Waving the white flag on WireGuard S2S

Okay, I have been beating my head against a brick wall with this, and I am frustrated to the point where I am finally caving in to join the forum and ask for help...

I have been trying to get a site-to-site VPN working for weeks now. I have a home office and a rented office in the same town. Both are on AT&T, and both use an Arris BGW210 which I have configured as an IP Passthrough gateway. Each OpenWRT router (OrangePI R1+ LTS) is set up as the NAT/Firewall at each location with Dynamic DNS. I can log in to each remotely (while trying to get this working) using Luci as well as SSH, by name.

The gateways (BGW210) have all packet filtering turned off and are also accessible (web interface) from within each LAN locally.

I initially configured both OpenWRT appliances using the automated script. It worked insofar as I can ping the LAN gateway of the opposite OpenWRT router - from home I can ping 192.168.1.1 successfully, and vice-versa. Then OpenWRT would just stop - I discovered that even with packet filtering disabled on the BGW210s they are STILL FILTERING UDP packets. AT&T are deliberately using the gateway firmware to prevent exactly what I'm trying to do.

So I tried OpenVPN instead (watched and followed the Van Tech Tips tutorial on YT - very good content). However there were other problems with OpenVPN - it's really only suitable for mobile-to-server VPN setups and I need site-to-site. So I abandoned that and uninstalled the OpenVPN software.

Now I am back to WireGuard. To get around the UDP filtering I've resorted to using WG over TCP and using a random different port. That's kind of working again.

Now I have two major issues left which I can not seem to resolve and have been spinning my wheels on:

  1. On the office OpenWRT appliance, the wireguard interface simply STOPS. It shows that the interface is up in Luci; however, it is not: wg show returns nothing, and the Luci WireGuard status page is empty. If I restart the interface, it works for just long enough to ping one side or the other, and then 30 seconds or so later the wg connection is gone. On the HOME OpenWRT device, this does not happen. It remains up and keeps trying to send handshakes but gets no reply.

  2. Routing to opposite LANs - no matter how many times I go step-by-step through the guides in the documentation, or on the various YT tutorials, LAN to LAN routing DOES NOT WORK. I can tracert or ping up to the LAN gateway and NO FURTHER in either direction. As far as I can tell I have correctly set up all Firewall rules, and the WG configuration on both devices shows that LAN forwarding/routing is ENABLED.

I'm really frustrated and confused. Would definitely buy a beer or two for anyone who has advice that actually solves the problem.

OFFICE (SERVER & PEER) CONFIGS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
OFFICE uci show network (redacted)

# uci show network
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fdac:0e80:dfb3::/48'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='eth1'
network.@device[1]=device
network.@device[1].name='eth1'
network.@device[1].macaddr='<OrangePI_MAC_ETH1>'
network.lan=interface
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.device='eth1'
network.lan.gateway='192.168.3.254'
network.lan.broadcast='255.255.255.255'
network.@device[2]=device
network.@device[2].name='eth0'
network.@device[2].macaddr='<OrangePI_MAC_ETH0>'
network.wan=interface
network.wan.device='eth0'
network.wan.proto='dhcp'
network.wan6=interface
network.wan6.device='eth0'
network.wan6.proto='dhcpv6'
network.docker=interface
network.docker.device='docker0'
network.docker.proto='none'
network.docker.auto='0'
network.@device[3]=device
network.@device[3].type='bridge'
network.@device[3].name='docker0'
network.wg_s2s_a=interface
network.wg_s2s_a.proto='wireguard'
network.wg_s2s_a.private_key='<SERVER_PRIVATE_KEY>'
network.wg_s2s_a.listen_port='2345'
network.wg_s2s_a.addresses='192.168.8.1'
network.s2s_vpn_site_b=wireguard_wg_s2s_a
network.s2s_vpn_site_b.public_key='<HOME_PUBLIC_KEY>'
network.s2s_vpn_site_b.preshared_key='<HOME_PRESHARED_KEY>'
network.s2s_vpn_site_b.description='Site B, home.dynamicdns.name'
network.s2s_vpn_site_b.route_allowed_ips='1'
network.s2s_vpn_site_b.persistent_keepalive='25'
network.s2s_vpn_site_b.endpoint_host='home.hostname'
network.s2s_vpn_site_b.endpoint_port='2345'
network.s2s_vpn_site_b.allowed_ips='192.168.0.0/24' 'fda7:bbb4:8db5::/48' '192.168.8.0/24'
#

OFFICE uci show firewall

# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.lan=zone
firewall.lan.name='lan'
firewall.lan.input='ACCEPT'
firewall.lan.output='ACCEPT'
firewall.lan.forward='ACCEPT'
firewall.lan.device='tun+'
firewall.lan.network='lan'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.input='ACCEPT'
firewall.wan.output='ACCEPT'
firewall.wan.forward='ACCEPT'
firewall.wan.masq='1'
firewall.wan.mtu_fix='1'
firewall.wan.network='wan' 'wan6'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[9]=rule
firewall.@rule[9].name='Support-UDP-Traceroute'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest_port='33434:33689'
firewall.@rule[9].proto='udp'
firewall.@rule[9].family='ipv4'
firewall.@rule[9].target='REJECT'
firewall.@rule[9].enabled='0'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.ss_rules=include
firewall.ss_rules.path='/etc/firewall.ss-rules'
firewall.ss_rules.reload='1'
firewall.@zone[2]=zone
firewall.@zone[2].name='VPN'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].network='wg_s2s_a'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='VPN'
firewall.@forwarding[1].dest='lan'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].src='lan'
firewall.@forwarding[2].dest='VPN'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].name='wg'
firewall.@redirect[0].proto='tcp'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].src_dport='2345'
firewall.@redirect[0].dest='VPN'
firewall.wg_s2s_2345=rule
firewall.wg_s2s_2345.name='Allow-WireGuard-2345'
firewall.wg_s2s_2345.src='wan'
firewall.wg_s2s_2345.dest_port='2345'
firewall.wg_s2s_2345.proto='tcp'
firewall.wg_s2s_2345.target='ACCEPT'
firewall.docker=zone
firewall.docker.input='ACCEPT'
firewall.docker.output='ACCEPT'
firewall.docker.forward='ACCEPT'
firewall.docker.name='docker'
firewall.docker.network='docker'
firewall.@forwarding[3]=forwarding
firewall.@forwarding[3].src='wan'
firewall.@forwarding[3].dest='VPN'

OFFICE wg show (when the wg interface is restarted and briefly up)

# wg showconf wg_s2s_a
[Interface]
ListenPort = 2345
PrivateKey = <SERVER_PRIVATE_KEY>

[Peer]
PublicKey = <HOME_PUBLIC_KEY>
PresharedKey = <HOME_PRESHARED_KEY>
AllowedIPs = 192.168.0.0/24, fda7:bbb4:8db5::/48, 192.168.8.0/24
Endpoint = HOME_PUBLIC_IP_ADDRESS:2345
PersistentKeepalive = 25

HOME (SERVER & PEER) CONFIGS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
HOME uci show network

# uci show network
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fda7:bbb4:8db5::/48'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='eth1'
network.@device[1]=device
network.@device[1].name='eth1'
network.@device[1].macaddr='OrangePI_MAC_ADDRESS_ETH1'
network.lan=interface
network.lan.device='eth1'
network.lan.proto='static'
network.lan.ipaddr='192.168.0.1'
network.lan.netmask='255.255.255.0'
network.lan.broadcast='255.255.255.255'
network.lan.gateway='192.168.2.254'
network.@device[2]=device
network.@device[2].name='eth0'
network.@device[2].macaddr='OrangePI_MAC_ADDRESS_ETH0'
network.wan=interface
network.wan.device='eth0'
network.wan.proto='dhcp'
network.wan.hostname='home'
network.wan6=interface
network.wan6.device='eth0'
network.wan6.proto='dhcpv6'
network.docker=interface
network.docker.device='docker0'
network.docker.proto='none'
network.docker.auto='0'
network.@device[3]=device
network.@device[3].type='bridge'
network.@device[3].name='docker0'
network.wg_s2s_b=interface
network.wg_s2s_b.proto='wireguard'
network.wg_s2s_b.private_key='<HOME_PRIVATE_KEY>'
network.wg_s2s_b.listen_port='2345'
network.wg_s2s_b.addresses='192.168.8.2'
network.s2s_vpn_site_a=wireguard_wg_s2s_b
network.s2s_vpn_site_a.public_key='<SERVER_PUBLIC_KEY>'
network.s2s_vpn_site_a.preshared_key='<SERVER_PRESHARED_KEY>'
network.s2s_vpn_site_a.description='Site A, office.dynamicdns.name'
network.s2s_vpn_site_a.route_allowed_ips='1'
network.s2s_vpn_site_a.persistent_keepalive='25'
network.s2s_vpn_site_a.endpoint_host='office.hostname'
network.s2s_vpn_site_a.endpoint_port='2345'
network.s2s_vpn_site_a.allowed_ips='192.168.1.0/24' 'fdac:0e80:dfb3::/48' '192.168.8.0/24'

HOME uci show firewall

# uci show firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.lan=zone
firewall.lan.name='lan'
firewall.lan.input='ACCEPT'
firewall.lan.output='ACCEPT'
firewall.lan.forward='ACCEPT'
firewall.lan.device='tun+'
firewall.lan.network='lan'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.input='ACCEPT'
firewall.wan.output='ACCEPT'
firewall.wan.forward='ACCEPT'
firewall.wan.masq='1'
firewall.wan.mtu_fix='1'
firewall.wan.network='wan' 'wan6'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[9]=rule
firewall.@rule[9].name='Support-UDP-Traceroute'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest_port='33434:33689'
firewall.@rule[9].proto='udp'
firewall.@rule[9].family='ipv4'
firewall.@rule[9].target='REJECT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.ss_rules=include
firewall.ss_rules.path='/etc/firewall.ss-rules'
firewall.ss_rules.reload='1'
firewall.@zone[2]=zone
firewall.@zone[2].name='VPN'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].network='wg_s2s_b'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='VPN'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='VPN'
firewall.@forwarding[1].dest='lan'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].src='lan'
firewall.@forwarding[2].dest='wan'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].name='wg'
firewall.@redirect[0].proto='tcp'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].src_dport='2345'
firewall.@redirect[0].dest='VPN'
firewall.wg_s2s_2345=rule
firewall.wg_s2s_2345.name='Allow-WireGuard-2345'
firewall.wg_s2s_2345.src='wan'
firewall.wg_s2s_2345.dest_port='2345'
firewall.wg_s2s_2345.proto='tcp'
firewall.wg_s2s_2345.target='ACCEPT'
firewall.docker=zone
firewall.docker.input='ACCEPT'
firewall.docker.output='ACCEPT'
firewall.docker.forward='ACCEPT'
firewall.docker.name='docker'
firewall.docker.network='docker'
firewall.@forwarding[3]=forwarding
firewall.@forwarding[3].src='wan'
firewall.@forwarding[3].dest='VPN'

HOME wg show

# wg show
interface: wg_s2s_b
  public key: <home site public key>
  private key: (hidden)
  listening port: 2345

peer: <my server key>
  preshared key: (hidden)
  endpoint: SERVER_PUBLIC_IP_ADDR:2345
  allowed ips: 192.168.1.0/24, fdac:e80:dfb3::/48, 192.168.8.0/24
  latest handshake: 12 minutes, 41 seconds ago
  transfer: 11.21 KiB received, 1.30 MiB sent
  persistent keepalive: every 25 seconds

This is a BIG post, so to anyone who bothers reading, thank you very much. To anyone who has solid advice, thank you even more!
-BJ.

OpenVPN can be used for a site-to-site VPN. Just set one endpoint up as the server and the other endpoint as the client. It's a bit of a hack, but it works. However, it's dependent on the "client" always initiating the connection, unlike WireGuard where either side can initiate the connection. So if you do get completely stuck with WireGuard, then OpenVPN might still be a possibility.

Remove these. The LAN interface doesn't need to be told about a gateway. The LAN interface is the gateway.

Not sure but...
With the 192.168.8.1 and .2 addresses, are you just using those as placeholders for the public IP?

I don't think you want the 192.168.8.0/24 in the allowed IPs. This is for traffic you want tunneled. Since your peer is 192.168.8.2, you don't want that traffic tunneled.

I'm not convinced that you need DNAT rules for this. Normally I'd expect to see rules to allow inbound traffic to the WAN interface, and then additional firewall and routing rules to permit/deny traffic to/from the VPN.

How?

https://www.wireguard.com/known-limitations/ explicitly says that TCP isn't supported. I can see that you have firewall rules set up which permit TCP but not UDP; that's not the same as configuring WG to use TCP.

However, that Known Limitations page does suggest some workarounds to tunnel UDP over TCP. I haven't checked to see if any of those workarounds are available for OpenWRT (they might be; I just don't know).

I think that's a holdover from a prior attempt. I have removed those. As far as I read the docs, WG should get its direction from the zone-based firewall rules.

The IP of the wireguard interface needs to be /24 (or otherwise large enough to include itself and all peers). If you specify an IP with no network size you get a /32.
The allowed IPs need to include the peer's tunnel IP and the other lan
route_allowed_ips should be set on both ends
The wireguard interface should be in the lan firewall zone.

DNAT - I think these were enabled by default and I don't know why. There's nothing in Luci to indicate I've enabled NAT/Masquerading... I'll try removing these from the config file.

The only other change you need in the firewall is to allow input UDP from wan to the wireguard listen_port. This is not a redirect since the wireguard process is inside the same router, not on a different machine on the lan.

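As an added example (not part of the original post, and not OpenWrt's or the poster's code), here is a small Python lint that reads `uci show network` and `uci show firewall` output from both routers and checks it against the rules the two replies above lay out: a prefix length on the tunnel address (a bare address is installed as /32), allowed_ips covering the far side's tunnel IP and LAN, endpoint_port matching the far listen_port, route_allowed_ips set on both ends, and an ACCEPT input rule for UDP on the listen port instead of a TCP rule or a DNAT redirect. The samples are constructed from the configs posted in this thread with keys omitted; the lint assumes one peer per WireGuard interface and takes each LAN prefix as an argument rather than reading it from the lan section.

```python
"""Lint two OpenWrt WireGuard site-to-site configs pasted from `uci show` output.

Added example for this thread, not the poster's or OpenWrt's code. The checks come
from the replies: the tunnel address needs a prefix length (a bare address is /32),
allowed_ips must cover the far tunnel IP and LAN, endpoint_port must equal the far
listen_port, route_allowed_ips must be '1', and wan needs an ACCEPT input rule for
UDP on the listen port rather than a TCP rule or a DNAT redirect.
"""
import ipaddress
import shlex


def parse_uci(text):
    """Turn `uci show <config>` lines into {section: {option: [values]}}."""
    sections = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition("=")
        parts = key.split(".")
        if len(parts) == 2:                      # config.section=type
            sections.setdefault(parts[1], {})[".type"] = [value]
        elif len(parts) == 3:                    # config.section.option='a' 'b'
            sections.setdefault(parts[1], {})[parts[2]] = shlex.split(value)
    return sections


def wireguard_site(network, firewall):
    """Collect the WireGuard interface, its single peer and the firewall into one dict."""
    name, iface = next((n, s) for n, s in network.items() if s.get("proto") == ["wireguard"])
    peer = next(s for s in network.values() if s.get(".type") == ["wireguard_" + name])
    return {"iface": name, "address": iface["addresses"][0], "firewall": firewall,
            "listen_port": iface["listen_port"][0], "allowed_ips": peer["allowed_ips"],
            "endpoint_port": peer.get("endpoint_port", [None])[0],
            "route_allowed_ips": peer.get("route_allowed_ips", ["0"])[0]}


def lint_site(local, remote, remote_lan):
    """Return findings for `local`, given the far side's config and its LAN prefix."""
    tag, port, findings = local["iface"], local["listen_port"], []
    if "/" not in local["address"]:
        findings.append(f"{tag}: address {local['address']} has no prefix length (installed as /32)")
    allowed = [ipaddress.ip_network(a, strict=False) for a in local["allowed_ips"]]
    far_ip = ipaddress.ip_address(remote["address"].split("/")[0])
    if not any(far_ip in n for n in allowed):
        findings.append(f"{tag}: allowed_ips does not cover far tunnel IP {far_ip}")
    far_lan = ipaddress.ip_network(remote_lan)
    if not any(far_lan.subnet_of(n) for n in allowed if n.version == far_lan.version):
        findings.append(f"{tag}: allowed_ips does not cover far LAN {far_lan}")
    if local["endpoint_port"] != remote["listen_port"]:
        findings.append(f"{tag}: endpoint_port {local['endpoint_port']} != far listen_port {remote['listen_port']}")
    if local["route_allowed_ips"] != "1":
        findings.append(f"{tag}: route_allowed_ips unset, far LAN will not be routed")
    # WireGuard is UDP-only and the listener is the router itself: one ACCEPT input rule
    # from wan for UDP/<port> is all that is needed; a TCP rule admits nothing, and a
    # redirect (port forward) is for hosts behind the router.
    rules = [s for s in local["firewall"].values() if s.get(".type") == ["rule"]]
    if not any(r.get("src") == ["wan"] and not r.get("dest") and r.get("target") == ["ACCEPT"]
               and r.get("dest_port") == [port]
               and {"udp", "all"} & set(" ".join(r.get("proto", ["tcp udp"])).split())
               for r in rules):
        findings.append(f"{tag}: no ACCEPT input rule from wan for UDP/{port}")
    for s in local["firewall"].values():
        if s.get(".type") == ["redirect"] and s.get("src_dport") == [port]:
            findings.append(f"{tag}: redirect on port {port} is unnecessary (listener is local)")
    return findings


# Constructed samples, abbreviated from the two `uci show` dumps in the thread.
OFFICE_NETWORK = """\
network.wg_s2s_a=interface
network.wg_s2s_a.proto='wireguard'
network.wg_s2s_a.listen_port='2345'
network.wg_s2s_a.addresses='192.168.8.1'
network.s2s_vpn_site_b=wireguard_wg_s2s_a
network.s2s_vpn_site_b.route_allowed_ips='1'
network.s2s_vpn_site_b.endpoint_port='2345'
network.s2s_vpn_site_b.allowed_ips='192.168.0.0/24' 'fda7:bbb4:8db5::/48' '192.168.8.0/24'
"""
HOME_NETWORK = (OFFICE_NETWORK.replace("wg_s2s_a", "wg_s2s_b").replace("site_b", "site_a")
                .replace("192.168.8.1", "192.168.8.2").replace("192.168.0.0/24", "192.168.1.0/24")
                .replace("fda7:bbb4:8db5", "fdac:0e80:dfb3"))
AS_POSTED_FIREWALL = """\
firewall.@redirect[0]=redirect
firewall.@redirect[0].src='wan'
firewall.@redirect[0].src_dport='2345'
firewall.wg_s2s_2345=rule
firewall.wg_s2s_2345.src='wan'
firewall.wg_s2s_2345.dest_port='2345'
firewall.wg_s2s_2345.proto='tcp'
firewall.wg_s2s_2345.target='ACCEPT'
"""
FIXED_FIREWALL = "\n".join(l for l in AS_POSTED_FIREWALL.splitlines()   # drop redirect, UDP rule
                           if "redirect" not in l).replace("'tcp'", "'udp'")


def lint_thread_configs(fixed=False):
    """Lint both sides as posted, or with the corrections from the replies applied."""
    office_net, home_net, fw = OFFICE_NETWORK, HOME_NETWORK, AS_POSTED_FIREWALL
    if fixed:  # tunnel addresses get their /24, firewall rule becomes UDP, redirect goes
        office_net = office_net.replace("'192.168.8.1'", "'192.168.8.1/24'")
        home_net, fw = home_net.replace("'192.168.8.2'", "'192.168.8.2/24'"), FIXED_FIREWALL
    office, home = (wireguard_site(parse_uci(n), parse_uci(fw)) for n in (office_net, home_net))
    return {"office": lint_site(office, home, "192.168.0.0/24"),
            "home": lint_site(home, office, "192.168.1.0/24")}
```

Run against the configs as posted, `lint_thread_configs()` reports three findings per side (bare tunnel address installed as /32, no UDP input rule on 2345, an unneeded redirect on 2345) and nothing about allowed_ips, ports or route_allowed_ips, which matches the thread: the tunnel handshakes, so the WireGuard peer settings themselves are consistent. With the corrections applied, `lint_thread_configs(fixed=True)` returns no findings. To use it on a live pair of routers, paste the real `uci show network` and `uci show firewall` output in place of the constructed samples.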

I had originally included the networks of the tunnel itself in "allowed IPs". Others replying to this post have said the opposite... who's true?

Where did you read the /32? As far as I can tell I set everything up with last octet of mask 0, I'll go back and look.

I'm fairly sure that's not what my problem is, or the FW rule for allowing only TCP... because I CAN PING THE OTHER SIDE.

In your situation where both sides are originating connections to the other side on the same port, that will open a hole in the firewall and it isn't strictly necessary to have an input rule for the returning encrypted packets at all.

I got caught out by this only a couple of days ago.

DNAT rules are in the "Port Forward" section of LuCI.

SNAT/Masquerade rules are in the "NAT Rules" section.


I found it actually on the server. I don't know why this was set this way...

This is what happens when you spend a week burning midnight oil to try and get SOMETHING, ANYTHING to work.

I've reset this rule to NOT forward from wan to VPN zone. That's taken care of elsewhere in the firewall rules with WG.

I think this setting in Luci was a holdover from trying to get OpenVPN to work...

If you have a separate VPN zone it needs to be set to forward to lan, and also forwarding from lan to vpn allowed. Don't set masquerade on either zone.

I suggest having the wireguard in the lan zone as you trust everything in both LANs and intra-zone forwarding lan-lan is accepted by default (make sure that is still the case). Once that works you can consider using separate zones if there is a need for more sophisticated security.

Also note that firewall rules serve to place limits on what is allowed, but the routing table(s) determine where traffic will actually be attempted to route.


Actually the WAN masquerading is meant to be there. These endpoints are NAT devices for each LAN to access the internet. I think the confusion was with the zone forwarding. In all WG documentation I've seen so far this is not something people do.

Yes that's setup according to what you had said. LAN => VPN and VPN => LAN on both devices.

So should I configure the opposite sites to use different ports?

I will do that, but I believe this has nothing to do with the main issues I'm having...

  1. Office side WG interface stopping (maybe it does?)

  2. no routing to other LAN

You can, but it's not necessary. WireGuard works well with the listen port identical on both sides, or with the listen port non-identical on both sides. Just remember to adjust the Endpoint port number if the other end's Listen port changes.

Revert the WG firewall traffic rules to UDP, not TCP.

This should just be a matter of setting the routing and firewall rules (if any) correctly.

Look at the routing tables-- run route on each router.