WIFI client - VPN Wireguard

Hello
I am struggling to configure my router to work with WireGuard. What I am doing:
connecting to WAN through a WiFi client, and I want to use the VPN (WireGuard) through port 1.

# /etc/config/network as posted (secrets replaced with asterisks by the poster).
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdd0:e293:2785::/48'

# LAN bridge: only switch VLAN 1 (eth0.1) is a member here; the wireless side
# lives in /etc/config/wireless, which is not shown.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

# NOTE(review): a real-looking MAC address is left in the paste; the thread's
# own posting guidance further down asks for MAC addresses to be redacted.
config device
        option name 'eth0.2'
        option macaddr 'd4:6e:0e:ed:42:f3'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# Only VLAN 1 is defined although a device 'eth0.2' is configured above;
# whether eth0.2 exists on this hardware is not visible from the paste.
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '6t 1 2 3 4'

# WiFi-client uplink. No 'device' option is given here; presumably the STA
# wifi-iface in /etc/config/wireless attaches itself to this network (option
# network 'wwan') — confirm there.
config interface 'wwan'
        option proto 'dhcp'

# WireGuard client interface. No listen_port is set, so a random local port is
# used (cf. the 'listening port' lines in the wg show output later in the thread).
config interface 'WG'
        option proto 'wireguard'
        list addresses '**********'
        option private_key '**********'

# Single peer. allowed_ips 0.0.0.0/0 together with route_allowed_ips '1' makes
# netifd install a default route through the tunnel, which can compete with the
# DHCP default route of 'wwan' depending on metrics; the remote side's allowed_ips
# must in turn cover this client's tunnel address, or replies never come back.
# A preshared_key is configured, so the peer must hold the identical PSK or the
# handshake fails. If endpoint_host is a DNS name rather than an IP, the tunnel
# can only start once the router has working DNS after boot — a possible cause
# of the "lost after reboot" symptom reported at the end of the thread.
config wireguard_WG
        option description '**********'
        option public_key '**********'
        option preshared_key '**********'
        option route_allowed_ips '1'
        option endpoint_host '**********'
        option endpoint_port '51820'
        list allowed_ips '0.0.0.0/0'

Firewall

# /etc/config/firewall as posted. The stock OpenWrt rule set is retained; the
# poster's additions are the 'WG' network in the wan zone and the 'vpn' zone at
# the end.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

# 'WG' shares the wan zone with the uplink. With masq '1', LAN traffic that
# takes the tunnel's default route is forwarded by the single lan->wan
# forwarding below and source-NATed to the tunnel address; anything arriving
# from the tunnel is held to this zone's input/forward REJECT, which is the
# safer choice. The empty list network '' entry looks like a stray line;
# consider removing it.
config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wwan'
        list network ''
        list network 'WG'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Stock rules that let IPsec (ESP and IKE on udp/500) in from wan to lan. They
# are not needed for WireGuard; if nothing on the LAN uses IPsec they can be
# disabled to shrink the inbound surface.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

# Contents of /etc/firewall.user are not shown; any custom rules there also
# affect the outcome.
config include
        option path '/etc/firewall.user'

# The only inter-zone forwarding: LAN clients may reach the wan zone (and thus
# the tunnel, since 'WG' is a member of that zone).
config forwarding
        option src 'lan'
        option dest 'wan'

# This zone has no 'list network' attached and no forwarding pointing into it,
# so it is inert as posted. Note its input 'ACCEPT': if 'WG' were moved here,
# anything the remote peer sends down the tunnel could reach services listening
# on the router itself. Prefer input 'REJECT' plus explicit accept rules, as
# the wan zone does, and add a lan->vpn forwarding once a network is attached.
config zone
        option name 'vpn'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option input 'ACCEPT'
        option mtu_fix '1'

I will appreciate any help; I am very new to this.

Can you describe what is happening in general right now? Are you able to get connectivity when your WG tunnel is not running? What happens if you ping 8.8.8.8 and google.com from one of your wifi clients when WG is down?

Is the WG tunnel being established successfully (are you getting handshakes)? Where is the other WG peer -- is it a commercial VPN service? or another endpoint somewhere such as your home?

At the moment I am getting internet through the cable, but it does not pass through the VPN. The VPN is hosted by myself (not on the same network), and I can confirm it is working because I connect to it from my phone.

