(sort of) WireGuard site-to-site using only the WAN port of another OpenWrt device, instead of the main LAN router: how? (drawing inside)

Hi everybody,
I'm trying to understand how to reach my LAN 172.16.1.0 from outside via WireGuard using a dedicated OpenWrt device. This last point is especially important: in fact I do not want to use my main router for this, but another OpenWrt one that is connected only through its WAN port. So this device should not route the packets from the tunnel to the LAN it has onboard (which is unused/disconnected), but to the LAN it belongs to, the one managed by the main router. This setup seems a little different from the ones I found online, which describe how to configure a WireGuard tunnel on the main router.
Let me explain, hopefully better, with an image.

Now, I've already configured a simple 10.0.0.0/24 tunnel between this device and an outside VPS and everything works (I added the created WireGuard interface to the wan firewall zone, see the config below): I can reach the device, and if I ping its LAN IP - not the WireGuard one - it answers. Please note that at this point no additional firewall rule has been configured.
Now, I've tried to add the whole home LAN subnet to the allowed_ips list, but doing this something goes wrong: I lose access via LuCI, and via ssh I have to remove the line `list allowed_ips '172.16.1.0/24'` from /etc/config/network.

Now, I have a couple of questions:
how do I configure both the routing and (eventually) the firewall of the device so that I can reach the other hosts in the home 172.16.1.0/24 subnet?
(Or should I study a different approach, for example swapping the WAN and LAN ports? Or could I connect the LAN port to the switch that serves the home LAN managed by the other router? Or could I connect the WAN port of the device directly to the ISP's fiber router and the LAN port to the switch? The only thing I cannot do is connect the device directly to the router.)

Thanks for any advice as usual!!!!

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

here you are!!!

/etc/config# cat network

# /etc/config/network of the secondary OpenWrt device (keys, endpoint and peer
# addresses redacted by the poster). Per the post, the device is attached to the
# home LAN only through 'wan' (eth1), while the onboard 'lan' (eth0) is unused.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix ''

# Onboard LAN bridge on eth0: unused/disconnected according to the post, but
# still configured with 192.168.1.1/24.
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

# WAN port (eth1): this is the port plugged into the home 172.16.1.0/24 LAN, so
# its address comes from the main router's DHCP.
config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'

# WireGuard tunnel interface. 10.0.0.2/32 is this device's own tunnel address,
# delegate '0' keeps IPv6 prefix delegation off this interface.
config interface 'wg_backup'
        option proto 'wireguard'
        option delegate '0'
        list addresses '10.0.0.2/32'
        option private_key ''

# Peer entry for the VPS. route_allowed_ips '1' installs a kernel route for every
# allowed_ips entry of this peer via the tunnel.
# NOTE(review): that is presumably why adding 172.16.1.0/24 here broke LuCI
# access - the device would then route the whole home LAN (including replies to
# LAN-side management sessions) into the tunnel instead of out of eth1. The home
# LAN belongs in the allowed_ips of *this* device's entry on the VPS side, while
# here only the VPS-side tunnel addresses should be listed.
config wireguard_wg_backup
        option description 'VPS1'
        option endpoint_host ''
        option preshared_key ''
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option endpoint_port ''
        option public_key ''
        # Two redacted /32 addresses accepted from (and routed to) this peer.
        list allowed_ips 'PEER_1/32'
        list allowed_ips 'PEER_2/32'

