Managed to get client to access LAN behind server using wireguard. Have I been too complicated? Is this secure or have I opened up too much on the Firewall and Interfaces. Setup of server is Openwrt 19.07.2 on BT home hub 5a behind a Virgin media hub 3. Client is another Opwnwrt 19.07.2 on BT hub 5a. This connects to internet by android phone usb teathering . This is all for learning and not a practical setup. My network and firewall.
`Network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd26:2c2d:0bc0::/48'
config atm-bridge 'atm'
option vpi '1'
option vci '32'
option encaps 'llc'
option payload 'bridged'
option nameprefix 'dsl'
config dsl 'dsl'
option annex 'a'
option tone 'av'
option ds_snr_offset '0'
config interface 'lan'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option gateway '192.168.73.1'
option ipaddr '192.168.7.87'
list dns '192.168.73.113'
list dns '192.168.73.85'
list dns '192.168.73.1'
option ifname 'eth0.1 wg0'
config device 'lan_eth0_1_dev'
option name 'eth0.1'
option macaddr '84:a4:23:0e:eb:b8'
config interface 'wan'
option ifname 'eth0.2'
option proto 'static'
option netmask '255.255.255.0'
option gateway '192.168.73.1'
option ipaddr '192.168.73.88'
list dns '192.168.73.113'
list dns '192.168.73.1'
list dns '8.8.8.8'
list dns '192.168.73.85'
config device 'wan_dsl0_dev'
option name 'dsl0'
option macaddr '84:a4:23:0e:eb:b9'
config interface 'wan6'
option ifname '@wan'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 4 6t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '5 6t'
config interface 'TetheringWAN'
option proto 'dhcp'
option ifname 'usb0'
option delegate '0'
config interface 'wg0'
option proto 'wireguard'
option delegate '0'
option private_key 'Redacted'
list addresses '10.100.100.5/24'
config wireguard_wg0
option public_key 'Redacted'
option description 'Server'
option endpoint_port '1699'
option route_allowed_ips '1'
option endpoint_host 'Redacted'
list allowed_ips '0.0.0.0/0'
Firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option mtu_fix '1'
option masq '1'
option network 'lan wg0'
config zone 'wan'
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6 TetheringWAN TetheringWAN'
config forwarding 'lan_wan'
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config rule 'AllowWireguard'
option name 'Allow-Wireguard'
option target 'ACCEPT'
option family 'ipv4'
option dest_port '60073'
option src '*'
option dest '*'
list proto 'udp'
config zone 'wireguard'
option name 'wireguard'
option input 'ACCEPT'
option forward 'ACCEPT'
option output 'ACCEPT'
option mtu_fix '1'
list device 'wg0'
option masq '1'
option network 'wireguard'
config forwarding 'wireguard_wan'
option src 'wireguard'
option dest 'wan'
config forwarding 'wireguard_lan'
option src 'wireguard'
option dest 'lan'
config forwarding 'lan_wireguard'
option src 'lan'
option dest 'wireguard' `
It works and it may help others.