Hey guys.
I'm trying to set up a dumb AP with VPN capabilities on my RPi 4. I use an external router (or, while travelling, it will be an ethernet cable from the wall in a hotel). The LAN interface is set up with a gateway pointing at my router's IP, and internet works fine over SSH. The LAN is on 192.168.1.1.
I made a second static-address bridge interface for VPN users on 192.168.99.1, with force link enabled, and a firewall zone called "vpnusers" for this interface. DHCP is enabled with option 6,10.64.0.1, as this is the internal WireGuard DNS server provided by Mullvad.
Another interface, WGINTERFACE, has the private key set, the IP address assigned to the WireGuard interface, force link enabled, and a single peer. Allowed IPs are set to 0.0.0.0/0. Its firewall zone is called "vpntunnel".
The wireless radio is attached to the static interface.
wg show shows a handshake. There are no logread errors, but there is no connectivity once I'm connected.
root@rpi-dca632f961 /26# wg show
interface: WGINTERFACE
public key: yxMlV2AC2W+ObT1Xf+GK/s9tP3qee8uaR/r+09H1tlI=
private key: (hidden)
listening port: 47603
peer: uaBPua4Tnbluy51WbNOahHx77RGJFGRr/MAqWFILJhI=
endpoint: 81.92.206.2:51820
allowed ips: 0.0.0.0/0
latest handshake: 1 minute, 56 seconds ago
transfer: 1.84 KiB received, 2.13 KiB sent
root@rpi-dca632f961 /26# cat /etc/config/network
# Loopback interface: 'lo' with the usual 127.0.0.1/8.
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# Global settings: the IPv6 ULA prefix that interfaces with ip6assign
# (e.g. 'lan' below) carve their prefixes from.
config globals 'globals'
option ula_prefix 'fd75:fddf:4d3d::/48'
# 'lan': bridge over eth0, static 192.168.1.1/24, with the upstream router
# (192.168.1.254) as both default gateway and DNS for the router itself.
# NOTE(review): the gateway here installs a default route in the main
# table; see the WireGuard peer section, which installs a second one.
# Which DNS the LAN DHCP clients receive depends on /etc/config/dhcp,
# not shown in this paste.
config interface 'lan'
option type 'bridge'
option ifname 'eth0'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
option gateway '192.168.1.254'
list dns '192.168.1.254'
# 'vpniface': the bridge the VPN-side wireless clients attach to.
# NOTE(review): this bridge also lists eth0 as a port, but eth0 is already
# a port of the 'lan' bridge above; a port can normally belong to only one
# bridge, so confirm eth0 is meant here (the post says only wireless is
# attached to this interface). No netmask or CIDR is given for ipaddr;
# confirm 192.168.99.1/24 is intended. The force_link mentioned in the
# post does not appear in this stanza.
config interface 'vpniface'
option proto 'static'
option type 'bridge'
option ipaddr '192.168.99.1'
option ifname 'eth0'
# 'WGINTERFACE': the WireGuard tunnel interface. The private key is
# redacted in the paste; the /32 tunnel address is presumably the one
# issued by the VPN provider. force_link keeps the interface up even
# without a carrier signal from the tunnel.
config interface 'WGINTERFACE'
option proto 'wireguard'
option private_key 'hidden'
list addresses '10.71.240.227/32'
option force_link '1'
# Single peer for WGINTERFACE (the provider's server).
# NOTE(review): allowed_ips 0.0.0.0/0 with route_allowed_ips '1' asks
# netifd to install a default route through the tunnel in the main
# routing table, alongside the 'lan' gateway route above. Confirm with
# `ip route show` which default wins; if the tunnel is meant only for
# vpniface clients, that is usually done with policy routing (a separate
# table for that subnet) rather than a second main-table default.
# endpoint_host is resolved by the router's own DNS (192.168.1.254 per
# 'lan'), so that resolver must be reachable before the tunnel is up.
config wireguard_WGINTERFACE
option description 'mullvad gb29'
option public_key 'uaBPua4Tnbluy51WbNOahHx77RGJFGRr/MAqWFILJhI='
list allowed_ips '0.0.0.0/0'
option route_allowed_ips '1'
option endpoint_host 'gb29-wireguard.mullvad.net'
option endpoint_port '51820'
# Zone for the VPN-side clients (vpniface). All three default policies
# are ACCEPT. NOTE(review): the zone 'forward' policy covers traffic
# between networks inside this zone; cross-zone paths (to vpntunnel, or
# to lan) are governed by the 'forwarding' sections below, so confirm
# that no vpnusers -> lan forwarding exists if these clients are meant to
# be isolated from the LAN.
config zone
option name 'vpnusers'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'vpniface'
# Zone for the WireGuard tunnel; masq and mtu_fix are set as on a WAN zone.
# NOTE(review): input 'ACCEPT' here means any connection arriving from the
# tunnel toward the router itself (SSH, web UI, DNS) is accepted; with the
# peer allowed to send 0.0.0.0/0, whatever the provider routes to the
# tunnel address reaches those services. A WAN-facing zone normally uses
# `option input 'REJECT'` (and `option forward 'REJECT'`) and relies on
# conntrack for replies; confirm ACCEPT is intentional.
config zone
option name 'vpntunnel'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
option network 'WGINTERFACE'
option mtu_fix '1'
# Lets VPN-side clients (vpnusers) out through the tunnel (vpntunnel),
# where masq rewrites their source to the tunnel address. Only this
# direction is opened; return traffic presumably relies on conntrack.
config forwarding
option src 'vpnusers'
option dest 'vpntunnel'
# NOTE(review): references a zone 'wan', and a zone 'lan', neither of
# which appears in this paste. If no 'wan' zone is defined (the upstream
# router is reached via the 'lan' interface here), this section has no
# effect; confirm against the full /etc/config/firewall.
config forwarding
option src 'lan'
option dest 'wan'