Not able to connect with wireguard client

Dear All,
I am using my OpenWrt router as a peer and trying to create a VPN server using Wireguard. I have applied the configuration but I am not able to handshake with the client PC. I am sharing my network and firewall config.
Please suggest what I missed here...


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fdf5:7e4d:1842::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.0.2'
	option gateway '192.168.0.1'
	list dns '8.8.8.8'
	list dns '8.8.4.4'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'WG_0'
	option proto 'wireguard'
	option private_key 'mCXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX='
	option listen_port '38400'
	list addresses '10.14.0.3/24'
	option force_link '1'

config wireguard_WG_0
	option description 'SunilPC'
	option public_key 'HxXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX='
	option private_key 'IEXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX='
	list allowed_ips '10.14.0.3/32'
	option route_allowed_ips '1'


Firewall:


config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'WG_0'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Wireguard'
	list proto 'udp'
	option src 'wan'
	option src_dport '38400'
	option dest_port '38400'
	option dest_ip '192.168.0.1'




PFA Client Screenshot

This appears to be a dumb ap, is that correct?

If so, we need to know about the main router:

  • have you set up port forwarding for wireguard on the main router?
  • does your main router support static routes?

If it is not a dumb ap, there are other issues we should explore.

Hi,
Thanks for your quick response.
Yes, this is a dumb AP. The main router is the ISP's router and it is very basic. I have already applied port forwarding on my OpenWrt router. Nothing, no configuration on the main router.
Is this not possible without main router?

Generally it is still possible, but some modifications are necessary.

Did you setup port forwarding on the main router? If this is not possible, that will present a major issue.

This needs to be a different IP than the other peer has. Conventionally .1/24 is used at a "server." The peer can remain as you have it .3/24 with an allowed IP .3/32.

The main router must forward UDP 38400 to your OpenWrt router or the server will never receive any connections. This is not optional. If the main router has a "DMZ" setting (forward all incoming ports to one LAN device) you could use it.

Once Wireguard packets do arrive at the OpenWrt router WAN port, they would be allowed in by an input rule. Remove your redirect "allow Wireguard" rule, which is completely not the right way, and replace it with an input rule:

config rule
    option name 'Allow-Wireguard-WAN'
    option src 'wan'
    option dest_port '38400'
    option proto 'udp'
    option target 'ACCEPT'
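Checking the two points above mechanically, as an added example that is not from the thread or from the OpenWrt project: a POSIX sh/awk lint that reads the two UCI files and flags an interface address that is also a peer allowed_ip, and a DNAT redirect standing in for the wan input rule. The sample configs it writes are constructed to mirror the first post; the peer key is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. Lints an OpenWrt /etc/config/network and
# /etc/config/firewall for the two mistakes called out above:
#   1. the WireGuard interface address is also a peer's allowed_ip (must be unique)
#   2. the listen port is opened with a DNAT redirect instead of a wan input rule
# Usage: lint_wg_config NETWORK_FILE FIREWALL_FILE IFACE PORT   (exit 0 == clean)
lint_wg_config() {
  rc=0
  awk -v q="'" -v iface="$3" '
    function v(s) { gsub(q, "", s); sub(/\/.*$/, "", s); return s }  # drop quotes and /prefix
    /^config / { name = v($3); peer = ($2 == ("wireguard_" iface)) }
    name == iface && $2 == "addresses" { self[v($3)] = 1 }
    peer && $2 == "allowed_ips"        { pips[v($3)] = 1 }
    END { for (a in pips) if (a in self) { print "ERROR: " a " is both the " iface " address and a peer allowed_ip"; bad = 1 }
          exit bad }' "$1" || rc=1
  awk -v q="'" -v port="$4" '
    function v(s) { gsub(q, "", s); return s }
    function endsec() {  # judge the section that just ended
      if (type == "redirect" && kv["src_dport"] == port) redir = 1
      if (type == "rule" && kv["src"] == "wan" && !("dest" in kv) && kv["proto"] == "udp" &&
          kv["dest_port"] == port && kv["target"] == "ACCEPT") rule = 1
      split("", kv); type = "" }
    /^config / { endsec(); type = $2 }
    /^[ \t]*(option|list) / { kv[$2] = v($3) }
    END { endsec()
          if (redir) print "ERROR: DNAT redirect for udp/" port ": the router itself listens, use an input rule"
          if (!rule) print "ERROR: no wan input rule accepting udp/" port
          exit (redir || !rule) }' "$2" || rc=1
  return $rc
}
# Constructed samples (not the poster's real files). 'broken' mirrors the first post:
# address 10.14.0.3 reused for server and peer, port opened by a redirect.
write_broken() {
  printf "config interface 'WG_0'\n\toption proto 'wireguard'\n\toption listen_port '38400'\n\tlist addresses '10.14.0.3/24'\n\nconfig wireguard_WG_0\n\toption public_key 'PEER_PUBLIC_KEY_PLACEHOLDER='\n\tlist allowed_ips '10.14.0.3/32'\n" > "$1"
  printf "config redirect\n\toption target 'DNAT'\n\tlist proto 'udp'\n\toption src 'wan'\n\toption src_dport '38400'\n\toption dest_port '38400'\n\toption dest_ip '192.168.0.1'\n" > "$2"
}
# 'fixed' applies the advice: server on 10.14.0.1/24, peer keeps 10.14.0.3/32, input rule on wan.
write_fixed() {
  printf "config interface 'WG_0'\n\toption proto 'wireguard'\n\toption listen_port '38400'\n\tlist addresses '10.14.0.1/24'\n\nconfig wireguard_WG_0\n\toption public_key 'PEER_PUBLIC_KEY_PLACEHOLDER='\n\tlist allowed_ips '10.14.0.3/32'\n" > "$1"
  printf "config rule\n\toption name 'Allow-Wireguard-WAN'\n\toption src 'wan'\n\toption dest_port '38400'\n\toption proto 'udp'\n\toption target 'ACCEPT'\n" > "$2"
}
demo() {  # $1 = broken | fixed ; returns 0 when the sample passes the lint
  d=$(mktemp -d); "write_$1" "$d/network" "$d/firewall"
  if lint_wg_config "$d/network" "$d/firewall" WG_0 38400; then st=0; else st=1; fi
  rm -rf "$d"; return $st
}
demo broken || echo "broken sample flagged as expected"
demo fixed && echo "fixed sample is clean"
```

The lint does not inspect keys; separately, the config wireguard_WG_0 peer section in the first post also carries an option private_key, which the OpenWrt peer section does not use and which should exist only on the client.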

Like others already noted, you do need to set up port forwarding on the main router to the OpenWrt router, e.g. forward port 38400 to 192.168.0.2.

There is an alternative to a static route on the main router, and that is MASQUERADING on the LAN interface.

In the LAN zone remove list network 'WG_0' and add option masq '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	option masq '1'

Add an extra vpn zone for the WG interface (because we do not want masquerading on the WG interface)

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'WG_0'


Add forwarding rules:

config forwarding
	option src 'lan'
	option dest 'vpn'

config forwarding
	option src 'vpn'
	option dest 'lan'

Applied port forwarding on main router
PFA


Still the same issue..

The port forwarding is wrong.

Must be udp.
Should keep the same port number (change 80 to 38400).

What is in the drop down where it says voip?


Corrected.

ok... that looks better.

Have you made any changes to your OpenWrt config yet?

Yes, applied interface, firewall and port forwarding. I think I have to remove port forwarding from the OpenWrt config now.

Ok... try connecting. If it doesn't work, please post the latest configs for review.

Also make sure to adapt the list address: as your client already got 10.14.0.3, I would change the list address of WG_0 to 10.14.0.1/24,
as already noted by @mk24.

Reboot after changing!

Dear @egc, let's apply one by one...
After the changes suggested by @psherman, config below:


config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'WG_0'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'


Network:


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fdf5:7e4d:1842::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.0.2'
	option gateway '192.168.0.1'
	list dns '8.8.8.8'
	list dns '8.8.4.4'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'WG_0'
	option proto 'wireguard'
	option private_key 'mCXXXXXXXXXXXXXXXXXXXXXXXX='
	option listen_port '38400'
	list addresses '10.14.0.3/24'
	option force_link '1'

config wireguard_WG_0
	option description 'SunilPC'
	option public_key 'HxXXXXXXXXXXXXXXXXXXXXXXXXXXXX='
	option private_key 'IEXXXXXXXXXXXXXXXXXXXXXXXXXXXX='
	list allowed_ips '10.14.0.3/32'
	option route_allowed_ips '1'


I'll be repeating some of the previous advice, but let's make the following changes:

Remove WG_0 from the lan firewall zone and put it into its own zone. Add masquerading on the lan zone. And add a forwarding rule for wg > lan. It will look like this:

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	option masq '1'

config zone
	option name 'wg'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'WG_0'

config forwarding
	option src 'wg'
	option dest 'lan'

Next, fix the WG_0 network interface -- the address needs to be unique (currently it's the same as the peer), and the force link is unnecessary. It will look like this:

config interface 'WG_0'
	option proto 'wireguard'
	option private_key 'mCXXXXXXXXXXXXXXXXXXXXXXXX='
	option listen_port '38400'
	list addresses '10.14.0.1/24'

Now restart and test again.

Applied.. No success..
Updated config:


config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	option masq '1'

config zone
	option name 'wg'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'WG_0'

config forwarding
	option src 'wg'
	option dest 'lan'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'


Next thing to test is to see if the OpenWrt config is correct...

In your windows configuration, change the endpoint (in the peer section) to:

Endpoint = 192.168.0.2:38400

Then, with your computer connected to the same wifi network, try starting the wireguard connection.

Yes, it's working with the above Endpoint config and the same Wi-Fi.

Ok... so that means that OpenWrt (and the Windows WG config) are all working.

My guess is that you do not have a true public IP address on your main router's WAN.
Does your main router have a status page with the wan/upstream address? If so, please post the first two octets of the IP address shown (in bold: aaa.bbb.ccc.ddd).
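The check behind that last question, as an added example that is not from the thread: a small POSIX sh classifier for the address a router's status page shows on its WAN side, so the answer "private or CGNAT, not public" can be read off before any more firewall changes are tried. The sample addresses at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies the IPv4 address a router's
# status page shows on its WAN side. A WireGuard server behind an RFC 1918
# private or RFC 6598 carrier-grade NAT (100.64.0.0/10) address is unreachable
# from the internet no matter how correct the port forward is, which is the
# situation the last reply suspects.
# Exit status: 0 = public, 1 = not publicly routable, 2 = not a valid IPv4 address.
ip_class() {
  ip=$1
  IFS=.; set -- $ip; unset IFS            # split into octets on "."
  [ $# -eq 4 ] || { echo "invalid"; return 2; }
  for o in "$@"; do                       # every octet must be a number 0..255
    case $o in ''|*[!0-9]*) echo "invalid"; return 2;; esac
    [ "$o" -le 255 ] || { echo "invalid"; return 2; }
  done
  a=$1 b=$2
  if   [ "$a" -eq 10 ];                                         then echo "private (RFC 1918 10/8)"
  elif [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ];  then echo "private (RFC 1918 172.16/12)"
  elif [ "$a" -eq 192 ] && [ "$b" -eq 168 ];                    then echo "private (RFC 1918 192.168/16)"
  elif [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ]; then echo "CGNAT (RFC 6598 100.64/10)"
  elif [ "$a" -eq 169 ] && [ "$b" -eq 254 ];                    then echo "link-local (169.254/16)"
  elif [ "$a" -eq 127 ];                                        then echo "loopback (127/8)"
  else echo "public"; return 0
  fi
  return 1
}
# Constructed sample addresses: the 192.168.0.1 gateway from the thread, a
# typical CGNAT address, and the 8.8.8.8 resolver from the config as a public reference.
for ip in 192.168.0.1 100.64.12.34 8.8.8.8; do
  printf '%-14s %s\n' "$ip" "$(ip_class "$ip")"
done
```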