WireGuard help (connecting, but nothing working)

Able to connect, so that's not the issue.

Can't access the internet, so tried to access a local resource (Plex) and that's not working either. (Plex is working, connecting to it is not.)

Firewall (unimportant entries removed):

config defaults
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'ACCEPT'
	option synflood_protect '1'
	option drop_invalid '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule 'wg'
	option name 'Allow-WireGuard'
	option target 'ACCEPT'
	list proto 'all'
	option src 'lan'
	option dest 'wireguard'

config zone
	option name 'wireguard'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'wireguard_0'

config forwarding
	option src 'wireguard'
	option dest 'wan'

Network (keys, macs, port removed):

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config device
	option name 'br-lan'
	option type 'bridge'
	option stp '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ip6assign '60'
	option netmask '255.255.0.0'
	option ipaddr '192.168.0.1'

config device
	option name 'wan'

config interface 'wan'
	option device 'wan'
	option proto 'static'
	option ipaddr '192.168.254.2'
	option netmask '255.255.0.0'
	option gateway '192.168.1.1'
	list dns '8.8.8.8'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'wireguard_0'
	option proto 'wireguard'
	option mtu '1412'
	list addresses '192.168.209.1/24'
	list dns '192.168.0.1'

config interface 'vpn'
	option proto 'static'
	option auto '0'

config route
	option interface 'wireguard_0'
	option target '192.168.209.0/8'
	option gateway '192.168.254.2'
	option disabled '1'

config device
	option name 'wireguard_0'
	option ipv6 '0'

DHCP (hosts removed):

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option ednspacket_max '1232'
	list server '1.1.1.1'
	list server '1.0.0.1'
	option sequential_ip '1'
	option confdir '/tmp/dnsmasq.d'
	option boguspriv '0'
	option authoritative '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option localservice '0'

config dhcp 'lan'
	option interface 'lan'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option leasetime '5m'
	option start '1792'
	option limit '64'
	option force '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	option start '100'
	option limit '150'
	option leasetime '12h'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config mac 'mac1'
	option mac '00:00:00:*:*:*'
	option networkid 'vpn'
	list dhcp_option '3'
	list dhcp_option '6,192.168.253.3'

config dhcp 'vpn'
	option interface 'vpn'
	option ignore '1'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option force '1'
	list dhcp_option '6,8.8.8.8'

This route is definitely incorrect. It conflicts with LAN. This /8 specifies 192.0.0.0-192.255.255.255.

Your lan and wan are overlapping and the overall configuration is invalid here...

As a result, your wireguard config is also invalid since it is in an overlapping subnet.

There are many other major issues with your config.

Can you please describe why you are using /16 (and larger) networks? What is the actual goal here -- is this intended to be a road-warrior type configuration? What is the upstream subnet (both the IP address and subnet mask or CIDR of the upstream router)?


Also, I'm not so certain that it is able to connect. Wireguard will appear to connect on a phone or other device, but it doesn't mean that there has been a successful handshake.

For that, you would need to look at the output of:

wg show

But that is irrelevant at the moment because the configuration of this device has major issues. We'll need to understand your goals and the upstream configuration first... then we can help you fix it. (pro-tip: we'll probably suggest that you reset to defaults as it is the fastest way to fix the problems).


The /16 is just so I can group devices based on type or person. There are fewer than 254 (2^8-2) devices overall, and it's just to make mapping easier for me. As an example, devices like home automation (lights) and TVs are on 4.x, with gaming systems being on 47.x. Home server and VMs are 200.x. So it's not like I'm abusing my router with thousands upon thousands of clients.

This is the main router and connects to the modem/router (FIOS).

It's also disabled. I did correct it to be /24. I sometimes get the values backwards, where I'm thinking /8 for the number to allow, vs 32-8=24.

If that's the case, you can fit everything into a /24 network.

If you want to use a /16 (which is just not necessary), you'll need to ensure that you use an entirely different range for your upstream vs your lan vs your wg networks.

Is your main router at 192.168.1.1/24?

Main is 192.168.0.1/16, and the connection to FIOS is 192.168.254.2.

Is the OpenWrt router connected by the lan or wan port?

Does the fios router support static routes?

This wan interface line is inconsistent with:

Oddly enough, when I change 192.168.1.1 to 192.168.0.1, I lose connection. I also tried 192.168.254.1 and of course 192.168.254.2 won't work.

Yes, 192.168.0.1 is the router's actual IP (in case you're thinking that I'm using 1.1 and not 0.1 without realizing it).

What other issues are you seeing?

Also, if I were to move the WG IP range to 10.x.y.z, would it still work with connecting to the main LAN? I'm not opposed to doing that.

These overlap. 192.168.0.0/16 includes every IP that starts with 192.168.

If you want /16 subnets you'll have to work in the 10.0.0.0 space.
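Added example (not code from the thread or from OpenWrt): a Python check that reads the interface sections of the posted network config with the standard ipaddress module, lists every pair of interfaces whose subnets overlap, and shows the full address span a route target like the disabled 192.168.209.0/8 route covers. The config excerpt is constructed from the snippets in this thread.

```python
import ipaddress
import itertools
import re

# Constructed excerpt of the UCI network config posted in the thread.
NETWORK_CONFIG = """
config interface 'lan'
	option ipaddr '192.168.0.1'
	option netmask '255.255.0.0'
config interface 'wan'
	option ipaddr '192.168.254.2'
	option netmask '255.255.0.0'
config interface 'wireguard_0'
	list addresses '192.168.209.1/24'
"""

def parse_interfaces(text):
    # Map each 'config interface' section to its IPv4 subnet, taken from
    # an ipaddr/netmask pair or from a 'list addresses' CIDR entry.
    nets, name, ipaddr, netmask = {}, None, None, None
    for line in text.splitlines():
        m = re.match(r"\s*config interface '(\w+)'", line)
        if m:
            name, ipaddr, netmask = m.group(1), None, None
            continue
        m = re.match(r"\s*(?:option|list) (\w+) '([^']+)'", line)
        if not m or name is None:
            continue
        key, val = m.groups()
        if key == 'addresses':
            nets[name] = ipaddress.ip_interface(val).network
        elif key == 'ipaddr':
            ipaddr = val
        elif key == 'netmask':
            netmask = val
        if ipaddr and netmask:
            nets[name] = ipaddress.ip_interface(f"{ipaddr}/{netmask}").network
    return nets

def find_overlaps(nets):
    # Every pair of interfaces whose subnets share at least one address.
    return [(a, b) for a, b in itertools.combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]

def route_span(cidr):
    # First and last address a route target such as '192.168.209.0/8' covers.
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)
```

Running find_overlaps on the posted config reports all three pairs (lan/wan, lan/wireguard_0, wan/wireguard_0) as overlapping; moving lan to a /24 and wireguard_0 into 10.0.0.0/8 or 172.16.0.0/12 yields an empty list.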

The connection to FIOS is on the WAN port with that IP address. It's akin to getting a dynamic IP from a cable modem. The WAN port is treated as a WAN port and not as a 5th LAN port switch. Just to point that out. Other routers on the network are set to treat it like a LAN port though. Just not the main router.

As far as I know, it's separate from the main LAN, so is its own LAN. Which just jogged my memory of something. It's why the gateway has to be 1.1, as the FIOS is probably that, with the router's client IP being 254.2. :man_facepalming:

So then that part of the config shouldn't be an issue.

It has been stated multiple times -- your subnets overlap since you seem to want to use a /16.

Your config is invalid as shown and it will never work unless you use (as @mk24 stated) addresses in the 10.0.0.0/8 or 172.16.0.0/12 blocks for either or both the OpenWrt lan and the wireguard interfaces.

You don't need to use the wan port on the OpenWrt router -- by properly assigning the lan, you can avoid needing 3 unique subnets and reduce that to just two.


Well, fundamentally, your lan and wan (and wireguard) interfaces overlap, so all bets are off. However, you've stated that your FIOS router is 192.168.0.1, but then your wan gateway address is set to 192.168.1.1 -- this means one or the other (or both) are wrong.

Basically you should simply reset your OpenWrt router to defaults and start over... you've only shown us some snippets of the config, and most of what you've shown is wrong.... easier to simply start over.

No. Main router (OpenWRT) is 192.168.0.1. Connection to FIOS (WAN port) is 192.168.254.2, with FIOS router being 192.168.1.1 (on the WAN/FIOS side, not the router side). WAN port is the client to the FIOS router. I recall having issues when trying to get the FIOS router to be anything except 192.168.1.1. But since I have it sending everything (DMZ) to 192.168.254.2 (i.e., main router), it's as though it's a passthrough. There are a couple of devices connected to it (FIOS) wirelessly, but they're not on the main network since they are connected to the FIOS router directly.

Under the br-bridge, lan[1-4] are there, but 'wan' isn't. If it was, I'm sure the FIOS router and the main router would be fighting.

So moving WG to 172.16.0.0/16 (I know you said /12, but I'd rather keep it simple so /16). When adding peers, would I use /16 for them too, or /24 or /32?

Wait, what?? The fios wan is connected to the OpenWrt lan??

Can you draw a diagram of your network topology?

No, WAN.

FIOS <---> WAN port (OpenWRT)

WAN is not bridged to LAN ports, they're separate.

Use a simple /24 network. I don't understand why you want to use such massively large subnets.

Peers are defined as /32.


Where does the internet come in?
