Wireguard connects, no traffic

Hi, I'm kind of new to OpenWrt. I just configured my router with WireGuard and I'm connecting via the 4G interface. I can connect, but there is no traffic from my PC.

Can you help me with troubleshooting?
Network:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fddd:bf52:e5ef::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option multicast_querier '0'
        option igmp_snooping '0'
        option force_link '1'

config interface 'wan'
        option device 'eth0'
        option metric '100'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'

config interface 'cellular'
        option proto 'modemmanager'
        option device '/sys/devices/platform/soc/8af8800.usb3/8a00000.dwc3/xhci-hcd.1.auto/usb4/4-1'
        option apn 'xxxxxxxxxxx'
        option pincode 'xxxx'
        option auth 'none'
        option iptype 'ipv4v6'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'xxxxxxxxxxx'
        list addresses '10.74.74.1'
        option listen_port '51820'
        list dns '8.8.8.8'

config wireguard_wg0
        option description 'RACD_PC'
        option public_key 'xxxxxxxxxxxxx'
        list allowed_ips '8.8.8.8'
        list allowed_ips '9.9.9.9'
        option route_allowed_ips '1'
        option endpoint_port '51820'
        option endpoint_host 'x.x.x.x'

config wireguard_wg0
        option description 'pc2'
        option public_key 'xxxxxxxxxxxxxxx'
        option private_key 'xxxxxxxxxxxxx'
        list allowed_ips '192.168.1.0/24'

Firewall:

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option disabled '0'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg0'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'cellular'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config include 'qcanssecm'
        option type 'script'
        option path '/etc/firewall.d/qca-nss-ecm'
        option family 'any'
        option reload '1'

Thanks in advance

That is almost certainly wrong; replace it with:
list allowed_ips '0.0.0.0/0'

also remove this:

Hi,

Thanks for the reply. I made the changes, but no luck. Still no access to the internet via the VPN. The router itself has internet access.

What I observe in the WireGuard Windows client is that there are bytes sent, but zero received.

Let's see the latest network and firewall files and the remote peer config.

Hi,

Here is the info:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd5ef::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option multicast_querier '0'
        option igmp_snooping '0'
        option force_link '1'

config interface 'wan'
        option device 'eth0'
        option metric '100'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'

config interface 'cellular'
        option proto 'modemmanager'
        option device '/sys/devices/platform/soc/8af8800.usb3/8a00000.dwc3/xhci-hcd.1.auto/usb4/4-1'
        option apn 'xxxx'
        option pincode 'xxxx'
        option auth 'none'
        option iptype 'ipv4v6'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'iIxxx'
        list addresses '10.74.74.1'
        option listen_port '51820'
        list dns '8.8.8.8'

config wireguard_wg0
        option description 'RACD_PC'
        list allowed_ips '0.0.0.0/0'
        option route_allowed_ips '1'
        option endpoint_port '51820'
        option endpoint_host '100.x.x.xx'
        option public_key 'xxx'
        option private_key 'xxx'
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option disabled '0'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg0'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'cellular'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config include 'qcanssecm'
        option type 'script'
        option path '/etc/firewall.d/qca-nss-ecm'
        option family 'any'
        option reload '1'

PEER:


[Interface]
PrivateKey =xxxxxxxxxxx
ListenPort = 51820

[Peer]
PublicKey = xxxxxxxxxxxx
Endpoint = x.x.x.x:51820
AllowedIPs = 0.0.0.0/0

Remove the endpoint host and endpoint port (the router is the listening side here; it learns the client's endpoint from the handshake).
Change allowed ips to 10.74.74.2/32 (with 0.0.0.0/0 plus route_allowed_ips '1', the router installs a default route into the tunnel, which also swallows its own traffic).

Change the address to 10.74.74.1/24

The peer needs an Address in this section: 10.74.74.2.
Remove the listen port.
You will also almost certainly need DNS. Use 192.168.1.1.

Restart and test again.

To make sure I understand: you want to use WireGuard as a "client" so that all your traffic is routed via the VPN, e.g. to a commercial VPN provider?

Does your 4G interface provide a public IPv4 address? Many carriers do not; they often hand out CG-NAT addresses.

I have a WireGuard Windows client and want to connect to my router via the 4G interface and route all my Windows traffic via the VPN.

Yes, I have a direct connection to my router. I have a public IP address. The connection establishes fine, but no traffic is routed. I see traffic in the outgoing direction, but none incoming.


What are the first two octets of the "IPv4 Upstream" address on the LuCI main status page? In bold: aaa.bbb.ccc.ddd.

Let's also see the latest network config file and remote peer configuration, as well as the output from:

wg show

For some reason I don't see the WireGuard connection information in LuCI.

interface: wg0
  public key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
  private key: (hidden)
  listening port: 51820

How do you know your public IP then?

There's no peer information in `wg show`?

While waiting for a connection you should see a block with the peer's public key. Once connected, it will add a "latest handshake" time. If you don't see the handshake line, the phone peer is not connected.


OK, I understand. The IP is 47.59.x.x.

interface: wg0
  public key: 5coxxxxxxxxxxxxxxxxxxJAeYE8=
  private key: (hidden)
  listening port: 51820

peer: i92xxxxxxxxxxxxxxxxxxxxjvt8/2U+d0s=
  allowed ips: 0.0.0.0/0

I just realized that no matter which IP I set in the Windows app, it shows as activated.

Example: