(re)Flash update and Wireguard woes

I've searched the openwrt sites and the web and come up with nothing of use. I just flashed an update for my router and a few things are borked, one of which is wireguard.

I used my original roadwarrior scripts to set things up but at first all I got was a missing proto on the interface. Turns out a reboot fixed that. I've restored the server keys and peer stuff from a previous backup but still nothing works and I can't find anything wrong.

wg show...shows no peers but when I connect from a peer I also get no errors or indication that anything is off other than it doesn't actually work.

	"kernel": "6.12.74",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7621 ver:1 eco:4",
	"model": "TP-Link Archer AX23 v1",
	"board_name": "tplink,archer-ax23-v1",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "25.12.2",
		"firmware_url": "https://downloads.openwrt.org/",
		"revision": "r32802-f505120278",
		"target": "ramips/mt7621",
		"description": "OpenWrt 25.12.2 r32802-f505120278",
		"builddate": "1774469393"
	}
}

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd73:82ca:ebd3::/48'
	option packet_steering '1'
	option dhcp_default_duid '0004b74b583a0508424ca728f6eae600e748'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.0.8'
	option netmask '255.255.255.0'
	option delegate '0'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	option delegate '0'
	list dns '192.168.0.82'
	option multipath 'off'

config device
	option name 'wan'
	option macaddr ''

config interface 'wg_vpn'
	option proto 'wireguard'
	option private_key ''
	option listen_port '51820'
	list addresses '192.168.0.1/24'
	option mtu '1280'

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option flow_offloading '1'
	option flow_offloading_hw '1'
	option synflood_protect '1'
	option drop_invalid '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list device 'tun+'
	list network 'lan'
	list network 'wg_vpn'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'http'
	option src 'wan'
	option dest_ip '192.168.0.80'
	option dest_port '80'
	option src_dport '80'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'https'
	option src 'wan'
	option src_dport '443'
	option dest_ip '192.168.0.80'
	option dest_port '443'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'smtp'
	option src 'wan'
	option src_dport '25'
	option dest_ip '192.168.0.80'
	option dest_port '25'

config rule 'wg_rule_vpn'
	option name 'Allow-WireGuard-vpn-wan'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'XMPP'
	option family 'ipv4'
	option src 'wan'
	option src_dport '5222'
	option dest_ip '192.168.0.82'
	option dest_port '5222'

You've got a few obvious issues...

Possibly starting here...

Is this device the main router? The choice of the .8 address is unusual (but not invalid) for a main router, thus the question...

Your wg subnet overlaps your lan subnet. They must be unique and non-overlapping:

You don't have any peers defined. That will prevent any connections from working, and is why you don't see anything in wg show.

Yes it's the main router and .8 is correct. Well where would I define the peers if not via the peers section in /etc/wireguard/networks/vpn/peers?

I've never seen any such file.

Peers are defined in the network file (/etc/config/network)

Is where the client conf and keys are.

OK I checked the file you mention in a backup and yes they are also defined there...I'll give this a try. As always thank you...you're a damned ninja around here.

Just to be clear, the file you've referenced is not read or used in any way by Wireguard on OpenWrt. It all belongs in the /etc/config/network file and that will be backed up normally anytime you make a backup.
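The two problems raised in this thread (a wg address inside the lan subnet, and no peer section in /etc/config/network) are easy to re-check after a flash before touching anything else. This is an added example, not from the thread or from the OpenWrt project; it assumes the UCI layout described above (`config interface` with `option proto 'wireguard'`, peers in `config wireguard_<iface>` sections) and runs against a constructed sample config rather than a live router.

```shell
#!/bin/sh
# Added example (not from the thread or OpenWrt): reads /etc/config/network on stdin and
# reports a wireguard interface with no "config wireguard_<iface>" peer section, and a wg
# address that overlaps the lan subnet. One line per finding; silent when the file is clean.
ip2int() { echo "$1" | { IFS=. read -r a b c d; echo $(( (a<<24)|(b<<16)|(c<<8)|d )); }; }
check_wg_config() {
    awk -F"'" '   # flatten UCI into tagged records; the LAN record is printed last
        { split($1, w, " ") }
        w[1]=="config" { sect=w[2]; name=$2
            if (sect ~ /^wireguard_/) { sub(/^wireguard_/, "", sect); print "PEER", sect }
            next }
        w[1]=="option" && w[2]=="proto" && $2=="wireguard" { print "WG", name }
        w[1]=="list" && w[2]=="addresses" { print "ADDR", name, $2 }
        sect=="interface" && name=="lan" && w[2]=="ipaddr" { lanip=$2 }
        sect=="interface" && name=="lan" && w[2]=="netmask" { lanmask=$2 }
        END { print "LAN", lanip, lanmask }
    ' | while read -r kind a b; do
        case $kind in
            WG)   wgs="$wgs $a" ;;
            PEER) peers="$peers $a" ;;
            ADDR) addrs="$addrs $a=$b" ;;
            LAN)  # last record: everything is collected, evaluate both checks
                for i in $wgs; do
                    case " $peers " in *" $i "*) ;; *) echo "NO_PEERS $i" ;; esac
                done
                lan=$(ip2int "$a"); lanmask=$(ip2int "$b")
                for e in $addrs; do
                    i=${e%%=*}; cidr=${e#*=}; ip=${cidr%/*}; plen=${cidr#*/}
                    wgmask=$(( (0xffffffff << (32 - plen)) & 0xffffffff ))
                    common=$(( lanmask & wgmask ))   # the shorter of the two prefixes
                    if [ $(( $(ip2int "$ip") & common )) -eq $(( lan & common )) ]; then
                        echo "OVERLAP $i $cidr"
                    fi
                done ;;
        esac
    done
}
sample_broken() {  # constructed sample mirroring the thread: wg on the lan subnet, no peer
cat <<'EOF'
config interface 'lan'
	option ipaddr '192.168.0.8'
	option netmask '255.255.255.0'
config interface 'wg_vpn'
	option proto 'wireguard'
	list addresses '192.168.0.1/24'
EOF
}
sample_broken | check_wg_config   # prints NO_PEERS wg_vpn and OVERLAP wg_vpn 192.168.0.1/24
```

On a router, feed it the real file with `check_wg_config < /etc/config/network`; an empty result means both checks pass.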

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

I will (mark solved) but I need a few minutes to copy from backups and such. :stuck_out_tongue_winking_eye: (also make notes for the next upgrade flash so I'm not scrambling again to remember how I did this and where that was saved and why this is broken...)

So is there an elegant way to keep this stuff between flashes without resorting to some hacky scripting?

You are aware that OpenWrt has a configuration backup via CLI and web GUI, correct?

"I've restored the server keys and peer stuff from a previous backup..." <-- Where do you think I got this from? :stuck_out_tongue:

Are you saying I can do a backup, flash to a newer version then use the previous backup on the new version? This seems like a good way to blow things up if that's what you are getting at.

I assumed from the same script and the peers file of unknown origin.

Yes. Generally, you can upgrade to the next version up (e.g., 24 -> 25) - or just upgrade in place, keeping settings. Feel free to review the Wiki and release notes for any version you wish to upgrade to.

Not sure why you believe that. I'm not sure what you're getting at, TBH.

The road warrior scripts that are from openwrt.org. ;p https://openwrt.org/docs/guide-user/services/vpn/wireguard/road-warrior

I will have to reread because everything I have read in the past said to update/upgrade versions DO NOT update packages and such. The way to update/upgrade was reflash with the desired version for your hardware. Which I did. However the Flash operations > configuration only saved what would turn out to be the peer files and a few other things so when I reinstalled the packages things still didn't work and with no server or client errors debugging what was missing/wrong/broken was problematic.

Because the things that change from version to version may not be compatible. I mean 24 used opkg so unless the backup restore knows to purge all that I'm just adding cruft to the new flash that uses apk and so on. I.e. you're re-adding cruft or breaking things with now deprecated setting syntaxes.

I've done tons of reading but some things I've read I can no longer find. Either I'm using different search terms (that fail to find what I remember) or external web search isn't finding reference material because it seems to be worsening into a puddle of useless goo.

You said read the wiki; searching for openwrt wiki in one search engine brings up a lot of nothing other than reddit posts about an old version. Trying another search engine brings up the openwrt.org page which doesn't call itself a wiki until you load it. Searching for update or upgrade on openwrt.org brings up a lot of old version-specific things or (seemingly) wiki-management-related texts, i.e. nothing relevant.

Only after very manual digging and reading and following several links can I find what I think you may be alluding to which would be owut? Not only was it buried and not coming up in searches but countless articles and videos I watched a long long time ago all had the same consensus to always reflash to "update/upgrade" between versions.

I'm terribly sorry if it seems like I didn't do my due diligence but I do. Search engines are getting crappier, but even on the openwrt site this stuff takes very pointed digging because the search didn't bring up the relevant pages. This with normal day to day chaos, forgetting various details because it's been a long time between reading/watching info and now having to recall it and I'm just trying to get things working again and plan for future upgrades so I'm not back scrambling through docs and again not finding the info I need. Plus this is my first upgrade with openwrt so the curve is ongoing.

Really?

Browse to any version's release notes.

Also, in the "Release and security announcement" section of this forum, the first post for every version's thread - you'll find it as well.

I am ping-ponging between search engines constantly because they are all useless. Thanks Ai-bama...Between guessing at terms and phrases, finding anything has become a nightmare of wasted time. Of course I could always just ask the search Ai to learn if I just put a ham sandwich in the router's TCP port and rotate the cat5 clockwise until it is cat12 everything will work.

Again your link shows OpenWrt Wiki but unless you load the page and look at the title in the tab you never see "Wiki." There is a very small link down the page that says "Contributing to wiki." This is likely off screen on a laptop and depending on how many tabs you have open and your screen width you will never see "wiki" in the tab title. Not trying to be annoyingly pedantic, just saying if you don't know a lot of this stuff isn't obvious.

I see (now) that the release notes have a link to Attended Sysupgrade but I'd not have thought to check there for basic use. Also when searching for update/upgrade with the wiki search the one seemingly valid match in English when I click it it's all in German...so again this has all been less than linear. However now I know release notes have more useful info than just changes and I will read up on the Attended Sysupgrade if this is a safe way to do so. It certainly sounds like what I would have wanted but again sooo much info online about reflash every update...

So I went to read that page on sysupgrade and feel like I'm being gaslit

  1. Uncheck/clear the “Keep settings” checkbox especially for major version upgrades, so that new defaults will get applied. Keeping settings may be possible for minor upgrades, but there is always a risk of incompatible settings. (more info regarding the "Keep settings" checkbox and its use cases).

First off I don't have a keep settings checkbox and this is basically describing exactly how I upgraded. So then I was right about restoring old backup settings to new flashes and I did everything right? (shakes head...)

OK, I think the gaslight is in the use cases. I don't think any apply to you. Nonetheless, I think the first sentences of the "Upgrading" section would hold more weight. I apologize for the assumption.

Fair enough.