Site to Site with WireGuard stopped working

From both sides I can ping systems on both sides.

I can reach OpenWrt on the remote system with SSH or LuCI.

The firewall rules look OK; this was working and then stopped.

What files will help?

What changed?

Please connect to your OpenWrt device using SSH, copy the output of the following commands, and post it here using the "Preformatted text </>" button:

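Remember to redact keys (WireGuard private and preshared keys in particular), passwords, MAC addresses and any public IP addresses you may have, including addresses that appear inside firewall rules such as src_ip: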

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
ip route show
wg show

Please show this for both sides

root@SalemOpenWrt:~# ubus call system board
{
        "kernel": "5.15.150",
        "hostname": "SalemOpenWrt",
        "system": "ARMv7 Processor rev 1 (v7l)",
        "model": "Linksys WRT3200ACM",
        "board_name": "linksys,wrt3200acm",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "mvebu/cortexa9",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}
root@SalemOpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'x'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config device
        option name 'wan'
        option macaddr 'x'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option type 'bridge'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:t'
        list ports 'lan2:u*'
        list ports 'lan3:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '2'
        list ports 'lan1:t'
        list ports 'lan3:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '4'
        list ports 'lan1:t'
        list ports 'lan3:t'
        list ports 'lan4:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'lan1:t'
        list ports 'lan3:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '11'
        list ports 'lan1:t'
        list ports 'lan3:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '12'
        list ports 'lan1:t'
        list ports 'lan3:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '13'
        list ports 'lan1:t'
        list ports 'lan3:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '14'
        list ports 'lan1:t'
        list ports 'lan3:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '16'
        list ports 'lan1:t'
        list ports 'lan3:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '17'
        list ports 'lan1:t'
        list ports 'lan3:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '18'
        list ports 'lan1:t'
        list ports 'lan3:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '19'
        list ports 'lan1:t'
        list ports 'lan3:t'

config interface 'vlan4'
        option proto 'static'
        option device 'br-lan.4'
        option ipaddr '192.168.4.1'
        option netmask '255.255.255.0'

config interface 'vlan11w'
        option proto 'static'
        option device 'br-lan.11'
        option ipaddr '192.168.11.1'
        option netmask '255.255.255.0'

config interface 'vlan10l'
        option proto 'static'
        option device 'br-lan.10'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'

config interface 'vlan12p'
        option proto 'static'
        option device 'br-lan.12'
        option ipaddr '192.168.12.1'
        option netmask '255.255.255.0'

config interface 'vlan1'
        option proto 'static'
        option device 'br-lan.1'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'

config interface 'vlan13i'
        option proto 'static'
        option device 'br-lan.13'
        option ipaddr '192.168.13.1'
        option netmask '255.255.255.0'

config interface 'vlan14o'
        option proto 'static'
        option device 'br-lan.14'
        option ipaddr '192.168.14.1'
        option netmask '255.255.255.0'

config interface 'vlan16m1'
        option proto 'none'
        option device 'br-lan.16'

config interface 'vlan17m2'
        option proto 'none'
        option device 'br-lan.17'

config interface 'vlan18m3'
        option proto 'none'
        option device 'br-lan.18'

config interface 'vlan19m4'
        option proto 'none'
        option device 'br-lan.19'

config interface 'vlan2'
        option proto 'none'
        option device 'br-lan.2'

config device
        option name 'br-lan.11'
        option type '8021q'
        option ifname 'br-lan'
        option vid '11'
        option ipv6 '0'

config interface 'vlan20m5'
        option proto 'static'
        option device 'br-lan.20'

config device
        option name 'br-lan.10'
        option type '8021q'
        option ifname 'br-lan'
        option vid '10'

config interface 'vlan15vpn'
        option proto 'wireguard'
        option private_key ''
        option listen_port '51820'
        list addresses '192.168.15.1/24'

config wireguard_vlan15vpn
        option description 'Kevin Cell'
        option public_key 'x='
        option private_key 'x='
        option preshared_key 'c='
        option route_allowed_ips '1'
        option endpoint_port '51820'
        list allowed_ips '192.168.15.10/32'

config wireguard_vlan15vpn
        option description 'Kevin PC'
        option public_key 'x='
        option private_key 'x='
        option preshared_key 'x='
        option route_allowed_ips '1'
        option endpoint_port '51820'
        list allowed_ips '192.168.15.12/32'

config wireguard_vlan15vpn
        option description 'Tablet'
        option public_key 'x='
        option private_key 'x='
        option preshared_key 'xo='
        list allowed_ips '192.168.15.14/32'
        option endpoint_port '51820'

config interface 'SiteToSite'
        option proto 'wireguard'
        option private_key 'x='
        option listen_port '51821'
        list addresses '172.16.1.1/32'

config wireguard_SiteToSite
        option description 'Seaside'
        option public_key 'IN//BsD4='
        option route_allowed_ips '1'
        option endpoint_host 'xx.xx.xx.xx'
        option endpoint_port '51821'
        option persistent_keepalive '25'
        list allowed_ips '192.168.212.0/24'
        list allowed_ips '192.168.210.0/24'
        list allowed_ips '172.16.1.0/24'
        list allowed_ips '192.168.211.0/24'
        list allowed_ips '192.168.213.0/24'
        list allowed_ips '192.168.214.0/24'
        list allowed_ips '192.168.215.0/24'

root@SalemOpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config zone
        option name 'VLAN4'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'vlan4'

config forwarding
        option src 'VLAN4'
        option dest 'wan'

config zone
        option name 'VLAN11W'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'vlan11w'

config zone
        option name 'VLAN10L'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'vlan10l'

config zone
        option name 'VLAN12P'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'vlan12p'

config zone
        option name 'VLAN1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'vlan1'

config forwarding
        option src 'VLAN11W'
        option dest 'VLAN1'

config forwarding
        option src 'VLAN11W'
        option dest 'VLAN4'

config forwarding
        option src 'VLAN11W'
        option dest 'VLAN10L'

config forwarding
        option src 'VLAN11W'
        option dest 'VLAN12P'

config forwarding
        option src 'VLAN11W'
        option dest 'wan'

config forwarding
        option src 'VLAN4'
        option dest 'VLAN1'

config forwarding
        option src 'VLAN4'
        option dest 'VLAN10L'

config forwarding
        option src 'VLAN4'
        option dest 'VLAN11W'

config forwarding
        option src 'VLAN4'
        option dest 'VLAN12P'

config forwarding
        option src 'VLAN1'
        option dest 'VLAN4'

config forwarding
        option src 'VLAN10L'
        option dest 'VLAN4'

config forwarding
        option src 'VLAN12P'
        option dest 'VLAN4'

config forwarding
        option src 'VLAN10L'
        option dest 'VLAN1'

config forwarding
        option src 'VLAN10L'
        option dest 'VLAN11W'

config forwarding
        option src 'VLAN10L'
        option dest 'VLAN12P'

config forwarding
        option src 'VLAN10L'
        option dest 'wan'

config forwarding
        option src 'VLAN1'
        option dest 'VLAN10L'

config forwarding
        option src 'VLAN12P'
        option dest 'VLAN10L'

config forwarding
        option src 'VLAN12P'
        option dest 'VLAN1'

config forwarding
        option src 'VLAN12P'
        option dest 'VLAN11W'

config forwarding
        option src 'VLAN12P'
        option dest 'wan'

config forwarding
        option src 'VLAN1'
        option dest 'VLAN12P'

config forwarding
        option src 'VLAN1'
        option dest 'VLAN11W'

config forwarding
        option src 'VLAN1'
        option dest 'wan'

config zone
        option name 'VLAN13I'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'vlan13i'

config zone
        option name 'VLAN14O'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'vlan14o'

config zone
        option name 'VLAN15V'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'vlan15vpn'

config forwarding
        option src 'VLAN13I'
        option dest 'VLAN1'

config forwarding
        option src 'VLAN13I'
        option dest 'VLAN4'

config forwarding
        option src 'VLAN13I'
        option dest 'VLAN10L'

config forwarding
        option src 'VLAN13I'
        option dest 'VLAN11W'

config forwarding
        option src 'VLAN13I'
        option dest 'VLAN12P'

config forwarding
        option src 'VLAN13I'
        option dest 'VLAN14O'

config forwarding
        option src 'VLAN13I'
        option dest 'VLAN15V'

config forwarding
        option src 'VLAN13I'
        option dest 'wan'

config forwarding
        option src 'VLAN1'
        option dest 'VLAN13I'

config forwarding
        option src 'VLAN4'
        option dest 'VLAN13I'

config forwarding
        option src 'VLAN10L'
        option dest 'VLAN13I'

config forwarding
        option src 'VLAN11W'
        option dest 'VLAN13I'

config forwarding
        option src 'VLAN12P'
        option dest 'VLAN13I'

config forwarding
        option src 'VLAN14O'
        option dest 'VLAN13I'

config forwarding
        option src 'VLAN15V'
        option dest 'VLAN13I'

config forwarding
        option src 'VLAN14O'
        option dest 'VLAN1'

config forwarding
        option src 'VLAN14O'
        option dest 'VLAN4'

config forwarding
        option src 'VLAN14O'
        option dest 'VLAN10L'

config forwarding
        option src 'VLAN14O'
        option dest 'VLAN11W'

config forwarding
        option src 'VLAN14O'
        option dest 'VLAN12P'

config forwarding
        option src 'VLAN14O'
        option dest 'VLAN15V'

config forwarding
        option src 'VLAN14O'
        option dest 'wan'

config forwarding
        option src 'VLAN4'
        option dest 'VLAN14O'

config forwarding
        option src 'VLAN10L'
        option dest 'VLAN14O'

config forwarding
        option src 'VLAN11W'
        option dest 'VLAN14O'

config forwarding
        option src 'VLAN12P'
        option dest 'VLAN14O'

config forwarding
        option src 'VLAN15V'
        option dest 'VLAN14O'

config forwarding
        option src 'VLAN15V'
        option dest 'VLAN1'

config forwarding
        option src 'VLAN15V'
        option dest 'VLAN4'

config forwarding
        option src 'VLAN15V'
        option dest 'VLAN10L'

config forwarding
        option src 'VLAN15V'
        option dest 'VLAN11W'

config forwarding
        option src 'VLAN15V'
        option dest 'VLAN12P'

config forwarding
        option src 'VLAN15V'
        option dest 'wan'

config forwarding
        option src 'VLAN4'
        option dest 'VLAN15V'

config forwarding
        option src 'VLAN10L'
        option dest 'VLAN15V'

config forwarding
        option src 'VLAN11W'
        option dest 'VLAN15V'

config forwarding
        option src 'VLAN12P'
        option dest 'VLAN15V'

config zone
        option name 'VLAN16M1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vlan16m1'

config zone
        option name 'VLAN17M2'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vlan17m2'

config zone
        option name 'VLAN19M4'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vlan19m4'

config zone
        option name 'VLAN18M3'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'vlan18m3'

config forwarding
        option src 'VLAN16M1'
        option dest 'VLAN17M2'

config forwarding
        option src 'VLAN16M1'
        option dest 'VLAN18M3'

config forwarding
        option src 'VLAN16M1'
        option dest 'VLAN19M4'

config forwarding
        option src 'VLAN17M2'
        option dest 'VLAN16M1'

config forwarding
        option src 'VLAN17M2'
        option dest 'VLAN18M3'

config forwarding
        option src 'VLAN17M2'
        option dest 'VLAN19M4'

config forwarding
        option src 'VLAN18M3'
        option dest 'VLAN17M2'

config forwarding
        option src 'VLAN19M4'
        option dest 'VLAN17M2'

config forwarding
        option src 'VLAN19M4'
        option dest 'VLAN16M1'

config forwarding
        option src 'VLAN19M4'
        option dest 'VLAN18M3'

config forwarding
        option src 'VLAN18M3'
        option dest 'VLAN16M1'

config forwarding
        option src 'VLAN18M3'
        option dest 'VLAN19M4'

config zone
        option name 'VLAN2M'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'vlan2'

config forwarding
        option src 'VLAN2M'
        option dest 'VLAN16M1'

config forwarding
        option src 'VLAN2M'
        option dest 'VLAN17M2'

config forwarding
        option src 'VLAN2M'
        option dest 'VLAN18M3'

config forwarding
        option src 'VLAN2M'
        option dest 'VLAN19M4'

config forwarding
        option src 'VLAN16M1'
        option dest 'VLAN2M'

config forwarding
        option src 'VLAN17M2'
        option dest 'VLAN2M'

config forwarding
        option src 'VLAN18M3'
        option dest 'VLAN2M'

config forwarding
        option src 'VLAN19M4'
        option dest 'VLAN2M'

config redirect
        option dest 'VLAN10L'
        option target 'DNAT'
        option name 'http'
        option family 'ipv4'
        list proto 'tcp'
        option src 'wan'
        option src_dport '80'
        option dest_ip '192.168.10.141'
        option dest_port '80'

config redirect
        option dest 'VLAN10L'
        option target 'DNAT'
        option name 'https'
        option family 'ipv4'
        list proto 'tcp'
        option src 'wan'
        option src_dport '443'
        option dest_ip '192.168.10.141'
        option dest_port '443'

config redirect
        option dest 'VLAN10L'
        option target 'DNAT'
        option name 'mqtt'
        option family 'ipv4'
        list proto 'tcp'
        option src 'wan'
        option src_dport '8883'
        option dest_ip '192.168.10.141'
        option dest_port '8883'

config redirect
        option dest 'VLAN10L'
        option target 'DNAT'
        option name 'ssh seaside'
        list proto 'tcp'
        option src 'wan'
        option src_dport '22'
        option dest_ip '192.168.10.141'
        option dest_port '22'
        option src_ip 'xx.xx.xx.xx'

config redirect
        option dest 'VLAN10L'
        option target 'DNAT'
        option name 'server ssh'
        option family 'ipv4'
        list proto 'tcp'
        option src 'wan'
        option src_ip '162.254.35.211'
        option src_dport '9443'
        option dest_ip '192.168.10.141'
        option dest_port '22'

config redirect
        option dest 'VLAN10L'
        option target 'DNAT'
        option name 'ssh'
        list proto 'tcp'
        option src 'wan'
        option src_dport '9922'
        option dest_ip '192.168.10.141'
        option dest_port '22'

config redirect
        option dest 'VLAN10L'
        option target 'DNAT'
        option name 'mysql'
        list proto 'tcp'
        option src 'wan'
        option src_dport '3306'
        option dest_ip '192.168.10.225'
        option dest_port '3306'

config redirect
        option target 'DNAT'
        option name 'na7kr'
        option src 'wan'
        option src_dport '8443'
        option dest_port '22'
        list proto 'tcp'
        option dest 'VLAN10L'
        option dest_ip '192.168.10.129'

config zone
        option name 'VLAN20'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'vlan20m5'

config forwarding
        option src 'VLAN20'
        option dest 'VLAN16M1'

config forwarding
        option src 'VLAN20'
        option dest 'VLAN17M2'

config forwarding
        option src 'VLAN20'
        option dest 'VLAN18M3'

config forwarding
        option src 'VLAN20'
        option dest 'VLAN19M4'

config forwarding
        option src 'VLAN16M1'
        option dest 'VLAN20'

config forwarding
        option src 'VLAN17M2'
        option dest 'VLAN20'

config forwarding
        option src 'VLAN18M3'
        option dest 'VLAN20'

config forwarding
        option src 'VLAN19M4'
        option dest 'VLAN20'

config redirect
        option dest 'VLAN15V'
        option target 'DNAT'
        option name 'VPN'
        list proto 'udp'
        option src 'wan'
        option src_dport '51820'
        option dest_ip '192.168.15.1'
        option dest_port '51820'
        option family 'ipv4'

config forwarding
        option src 'wan'
        option dest 'VLAN15V'

config redirect
        option dest 'VLAN13I'
        option target 'DNAT'
        option name 'meshWireGuard'
        list proto 'udp'
        option src 'wan'
        option src_dport '5525-5535'
        option dest_port '5526-5535'
        option dest_ip '192.168.13.219'

config redirect
        option dest 'VLAN10L'
        option target 'DNAT'
        option name 'ssh Ansible'
        list proto 'tcp'
        option src 'wan'
        option src_dport '9923'
        option dest_ip '192.168.10.133'
        option dest_port '22'

config zone
        option name 'SiteToSide'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'SiteToSite'
        option masq '1'

config forwarding
        option src 'SiteToSide'
        option dest 'VLAN1'

config forwarding
        option src 'SiteToSide'
        option dest 'VLAN4'

config forwarding
        option src 'SiteToSide'
        option dest 'VLAN10L'

config forwarding
        option src 'SiteToSide'
        option dest 'VLAN11W'

config forwarding
        option src 'SiteToSide'
        option dest 'VLAN12P'

config forwarding
        option src 'SiteToSide'
        option dest 'VLAN13I'

config forwarding
        option src 'SiteToSide'
        option dest 'VLAN14O'

config forwarding
        option src 'SiteToSide'
        option dest 'VLAN15V'

config forwarding
        option src 'SiteToSide'
        option dest 'wan'

config forwarding
        option src 'VLAN1'
        option dest 'SiteToSide'

config forwarding
        option src 'VLAN4'
        option dest 'SiteToSide'

config forwarding
        option src 'VLAN10L'
        option dest 'SiteToSide'

config forwarding
        option src 'VLAN11W'
        option dest 'SiteToSide'

config forwarding
        option src 'VLAN12P'
        option dest 'SiteToSide'

config forwarding
        option src 'VLAN13I'
        option dest 'SiteToSide'

config forwarding
        option src 'VLAN14O'
        option dest 'SiteToSide'

config forwarding
        option src 'VLAN15V'
        option dest 'SiteToSide'

config redirect
        option dest 'SiteToSide'
        option target 'DNAT'
        option name 'SitetoSite'
        option family 'ipv4'
        list proto 'udp'
        option src 'wan'
        option src_dport '51821'
        option dest_ip '10.10.10.1'
        option dest_port '51821'

config redirect
        option dest 'VLAN10L'
        option target 'DNAT'
        option name 'ssh mail'
        option family 'ipv4'
        list proto 'tcp'
        option src 'wan'
        option src_ip '162.254.35.211'
        option src_dport '22'
        option dest_ip '192.168.10.141'
        option dest_port '22'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/firewall.include'

root@SalemOpenWrt:~# ip route show
default via xx.xx.xx.xx dev wan proto static src xx.xx.xx.xx
xx.xx.xx.xx via xx.xx.xx.xx dev wan proto static
xx.xx.xx.xx/24 dev wan proto kernel scope link src xx.xx.xx.xx
172.16.1.0/24 dev SiteToSite proto static scope link
192.168.1.0/24 dev br-lan.1 proto kernel scope link src 192.168.1.1
192.168.4.0/24 dev br-lan.4 proto kernel scope link src 192.168.4.1
192.168.10.0/24 dev br-lan.10 proto kernel scope link src 192.168.10.1
192.168.11.0/24 dev br-lan.11 proto kernel scope link src 192.168.11.1
192.168.12.0/24 dev br-lan.12 proto kernel scope link src 192.168.12.1
192.168.13.0/24 dev br-lan.13 proto kernel scope link src 192.168.13.1
192.168.14.0/24 dev br-lan.14 proto kernel scope link src 192.168.14.1
192.168.15.0/24 dev vlan15vpn proto kernel scope link src 192.168.15.1
192.168.15.10 dev vlan15vpn proto static scope link
192.168.15.12 dev vlan15vpn proto static scope link
192.168.210.0/24 dev SiteToSite proto static scope link
192.168.211.0/24 dev SiteToSite proto static scope link
192.168.212.0/24 dev SiteToSite proto static scope link
192.168.213.0/24 dev SiteToSite proto static scope link
192.168.214.0/24 dev SiteToSite proto static scope link
192.168.215.0/24 dev SiteToSite proto static scope link
root@SalemOpenWrt:~# wg show
interface: vlan15vpn
  public key: x=
  private key: (hidden)
  listening port: 51820

peer: x=
  preshared key: (hidden)
  allowed ips: 192.168.15.10/32

peer: x=
  preshared key: (hidden)
  allowed ips: 192.168.15.12/32

peer: x=
  preshared key: (hidden)
  allowed ips: 192.168.15.14/32

interface: SiteToSite
  public key: x=
  private key: (hidden)
  listening port: 51821

peer: Ix=
  endpoint: xx.xx.xx.xx:51821
  allowed ips: 192.168.212.0/24, 192.168.210.0/24, 172.16.1.0/24, 192.168.211.0/24, 192.168.213.0/24, 192.168.214.0/24, 192.168.215.0/24
  latest handshake: 34 seconds ago
  transfer: 686.81 MiB received, 730.55 MiB sent
  persistent keepalive: every 25 seconds

Other Side

root@SeaSideOpenWrt:~# ubus call system board
{
        "kernel": "5.15.150",
        "hostname": "SeaSideOpenWrt",
        "system": "ARMv7 Processor rev 1 (v7l)",
        "model": "Linksys WRT3200ACM",
        "board_name": "linksys,wrt3200acm",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "mvebu/cortexa9",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}
root@SeaSideOpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd22:d2ec:92a5::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'wan'
        option macaddr 'X'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option type 'bridge'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option type 'bridge'

config bridge-vlan
        option device 'br-lan'
        option vlan '201'
        list ports 'lan1:t'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '201'
        option name 'br-lan.201'

config interface 'vlan201'
        option proto 'static'
        option device 'br-lan.201'
        option ipaddr '192.168.201.1'
        option netmask '255.255.255.0'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '210'
        list ports 'lan1:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '211'
        list ports 'lan1:t'
        list ports 'lan2:u*'
        list ports 'lan3:u*'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '210'
        option name 'br-lan.210'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '211'
        option name 'br-lan.211'

config interface 'vlan210'
        option proto 'static'
        option device 'br-lan.210'
        option ipaddr '192.168.210.1'
        option netmask '255.255.255.0'

config interface 'vlan211'
        option proto 'static'
        option device 'br-lan.211'
        option ipaddr '192.168.211.1'
        option netmask '255.255.255.0'

config bridge-vlan
        option device 'br-lan'
        option vlan '212'
        list ports 'lan1:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '213'
        list ports 'lan1:t'
        list ports 'lan4:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '214'
        list ports 'lan1:t'

config interface 'vlan213i'
        option proto 'static'
        option device 'br-lan.213'
        option ipaddr '192.168.213.1'
        option netmask '255.255.255.0'

config interface 'vlan214o'
        option proto 'static'
        option device 'br-lan.214'
        option ipaddr '192.168.214.1'
        option netmask '255.255.255.0'

config interface 'vlan60'
        option proto 'static'
        option device 'br-lan.60'
        option ipaddr '10.60.1.1'
        option netmask '255.255.255.0'

config bridge-vlan
        option device 'br-lan'
        option vlan '60'
        list ports 'lan1:t'

config device
        option name 'br-lan.213'
        option type '8021q'
        option ifname 'br-lan'
        option vid '213'

config interface '27'
        option proto 'none'
        option device 'br-lan.27'

config bridge-vlan
        option device 'br-lan'
        option vlan '27'
        list ports 'lan1:t'

config interface 'vlan212p'
        option proto 'static'
        option device 'br-lan.212'
        option ipaddr '192.168.212.1'
        option netmask '255.255.255.0'

config interface 'vlan215vpn'
        option proto 'wireguard'
        option private_key 'x='
        option listen_port '51820'
        list addresses '192.168.215.1/24'

config wireguard_vlan215vpn
        option description 'Kevin Cell'
        option public_key 'x='
        option private_key 'x='
        option preshared_key 'x='
        list allowed_ips '192.168.215.10/32'
        option route_allowed_ips '1'

config interface 'SiteToSide'
        option proto 'wireguard'
        option private_key 'x='
        option listen_port '51821'
        list addresses '172.16.1.2/32'

# The single peer of the SiteToSide interface: the remote site's router.
config wireguard_SiteToSide
        option description 'Salem'
        option public_key 'x='
        # Installs one route per allowed_ips entry on the SiteToSide device
        # (they appear in the `ip route show` output of the same post).
        option route_allowed_ips '1'
        # This side dials out to the remote endpoint and sends a keepalive every
        # 25 s, so the tunnel can stay up without any inbound port being opened.
        option endpoint_host 'x.x.x.x'
        option endpoint_port '51821'
        option persistent_keepalive '25'
        # allowed_ips is also WireGuard's inbound source filter: packets arriving
        # from this peer with a source outside these prefixes are dropped, so
        # every remote subnet that must be reachable has to be listed.
        list allowed_ips '192.168.10.0/24'
        list allowed_ips '172.16.1.0/24'
        list allowed_ips '192.168.11.0/24'
        list allowed_ips '192.168.12.0/24'
        list allowed_ips '192.168.13.0/24'
        list allowed_ips '192.168.14.0/24'
        list allowed_ips '192.168.15.0/24'

# Second remote-access peer on the vlan215vpn interface.
config wireguard_vlan215vpn
        option description 'laptop'
        option public_key 'x='
        # NOTE(review): this is the client's private key kept on the router; the
        # tunnel itself only needs public_key - confirm whether it must stay.
        option private_key 'x='
        option preshared_key 'x='
        list allowed_ips '192.168.215.11/32'
        option route_allowed_ips '1'

root@SeaSideOpenWrt:~# cat /etc/config/firewall

# Global fallback policies, applied to traffic that no zone claims.
config defaults
        # NOTE(review): input and forward both fall back to ACCEPT, so an
        # interface that is not a member of any zone is left unfiltered. The wan
        # zone below overrides this with REJECT; set these to REJECT as well
        # unless the permissive fallback is deliberate.
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'vlan201'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'vlan201'

config forwarding
        option src 'vlan201'
        option dest 'lan'

config forwarding
        option src 'vlan201'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'vlan201'

config zone
        option name 'VLAN211W'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'vlan211'

config zone
        option name 'VLAN210L'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'vlan210'

config forwarding
        option src 'VLAN210L'
        option dest 'lan'

config forwarding
        option src 'VLAN210L'
        option dest 'vlan201'

config forwarding
        option src 'VLAN210L'
        option dest 'VLAN211W'

config forwarding
        option src 'VLAN210L'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'VLAN210L'

config forwarding
        option src 'vlan201'
        option dest 'VLAN210L'

config forwarding
        option src 'VLAN211W'
        option dest 'VLAN210L'

config forwarding
        option src 'VLAN211W'
        option dest 'lan'

config forwarding
        option src 'VLAN211W'
        option dest 'vlan201'

config forwarding
        option src 'VLAN211W'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'VLAN211W'

config forwarding
        option src 'vlan201'
        option dest 'VLAN211W'

config zone
        option name 'VLAN215VPN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'vlan215vpn'

config forwarding
        option src 'VLAN215VPN'
        option dest 'lan'

config forwarding
        option src 'VLAN215VPN'
        option dest 'vlan201'

config forwarding
        option src 'VLAN215VPN'
        option dest 'VLAN210L'

config forwarding
        option src 'VLAN215VPN'
        option dest 'VLAN211W'

config forwarding
        option src 'VLAN215VPN'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'VLAN215VPN'

config forwarding
        option src 'vlan201'
        option dest 'VLAN215VPN'

config forwarding
        option src 'VLAN210L'
        option dest 'VLAN215VPN'

config forwarding
        option src 'VLAN211W'
        option dest 'VLAN215VPN'

# Inbound WireGuard for the vlan215vpn interface (UDP 51820 from wan).
config redirect
        option dest 'VLAN215VPN'
        option target 'DNAT'
        option name 'VPN'
        list proto 'udp'
        option src 'wan'
        option src_dport '51820'
        # NOTE(review): 192.168.215.1 is this router's own vlan215vpn address and
        # WireGuard listens on the router itself, so this is input traffic rather
        # than forwarded traffic. A `config rule` with src 'wan', proto 'udp',
        # dest_port '51820', target 'ACCEPT' states that directly - confirm
        # whether the DNAT is needed at all.
        option dest_ip '192.168.215.1'
        option dest_port '51820'
        option family 'ipv4'

config zone
        option name 'VLAN212P'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'vlan60'
        list network 'vlan212p'

# Zone for the vlan214o network; router input from it is rejected.
config zone
        option name 'VLAN214O'
        option input 'REJECT'
        option output 'ACCEPT'
        # NOTE(review): the zone-level forward policy only governs traffic between
        # networks inside this zone. The `config forwarding` sections with
        # src 'VLAN214O' later in this file still let it reach lan, vlan201,
        # VLAN210L, VLAN211W, VLAN212P, vlan213, VLAN215VPN, SiteToSite and wan,
        # so this zone is not isolated from the other VLANs - verify that is intended.
        option forward 'REJECT'
        list network 'vlan214o'

config forwarding
        option src 'VLAN212P'
        option dest 'lan'

config forwarding
        option src 'VLAN212P'
        option dest 'vlan201'

config forwarding
        option src 'VLAN212P'
        option dest 'VLAN210L'

config forwarding
        option src 'VLAN212P'
        option dest 'VLAN211W'

config forwarding
        option src 'VLAN212P'
        option dest 'VLAN214O'

config forwarding
        option src 'VLAN212P'
        option dest 'VLAN215VPN'

config forwarding
        option src 'VLAN212P'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'VLAN212P'

config forwarding
        option src 'vlan201'
        option dest 'VLAN212P'

config forwarding
        option src 'VLAN210L'
        option dest 'VLAN212P'

config forwarding
        option src 'VLAN211W'
        option dest 'VLAN212P'

config forwarding
        option src 'VLAN214O'
        option dest 'VLAN212P'

config forwarding
        option src 'VLAN215VPN'
        option dest 'VLAN212P'

config forwarding
        option src 'VLAN214O'
        option dest 'lan'

config forwarding
        option src 'VLAN214O'
        option dest 'vlan201'

config forwarding
        option src 'VLAN214O'
        option dest 'VLAN210L'

config forwarding
        option src 'VLAN214O'
        option dest 'VLAN211W'

config forwarding
        option src 'VLAN214O'
        option dest 'VLAN215VPN'

config forwarding
        option src 'VLAN214O'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'VLAN214O'

config forwarding
        option src 'vlan201'
        option dest 'VLAN214O'

config forwarding
        option src 'VLAN210L'
        option dest 'VLAN214O'

config forwarding
        option src 'VLAN211W'
        option dest 'VLAN214O'

config forwarding
        option src 'VLAN215VPN'
        option dest 'VLAN214O'

config zone
        option name 'vlan213'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'vlan213i'

config forwarding
        option src 'vlan213'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'vlan213'

config forwarding
        option src 'vlan213'
        option dest 'lan'

config forwarding
        option src 'vlan213'
        option dest 'vlan201'

config forwarding
        option src 'vlan213'
        option dest 'VLAN210L'

config forwarding
        option src 'vlan213'
        option dest 'VLAN211W'

config forwarding
        option src 'vlan213'
        option dest 'VLAN212P'

config forwarding
        option src 'vlan213'
        option dest 'VLAN214O'

config forwarding
        option src 'vlan201'
        option dest 'vlan213'

config forwarding
        option src 'VLAN210L'
        option dest 'vlan213'

config forwarding
        option src 'VLAN211W'
        option dest 'vlan213'

config forwarding
        option src 'VLAN212P'
        option dest 'vlan213'

config forwarding
        option src 'VLAN214O'
        option dest 'vlan213'

config zone
        option name 'mesh27'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network '27'

config redirect
        option dest 'VLAN210L'
        option target 'DNAT'
        option name 'HTTP'
        list proto 'tcp'
        option src 'wan'
        option src_dport '80'
        option dest_ip '192.168.210.163'
        option dest_port '80'
        option family 'ipv4'

config redirect
        option dest 'VLAN210L'
        option target 'DNAT'
        option name 'HTTPS'
        list proto 'tcp'
        option src 'wan'
        option src_dport '443'
        option dest_ip '192.168.210.163'
        option dest_port '443'
        option family 'ipv4'

config redirect
        option dest 'VLAN210L'
        option target 'DNAT'
        option name 'SSH4'
        list proto 'tcp'
        option src 'wan'
        option src_dport '224'
        option dest_ip '192.168.210.163'
        option dest_port '22'
        option family 'ipv4'

config redirect
        option dest 'VLAN210L'
        option target 'DNAT'
        option name 'SSH3'
        list proto 'tcp'
        option src 'wan'
        option src_dport '223'
        option dest_ip '192.168.210.125'
        option dest_port '22'

# Port forward: wan TCP 22 -> 192.168.210.139:22.
config redirect
        option dest 'VLAN210L'
        option target 'DNAT'
        option name 'SSH'
        list proto 'tcp'
        # NOTE(review): no src_ip restriction, so SSH on the internal host is
        # reachable from any Internet address. Consider limiting src_ip to known
        # peers, or reaching the host through the WireGuard tunnel instead. The
        # same applies to the other SSH forwards (ports 222-225) in this file.
        option src 'wan'
        option src_dport '22'
        option dest_ip '192.168.210.139'
        option dest_port '22'
        option family 'ipv4'

# Port forward: wan TCP 222 -> 10.60.1.8:22.
config redirect
        # NOTE(review): dest zone is VLAN210L, but 10.60.1.8 lies in 10.60.1.0/24,
        # which is the vlan60 network, and vlan60 is a member of zone VLAN212P in
        # this file. The zone and the target address do not match - confirm which
        # one is wrong.
        option dest 'VLAN210L'
        option target 'DNAT'
        option name 'SSH2'
        list proto 'tcp'
        option src 'wan'
        option src_dport '222'
        option dest_ip '10.60.1.8'
        option dest_port '22'
        option family 'ipv4'

config redirect
        option dest 'VLAN210L'
        option target 'DNAT'
        option name 'ssh5'
        list proto 'tcp'
        option src 'wan'
        option src_dport '225'
        option dest_ip '192.168.210.105'
        option dest_port '22'
        option family 'ipv4'

config redirect
        option dest 'VLAN210L'
        option target 'DNAT'
        option name 'sip'
        option src 'wan'
        option src_dport '5060'
        option dest_ip '192.168.210.105'
        option dest_port '5060'
        option family 'ipv4'

# Firewall zone for the site-to-site WireGuard interface (network 'SiteToSide').
config zone
        option name 'SiteToSite'
        # Fully permissive: the remote site may reach the router itself (input)
        # and, through the forwarding sections that follow, every local zone
        # and wan.
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'SiteToSide'
        # NOTE(review): masq rewrites the source of everything leaving through the
        # tunnel to the tunnel address, so the remote site cannot tell local hosts
        # apart or filter on them. With both sides routing each other's subnets
        # via allowed_ips, masquerading is presumably unnecessary - verify against
        # the remote router's allowed_ips before changing it.
        option masq '1'

config forwarding
        option src 'SiteToSite'
        option dest 'lan'

config forwarding
        option src 'SiteToSite'
        option dest 'vlan201'

config forwarding
        option src 'SiteToSite'
        option dest 'VLAN210L'

config forwarding
        option src 'SiteToSite'
        option dest 'VLAN211W'

config forwarding
        option src 'SiteToSite'
        option dest 'VLAN212P'

config forwarding
        option src 'SiteToSite'
        option dest 'vlan213'

config forwarding
        option src 'SiteToSite'
        option dest 'VLAN214O'

config forwarding
        option src 'SiteToSite'
        option dest 'VLAN215VPN'

config forwarding
        option src 'SiteToSite'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'SiteToSite'

config forwarding
        option src 'vlan201'
        option dest 'SiteToSite'

config forwarding
        option src 'VLAN210L'
        option dest 'SiteToSite'

config forwarding
        option src 'VLAN211W'
        option dest 'SiteToSite'

config forwarding
        option src 'VLAN212P'
        option dest 'SiteToSite'

config forwarding
        option src 'vlan213'
        option dest 'SiteToSite'

config forwarding
        option src 'VLAN214O'
        option dest 'SiteToSite'

config forwarding
        option src 'VLAN215VPN'
        option dest 'SiteToSite'

# Inbound WireGuard for the site-to-site tunnel (UDP 51821 from wan).
config redirect
        option dest 'SiteToSite'
        option target 'DNAT'
        option name 'siteTo Site'
        option family 'ipv4'
        list proto 'udp'
        option src 'wan'
        option src_dport '51821'
        # NOTE(review): no route in the `ip route show` output of this post covers
        # 10.10.10.2 apart from the default route via wan, and the SiteToSide
        # interface itself is 172.16.1.2/32 listening on port 51821. Handshakes
        # initiated by the remote site would therefore be translated away from
        # the local WireGuard listener; the tunnel presumably stays up only
        # because this side dials out with a keepalive. A `config rule` with
        # src 'wan', proto 'udp', dest_port '51821', target 'ACCEPT' would admit
        # them - confirm what 10.10.10.2 was meant to be.
        option dest_ip '10.10.10.2'
        option dest_port '51821'

root@SeaSideOpenWrt:~# ip route show
default via xx.xx.0.1 dev wan  src xx.xx.xx.xx
10.60.1.0/24 dev br-lan.60 scope link  src 10.60.1.1
xx.xx.0.0/20 dev wan scope link  src xx.xx.xx.xx
xx.xx.xx.xx via xx.xx.0.1 dev wan
172.16.1.0/24 dev SiteToSide scope link
192.168.1.0/24 dev br-lan.1 scope link  src 192.168.1.1
192.168.10.0/24 dev SiteToSide scope link
192.168.11.0/24 dev SiteToSide scope link
192.168.12.0/24 dev SiteToSide scope link
192.168.13.0/24 dev SiteToSide scope link
192.168.14.0/24 dev SiteToSide scope link
192.168.15.0/24 dev SiteToSide scope link
192.168.201.0/24 dev br-lan.201 scope link  src 192.168.201.1
192.168.210.0/24 dev br-lan.210 scope link  src 192.168.210.1
192.168.211.0/24 dev br-lan.211 scope link  src 192.168.211.1
192.168.212.0/24 dev br-lan.212 scope link  src 192.168.212.1
192.168.213.0/24 dev br-lan.213 scope link  src 192.168.213.1
192.168.214.0/24 dev br-lan.214 scope link  src 192.168.214.1
192.168.215.0/24 dev vlan215vpn scope link  src 192.168.215.1
192.168.215.10 dev vlan215vpn scope link
192.168.215.11 dev vlan215vpn scope link
root@SeaSideOpenWrt:~# wg show
interface: vlan215vpn
  public key: x=
  private key: (hidden)
  listening port: 51820

peer: x=
  preshared key: (hidden)
  endpoint: 172.56.153.37:38452
  allowed ips: 192.168.215.10/32
  latest handshake: 16 hours, 28 minutes, 12 seconds ago
  transfer: 135.69 KiB received, 36.25 KiB sent

peer: x=
  preshared key: (hidden)
  allowed ips: 192.168.215.11/32

interface: SiteToSide
  public key: x=
  private key: (hidden)
  listening port: 51821

peer: x=
  endpoint: xx.xx.xx.xx:51821
  allowed ips: 192.168.10.0/24, 172.16.1.0/24, 192.168.11.0/24, 192.168.12.0/24, 192.168.13.0/24, 192.168.14.0/24, 192.168.15.0/24
  latest handshake: 5 seconds ago
  transfer: 96.68 MiB received, 94.09 MiB sent
  persistent keepalive: every 25 seconds 

There are a couple of (small) things that could use attention, but they are probably not the main problem.

The wg show command shows a lot of traffic so I would concentrate on what has changed and what is not working.
Maybe the problem is not the routers but some clients you want to reach?

A simple thing to try, just reboot both routers.


One thing that will prevent site to site VPN from working is an IP conflict. All of your networks must have independent non-overlapping subnets, including the immediate WAN at each Wireguard terminal router. A common situation is that site A's WAN is 192.168.1.0/24 from a typical ISP provided box, and that range overlaps site B's LAN. Router A now has two conflicting route entries for packets with a destination of 192.168.1.0/24. This prevents packets from A intended for the B LAN from going into the tunnel.

So if you have changed the ISP arrangement at one of the sites, that may be the problem.


I can ping all systems; I just cannot access web pages on, or SSH into, any host.

Rebooted both ends.

Also removed 192.168.1.0/24 on both ends from the firewall