Wireguard + DDNS

Good day everyone!
I ran into an unpleasant problem - the WireGuard client on the router remembers the IP of the server when connected.
My home WireGuard server is located behind a dynamic white IP. There is a DDNS name whose IP is updated by the router with the server.
Question:
How can I make WireGuard not remember the IP but address the server by name, if that is possible?
If this is not possible, then how can I get it (the client) to reconnect if there is no handshake for 30 seconds / a minute?

https://openwrt.org/docs/guide-user/services/vpn/wireguard/extras#dynamic_address

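The wiki page linked above solves the first question by re-resolving the endpoint name on a timer. The script below is an added example written for this thread, not the wiki's script and not code posted by any participant. It assumes the client-side names used later in the thread (interface `wg`, peer sections of type `wireguard_wg`) and that `wg`, `uci` and `logger` exist on the router; `wg set ... endpoint host:port` does the DNS lookup itself, so no separate resolver is needed.

```shell
#!/bin/sh
# wg-ddns-watchdog.sh (added example, not from this thread or the OpenWrt wiki)
#
# WireGuard resolves endpoint_host once, when the interface comes up, and then
# keeps that IP. When the DDNS record changes, handshakes stop succeeding. Run
# this from cron every minute on the client router: for every peer whose last
# handshake is older than STALE_SECS it re-applies the configured endpoint with
# `wg set`, which resolves the host name afresh.
#
# Assumptions: WireGuard interface 'wg' with peers in UCI sections of type
# wireguard_wg (the names from the client config in this thread), and the
# wg, uci and logger commands present on the router.
#
# Install: chmod +x /root/wg-ddns-watchdog.sh and add to /etc/crontabs/root:
#   * * * * * /root/wg-ddns-watchdog.sh

WG_IFACE="${WG_IFACE:-wg}"
# A healthy tunnel with persistent keepalive renegotiates roughly every two
# minutes (WireGuard rekeys after 120 s), so a threshold of "no handshake for
# 30 seconds" would reset a working peer. 180 s plus the 25 s keepalive is safe.
STALE_SECS="${STALE_SECS:-205}"

# stale_peers NOW LIMIT
# Reads `wg show <iface> latest-handshakes` lines ("<pubkey><TAB><epoch>") on
# stdin and prints the public keys whose handshake is older than LIMIT seconds
# as of NOW. Epoch 0 means "never handshaked", which also counts as stale.
stale_peers() {
    awk -F '\t' -v now="$1" -v limit="$2" \
        'NF >= 2 && (now - $2) > limit { print $1 }'
}

# peer_sections
# Prints the UCI section names (named or @wireguard_wg[N]) of all peers of WG_IFACE.
peer_sections() {
    uci show network 2>/dev/null \
        | sed -n "s/^network\.\([^=]*\)=wireguard_${WG_IFACE}\$/\1/p"
}

# reresolve_peer PUBKEY
# Looks up the peer's endpoint_host/endpoint_port in UCI and re-applies them.
# Peers without endpoint_host (roaming clients that dial in) are left alone.
# 51820 is WireGuard's default port, used when endpoint_port is not set.
reresolve_peer() {
    key="$1"
    for sec in $(peer_sections); do
        [ "$(uci -q get "network.$sec.public_key")" = "$key" ] || continue
        host=$(uci -q get "network.$sec.endpoint_host")
        port=$(uci -q get "network.$sec.endpoint_port")
        [ -n "$host" ] || return 0
        logger -t wg-ddns "stale handshake on $WG_IFACE, re-resolving $host:${port:-51820}"
        wg set "$WG_IFACE" peer "$key" endpoint "$host:${port:-51820}"
        return $?
    done
    return 0
}

main() {
    now=$(date +%s)
    wg show "$WG_IFACE" latest-handshakes \
        | stale_peers "$now" "$STALE_SECS" \
        | while read -r key; do reresolve_peer "$key"; done
}

# Only act when executed as the script itself, not when sourced for testing.
if [ "${0##*/}" = "wg-ddns-watchdog.sh" ]; then
    main
fi
```

Check it with `wg show wg latest-handshakes` before and after a DDNS change; the endpoint shown by `wg show` should follow the new address within a minute.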

Thank you) But I probably hurried with the question and will abandon WireGuard because it somehow works strangely with clients behind NAT. They either can't connect or there are no new handshakes.

Wireguard is pretty flexible and very solid in many situations. Maybe you can explain your specific issues? It might be related to a config problem.

I'll try it in my broken English :wink:
There is a router with OpenWrt with a WireGuard interface 172.16.24.1/24. This router receives internet from the gateway. There is DDNS on the gateway and a port for WireGuard has been forwarded; the provider provides a dynamic white IP.
There is an OpenWrt router client with WireGuard 172.16.24.2/24 and a Windows client with mobile internet 172.16.24.3/24.

I would like to have a permanent connection with the ability to exchange data between clients.

Server:




Openwrt-client

10.0.45.0/24 - the address of the network where the client router is located. I would like to be able to get access to the machines of that network )

It's best to see the config files in text format from OpenWrt:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
wg show

server:
ubus call system board

{
        "kernel": "5.10.201",
        "system": "Qualcomm Atheros QCA9533 ver 2 rev 0",
        "model": "TP-Link TL-WR842N v3",
        "board_name": "tplink,tl-wr842n-v3",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.6",
                "revision": "r20265-f85a79bcb4",
                "target": "ath79/generic",
                "description": "OpenWrt 22.03.6 r20265-f85a79bcb4"
        }
}

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd6b:8be3:0b90::/48'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.2.1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 4 3 2 1'

config interface 'wg_server'
        option proto 'wireguard'
        option private_key '*******'
        option listen_port '51820'
        option defaultroute '0'
        option delegate '0'
        list addresses '172.16.24.1/24'

config wireguard_wg_server
        option description 'Office_router'
        option public_key 'nUYDqYENJwPODLepLeCbssNyC0luKAd6MThwskdkymI='
        option private_key '***************'
        list allowed_ips '172.16.24.2/32'
        list allowed_ips '10.0.45.0/24'
        option route_allowed_ips '1'
        option persistent_keepalive '20'

config wireguard_wg_server
        option public_key 'qlXetmpmKbKEd2IBTSxVU1swXXIGK0v3mDy13jW90w0='
        option private_key '***************'
        list allowed_ips '172.16.24.3/32'
        option description 'Client_1'
        option route_allowed_ips '1'
        option persistent_keepalive '20'

cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'allow_wg'
        list proto 'udp'
        option src 'wan'
        option target 'ACCEPT'
        option family 'ipv4'
        option dest_port '51820'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow_p910'
        option target 'ACCEPT'
        option dest_port '9100-9105'
        list proto 'tcp'
        option family 'ipv4'
        option src 'wan'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name '7days - my pc'
        option family 'ipv4'
        option src 'wan'
        option src_dport '26900-26903'
        option dest_ip '192.168.2.8'
        option dest_port '26900-26903'

config zone
        option name 'wg_server_test'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option input 'ACCEPT'
        list network 'wg_server'

wg show

interface: wg_server
  public key: oxJyUEB9JRCH6cVEw0Cft1J+tMXbn9pKgh7Gg44oATs=
  private key: (hidden)
  listening port: 51820

peer: qlXetmpmKbKEd2IBTSxVU1swXXIGK0v3mDy13jW90w0=
  endpoint: 192.168.1.1:51820
  allowed ips: 172.16.24.3/32
  latest handshake: 16 minutes, 36 seconds ago
  transfer: 8.49 KiB received, 25.67 KiB sent
  persistent keepalive: every 20 seconds

peer: nUYDqYENJwPODLepLeCbssNyC0luKAd6MThwskdkymI=
  endpoint: 85.26.176.197:25026
  allowed ips: 172.16.24.2/32, 10.0.45.0/24
  latest handshake: 18 minutes, 2 seconds ago
  transfer: 420 B received, 20.89 KiB sent
  persistent keepalive: every 20 seconds

client-owrt:
ubus call system board

{
        "kernel": "4.4.182",
        "system": "Atheros AR9341 rev 3",
        "model": "TP-Link TL-MR3420 v2",
        "board_name": "tl-mr3420-v2",
        "release": {
                "distribution": "LEDE",
                "version": "17.01.7",
                "revision": "r4030-6028f00df0",
                "codename": "reboot",
                "target": "ar71xx\/generic",
                "description": "LEDE Reboot 17.01.7 r4030-6028f00df0"
        }
}

cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdee:5461:5f4b::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option delegate '0'
        option ipaddr '192.168.100.1'

config interface 'wan'
        option ifname 'eth0'
        option proto 'dhcp'
        option delegate '0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 4'

config interface 'wg'
        option proto 'wireguard'
        option delegate '0'
        option private_key '******************'
        list addresses '172.16.24.2/24'

config wireguard_wg
        option endpoint_host '****************.ddns.net'
        option endpoint_port '443'
        option public_key 'oxJyUEB9JRCH6cVEw0Cft1J+tMXbn9pKgh7Gg44oATs='
        option persistent_keepalive '25'
        list allowed_ips '172.16.24.1/32'

cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan wifi_clients'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option forward 'DROP'
        option network 'wan6 wwan1 wwan wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
        option src 'wan'
        option enabled '0'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option name 'wg'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'DROP'
        option mtu_fix '1'
        option network 'wg'

config forwarding
        option dest 'wan'
        option src 'wg'

wg show

interface: wg
  public key: nUYDqYENJwPODLepLeCbssNyC0luKAd6MThwskdkymI=
  private key: (hidden)
  listening port: 48261

peer: oxJyUEB9JRCH6cVEw0Cft1J+tMXbn9pKgh7Gg44oATs=
  endpoint: *.134:443
  allowed ips: 172.16.24.1/32
  transfer: 0 B received, 1.16 KiB sent
  persistent keepalive: every 25 seconds

This version of OpenWrt is EOL and unsupported. You should upgrade:

https://firmware-selector.openwrt.org/?version=23.05.3&target=ath79%2Fgeneric&id=tplink_tl-wr842n-v3

Is the 10.0.45.0/24 network the upstream (wan) of the TL-WR842N?

Remove the default route and the delegate lines from below:

Remove the allowed IPs for 10.0.45.0/24 (assuming that this is the upstream network for the WR842N; if not, please explain where this specific network exists):

Add forwarding as follows for your wg_server_test firewall zone:

config forwarding
        option src 'wg_server_test'
        option dest 'wan'

config forwarding
        option src 'wg_server_test'
        option dest 'lan'

This version is beyond ancient:

That version went EOL just a bit over 5 years ago and thus has been unsupported for a half decade already. There are many known and actively exploited security vulnerabilities in that firmware that will never be patched. It should not be used anymore. Further, the syntax of the config files has changed significantly since that release, so it's hard to even remember what is correct vs misconfigured in the config files.

The hardware you're using is obviously really old, too...

It cannot run a modern version of OpenWrt and should really be e-cycled at this point.

That said, the only thing I can speak to is the allowed_ips:

If you want it to tunnel all traffic, you would put 0.0.0.0/0 in that field. Or if it is just for specific networks, it might look like 192.168.2.0/24, 172.16.24.0/24 and 10.0.45.0/24. You also need to add option route_allowed_ips '1' to this in order for those allowed_ips to work.

Reboot both machines and try again.

And please upgrade your main router and get new hardware for your secondary one.

Yes

If I delete 10.0.45.0/24, will I be able to access the machines on this network?

Do I understand correctly that I should enable this even if specific IP addresses are specified and not 0.0.0.0?

About the new versions. I think I've already tried updating, but it worked very slowly.

Yes, you will, provided that you add the forwards in the firewall as I specified.

0.0.0.0/0 means "all IPs" -- basically put everything (including normal internet traffic) through the tunnel. If you want to tunnel everything, that's what should be in allowed_ips on the remote side. On the other hand, if you only want to push the specific networks of the server-side network through the tunnel, you manually specify the individual subnets.

I probably didn't explain it well. 10.0.45.0/24 is the owrt-client's wan. There is no such network on the server, but I would like to access 10.0.45.0/24 through the tunnel from the server and some clients.

I understood the topology. And yes, this will work, but you need to include the forwards (in the firewall) as I had specified.

I removed the default route and the delegate lines from the server config.
Added forwarding to the wg_server_test firewall zone.
Switched route_allowed_ips to '1' on the owrt-client and rebooted all. A handshake exists from 5 min ago, and I can't ping the client from the server or the server from the client.

Let's see the configs again (including wg show).

server
cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd6b:8be3:0b90::/48'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.2.1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 4 3 2 1'

config interface 'wg_server'
        option proto 'wireguard'
        option private_key '**********'
        option listen_port '51820'
        list addresses '172.16.24.1/24'

config wireguard_wg_server
        option description 'Office_router'
        option public_key 'nUYDqYENJwPODLepLeCbssNyC0luKAd6MThwskdkymI='
        option private_key '**************'
        list allowed_ips '172.16.24.2/32'
        option route_allowed_ips '1'
        option persistent_keepalive '20'

config wireguard_wg_server
        option public_key 'qlXetmpmKbKEd2IBTSxVU1swXXIGK0v3mDy13jW90w0='
        option private_key '***************'
        list allowed_ips '172.16.24.3/32'
        option description 'Client_1'
        option route_allowed_ips '1'
        option persistent_keepalive '20'

cat /etc/config/firewall


config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'allow_wg'
        list proto 'udp'
        option src 'wan'
        option target 'ACCEPT'
        option family 'ipv4'
        option dest_port '51820'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow_p910'
        option target 'ACCEPT'
        option dest_port '9100-9105'
        list proto 'tcp'
        option family 'ipv4'
        option src 'wan'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name '7days - my pc'
        option family 'ipv4'
        option src 'wan'
        option src_dport '26900-26903'
        option dest_ip '192.168.2.8'
        option dest_port '26900-26903'

config zone
        option name 'wg_server'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option input 'ACCEPT'
        list network 'wg_server'

config forwarding
        option src 'wg_server'
        option dest 'lan'

config forwarding
        option src 'wg_server'
        option dest 'wan'

wg show

interface: wg_server
  public key: oxJyUEB9JRCH6cVEw0Cft1J+tMXbn9pKgh7Gg44oATs=
  private key: (hidden)
  listening port: 51820

peer: qlXetmpmKbKEd2IBTSxVU1swXXIGK0v3mDy13jW90w0=
  endpoint: 192.168.1.1:51820
  allowed ips: 172.16.24.3/32
  latest handshake: 1 minute, 54 seconds ago
  transfer: 4.27 KiB received, 316 B sent
  persistent keepalive: every 20 seconds

peer: nUYDqYENJwPODLepLeCbssNyC0luKAd6MThwskdkymI=
  endpoint: 85.26.185.170:8280
  allowed ips: 172.16.24.2/32
  latest handshake: 2 minutes, 7 seconds ago
  transfer: 308 B received, 3.01 KiB sent
  persistent keepalive: every 20 seconds

client
cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdee:5461:5f4b::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option delegate '0'
        option ipaddr '192.168.100.1'

config interface 'wan'
        option ifname 'eth0'
        option proto 'dhcp'
        option delegate '0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 4'

config interface 'wg'
        option proto 'wireguard'
        option delegate '0'
        option private_key '******'
        list addresses '172.16.24.2/24'

config wireguard_wg
        option endpoint_host '*****.ddns.net'
        option public_key 'oxJyUEB9JRCH6cVEw0Cft1J+tMXbn9pKgh7Gg44oATs='
        option persistent_keepalive '25'
        option endpoint_port '443'
        option route_allowed_ips '1'
        list allowed_ips '172.16.24.0/24'

cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan wifi_clients'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option forward 'DROP'
        option network 'wan6 wwan1 wwan wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
        option src 'wan'
        option enabled '0'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option name 'wg'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'DROP'
        option mtu_fix '1'
        option network 'wg'

config forwarding
        option dest 'wan'
        option src 'wg'

wg show

interface: wg
  public key: nUYDqYENJwPODLepLeCbssNyC0luKAd6MThwskdkymI=
  private key: (hidden)
  listening port: 56845

peer: oxJyUEB9JRCH6cVEw0Cft1J+tMXbn9pKgh7Gg44oATs=
  endpoint: 95.46.175.134:443
  allowed ips: 172.16.24.0/24
  latest handshake: 4 minutes, 41 seconds ago
  transfer: 268 B received, 8.30 KiB sent
  persistent keepalive: every 25 seconds

On the 'client' side, add masquerading to the wg zone:

Delete this:

And add this:

config forwarding
        option dest 'wg'
        option src 'lan'

Then reboot and try again.

The same (

I'm noticing that the endpoint host is missing from the client side (unless this was redacted).

Additionally, try changing the allowed IP's to 0.0.0.0/0 on the client side.

Also, I hope that the private keys have been obfuscated in some way in the configs you shared above. If not, they should be considered compromised and replaced ASAP.

Finally, what is the specific test you are running to determine the connectivity?

Yes, I'll change the keys )
Finally, what is the specific test you are running to determine the connectivity?

ping 172.16.24.1 and 172.16.24.3 from the client; ping 172.16.24.2 and 10.0.45.62 from the server.

I noticed a strange thing. When reconnecting the client (restarting the interface), the first ping attempt passes (80%), the rest fail.

From the client in what sense? The client router itself inside an ssh session? Or a device connected to the client?

Before the 172.16.24.2 will work, obviously the client side must be able to ping the server. But the test to 10.0.45.62 is a bit different -- what is the .62 address? is that the wan address of the server device? Or is it a host on the upstream network? And again, from where is this being tested (ssh session on the server itself or a host on the downstream lan)?