I'm not personally familiar with how to configure VPN PBR (since I don't use it myself), but I think the first thing to check is to verify that your tunnel is working in general. You didn't say whether you're getting handshakes.

But let's look at the complete config:

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall
# Re-post of /etc/config/network; identical to the first post apart from the
# tunnel address now being shown in clear.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdd0:e293:2785::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

# NOTE(review): MAC address still unredacted despite the request just above.
config device
        option name 'eth0.2'
        option macaddr 'd4:6e:0e:ed:42:f3'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '6t 1 2 3 4'

config interface 'wwan'
        option proto 'dhcp'

# Tunnel address given without a prefix length. The server-side peer entry for
# this client must list 10.253.0.2 in its allowed IPs, otherwise the server
# drops the client's packets and nothing is ever received (cf. the "0 B
# received" wg show output later in the thread).
config interface 'WG'
        option proto 'wireguard'
        list addresses '10.253.0.2'
        option private_key '*************'

# Same single peer as in the first post: full-tunnel (0.0.0.0/0) with the route
# installed by netifd, PSK in use, endpoint and keys redacted.
config wireguard_WG
        option description '*************'
        option public_key '*************'
        option preshared_key '*************'
        option route_allowed_ips '1'
        option endpoint_host '*************'
        option endpoint_port '51820'
        list allowed_ips '0.0.0.0/0'

# Re-post of /etc/config/firewall. Unlike the first post, this paste ends at
# the include: the lan->wan forwarding and the 'vpn' zone are missing. Either
# the paste was truncated or they were removed; without any 'config forwarding'
# from lan, LAN clients cannot reach the uplink or the tunnel at all, since
# the defaults below REJECT forwarding between zones.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

# 'WG' is still a member of the wan zone (masq '1', input/forward REJECT);
# the empty list network '' entry is a stray line.
config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wwan'
        list network ''
        list network 'WG'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Stock IPsec pass-through rules; not needed for WireGuard.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

# /etc/firewall.user is not shown.
config include
        option path '/etc/firewall.user'



I haven't changed anything from my first post.

What is the output from:
wg show

interface: WG
public key: N1DIa50VaUZ1xjXa9aA4aC02a0BLs9azpv6kMgbCaCk=
private key: (hidden)
listening port: 34895

peer: lTkHorpXvB9fATjZWSc0LBQ2aUe0U28DL9erZyEmOAw=
preshared key: (hidden)
endpoint: ***. ***. ***. ***:51820
allowed ips: 0.0.0.0/0
transfer: 0 B received, 740 B sent

It seems that you don't have a working handshake: 0 B received with 740 B sent suggests the remote peer is not answering your handshake initiations.

Maybe check the keys.

interface: WG
  public key: vNIIBFsenGpro7UHMiEdEPVOBeQo7eRADTWH0mlMRmI=
  private key: (hidden)
  listening port: 51710

peer: lTkHorpXvB9fATjzWSc0LBQ2aUe0U28DL9erZyWmOAw=
  preshared key: (hidden)
  endpoint: *:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 4 hours, 8 minutes, 38 seconds ago
  transfer: 1.84 KiB received, 2.27 KiB sent

I pasted the keys again and now there is a handshake, but there is no tunnel: my IP is the same.

A latest handshake of 4 hours ago doesn't seem right. On a live tunnel this should be seconds or minutes.

 allowed ips: 0.0.0.0/0
  latest handshake: 2 minutes, 3 seconds ago
  transfer: 67.37 KiB received, 9.76 KiB sent

I redid it again; the result is the same, no tunnel.

At least you now seem to have an active connection to the remote peer, based on the handshake and transfer values.

Have you tried disabling VPN PBR? If that is misconfigured, it might not allow the traffic to flow as expected, but if entirely disabled, the traffic should all be routed through the tunnel if it is working.

Thank you, I have completely removed VPN PBR and now it is working. Thank you for spending your time to help me find a solution. I wish you all the best, and may the time you spent on me come back to you as something you wish for most.

I don't know why, but today after I turned the router on again the VPN connection was lost: only TX packets. I deleted the interface and recreated it, but again no tunnel. I don't know why I can't make it stable.