WireGuard IPv6 road-warrior setup not routing to WAN or LAN

I cannot get WireGuard to route to my internal LAN or the internet.

I have successfully set up my IPv6 internet connection and can remotely connect to my OpenWrt router using the web interface (80) and SSH (22) with an IPv6 address and associated duckdns DDNS name. So I know that the IPv6 network is working. I have a /56 prefix delegation, so effectively plenty of accessible public IPv6 IPs.
However, my ISP uses CGNAT on IPv4, so I cannot have a dynamic IPv4 address and have to make the WireGuard tunnel using IPv6, which can then encapsulate the IPv4 traffic.

I have followed the setup of WireGuard so that I can get remote access to the internal LAN when I'm not at home. I can connect my mobile device to the WireGuard VPN, but I cannot get the connected VPN client to route onto my LAN or out via my home ISP to the internet.

When I change the peer allowed IPs and reduce them down to only my LAN IPs rather than 0.0.0.0 (which I believe is effectively a VPN split tunnel), I can access the internet but I still cannot access my local LAN.

I suspect it is something really simple and is either down to a missing route or a firewall rule between zones, but I have tried and cannot figure it out.

Happy to share some of my configs, but I have used the automated setup (https://openwrt.org/docs/guide-user/services/vpn/wireguard/road-warrior) as well as trying to set it up manually, and I cannot get it to work. I believe the automated setup configures the one firewall traffic rule needed, which permits the IPv4 or IPv6 tunnel via port 51281 (I have moved this from 51280 as I have a second WireGuard VPN which I use for private internet access). I have tried a firewall port forward too, but that didn't make a difference.

One thing to note is that my internal LAN uses separate VLANs per subnet. I have a LAN subnet (LAN), a private internet access subnet (LANVPN), a guest network (GUEST) and an IoT network (IOT), an internet connection (WAN) which is IPv4, and a second internet interface (WAN6) which is an alias of WAN for IPv6. I also have a second WireGuard PIA connection (WGPIA) as a subnet with no VLAN tag. I don't think this is causing an issue as the VLANs are routed by the router CPU at layer 3, not layer 2.

Internal subnets:
VLAN1 LAN 192.168.5.1/24
VLAN100 IOT 192.168.10.1/24
VLAN200 GUEST 10.1.20.1/24
VLAN300 LANVPN 192.168.30.1/24
VLAN1 WGPIA 10.14.0.2/16

I have tried my WireGuard remote access LAN (wg_remoteaccess) on 192.168.40.1 and 10.20.30.1, which is where I believe the VPN client lands before it can then route to the LAN / internet.

Can anyone help, as I'm pulling out my hair! Much appreciated.

Please connect to your OpenWrt device using ssh, copy the output of the following commands and post it here using the "Preformatted text </>" button:

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
ip route show
wg show

Also show the remote config of your WireGuard.

root@FriendlyWrt:~# ubus call system board

{
	"kernel": "6.1.57",
	"hostname": "FriendlyWrt",
	"system": "ARMv8 Processor rev 0",
	"model": "FriendlyElec NanoPi R6S",
	"board_name": "friendlyelec,nanopi-r6s",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.3",
		"revision": "r23809-234f1a2efa",
		"target": "rockchip/armv8",
		"description": "OpenWrt 23.05.3 r23809-234f1a2efa"
	}
}

root@FriendlyWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd00:ab:cd::/48'

config device
	option name 'eth2'
	option macaddr '<REDACTED>'

config interface 'wan'
	option device 'eth2'
	option proto 'dhcp'
	option peerdns '0'
	list dns '162.252.172.57'
	list dns '149.154.159.92'
	option ipv6 '1'
	option delegate '0'
	option ip6assign '64'

config interface 'wan6'
	option device '@wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'
	list dns '2620:119:35::35'
	list dns '2620:119:53::53'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	list ports 'eth1'

config device
	option name 'eth1'
	option macaddr '<REDACTED>'

config device
	option name 'eth0'
	option macaddr '<REDACTED>'
	option peerdns '0'
	option dns '162.252.172.57 149.154.159.92'

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.5.1'
	option device 'br-lan.1'
	option ip6assign '64'
	option delegate '0'
	option ip6hint '5'
	option defaultroute '0'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'eth0:u*'
	list ports 'eth1:u*'

config interface 'IOT'
	option proto 'static'
	option device 'br-lan.100'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option delegate '0'
	option ip6assign '64'
	option ip6hint '10'

config bridge-vlan
	option device 'br-lan'
	option vlan '100'
	list ports 'eth0:t'
	list ports 'eth1:t'

config interface 'GUEST'
	option proto 'static'
	option device 'br-lan.200'
	option ipaddr '10.1.20.1'
	option netmask '255.255.255.0'
	option defaultroute '0'
	option delegate '0'
	option ip6assign '64'
	option ip6hint '10'

config bridge-vlan
	option device 'br-lan'
	option vlan '200'
	list ports 'eth0:t'
	list ports 'eth1:t'

config interface 'LANVPN'
	option device 'br-lan.300'
	option proto 'static'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'
	option defaultroute '0'
	option delegate '0'
	option ip6assign '64'
	option ip6hint '10'

config bridge-vlan
	option device 'br-lan'
	option vlan '300'
	list ports 'eth0:t'
	list ports 'eth1:t'

config interface 'OPENVPNCLI'
	option proto 'none'
	option device 'tun0'
	option auto '0'

config interface 'WGPIA'
	option proto 'wireguard'
	list addresses '10.14.0.2/16'
	option defaultroute '0'
	option peerdns '0'
	list dns '162.252.172.57'
	list dns '149.154.159.92'
	option private_key '<REDACTED>'
	option ip6assign '64'

config wireguard_WGPIA 'wireguard_WGPIA'
	option description '<REDACTED>'
	option public_key '<REDACTED>'
	option endpoint_host '<REDACTED>'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'

config bridge-vlan
	option device 'br-lan'
	option vlan '300'
	list ports 'eth0:t'
	list ports 'eth1:t'

config wireguard_WG0 'wireguard_WG0'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'

config interface 'wg_remoteaccess'
	option proto 'wireguard'
	option private_key '<REDACTED>'
	option listen_port '51821'
	list addresses '10.20.30.1/24'
	list addresses 'fd00:ab:cd:30::1/64'
	option mtu '1280'

config wireguard_wg_remoteaccess
	option public_key '<REDACTED>'
	option preshared_key '<REDACTED>'
	option description 'jonesi'
	list allowed_ips '10.20.30.2/32'
	list allowed_ips 'fd00:ab:cd:30::10.20.30.2/128'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option private_key '<REDACTED>'

cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'OPENVPNCLI'

config zone
	option name 'GUEST'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'GUEST'

config zone
	option name 'IOT'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'IOT'

config zone
	option name 'WGPIA'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'WGPIA'

config zone
	option name 'OPENVPNCLI'
	option output 'ACCEPT'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'
	option masq '1'
	list network 'OPENVPNCLI'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option dest 'wan'
	option src 'GUEST'

config forwarding
	option dest 'wan'
	option src 'IOT'

config forwarding
	option src 'lan'
	option dest 'OPENVPNCLI'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option target 'ACCEPT'
	list icmp_type 'echo-request'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Reject-IPv6'
	option family 'ipv6'
	option src 'wan'
	option dest '*'
	option target 'REJECT'
	option enabled '0'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

config zone
	option name 'LANVPN'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'LANVPN'

config forwarding
	option src 'lan'
	option dest 'GUEST'

config forwarding
	option src 'lan'
	option dest 'IOT'

config forwarding
	option src 'lan'
	option dest 'LANVPN'

config forwarding
	option src 'lan'
	option dest 'WGPIA'

config forwarding
	option src 'LANVPN'
	option dest 'GUEST'

config forwarding
	option src 'LANVPN'
	option dest 'IOT'

config forwarding
	option src 'LANVPN'
	option dest 'lan'

config forwarding
	option src 'LANVPN'
	option dest 'OPENVPNCLI'

config forwarding
	option src 'LANVPN'
	option dest 'wan'

config forwarding
	option src 'LANVPN'
	option dest 'WGPIA'

config rule
	option name 'Allow MONIT WebIF from WAN'
	option src 'wan'
	option dest_port '2812'
	option target 'ACCEPT'
	list proto 'tcp'
	option enabled '0'

config rule 'wan_https_allow'
	option name 'Allow HTTPS WebIF from WAN'
	option src 'wan'
	option proto 'tcp'
	option dest_port '443'
	option target 'ACCEPT'

config rule 'wan_ssh_allow'
	option name 'Allow SSH from WAN'
	option src 'wan'
	option proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'

config rule 'wg_rule_remoteaccess'
	option name 'Allow-WireGuard-remoteaccess-wan'
	option src 'wan'
	option dest_port '51821'
	option proto 'udp'
	option target 'ACCEPT'

ip route show

default via 100.101.64.1 dev eth2 proto static src 100.101.68.19 
10.1.20.0/24 dev br-lan.200 proto kernel scope link src 10.1.20.1 
10.14.0.0/16 dev WGPIA proto kernel scope link src 10.14.0.2 
10.20.30.0/24 dev wg_remoteaccess proto kernel scope link src 10.20.30.1 
10.20.30.2 dev wg_remoteaccess proto static scope link 
100.101.64.0/18 dev eth2 proto kernel scope link src 100.101.68.19 
178.239.163.51 via 100.101.64.1 dev eth2 proto static 
185.198.191.226 via 100.101.64.1 dev eth2 proto static 
192.168.5.0/24 dev br-lan.1 proto kernel scope link src 192.168.5.1 
192.168.10.0/24 dev br-lan.100 proto kernel scope link src 192.168.10.1 
192.168.30.0/24 dev br-lan.300 proto kernel scope link src 192.168.30.1 

wg show

interface: wg_remoteaccess
  public key: <REDACTED>
  private key: (hidden)
  listening port: 51821

peer: <REDACTED>
  preshared key: (hidden)
  endpoint: <REDACTED>:64027
  allowed ips: 10.20.30.2/32, fd00:ab:cd:30::a14:1e02/128
  latest handshake: 55 seconds ago
  transfer: 1.11 MiB received, 3.47 MiB sent
  persistent keepalive: every 25 seconds

interface: WGPIA
  public key: <REDACTED>
  private key: (hidden)
  listening port: 10906

peer: <REDACTED>
  endpoint: <REDACTED>:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 50 seconds ago
  transfer: 28.79 KiB received, 49.52 KiB sent
  persistent keepalive: every 25 seconds

wg client config

[Interface]
PrivateKey = <REDACTED>
Address = 10.20.30.2/32, fd00:ab:cd:30::10.20.30.2/128
# ListenPort not defined
DNS = 192.168.5.1

[Peer]
PublicKey = <REDACTED>
PresharedKey = <REDACTED>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint =<REDACTED>:51821
PersistentKeepAlive = 25

Hi egc

Appreciate your help - all of the information should now be in the chat. If you can fix this, I owe you a beer!

It appears you are using firmware that is not from the official OpenWrt project.

When using forks/offshoots/vendor-specific builds that are "based on OpenWrt", there may be many differences compared to the official versions (hosted by OpenWrt.org). Some of these customizations may fundamentally change the way that OpenWrt works. You might need help from people with specific/specialized knowledge about the firmware you are using, so it is possible that advice you get here may not be useful.

You may find that the best options are:

  1. Install an official version of OpenWrt, if your device is supported (see https://firmware-selector.openwrt.org).
  2. Ask for help from the maintainer(s) or user community of the specific firmware that you are using.

If you believe that this specific issue is common to generic/official OpenWrt and/or the maintainers of your build have indicated as such, please feel free to clarify.

Hi
You are correct that it is a fork, but I had this very same issue on my WRT32X. I can resurrect my WRT32X, which is currently running 23.02 I think, but I do understand your concern.

I can give some general advice

Not sure what this is doing here?
Maybe delete it:

You cannot run a WireGuard client and server at the same time without policy-based routing.

The wg_remoteaccess interface has to be placed in the LAN firewall zone.

For an IPv6 WG server setup, if you want IPv6 connectivity you need to disable IPv6 source routing and selectively NAT6 the WG subnet out via the WAN.
However, if you only want IPv4 connectivity (via the IPv6 endpoint) then that is not necessary.
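As an added check (not part of this thread or of OpenWrt's own tooling), the script below parses a UCI firewall file and answers the two questions raised in the reply above: which zone holds the WireGuard interface, and which zones that zone may forward into. It also confirms that a wan rule accepts UDP on the listen port. The `FIREWALL` text is a constructed excerpt modelled on the config posted earlier, trimmed to the relevant sections; `add_network_to_zone` applies the suggested fix in memory and prints the equivalent `uci` commands to run on the router.

```python
"""Added example (not the thread's own tooling): parse an OpenWrt
/etc/config/firewall and report what a WireGuard road-warrior interface
can reach.  FIREWALL is a constructed excerpt modelled on the config
posted above, trimmed to the sections that matter."""
import re

FIREWALL = """\
config zone
	option name 'lan'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option forward 'REJECT'
	option masq '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule 'wg_rule_SVR'
	option name 'Allow-WireGuard-SVR-wan'
	option src 'wan'
	option dest_port '51821'
	option proto 'udp'
	option target 'ACCEPT'
"""

# config <type> ['name']  |  option <key> <value>  |  list <key> <value>
LINE = re.compile(r"(config|option|list)\s+(\S+)(?:\s+(?:'([^']*)'|(\S+)))?\s*$")


def parse_uci(text):
    """UCI text -> ordered list of (section_type, {key: value or [values]})."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unparsed UCI line: {raw!r}")
        kind, key, quoted, bare = m.groups()
        value = quoted if quoted is not None else bare
        if kind == "config":
            sections.append((key, {}))
        elif kind == "option":
            sections[-1][1][key] = value
        else:  # 'list' entries repeat the key; keep them in order
            sections[-1][1].setdefault(key, []).append(value)
    return sections


def zones(sections):
    return [o for t, o in sections if t == "zone"]


def zone_of(sections, network):
    """Name of the zone whose `list network` holds `network`, or None."""
    for z in zones(sections):
        if network in z.get("network", []):
            return z["name"]
    return None


def diagnose(sections, network):
    """Its zone, the zones that zone may forward into, and whether forwarding
    between members of one zone (wg -> lan when both are in 'lan') is allowed."""
    zone = zone_of(sections, network)
    if zone is None:  # unzoned: only the `config defaults` policies apply
        return {"zone": None, "can_forward_to": set(), "intra_zone": False}
    dests = {o["dest"] for t, o in sections
             if t == "forwarding" and o.get("src") == zone}
    own = next(z for z in zones(sections) if z["name"] == zone)
    return {"zone": zone, "can_forward_to": dests,
            "intra_zone": own.get("forward", "REJECT") == "ACCEPT"}


def listen_port_open(sections, port):
    """True if an enabled wan -> router (no dest) rule accepts UDP to `port`."""
    for t, o in sections:
        if t != "rule" or o.get("src") != "wan" or o.get("target") != "ACCEPT":
            continue
        if o.get("dest") or o.get("enabled", "1") == "0" or o.get("dest_port") != str(port):
            continue
        proto = o.get("proto")  # absent = any; may be a list on some rules
        if proto in (None, "udp") or (isinstance(proto, list) and "udp" in proto):
            return True
    return False


def add_network_to_zone(sections, zone, network):
    """Apply the fix in memory and return the equivalent uci commands."""
    for i, z in enumerate(zones(sections)):
        if z["name"] == zone:
            z.setdefault("network", []).append(network)
            return [f"uci add_list firewall.@zone[{i}].network='{network}'",
                    "uci commit firewall", "/etc/init.d/firewall restart"]
    raise KeyError(zone)


if __name__ == "__main__":
    cfg = parse_uci(FIREWALL)
    print("before:", diagnose(cfg, "wg_SVR"), "| 51821 open:", listen_port_open(cfg, 51821))
    print("\n".join(add_network_to_zone(cfg, "lan", "wg_SVR")))
    print("after: ", diagnose(cfg, "wg_SVR"))
```

Run it against a copy of the real file (`scp root@router:/etc/config/firewall .` and pass the contents to `parse_uci`) before and after the change; the zone index in the `uci add_list` line is the position of the zone among the `config zone` sections in file order, which is how uci addresses anonymous sections.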

Hi

I thought wg_remoteaccess was in the lan firewall zone. I must have tweaked this. Now I have added it, I can use the internal DNS server 192.168.5.1 and I can access the web interface of the router. I also seem to be able to access the internet too, but I'm not sure which route this is using!

However, I cannot seem to get past the gateway 192.168.5.1 to access servers on my local LAN 192.168.5.1/24.

I already have pbr in place to direct some clients and services via the WG PIA link to my Surfshark subscription VPN. So, is there a way I can add a PBR rule to permit the wg_remoteaccess route, or temporarily remove/disable/delete the WGPIA interface which goes to Surfshark, so that the route is no longer there whilst I test remote access?

Sounds like we are making progress so if I can get this last little bit sorted we will be good! Really appreciate you helping!

The problem could be that your local lan servers do not allow traffic from other subnets e.g. from your WG subnet.

So as a test, disable the firewall of the local LAN servers, and if that is the problem then tweak the firewall of the local LAN servers to allow 10.20.30.0/24.

Also reboot the server to be sure everything is up and running correctly.


Hi

I have no firewall policies on local servers and I couldn't ping or access any appliances either. I had it working temporarily, but I'm not sure how, and because I made so many changes last night I thought I would try to recreate the config as it should be. The WireGuard interface for remote access is now on 192.168.40.1.

Could I ask you to recheck the following and let me know if you can see any issues? Is PBR getting in the way? I've turned it off and disconnected the Wireshark interface. Also done a full reboot.


VLAN1 LAN 192.168.5.1/24

VLAN100 IOT 192.168.10.1/24

VLAN200 GUEST 10.1.20.1/24

VLAN300 LANVPN 192.168.30.1/24

VLAN1 wg_PIA 10.14.0.2/16

VLAN1 wg_SVR 192.168.40.1/24


#ubus call system board

{
	"kernel": "6.1.57",
	"hostname": "FriendlyWrt",
	"system": "ARMv8 Processor rev 0",
	"model": "FriendlyElec NanoPi R6S",
	"board_name": "friendlyelec,nanopi-r6s",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.3",
		"revision": "r23809-234f1a2efa",
		"target": "rockchip/armv8",
		"description": "OpenWrt 23.05.3 r23809-234f1a2efa"
	}
}

#cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '<xxxREDACTEDxxx>'

config device
	option name 'eth2'
	option macaddr '<xxxREDACTEDxxx>'

config interface 'wan'
	option device 'eth2'
	option proto 'dhcp'
	option peerdns '0'
	list dns '162.252.172.57'
	list dns '149.154.159.92'
	option ipv6 '1'
	option delegate '0'
	option ip6assign '64'

config interface 'wan6'
	option device '@wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option peerdns '0'
	list dns '2620:119:35::35'
	list dns '2620:119:53::53'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	list ports 'eth1'

config device
	option name 'eth1'
	option macaddr '<xxxREDACTEDxxx>'

config device
	option name 'eth0'
	option macaddr '<xxxREDACTEDxxx>'
	option peerdns '0'
	option dns '162.252.172.57 149.154.159.92'

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.5.1'
	option device 'br-lan.1'
	option ip6assign '64'
	option delegate '0'
	option ip6hint '5'
	option defaultroute '0'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'eth0:u*'
	list ports 'eth1:u*'

config interface 'IOT'
	option proto 'static'
	option device 'br-lan.100'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option delegate '0'
	option ip6assign '64'
	option ip6hint '10'

config bridge-vlan
	option device 'br-lan'
	option vlan '100'
	list ports 'eth0:t'
	list ports 'eth1:t'

config interface 'GUEST'
	option proto 'static'
	option device 'br-lan.200'
	option ipaddr '10.1.20.1'
	option netmask '255.255.255.0'
	option defaultroute '0'
	option delegate '0'
	option ip6assign '64'
	option ip6hint '10'

config bridge-vlan
	option device 'br-lan'
	option vlan '200'
	list ports 'eth0:t'
	list ports 'eth1:t'

config interface 'LANVPN'
	option device 'br-lan.300'
	option proto 'static'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'
	option defaultroute '0'
	option delegate '0'
	option ip6assign '64'
	option ip6hint '10'

config bridge-vlan
	option device 'br-lan'
	option vlan '300'
	list ports 'eth0:t'
	list ports 'eth1:t'

config interface 'OPENVPNCLI'
	option proto 'none'
	option device 'tun0'
	option auto '0'

config bridge-vlan
	option device 'br-lan'
	option vlan '300'
	list ports 'eth0:t'
	list ports 'eth1:t'

config interface 'wg_PIA'
	option proto 'wireguard'
	list addresses '10.14.0.2/16'
	option defaultroute '0'
	option peerdns '0'
	list dns '162.252.172.57'
	list dns '149.154.159.92'
	option private_key '<xxxREDACTEDxxx>'
	option ip6assign '64'

config wireguard_wg_PIA 'wireguard_wg_PIA'
	option description 'uk-lon.prod.surfshark.com'
	option public_key '<xxxREDACTEDxxx>'
	option endpoint_host 'uk-lon.prod.surfshark.com'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'

config interface 'wg_SVR'
	option proto 'wireguard'
	option private_key '<xxxREDACTEDxxx>'
	option listen_port '51821'
	list addresses '192.168.40.1/24'
	list addresses 'fd00:ab:cd:40::1/64'
	option mtu '1280'

config wireguard_wg_SVR
	option public_key '<xxxREDACTEDxxx>'
	option preshared_key '<xxxREDACTEDxxx>'
	option description 'jonesi-iphone'
	list allowed_ips '192.168.40.2/32'
	list allowed_ips 'fd00:ab:cd:40::192.168.40.2/128'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

config wireguard_wg_SVR
	option public_key '<xxxREDACTEDxxx>'
	option preshared_key '<xxxREDACTEDxxx>'
	option description 'jonesi-dragonfly'
	list allowed_ips '192.168.40.3/32'
	list allowed_ips 'fd00:ab:cd:40::192.168.40.3/128'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

config wireguard_wg_SVR
	option public_key '<xxxREDACTEDxxx>'
	option preshared_key '<xxxREDACTEDxxx>'
	option description 'jonesi-macbook'
	list allowed_ips '192.168.40.4/32'
	list allowed_ips 'fd00:ab:cd:40::192.168.40.4/128'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

#cat /etc/config/firewall


config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg_SVR'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'OPENVPNCLI'

config zone
	option name 'GUEST'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'GUEST'

config zone
	option name 'IOT'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'IOT'

config zone
	option name 'wg_PIA'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wg_PIA'

config zone
	option name 'OPENVPNCLI'
	option output 'ACCEPT'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'
	option masq '1'
	list network 'OPENVPNCLI'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option dest 'wan'
	option src 'GUEST'

config forwarding
	option dest 'wan'
	option src 'IOT'

config forwarding
	option src 'lan'
	option dest 'OPENVPNCLI'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option target 'ACCEPT'
	list icmp_type 'echo-request'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Reject-IPv6'
	option family 'ipv6'
	option src 'wan'
	option dest '*'
	option target 'REJECT'
	option enabled '0'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

config zone
	option name 'LANVPN'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'LANVPN'

config forwarding
	option src 'lan'
	option dest 'GUEST'

config forwarding
	option src 'lan'
	option dest 'IOT'

config forwarding
	option src 'lan'
	option dest 'LANVPN'

config forwarding
	option src 'lan'
	option dest 'wg_PIA'

config forwarding
	option src 'LANVPN'
	option dest 'GUEST'

config forwarding
	option src 'LANVPN'
	option dest 'IOT'

config forwarding
	option src 'LANVPN'
	option dest 'lan'

config forwarding
	option src 'LANVPN'
	option dest 'OPENVPNCLI'

config forwarding
	option src 'LANVPN'
	option dest 'wan'

config forwarding
	option src 'LANVPN'
	option dest 'wg_PIA'

config rule
	option name 'Allow MONIT WebIF from WAN'
	option src 'wan'
	option dest_port '2812'
	option target 'ACCEPT'
	list proto 'tcp'
	option enabled '0'

config rule 'wan_https_allow'
	option name 'Allow HTTPS WebIF from WAN'
	option src 'wan'
	option proto 'tcp'
	option dest_port '443'
	option target 'ACCEPT'

config rule 'wan_ssh_allow'
	option name 'Allow SSH from WAN'
	option src 'wan'
	option proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'

config rule 'wg_rule_SVR'
	option name 'Allow-WireGuard-SVR-wan'
	option src 'wan'
	option dest_port '51821'
	option proto 'udp'
	option target 'ACCEPT'

#ip route show

default via 100.101.64.1 dev eth2 proto static src 100.101.66.2 
10.1.20.0/24 dev br-lan.200 proto kernel scope link src 10.1.20.1 
10.14.0.0/16 dev wg_PIA proto kernel scope link src 10.14.0.2 
100.101.64.0/18 dev eth2 proto kernel scope link src 100.101.66.2 
178.238.10.1 via 100.101.64.1 dev eth2 proto static 
185.44.77.125 via 100.101.64.1 dev eth2 proto static 
192.168.5.0/24 dev br-lan.1 proto kernel scope link src 192.168.5.1 
192.168.10.0/24 dev br-lan.100 proto kernel scope link src 192.168.10.1 
192.168.30.0/24 dev br-lan.300 proto kernel scope link src 192.168.30.1 
192.168.40.0/24 dev wg_SVR proto kernel scope link src 192.168.40.1 
192.168.40.2 dev wg_SVR proto static scope link 
192.168.40.3 dev wg_SVR proto static scope link 
192.168.40.4 dev wg_SVR proto static scope link 

#wg show

interface: wg_SVR
  public key: <xxxREDACTEDxxx>
  private key: (hidden)
  listening port: 51821

peer: <xxxREDACTEDxxx>
  preshared key: (hidden)
  allowed ips: 192.168.40.2/32, fd00:ab:cd:40::c0a8:2802/128
  persistent keepalive: every 25 seconds

peer: <xxxREDACTEDxxx>
  preshared key: (hidden)
  allowed ips: 192.168.40.3/32, fd00:ab:cd:40::c0a8:2803/128
  persistent keepalive: every 25 seconds

peer: <xxxREDACTEDxxx>
  preshared key: (hidden)
  allowed ips: 192.168.40.4/32, fd00:ab:cd:40::c0a8:2804/128
  persistent keepalive: every 25 seconds

interface: wg_PIA
  public key: <xxxREDACTEDxxx>
  private key: (hidden)
  listening port: 28837

peer: <xxxREDACTEDxxx>
  endpoint: <xxxREDACTEDxxx>
  allowed ips: 0.0.0.0/0
  latest handshake: 7 seconds ago
  transfer: 552 B received, 1.84 KiB sent
  persistent keepalive: every 25 seconds

iPhone Client Config
[Interface]
PrivateKey = <xxxREDACTEDxxx>
Address = 192.168.40.2/32, fd00:ab:cd:40::192.168.40.2/128
# ListenPort not defined
DNS = 192.168.5.1

[Peer]
PublicKey = <xxxREDACTEDxxx>
PresharedKey = <xxxREDACTEDxxx>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <xxxREDACTEDxxx>:51821
PersistentKeepAlive = 25

For all peers this line needs correction

Reboot afterwards; that is all I can think of at this moment.

It's so odd - this is the config on the peer from a GUI perspective.

Looks wrong to me, have a close look: the IPv6 address also has the IPv4 address.

Yes, I agree. Not sure what it should be; the IPv4 should be a /32 address, but would that stop it working?

I'll adjust them and see if it makes a difference
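The `wg show` output above prints `fd00:ab:cd:40::c0a8:2802/128` for a peer whose config says `fd00:ab:cd:40::192.168.40.2/128`. That is not a parse error: a trailing dotted quad is the IPv4-embedded IPv6 notation, so the literal is valid, the client's `Address` line parses to the same value, and it even sits inside `fd00:ab:cd:40::/64`; it is simply not the `::2` one would expect and makes the server and client configs hard to compare by eye. The script below is an added example, not code from this thread: `PEERS` is constructed from the wg_SVR section posted above, `check_peer` reports what WireGuard actually installs for each allowed_ips entry and whether it is a host route inside the interface subnet, and `suggested_v6` derives one plain ULA per peer by mirroring the IPv4 host number (the `::N` convention is this example's suggestion, not something the thread prescribes).

```python
"""Added example (not code from the thread): show what WireGuard makes of an
allowed_ips entry written as fd00:ab:cd:40::192.168.40.2/128 and derive a
plain ULA per peer from its IPv4 host number.  PEERS is constructed from
the wg_SVR section posted above."""
import ipaddress

WG_SVR_V4 = "192.168.40.1/24"
WG_SVR_V6 = "fd00:ab:cd:40::1/64"
PEERS = {
    "jonesi-iphone":    ["192.168.40.2/32", "fd00:ab:cd:40::192.168.40.2/128"],
    "jonesi-dragonfly": ["192.168.40.3/32", "fd00:ab:cd:40::192.168.40.3/128"],
    "jonesi-macbook":   ["192.168.40.4/32", "fd00:ab:cd:40::192.168.40.4/128"],
}


def canonical(cidr):
    """The address as the kernel and `wg show` print it.  A trailing dotted
    quad is legal IPv6 syntax (IPv4-embedded form): 192.168.40.2 is
    0xc0a82802, i.e. the two 16-bit groups c0a8:2802."""
    return str(ipaddress.ip_interface(cidr))


def check_peer(allowed_ips, v4_iface=WG_SVR_V4, v6_iface=WG_SVR_V6):
    """Per entry: (canonical form, inside the interface subnet, host route).
    A road-warrior peer should be a /32 and a /128 inside the server's own
    subnets; anything else is a hint that the address was mistyped."""
    nets = {n.version: n for n in (ipaddress.ip_network(v4_iface, strict=False),
                                   ipaddress.ip_network(v6_iface, strict=False))}
    result = []
    for cidr in allowed_ips:
        a = ipaddress.ip_interface(cidr)
        result.append((str(a), a.ip in nets[a.version],
                       a.network.prefixlen == a.max_prefixlen))
    return result


def suggested_v6(v6_iface, v4_host):
    """Mirror the IPv4 host id into the ULA so both families read the same by
    eye: 192.168.40.2 -> fd00:ab:cd:40::2/128.  Assumes (as with the /24 here)
    that the host id is the last octet."""
    net = ipaddress.ip_interface(v6_iface).network
    host = int(ipaddress.ip_interface(v4_host).ip) & 0xFF
    return f"{net.network_address + host}/128"


def review(peers=PEERS):
    """For each peer: what the server really installs, and a cleaner v6 to use
    on both sides (server allowed_ips and the client's Address line)."""
    out = {}
    for name, allowed in peers.items():
        v4 = next(c for c in allowed if ipaddress.ip_interface(c).version == 4)
        out[name] = {"server_sees": [c[0] for c in check_peer(allowed)],
                     "suggest_v6": suggested_v6(WG_SVR_V6, v4)}
    return out


if __name__ == "__main__":
    for name, info in review().items():
        print(name, info)
```

Whatever form is chosen, the same literal must appear in the server's `list allowed_ips` and in the client's `Address`; the check above makes a mismatch visible before it is debugged as a routing problem.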

Firstly, thanks for all of your help.

What I have also found is that:

a) Whilst running IPv6 with PBR active, there are constant events on the interfaces that trigger PBR to reload.

As a result the network stalls whilst the routing table and firewalls are rebuilt, and this can happen many times in a row or at regular sub-1-minute intervals.

Example...

user.notice pbr: Reloading pbr wan interface routing due to ifup of wan6

These are triggered by /etc/hotplug.d/iface/70-pbr script. I had already put a temporary exclusion in for wan6, but these events happen on all interfaces when IPv6 is enabled.

#!/bin/sh
# shellcheck disable=SC1091,SC3060
# /etc/hotplug.d/iface/70-pbr: run by netifd on every interface event
# (ifup, ifdown, ifupdate, ...) with $INTERFACE, $ACTION and $DEVICE set.

# Temporary local exclusion: do not reload PBR for wan6 events.
if [ "$INTERFACE" = "wan6" ]; then
  logger "***** IGNORE pbr iFACE wan6 *****  $0: Interface: $INTERFACE, ACTION: $ACTION"
  exit 1
fi

# Original script body: reload PBR's routing for the interface that changed.
if [ -x /etc/init.d/pbr ] && /etc/init.d/pbr enabled; then
    logger -t pbr "Reloading pbr $INTERFACE interface routing due to $ACTION of $INTERFACE ($DEVICE)"
    /etc/init.d/pbr on_interface_reload "$INTERFACE"
fi

I've searched for this and it doesn't seem to have been fixed, and lots of people are reporting it. Though I suspect not many users are binding IPv6 yet!

I may pull the plug on the WireGuard remote access until these issues are resolved, as stable internet is more important than remote access.

b) The Wireshark iOS client can say it is connected when it isn't - this may explain the intermittent nature of my issues.

Do you have a view on this?