Trouble configuring Wireguard peer client

After successfully installing DNSCrypt-proxy v2 with Anonymized DNS (as confirmed by multiple DNS testing sites), I installed a WireGuard server on my router. Upon installing/configuring the WireGuard peer/client on a computer (connected to the network via Ethernet), I have no internet connectivity. I presume this is due to the DNS configuration in relation to the WG peer, but I am not certain.

The install script I used establishes a firewall traffic rule to accommodate the WireGuard server. However, one install video I watched opts to establish a firewall port-forward rule instead. Assuming one of these is the cause, is there a preference here? How do they differ from each other?

One suggestion I saw said to point the listen_address of the dnscrypt conf file to the WireGuard server & port. Could it be this simple to fix?

Below are the necessary conf files. If I've missed any, please request them and I will provide them. Can someone please help me get this sorted?
@mittkonto @trendy You appear to have advanced knowledge of this setup. Would you be able to weigh in?

Firewall conf:

        option proto 'icmp'                    
        list icmp_type 'echo-request'        
        list icmp_type 'echo-reply'             
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'         
        list icmp_type 'time-exceeded'         
        list icmp_type 'bad-header'          
        list icmp_type 'unknown-header-type'    
        option limit '1000/sec'             
        option family 'ipv6'                    
        option target 'ACCEPT'                 
                                             
config rule                                     
        option name 'Allow-IPSec-ESP'       
        option src 'wan'                        
        option dest 'lan'                      
        option proto 'esp'                   
        option target 'ACCEPT'                  
                                            
config rule                                     
        option name 'Allow-ISAKMP'             
        option src 'wan'                     
        option dest 'lan'                       
        option dest_port '500'              
        option proto 'udp'                      
        option target 'ACCEPT'                 
                                             
config redirect                                 
        option name 'Divert-DNS, port 53'   
        option src 'lan'                        
        option dest 'lan'                      
        option src_dport '53'                
        option dest_port '53'                   
        option target 'DNAT'                
                                                
config rule 'wg'                               
        option name 'Allow-WireGuard'        
        option src 'wan'                        
        option dest_port '51820'            
        option proto 'udp'                      
        option target 'ACCEPT'                 
                                             

Network conf

config globals 'globals'         
        option ula_prefix ''
        option packet_steering '1'
                             
config device                                  
        option name 'br-lan'      
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'                      
        list ports 'lan3'         
        list ports 'lan4'
                         
config interface 'lan'      
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
                                   
config interface 'wan'                
        option device 'wan'   
        option proto 'dhcp'  
        option peerdns '0'         
                                      
config interface 'wan6'      
        option device 'wan'
        option proto 'dhcpv6'
                           
config interface 'wg0'     
        option proto 'wireguard'
        option private_key ''
        option listen_port '51820'
        list addresses '192.168.9.1/24'
        list addresses 'fdf1:7610:d152:3a9c::1/64'                       
                                  
config wireguard_wg0                   
        option public_key ''
        option private_key ''
        option description 'Client 1'
        option route_allowed_ips '1'                                    
        list allowed_ips '192.168.9.2/32'                                
                                     

DHCP conf

        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'        
        option domain 'lan'        
        option expandhosts '1'      
        option nonegcache '0'      
        option cachesize '0'        
        option authoritative '1'   
        option readethers '1' 
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'             
        option localservice '1'                                
        option ednspacket_max '1232'       
        option filter_aaaa '0'                                 
        option filter_a '0'                
        list server '127.0.0.53'                               
        option noresolv '1'         
        option localuse '1'     
                                    
config dhcp 'lan'               
        option interface 'lan'
        option start '100'      
        option limit '150'    
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'    
        option ra_slaac '1'   
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
                                      
config dhcp 'wan'                   
        option interface 'wan'        
        option ignore '1'           
                                      
config odhcpd 'odhcpd'              
        option maindhcp '0'   
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'                 
                                                     

DNSCrypt-proxy toml (only the active items are shown)

server_names = ['quad9-dnscrypt-ip4-filter-pri', 'dns.b33.network-dnscrypt']

listen_addresses = ['127.0.0.53:53']

max_clients = 250                                                           
                                                                              
ipv4_servers = true                                                      
                                                                            
ipv6_servers = false                                                            
                                                                                                        
dnscrypt_servers = true                                                    
                                                                                                        
doh_servers = true                                                             
                                                                                  
odoh_servers = false  

require_dnssec = true                                                      
                                                                                                  
require_nolog = true                                                        
                                                                                         
require_nofilter = true                                                         
                                                                           
force_tcp = false                                                           
                                                                                            
http3 = false              

timeout = 5000                                                                                
                                                                                   
keepalive = 30     

cert_refresh_delay = 240 

bootstrap_resolvers = ['9.9.9.11:53', '8.8.8.8:53']

ignore_system_dns = true  

netprobe_timeout = 60   

netprobe_address = '9.9.9.9:53'    

block_ipv6 = false                                                               
                                                                                         
block_unqualified = true                                                                 
                                                                                       
block_undelegated = true                                                           
                                                                                    
reject_ttl = 10 

cache = true                                                                         
                                                                                      
cache_size = 4096                                                                    
                                                                                        
cache_min_ttl = 2400                                                                 
                                                                                     
cache_max_ttl = 86400                                                                
                                                                                         
cache_neg_min_ttl = 60                                                               
                                                                                      
cache_neg_max_ttl = 600   

  [sources.public-resolvers]                                                                                                         
    urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md', 'https://download.dnscrypt
    cache_file = 'public-resolvers.md'                                                                                               
    minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'                             
    refresh_delay = 72                                                                                                               
    prefix = ''                                                                                                                      
                                                                                                          
  [sources.relays]                                                                                                                   
    urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md', 'https://download.dnscrypt.info/reso
    cache_file = 'relays.md'                                                                                                         
    minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'                                                        
    refresh_delay = 72                                                                                    
    prefix = '' 

fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familyshield-ipv6', 'cleanbrowsing-adult', 'cleanbrowsing-ad
 
routes = [                                                                                                                           
   { server_name='quad9-dnscrypt-ip4-filter-pri', via=['sdns://gRMxNzQuMTM4LjI5LjE3NToxNDQz', 'sdns://gRE3MC4zNi4xNzAuMTI2OjQ0Mw'] },
   { server_name='dns.b33.network-dnscrypt', via=['sdns://gQ4yMTMuMjAyLjIxNi4xMg', 'sdns://gQ8xNjMuMTcyLjE4MC4xMjU'] }               
]                                                                                                                                    
                                                                                                                                     
skip_incompatible = true  

WireGuard peer (client) tunnel conf:

[Interface]
PrivateKey = 
Address = 192.168.9.2/32
DNS = 127.0.0.53

[Peer]
PublicKey = 
AllowedIPs = 0.0.0.0/0
Endpoint = 192.168.x.x:51820

This is wrong.

It should probably be 192.168.1.1

Don't you get a successful handshake?

wg show

Thank you. With Peer DNS updated, I do get a handshake. Still no connectivity.

What is the output of the wg show command?

What happens if you try pinging things from your remote peer?

When the WG client is activated, I am unable to SSH into the router, nor access it via LuCI.

With WG client deactivated, that command shows (with keys removed):

interface: wg0
 public key: ''
 private key: ''
 listening port: 51820

peer: 'public key'
 endpoint: 192.168.1.100:58539
 allowed ips: 192.168.9.18/32
 latest handshake: 2 minutes, 33 seconds ago
 transfer: 148.24 KiB received, 435.08 KiB sent
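The two lines of `wg show` worth reading first are "latest handshake" and "allowed ips". Below is an added example (mine, not code from this thread or from WireGuard) that parses a constructed copy of the `wg show` output posted above and compares it with the peer's Address from the posted tunnel config (192.168.9.2/32); the sample text, the `(redacted)` placeholders and the 180-second threshold (WireGuard's REJECT_AFTER_TIME) are the assumptions it makes.

```shell
#!/bin/sh
# Added example (not from the thread): read `wg show` for the two facts that matter
# when a peer "connects but has no connectivity". POSIX sh, no extra tools.

# Constructed copy of the wg show output posted above (keys redacted as in the post)
WG_SHOW_SAMPLE='interface: wg0
  public key: (redacted)
  private key: (hidden)
  listening port: 51820

peer: (redacted)
  endpoint: 192.168.1.100:58539
  allowed ips: 192.168.9.18/32
  latest handshake: 2 minutes, 33 seconds ago
  transfer: 148.24 KiB received, 435.08 KiB sent'

# handshake_age "2 minutes, 33 seconds ago" -> 153  (wg prints seconds up to days)
handshake_age() {
    _total=0
    set -- $(printf '%s' "$1" | tr -d ',')
    while [ $# -ge 2 ]; do          # the trailing lone word "ago" ends the loop
        _n=$1; _unit=$2; shift 2
        case $_unit in
            second*) _total=$(( _total + _n )) ;;
            minute*) _total=$(( _total + _n * 60 )) ;;
            hour*)   _total=$(( _total + _n * 3600 )) ;;
            day*)    _total=$(( _total + _n * 86400 )) ;;
            *) echo "unexpected token '$_unit'" >&2; return 2 ;;
        esac
    done
    echo "$_total"
}

# wg_peer_check EXPECTED_ALLOWED_IPS: wg show text on stdin; exit 0 only when the
# peer's session is current and its allowed ips equal the Address in its tunnel config
wg_peer_check() {
    _expect=$1 _hs='' _aips='' _ep='' _rc=0
    while IFS= read -r _line; do
        case $_line in
            *"latest handshake:"*) _hs=${_line#*"latest handshake: "} ;;
            *"allowed ips:"*)      _aips=${_line#*"allowed ips: "} ;;
            *"endpoint:"*)         _ep=${_line#*"endpoint: "} ;;
        esac
    done
    if [ -z "$_hs" ]; then
        echo "handshake: never (endpoint, port, keys or firewall problem)"; _rc=1
    else
        _age=$(handshake_age "$_hs")
        # WireGuard stops using a session 180 s after its handshake (REJECT_AFTER_TIME);
        # an older value means nothing has flowed for a while and the next packet
        # must complete a fresh handshake first.
        if [ "$_age" -lt 180 ]; then echo "handshake: current (${_age}s ago)"
        else echo "handshake: stale (${_age}s ago)"; _rc=1; fi
    fi
    if [ "$_aips" = "$_expect" ]; then
        echo "allowed ips: $_aips matches the peer's tunnel Address"
    else
        # cryptokey routing drops decrypted packets whose source is outside allowed ips
        echo "allowed ips: '$_aips' but the peer's tunnel Address is $_expect"; _rc=1
    fi
    [ -n "$_ep" ] && echo "endpoint: $_ep"
    return "$_rc"
}

# Compare the posted wg show against the posted peer config (Address = 192.168.9.2/32)
if printf '%s\n' "$WG_SHOW_SAMPLE" | wg_peer_check 192.168.9.2/32; then
    echo "peer looks healthy"
else
    echo "fix the items above before looking at routing or DNS"
fi
```

On a live router the same check is `wg show | wg_peer_check 192.168.9.2/32`; a "stale" or "never" handshake points at endpoint, port or firewall, while a current handshake with a mismatched allowed ips points at the peer address.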

Let’s look at the complete picture.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

If this means you are testing your WG server from inside your own network, then that often does not work as expected.
You should test from outside, e.g. with your phone on cellular.
WireGuard is a routed solution and needs three different subnets.
The subnet of the server, of WG itself, and of the client all need to be different.
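The "three different subnets" rule from the reply above, written out as a check. This is an added example (my code, not from the thread or from WireGuard); it takes the server LAN, the WireGuard transfer subnet and the network the client is physically on, and reports every pair that overlaps. The 192.168.1.0/24 and 192.168.9.0/24 values are from the configs posted in this thread; 100.64.10.0/24 is an assumed example of a cellular address range for the road-warrior case.

```shell
#!/bin/sh
# Added example (not from the thread): WireGuard is routed, so the server's LAN,
# the WireGuard subnet and the client's local network must not overlap.
# Pure POSIX sh, IPv4 only.

# ip2int a.b.c.d -> integer
ip2int() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_net a.b.c.d/p -> "network_int prefix mask_int" (a bare address is /32)
cidr_net() {
    _ip=${1%/*}; _p=${1#*/}
    [ "$_p" = "$1" ] && _p=32
    _mask=$(( _p == 0 ? 0 : (0xFFFFFFFF << (32 - _p)) & 0xFFFFFFFF ))
    echo "$(( $(ip2int "$_ip") & _mask )) $_p $_mask"
}

# cidr_overlap A B: exit 0 when the two IPv4 CIDRs share at least one address
cidr_overlap() {
    set -- $(cidr_net "$1") $(cidr_net "$2")   # net1 p1 mask1 net2 p2 mask2
    if [ "$2" -le "$5" ]; then
        [ $(( $4 & $3 )) -eq "$1" ]   # A is the wider prefix: is B's network inside it?
    else
        [ $(( $1 & $6 )) -eq "$4" ]
    fi
}

# wg_topology_check SERVER_LAN WG_SUBNET CLIENT_LOCAL: report every overlapping pair
wg_topology_check() {
    _rc=0
    cidr_overlap "$1" "$2" && { echo "server LAN $1 overlaps WG subnet $2"; _rc=1; }
    cidr_overlap "$1" "$3" && { echo "client's local network $3 overlaps server LAN $1 (the peer sits inside the LAN it tunnels to)"; _rc=1; }
    cidr_overlap "$2" "$3" && { echo "client's local network $3 overlaps WG subnet $2"; _rc=1; }
    [ "$_rc" -eq 0 ] && echo "subnets $1, $2 and $3 are distinct"
    return "$_rc"
}

# The situation in this thread: LAN 192.168.1.0/24, wg0 192.168.9.1/24, and the peer
# plugged into that same LAN by Ethernet.
wg_topology_check 192.168.1.0/24 192.168.9.0/24 192.168.1.0/24 ||
    echo "=> test the tunnel from outside the LAN, e.g. a phone on cellular"
# Road-warrior case (client's local network assumed, constructed for the example)
wg_topology_check 192.168.1.0/24 192.168.9.0/24 100.64.10.0/24
```

The third argument is whatever network the peer's physical interface is on at test time; for a laptop on the home LAN that is the LAN itself, which is exactly the overlap the check flags.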

Network config is same as in my original post.

ubus call system board

{
	"kernel": "5.15.134",
	"hostname": "Router",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "Netgear R6700 v2",
	"board_name": "netgear,r6700-v2",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.0",
		"revision": "r23497-6637af95aa",
		"target": "ramips/mt7621",
		"description": "OpenWrt 23.05.0 r23497-6637af95aa"
	}
}

Firewall config

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg0'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding 'lan_wan'
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option name 'Divert-DNS, port 53'
	option src 'lan'
	option dest 'lan'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

Just following up to see if anyone has any ideas.

We need to see the latest complete network file and also the remote peer's config (keys redacted, of course).

Also, you never ran the ping tests (or never reported on the results)... please do that, too.

My apologies, I must be confused...

I posted the network config file in my original post. Was this not the file you're asking for? And the peer config is posted at the bottom of my initial post.

Re: pinging, when I attempt to ping those addresses with WG activated, the pages won't load, as if there is no internet connection.

Yes, but it looks like just segments of it, no? I'd like to see the whole file to make sure there's nothing that could be wrong. Further, it's a good idea to make sure we're looking at the latest of everything -- both the network config and the remote peer config -- there were some errors earlier, so we need to make sure they're correct now.

Adding a VPN server for road warriors should have no bearing on other networking. It is in effect another LAN.

Take that out. There is no firewall change needed for the DNS proxy.
dnsmasq answers LAN or VPN queries on a LAN or WireGuard IP, port 53. Then it forwards them to dnscrypt at the local IP 127.0.0.53, and dnscrypt consults the Internet based on its configuration.

You can test with `nslookup openwrt.org 127.0.0.53` to go direct to the proxy, or don't specify a server to use the default of dnsmasq, which should be listening on 127.0.0.1. Usually a different port is used for the proxy so there's no confusion.
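The chain the reply above describes (peer, then dnsmasq on a router address, then dnscrypt-proxy on 127.0.0.53:53) can be checked against the posted configs without touching the router. This is an added example (mine, not from the thread, OpenWrt or dnscrypt-proxy); the config excerpts and the list of router addresses are constructed from the files posted in this thread, and the dnsmasq `host#port` upstream syntax and the `listen_addresses` TOML key are the only formats it understands.

```shell
#!/bin/sh
# Added example (not from the thread): check the DNS chain
#   peer -> dnsmasq (router LAN/WG address, port 53) -> dnscrypt-proxy (127.0.0.53:53)
# against constructed excerpts of the configs posted above. POSIX sh + sed/grep/tr.

DHCP_CONF="        list server '127.0.0.53'
        option noresolv '1'
        option localuse '1'"
DNSCRYPT_TOML="listen_addresses = ['127.0.0.53:53']"
# Addresses the router holds (lan, wg0, loopback) per the posted network config
ROUTER_ADDRS="192.168.1.1 192.168.9.1 127.0.0.1 127.0.0.53"

# dnsmasq_upstreams CONFIG_TEXT -> one host:port per line
# (dnsmasq writes a non-default port as host#port; default is 53)
dnsmasq_upstreams() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*list server '\([^']*\)'.*/\1/p" |
    while IFS= read -r _s; do
        case $_s in
            *'#'*) printf '%s:%s\n' "${_s%%#*}" "${_s#*#}" ;;
            *)     printf '%s:53\n' "$_s" ;;
        esac
    done
}

# dnscrypt_listeners TOML_TEXT -> one host:port per line from listen_addresses
dnscrypt_listeners() {
    printf '%s\n' "$1" |
    sed -n 's/^[[:space:]]*listen_addresses[[:space:]]*=[[:space:]]*\[\(.*\)\].*/\1/p' |
    tr ',' '\n' | tr -d " '\"" | grep -v '^$'
}

# dns_chain_check PEER_DNS: exit 0 when the peer's DNS is an address dnsmasq serves
# on and dnsmasq's upstream is really where dnscrypt-proxy listens
dns_chain_check() {
    _peer=$1 _rc=0
    case $_peer in
        127.*) echo "peer DNS $_peer: loopback, only reachable on the router itself"; _rc=1 ;;
        *)  _ok=0
            for _a in $ROUTER_ADDRS; do [ "$_a" = "$_peer" ] && _ok=1; done
            if [ "$_ok" -eq 1 ]; then echo "peer DNS $_peer: a router address served by dnsmasq"
            else echo "peer DNS $_peer: not an address this router holds"; _rc=1; fi ;;
    esac
    _listeners=$(dnscrypt_listeners "$DNSCRYPT_TOML")
    for _up in $(dnsmasq_upstreams "$DHCP_CONF"); do
        if printf '%s\n' "$_listeners" | grep -qx "$_up"; then
            echo "dnsmasq upstream $_up: dnscrypt-proxy listens there"
        else
            echo "dnsmasq upstream $_up: no dnscrypt-proxy listener (it listens on: $(printf '%s' "$_listeners" | tr '\n' ' '))"
            _rc=1
        fi
    done
    return "$_rc"
}

# The two peer DNS settings that appear in this thread
dns_chain_check 127.0.0.53 || echo "--"
dns_chain_check 192.168.1.1
```

The first call reproduces the original tunnel config (DNS = 127.0.0.53) and fails on the first step; the second passes both steps. If the proxy is moved to another port, as the reply suggests, only the `list server` entry (for example `127.0.0.53#5353`) and `listen_addresses` need to agree, and the check will say so when they do not.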

Apologies for the delay...

Network config:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdf3:3566:d767::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'wg0'
	option proto 'wireguard'
	option private_key ''
	option listen_port '51820'
	list addresses '192.168.9.1/24'
	list addresses 'fdf1:7610:d152:3a9c::1/64'

config wireguard_wg0
	option public_key ''
	option private_key ''
	option description 'Client 1'
	option route_allowed_ips '1'
	list allowed_ips '192.168.9.2/32'

Peer tunnel config:

[Interface]
PrivateKey = 
Address = 192.168.9.2/32
DNS = 192.168.1.1

[Peer]
PublicKey = 
AllowedIPs = 0.0.0.0/0
Endpoint = 192.168.0.52:51820

To clarify:
- I am not able to SSH into the router with the WG peer activated, so I am only able to perform the 'nslookup' function with the VPN disabled.
- The peer is a computer being used inside the network.
- Even with this firewall rule removed, the situation does not change:

config redirect
	option name 'Divert-DNS, port 53'
	option src 'lan'
	option dest 'lan'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'

This seems wrong...

Is this the WAN address of your OpenWrt router? If so, you must be behind another router, which would mean that router also needs port forwarding set up.

But before we get there...
For the moment, try using 192.168.1.1 for the endpoint, and then see if you can connect while you are connected to the LAN (192.168.1.0/24). After making a connection attempt, see if you can reach the router itself (192.168.1.1) and/or the internet. Then check the output of this:

wg show

This doesn't surprise me -- I'm guessing you're not even getting a successful handshake based on the current endpoint host setting.

That firewall rule does literally nothing, so removing it won't fix anything, but it should be removed just to reduce clutter.


The phone's WAN can't be the same IP subnet that you are trying to reach through the tunnel. This creates a routing problem in the phone-- it will want to access 192.168.1.0/24 via WAN instead of by VPN.

VPNs need to be tested from "outside" the house network by using the phone's mobile connection to link to the house's public IP. Turn the phone wifi off so it is not on the house LAN.

Actually, I think for testing a handshake, this should work just fine. Even if other traffic fails... but it should actually work.

Yes, the OpenWrt router is behind a modem/gateway. I've attempted the solutions posed with the gateway both in and out of bridge mode.

With the WG peer (computer) activated and with the endpoint revised to 192.168.1.1:51820 (I'm unable to leave the port off of the endpoint):

- I am able to reach the internet, but with my IP address exposed.

- I am NOT able to reach the router via browser (Your Internet access is blocked) nor SSH (Network error: Permission denied).

@mk24 - the WG peer is a computer inside the network, not a phone. I should be able to utilize the WG VPN from inside my network to protect my IP address, no?

A VPN "protects your IP address" by tunneling to someone else's computer that has a different Internet connection (thus a different IP address on the Internet) and NAT forwarding your Internet usage to it, so that web sites see the other guy's IP address as the source of the traffic.

Or you can take your phone or laptop out on the road, even to another country, and tunnel back to your house so that when you log into a bank or a TV service they see the IP is from your house and allow access.

This concept is not going to "change" your IP address if both ends of the VPN are inside your same network with the same Internet connection.

Thank you for the insight. I am not wishing to access my home network from outside. Would I have to have a third-party service (iVPN, etc.) on my router in order to shield my IP address from the internet?

Is there no other benefit to having the WireGuard server on my router, other than for remote access?