option src 'vpn'
        option dest 'lan'

wg show

interface: wg
  public key: KEY
  private key: (hidden)
  listening port: 51820

peer: KEY
  endpoint: 192.160.1.1:51820
  allowed ips: 12.12.12.0/32, 10.11.11.0/24
  latest handshake: 58 seconds ago
  transfer: 308.61 KiB received, 257.45 KiB sent
  persistent keepalive: every 25 seconds