and for the firewall

# /etc/config/firewall as first posted. The WireGuard network 'wg_backup' is a
# member of the 'wan' zone, so tunnel traffic is governed by the wan policies.
# The defaults below only apply to traffic not matched by any zone.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# Zone for the onboard LAN bridge (eth0), which the post says is unused.
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# Zone covering eth1 (the port plugged into the home 172.16.1.0/24 LAN) and the
# WireGuard tunnel.
config zone
        option name 'wan'
        option output 'ACCEPT'
        # forward 'REJECT' also applies between networks of this same zone, i.e.
        # wan <-> wg_backup. For IPv4 non-TCP traffic fw3's REJECT typically
        # answers with ICMP port unreachable, which matches the replies from
        # device_tunnel_ip seen later in the thread.
        option forward 'REJECT'
        # masq '1' NATs everything leaving through this zone's interfaces - eth1
        # and the wg_backup interface alike - to the outgoing interface address.
        option masq '1'
        option mtu_fix '1'
        # NOTE(review): OpenWrt's stock config has input 'REJECT' here. ACCEPT
        # exposes every service listening on the device (LuCI, ssh, ...) to
        # anything on eth1 and, via 'wg_backup' below, to every tunnel peer.
        # Tolerable only while eth1 faces the trusted home LAN and the peers are
        # trusted, otherwise prefer per-service accept rules.
        option input 'ACCEPT'
        list network 'wan'
        list network 'wan6'
        list network 'wg_backup'

# Only lan -> wan forwarding is allowed. No forwarding is defined for the tunnel.
config forwarding
        option src 'lan'
        option dest 'wan'

# The rules below are OpenWrt's standard wan-zone input rules (DHCP renew, ping,
# IGMP, DHCPv6, MLD, ICMPv6). They matter less here because the zone already
# has input 'ACCEPT'.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Forwarding rule (dest '*'): essential ICMPv6 from wan may be forwarded anywhere.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

Try adding

# Proposed addition: allow forwards from a tunnel zone towards 'wan' (eth1, the
# home LAN side).
# NOTE(review): src refers to a *zone* name. In the posted config wg_backup is
# only a network inside the 'wan' zone and no zone called 'wg_backup' exists, so
# fw3 ignores this section with a warning (as the thread shows later). Either
# create a zone named 'wg_backup' containing only the wg_backup network first,
# or move the tunnel into its own zone before adding this forwarding.
config forwarding
        option src 'wg_backup'
        option dest 'wan'

Make sure the remote peer's allowed_ips cover the range of your network (172.16.1.0/24).

I added it to the firewall, then ran `uci commit firewall` and `service firewall restart`; the remote peer now correctly tries to route to the device, but the ping result is (the "Destination Port Unreachable" replies come from the device's own tunnel address, i.e. the device itself is rejecting the forward):

PING 172.16.1.18 (172.16.1.18) 56(84) bytes of data.
From device_tunnel_ip icmp_seq=1 Destination Port Unreachable
From device_tunnel_ip icmp_seq=2 Destination Port Unreachable
From device_tunnel_ip icmp_seq=3 Destination Port Unreachable

Let’s see the peer configs.

Be sure not to redact RFC 1918 (private, e.g. 10.x.x.x / 172.16.x.x / 192.168.x.x) addresses.

How can I check the RFC 1918 ones, and on which host?

Wait, sorry - there was a warning, maybe I put the section in the wrong place?!?

service firewall restart
Warning: Section @forwarding[1] refers to not existing zone 'wg_backup'
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv6 filter table
 * Flushing IPv6 mangle table
 * Flushing conntrack table ...
 * Populating IPv4 filter table
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Forward 'lan' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 nat table
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 filter table
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Forward 'lan' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'

I "solved" it by adding a zone... this concept is really strange to me: I created a zone and it added two lines in the LuCI summary. Anyway, this is the firewall config... any suggestions to make it better?!?

# /etc/config/firewall after the 'wg_backup' zone and two forwardings were added
# via LuCI (see the end of the file). The tunnel network 'wg_backup' is now a
# member of two zones: 'wan' and 'wg_backup'.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# Zone for the onboard LAN bridge (eth0), which the post says is unused.
config zone
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option name 'lan'

