It looks like the client is trying to connect to the server, but the server doesn't see the packets.
Did anything ever work? You mentioned in the first post:
Were you able to ping 10.9.0.X at any point?
Because if it never worked, I'd suspect also the keys.
There was a successful handshake in the OP.
It looks like some of the modifications resulted in a negative effect.
We can try to revert them for the time being to isolate the issue.
I suggest commenting out the sysntpd workaround and the mtu option on both client and server.
And restart the devices to apply changes.
But keep the wireguard_watchdog script to update IPs for peers that use DDNS.
It still doesn't work, but it does when I add 0.0.0.0/0 to the server's peer and add the other router's DDNS and endpoint port. It still behaves the same as last time. The server becomes the client and data passes through the WireGuard interface. However, on the client router no data is going through for connected devices. This is the only possible way it works, which I was not expecting.
But I am able to ping the other router and the allowed IPs on both routers.
Client
root@OpenWrt:~# ping 192.168.2.1
PING 192.168.2.1 (192.168.2.1): 56 data bytes
64 bytes from 192.168.2.1: seq=0 ttl=64 time=5.000 ms
64 bytes from 192.168.2.1: seq=1 ttl=64 time=5.726 ms
64 bytes from 192.168.2.1: seq=2 ttl=64 time=5.846 ms
64 bytes from 192.168.2.1: seq=3 ttl=64 time=5.868 ms
64 bytes from 192.168.2.1: seq=4 ttl=64 time=5.609 ms
^C
--- 192.168.2.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 5.000/5.609/5.868 ms
root@OpenWrt:~# ping 192.168.2.152
PING 192.168.2.152 (192.168.2.152): 56 data bytes
64 bytes from 192.168.2.152: seq=0 ttl=63 time=944.357 ms
64 bytes from 192.168.2.152: seq=1 ttl=63 time=10.658 ms
64 bytes from 192.168.2.152: seq=2 ttl=63 time=837.502 ms
64 bytes from 192.168.2.152: seq=3 ttl=63 time=8.976 ms
^C
--- 192.168.2.152 ping statistics ---
37 packets transmitted, 35 packets received, 5% packet loss
round-trip min/avg/max = 8.884/240.686/944.357 ms
root@OpenWrt:~# ping 10.9.0.1
PING 10.9.0.1 (10.9.0.1): 56 data bytes
64 bytes from 10.9.0.1: seq=0 ttl=64 time=6.015 ms
64 bytes from 10.9.0.1: seq=1 ttl=64 time=6.244 ms
64 bytes from 10.9.0.1: seq=2 ttl=64 time=5.907 ms
64 bytes from 10.9.0.1: seq=3 ttl=64 time=5.925 ms
64 bytes from 10.9.0.1: seq=4 ttl=64 time=5.680 ms
64 bytes from 10.9.0.1: seq=5 ttl=64 time=6.000 ms
^C
--- 10.9.0.1 ping statistics ---
6 packets transmitted, 6 packets received, 0% packet loss
round-trip min/avg/max = 5.680/5.961/6.244 ms
root@OpenWrt:~# wg
interface: wg0
public key: <new client private key>
private key: (hidden)
listening port: 51820
peer: <new server public key>
endpoint: xxx.xxx.101.90:51820
allowed ips: 192.168.2.0/24, 10.9.0.1/32
latest handshake: 1 minute, 44 seconds ago
transfer: 257.15 MiB received, 264.27 MiB sent
persistent keepalive: every 25 seconds
root@OpenWrt:~#
Server
root@OpenWrt:~# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: seq=0 ttl=64 time=6.112 ms
64 bytes from 192.168.1.1: seq=1 ttl=64 time=5.535 ms
64 bytes from 192.168.1.1: seq=2 ttl=64 time=6.276 ms
^C
--- 192.168.1.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 5.535/5.974/6.276 ms
root@OpenWrt:~# ping 192.168.1.211
PING 192.168.1.211 (192.168.1.211): 56 data bytes
64 bytes from 192.168.1.211: seq=0 ttl=63 time=87.072 ms
64 bytes from 192.168.1.211: seq=1 ttl=63 time=97.303 ms
64 bytes from 192.168.1.211: seq=2 ttl=63 time=14.101 ms
^C
--- 192.168.1.211 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 14.101/66.158/97.303 ms
root@OpenWrt:~# ping 10.9.0.2
PING 10.9.0.2 (10.9.0.2): 56 data bytes
64 bytes from 10.9.0.2: seq=0 ttl=64 time=5.865 ms
64 bytes from 10.9.0.2: seq=1 ttl=64 time=5.909 ms
64 bytes from 10.9.0.2: seq=2 ttl=64 time=5.791 ms
64 bytes from 10.9.0.2: seq=3 ttl=64 time=5.648 ms
^C
--- 10.9.0.2 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 5.648/5.803/5.909 ms
root@OpenWrt:~# wg
interface: wg0
public key: <new server private key>
private key: (hidden)
listening port: 51820
peer: <new client public key>
endpoint: xxx.xxx.6.121:51820
allowed ips: 10.9.0.2/32, 192.168.1.0/24, 0.0.0.0/0
latest handshake: 1 minute, 57 seconds ago
transfer: 264.64 MiB received, 260.23 MiB sent
persistent keepalive: every 25 seconds
The 0.0.0.0/0 is definitely not needed on the server and certainly diverts all traffic to the client, which you don't want.
I have the feeling that traffic on the server is not routed properly back to the client for some reason, because we were able to see the incoming packets, but nothing going back.
It doesn't really matter which router will be server and which one client, they are all called peers in wireguard.
What I would try is to make the current server a client and vice versa. If this doesn't work, start from scratch following the guides in the wiki and don't use the:
I will reset everything and start over again. I will try to set up two routers on the same network first. If that works, I will proceed to set it up on separate networks.
First, it is wrong to use different MTU values. Start without the mtu option on both server and client and add it in case of problems.
Other than that, the server is fine.
The client is now routing all traffic through the server. Replace allowed_ips '0.0.0.0/0' with
list allowed_ips '10.9.0.1/32'
list allowed_ips '192.168.2.0/24'
This is quite technical and I am not sure how to do it. However, I just want to know any harm in allowing all traffic to pass through. I am asking this because the wiki guide stated the following for client configuration.
This is to route all client traffic to the VPN by default.
You can disable gateway redirection if you don't need it.
A site-to-site connection is used to provide connectivity between the server and client LANs.
It does not actually require routing all client traffic to the VPN.
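As an added example (not code from this thread, OpenWrt or WireGuard), a small Python check of the allowed_ips logic discussed in the replies above: it flags a 0.0.0.0/0 entry on a site-to-site peer, confirms each router lists the other side's tunnel address and LAN so replies can be routed back, and produces the minimal site-to-site list. The addresses are the ones quoted in the thread; the redacted endpoints are left out.

```python
import ipaddress

# Constructed from the addresses quoted in the thread (endpoints omitted because
# the posts redact them). Each entry: local tunnel address, local LAN, and the
# allowed_ips this router has configured for the remote peer.
SITES = {
    "client": {
        "tunnel": "10.9.0.2/32",
        "lan": "192.168.1.0/24",
        "peer_allowed_ips": ["192.168.2.0/24", "10.9.0.1/32"],
    },
    "server": {
        "tunnel": "10.9.0.1/32",
        "lan": "192.168.2.0/24",
        "peer_allowed_ips": ["10.9.0.2/32", "192.168.1.0/24", "0.0.0.0/0"],
    },
}


def check_site(local, remote):
    """Return a list of problems with `local`'s allowed_ips for the peer `remote`."""
    problems = []
    allowed = [ipaddress.ip_network(n) for n in local["peer_allowed_ips"]]
    # A default route on a site-to-site peer diverts all of this router's
    # traffic into the tunnel, which a LAN-to-LAN setup does not need.
    for net in allowed:
        if net.prefixlen == 0:
            problems.append("%s routes all traffic to the peer" % net)
    # The remote tunnel address and remote LAN must be covered; WireGuard's
    # cryptokey routing drops packets for destinations not in allowed_ips.
    for label in ("tunnel", "lan"):
        want = ipaddress.ip_network(remote[label])
        if not any(want.subnet_of(a) for a in allowed):
            problems.append("remote %s %s is not in allowed_ips" % (label, want))
    # The local LAN must not be claimed by the peer, or local traffic is stolen.
    local_lan = ipaddress.ip_network(local["lan"])
    for net in allowed:
        if net.prefixlen > 0 and local_lan.overlaps(net):
            problems.append("allowed_ips %s overlaps the local LAN" % net)
    return problems


def site_to_site_allowed_ips(remote):
    """Minimal allowed_ips for a site-to-site peer: its tunnel address and its LAN."""
    return [remote["tunnel"], remote["lan"]]


def check_all(sites=SITES):
    """Check both directions; returns {router: [problems]}."""
    return {
        "client": check_site(sites["client"], sites["server"]),
        "server": check_site(sites["server"], sites["client"]),
    }
```

Running check_all() on the thread's configuration reports only the 0.0.0.0/0 entry on the server; site_to_site_allowed_ips(SITES["client"]) gives the two-entry list the reply recommends.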