Set up a Wireguard client network

Actual state

I have a Raspberry Pi as a router. This has several networks configured. Besides a WAN and LAN network, I have a guest network and a tor network, whose external communication is routed via the tor network.
All these networks have their own address range and the access of end devices to these networks is achieved via VLAN and through corresponding Wifi SSIDs.

I have also set up a wireguard server so that I can access my LAN network from the outside.

So far, all this works basically as it should. (If there are any comments on this config - see files below - I am open to suggestions.)

What do I want to achieve?

I have a wireguard server at another location as well.
With my endpoints and the corresponding Wireguard software (Windows + Android) I can get in there from outside without any problems.
But now I want to set up an additional new network at my place, where the outside communication of all devices which are in this network (via VLAN or Wifi SSID) is routed via this VPN.
So in short, when they log into the network at my home, they should automatically be on the network of the remote location.

What am I failing at so far?

I have started to create a new interface "wgExtern".
Most of the configuration is taken from the standalone client.
Currently it does not even manage a handshake with the remote wireguard server.

Outputs and configs

logread or dmesg doesn't tell me anything about the status of wireguard.

output from wg show
interface: wgExtern
  public key: xxxxxxxxxxxxxxxxxxxxxxxxxxxx
  private key: (hidden)
  listening port: 52706

peer: yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
  endpoint: xx.xx.xx.xx:1337
  allowed ips: 0.0.0.0/0

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix '1ce:1ce:babe::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	option igmp_snooping '1'

config interface 'lan'
	option broadcast '192.168.0.255'
	option device 'br-lan.1'
	option igmp_v3 '1'
	option ip6assign '64'
	option netmask '255.255.255.0'
	option proto 'static'
	option ipaddr '192.168.0.2'
	option ip6ifaceid '::2'
	list dns '127.0.0.1'
	option ip4table '1'
	option ip6table '1'
	list ip6class 'local'
	list ip6class 'wan_6'

config interface 'tor'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.4.2'
	option device 'br-lan.4'
	option ip4table '4'
	option ip6table '4'

config interface 'gast'
	option device 'br-lan.3'
	option force_link '0'
	option gateway '192.168.0.2'
	option ip6assign '64'
	option ipaddr '192.168.3.2'
	option netmask '255.255.255.0'
	option proto 'static'
	list dns '192.168.3.2'
	option ip4table '3'
	option ip6table '3'
	option ip6hint '3'
	list ip6class 'local'
	list ip6class 'wan_6'
	option ip6ifaceid '::2'

config device
	option type '8021q'
	option ifname 'eth1'
	option vid '7'
	option name 'eth1.7'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'eth0:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'eth0:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '4'
	list ports 'eth0:t'

config interface 'wan'
	option proto 'pppoe'
	option device 'eth1.7'
	option username 'xxx@yyy'
	option password 'zzzz'
	option ipv6 'auto'
	option ip6assign '64'
	option ip6ifaceid '::2'

config interface 'vpn'
	option proto 'wireguard'
	option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
	option listen_port '1337'
	option mtu '1300'
	option ip4table '2'
	option ip6table '2'
	list ip6class 'wan_6'
	list addresses 'fd02::1/64'
	list addresses '10.55.0.1/24'

config wireguard_vpn 'wgclient'
	option public_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
	option description 'SmartphoneAndy'
	option route_allowed_ips '1'
	list allowed_ips '10.55.0.2/32'
	list allowed_ips 'fd02::2/64'

config wireguard_vpn
	option description 'Surface'
	option public_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
	list allowed_ips '10.55.0.5/32'
	list allowed_ips 'fd02::5/64'
	option route_allowed_ips '1'

config interface 'wgExtern'
	option proto 'wireguard'
	option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
	list addresses '10.13.13.2/32'
	option peerdns '0'
	list dns '10.13.13.1'

config wireguard_wgExtern
	option description 'MyVPNServer'
	option public_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
	list allowed_ips '0.0.0.0/0'
	option endpoint_host 'xxxxxx.yyy'
	option endpoint_port '1337'

/etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option syn_flood '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'vpn'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan6'
	list network 'wan'

config zone
	option name 'gast'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option input 'REJECT'
	option conntrack '1'
	list network 'gast'

config zone
	option output 'ACCEPT'
	option name 'tor'
	option conntrack '1'
	option syn_flood '1'
	option input 'DROP'
	option forward 'REJECT'
	list network 'tor'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option dest 'lan'
	option src 'gast'

config forwarding
	option dest 'wan'
	option src 'gast'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option dest_port '67-68'
	option src 'gast'
	option name 'allow-gast-dhcp-router'
	option target 'ACCEPT'

config rule
	option dest_port '53'
	option src 'gast'
	option name 'allow-gast-dhcp-dns'
	option target 'ACCEPT'

config rule
	option src 'gast'
	option name 'allow-gast-input-icmp-router'
	option target 'ACCEPT'
	list proto 'icmp'
	option family 'ipv6'

config rule
	option src 'gast'
	option name 'allow-gast-icmp-requests'
	option family 'ipv6'
	option target 'ACCEPT'
	option dest 'wan'
	list proto 'icmp'

config nat
	option dest_port '53'
	option proto 'tcp udp'
	option name 'Redirect-DNS'
	option target 'SNAT'
	option dest_ip '192.168.0.9'
	option src 'lan'
	option snat_ip '192.168.0.2'
	option enabled '0'

config rule
	option dest_port '53'
	option src 'gast'
	option name 'Allow-PiHole-from-gast'
	option dest 'lan'
	option target 'ACCEPT'
	list proto 'udp'
	list dest_ip '192.168.0.9'
	list dest_ip 'fe80::dea6:32ff:fe30:907d'

config rule
	option name 'Allow-Tor-DNS-Proxied'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '9053'
	option src 'tor'

config rule
	option name 'Allow-Tor-Proxy'
	option target 'ACCEPT'
	option proto 'tcp'
	option dest_port '9040'
	option src 'tor'

config rule
	option name 'Allow-Tor-DHCP'
	option target 'ACCEPT'
	option proto 'udp'
	option src 'tor'
	option dest_port '67'

config rule
	option src 'lan'
	option dest 'wan'
	option dest_port '53'
	option target 'REJECT'
	option name 'Block_DNS_FROM_LAN'
	list src_ip '!192.168.0.9'
	list src_ip '!fe80::dea6:32ff:fe30:907d'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option proto 'udp'
	option target 'ACCEPT'
	option dest_port '1337'

config redirect
	option target 'DNAT'
	option name 'tor-redirect-53-to-9053'
	list proto 'udp'
	option src 'tor'
	option src_dport '53'
	option dest_port '9053'

config redirect
	option target 'DNAT'
	option name 'tor-redirect-tcp-to-9040'
	list proto 'tcp'
	option src 'tor'
	option src_dport '1:60000'
	option dest_port '9040'

config redirect
	option target 'DNAT'
	option name 'tor-redirect-.onion-to-9040'
	list proto 'tcp'
	option src 'tor'
	option src_dip '10.192.0.0/16'
	option dest_port '9040'
	option src_dport '1:60000'

config zone
	option name 'vpnkevin'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option port '553'
	list server '127.0.0.1'
	option filterwin2k '1'
	list notinterface 'pppoe-wan'

config dhcp 'lan'
	option interface 'lan'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option start '150'
	option limit '103'
	option leasetime '4h'
	option ra_default '2'
	list dhcp_option '6,192.168.0.2'
	list dns 'fe80::dea6:32ff:fe3b:3559'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	list ra_flags 'none'

config dhcp 'tor'
	option interface 'tor'
	option start '200'
	option limit '50'
	option leasetime '1h'
	list dhcp_option '6,192.168.4.2'
	list ra_flags 'none'

config dhcp 'gast'
	option interface 'gast'
	option start '100'
	option limit '150'
	option leasetime '1h'
	option ra 'server'
	option dhcpv6 'server'
	list dns 'fe80::dea6:32ff:fe3b:3559'
	list dhcp_option '6,192.168.3.2'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

[...
	host and domain definitions
...]

config dhcp 'wireguardkevin'
	option interface 'wireguardkevin'
	option ignore '1'
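
Added example, not part of the original post or of OpenWrt: a small cross-file check for the three UCI files above, reporting firewall zones without a network, zone or DHCP entries that name an interface missing from /etc/config/network, and interfaces that sit in no firewall zone. The names `parse_uci` and `lint` are hypothetical, and the sample strings are a constructed excerpt that keeps only the section names from the post.

```python
import re

# Constructed excerpt: section names taken from the three files posted above.
NETWORK = """config interface 'loopback'
config interface 'wan'
config interface 'wgExtern'"""
FIREWALL = """config zone
    option name 'wan'
    list network 'wan6'
    list network 'wan'
config zone
    option name 'vpnkevin'"""
DHCP = """config dhcp 'wan'
    option interface 'wan'
config dhcp 'wireguardkevin'
    option interface 'wireguardkevin'"""

def parse_uci(text):
    """Return [(type, name, {key: [values]})], one tuple per 'config' section."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"\s*(config|option|list)\s+(\S+)\s*(.*)", line)
        if not m:
            continue
        kind, key, val = m.group(1), m.group(2), m.group(3).strip().strip("'\"")
        if kind == "config":
            sections.append((key, val or None, {}))
        elif sections:
            sections[-1][2].setdefault(key, []).append(val)
    return sections

def lint(network, firewall, dhcp):
    """Cross-check interface names between network, firewall and dhcp."""
    ifaces = {n for t, n, _ in parse_uci(network) if t == "interface" and n}
    zoned, out = set(), []
    for o in (o for t, _, o in parse_uci(firewall) if t == "zone"):
        name = o.get("name", ["?"])[0]
        nets = [n for v in o.get("network", []) for n in v.split()]
        zoned.update(nets)
        if not nets:
            out.append(f"zone {name}: no network assigned")
        out += [f"zone {name}: network {n} not defined" for n in nets if n not in ifaces]
    # An interface in no zone matches no zone rules; only 'config defaults' applies.
    out += [f"interface {i}: in no zone" for i in sorted(ifaces - zoned - {"loopback"})]
    for t, n, o in parse_uci(dhcp):
        iface = o.get("interface", [n])[0]
        if t == "dhcp" and iface not in ifaces:
            out.append(f"dhcp {n}: interface {iface} not defined")
    return out
```

`lint(NETWORK, FIREWALL, DHCP)` returns one finding each for `wan6`, `vpnkevin`, `wgExtern` and `wireguardkevin`. The firewall file above sets `option input 'ACCEPT'` in `config defaults`, which is the policy that applies to an interface left outside every zone.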

Normally I am not a friend of pushing but here I would do it, because I just can not imagine that no one could help here.

So if someone has a tip on how I could realize my project I would be extremely grateful.

Then you should fix this first. Check proper key setup on both ends.

BTW, these configs are unused on a WG interface.

(There's little information provided; and your issue seems to be with establishing the handshake with an unknown remote device.)

Thank you very much - that is exactly my problem.
Exactly the same configuration with all keys works fine from a Windows Wireguard client as well as from the Android client.
Here in OpenWRT, however, it does not work even though all keys and endpoints are configured completely the same.

I am struggling a bit to debug this.
Logread is silent and also wg show does not help me (see above) to isolate the problem.

I suspect in the meantime that there is some kind of interaction with the interface "vpn".
Because: Since I added the network wgclient, I can't get to my vpn network from outside.
If I remove the network wgclient again, it works on the other hand.

Now I am missing some skills in some places, and probably even more a basic understanding of vpn networks.
First of all, I have not yet understood how the network areas are related. Naively I would have thought, for example, that (in the case of my wg-server) a client from outside should end up in the lan network. So it should also get an IP from the 192.168.2.0/24 range. Instead clients get IPs from the range 10.55.0.0/24 and although it works I still lack the skills to know why.

Therefore I hoped that a basic misconfiguration, which I do not see, might already be recognizable from my config.
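
Added example, not part of the thread or of the WireGuard tools: `wg show` prints `latest handshake` only after a handshake has completed and prints `transfer` only once a byte counter is non-zero, so the missing lines themselves narrow down where a tunnel is stuck. The sketch classifies peers on that basis; the function names are hypothetical, and the peer names and 192.0.2.x endpoints in the sample are constructed placeholders (the first peer mirrors the output posted above).

```python
import re

# Constructed sample: first peer mirrors the post, the others show further states.
SAMPLE = """\
interface: wgExtern
  listening port: 52706

peer: PEER_A_PLACEHOLDER
  endpoint: 192.0.2.10:1337
  allowed ips: 0.0.0.0/0

peer: PEER_B_PLACEHOLDER
  endpoint: 192.0.2.11:1337
  transfer: 0 B received, 1.16 KiB sent

peer: PEER_C_PLACEHOLDER
  endpoint: 192.0.2.12:1337
  latest handshake: 42 seconds ago
  transfer: 3.10 KiB received, 2.75 KiB sent
"""

def parse_wg_show(text):
    """Parse human-readable `wg show` output into {peer_key: {field: value}}."""
    peers, cur = {}, None
    for line in text.splitlines():
        key, sep, val = line.strip().partition(": ")
        if not sep:
            continue
        if key in ("interface", "peer"):
            cur = peers.setdefault(val, {}) if key == "peer" else None
        elif cur is not None:
            cur[key] = val
    return peers

def diagnose(fields):
    """Classify one peer by which lines `wg show` printed for it."""
    if "latest handshake" in fields:
        return "handshake-ok"
    m = re.match(r"(\S+ \S+) received, (\S+ \S+) sent", fields.get("transfer", ""))
    if not m:                      # no transfer line: both counters are zero
        return "nothing-sent"      # check routes into the tunnel and keepalive
    if m.group(1) == "0 B":
        return "sent-no-reply"     # check endpoint, UDP port and keys
    return "received-no-handshake"

def report(text):
    """Map every peer in the output to its diagnosis."""
    return {peer: diagnose(f) for peer, f in parse_wg_show(text).items()}
```

A peer in `nothing-sent` has had no packet sent to it at all, which puts the local side (no traffic routed into the tunnel, no persistent keepalive, or a failing send to the endpoint) ahead of the remote end as the first thing to check.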

Good to know - thank you!