# Zone covering eth1 (the port plugged into the home 172.16.1.0/24 LAN) and the
# WireGuard tunnel.
config zone
        option name 'wan'
        option output 'ACCEPT'
        option forward 'REJECT'
        # masq '1' NATs everything leaving through this zone's interfaces - eth1
        # and the wg_backup interface alike. Tunnel-to-LAN forwards therefore
        # leave eth1 with this device's 172.16.1.x source address, so home LAN
        # hosts can reply without the static route suggested at the end of the
        # thread (at the cost of hiding the real 10.0.0.x source).
        option masq '1'
        option mtu_fix '1'
        # NOTE(review): input 'ACCEPT' (stock OpenWrt uses REJECT here) exposes
        # every service listening on the device to anything on eth1 and, via
        # 'wg_backup' below, to every tunnel peer.
        option input 'ACCEPT'
        list network 'wan'
        list network 'wan6'
        list network 'wg_backup'

config forwarding
        option dest 'wan'
        option src 'lan'

# Standard OpenWrt wan-zone input rules (DHCP renew, ping, IGMP, DHCPv6, MLD,
# ICMPv6). They matter less here because the zone already has input 'ACCEPT'.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Forwarding rule (dest '*'): essential ICMPv6 from wan may be forwarded anywhere.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Forwarding rules letting IPsec ESP and ISAKMP (UDP 500) from wan into the
# (unused) lan zone. Presumably left over from an earlier setup - WireGuard does
# not need them, and they were not in the first posted config.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option proto 'esp'
        option target 'ACCEPT'
        option dest 'lan'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option dest 'lan'

# Custom iptables commands in /etc/firewall.user run after the generated rules
# (the restart log above shows the script being executed).
config include
        option path '/etc/firewall.user'

# Zone added via LuCI so that the 'config forwarding' sections below resolve.
# NOTE(review): 'wan' is listed here although eth1 already belongs to the 'wan'
# zone above, so the same interface sits in two zones with opposite forward
# policies (REJECT there, ACCEPT here), and 'wg_backup' is likewise still a
# member of the 'wan' zone. Within this zone forward 'ACCEPT' alone already
# permits wan <-> wg_backup traffic in both directions, which the two forwardings
# below then repeat. The tighter shape is a zone containing only the 'wg_backup'
# network plus a single wg_backup -> wan forwarding - add the wan -> wg_backup
# direction only if home LAN hosts must initiate connections to the VPS side.
config zone
        option name 'wg_backup'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wan'
        list network 'wg_backup'
        option output 'ACCEPT'

# Tunnel -> home LAN side (eth1).
config forwarding
        option dest 'wan'
        option src 'wg_backup'

# Home LAN side (eth1) -> tunnel.
config forwarding
        option dest 'wg_backup'
        option src 'wan'

This is the code added via LuCI:

# Sections added via LuCI. The new zone makes the 'config forwarding' entries
# that reference 'wg_backup' valid.
# NOTE(review): the zone lists both 'wan' (eth1) and 'wg_backup', while the
# posted config keeps both networks in the 'wan' zone too, so each interface is a
# member of two zones with opposite forward policies. With forward 'ACCEPT' the
# zone already allows wan <-> wg_backup traffic in both directions on its own,
# the forwardings below repeat that. A zone holding only the 'wg_backup' network
# plus a single wg_backup -> wan forwarding is the tighter shape - keep the
# wan -> wg_backup direction only if home LAN hosts must initiate connections
# towards the VPS side.
config zone
        option name 'wg_backup'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wan'
        list network 'wg_backup'
        option output 'ACCEPT'

# Tunnel -> home LAN side (eth1).
config forwarding
        option dest 'wan'
        option src 'wg_backup'

# Home LAN side (eth1) -> tunnel.
config forwarding
        option dest 'wg_backup'
        option src 'wan'

I would start by treating the VPN client as a LAN device, and use the LAN network and zone for its connection to the house network. You trust the other side of the VPN to be part of the LAN; that's really how you want it to work. The OpenWrt VPN client will have two networks, lan and vpn. These can both be in the lan zone if you don't want to block anything.

When the VPN client is not the main router, the network needs to be set up so the route back to the VPN is known. Otherwise the LAN machines will try to return the packets from 10.0.0.X to the main router, and they are lost. The gateway from the house to 10.0.0.0 is through the VPN client's IP on the LAN, not the main router. This is usually done with a route installed in the main router: 10.0.0.0/24 via 172.16.1.X where X is the VPN client's IP on the house LAN.