Trying to set up WireGuard (WG) on the router just as I did with OpenVPN (OVPN).
WireGuard is configured on interface WG and works:
ping -I WG 8.8.8.8
--- 8.8.8.8 ping statistics ---
113 packets transmitted, 113 packets received, 0% packet loss
round-trip min/avg/max = 4.718/10.370/90.257 ms
/etc/config/network
# /etc/config/network: loopback, LAN bridge, PPPoE WAN (v4 + DHCPv6), guest
# bridge, the OpenVPN tun0 bridge and the WireGuard tunnel plus its bridge.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd57:e6d0:1a07::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
option mtu '1492'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option device 'wan'
option proto 'pppoe'
# PPPoE credentials are redacted in this paste.
option username 'redacted'
option password 'redacted'
option ipv6 'auto'
# peerdns 0: ignore ISP-supplied resolvers and use the listed ones instead.
option peerdns '0'
list dns '45.90.28.39'
list dns '45.90.30.39'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
option reqaddress 'try'
option reqprefix 'auto'
option peerdns '0'
list dns '2a07:a8c0::9c:99bc'
list dns '2a07:a8c1::9c:99bc'
config device
option type 'bridge'
option name 'br-guest'
option bridge_empty '1'
option mtu '1492'
config interface 'guest'
option proto 'static'
option device 'br-guest'
list ipaddr '192.168.2.1/24'
# OpenVPN: tun0 is an unmanaged (proto none) interface; 'br-vpn' lists it as a
# port, but the 'brctl show' output in this post shows br-vpn with no members
# (tun devices are layer-3 only), so 'ovpnbridgeif' effectively serves the
# wifi/guest-style clients attached to br-vpn and pbr routes them via OVPN.
config interface 'OVPN'
option proto 'none'
option device 'tun0'
config device
option type 'bridge'
option name 'br-vpn'
option bridge_empty '1'
option mtu '1492'
list ports 'tun0'
config interface 'ovpnbridgeif'
option proto 'static'
list ipaddr '192.168.3.1/24'
option device 'br-vpn'
# WireGuard client tunnel: the router is the peer at 10.2.0.2/32 and the
# endpoint is remote, so no inbound listener on the router is required.
# Key material is redacted in this paste.
config interface 'WG'
option proto 'wireguard'
option private_key 'keyhere'
list addresses '10.2.0.2/32'
list dns '1.1.1.1'
config wireguard_WG
option description 'Imported peer configuration'
option public_key 'keyhere'
option endpoint_host '149.102.251.97'
option endpoint_port '51820'
# route_allowed_ips + 0.0.0.0/0 installs a default route via the WG device.
# A WireGuard route is a device route with no next hop, which is presumably
# why LuCI shows 'Gateway: 0.0.0.0' for this upstream — expected, not an error.
option route_allowed_ips '1'
list allowed_ips '0.0.0.0/0'
config device
# NOTE(review): this device section only names 'WG' and sets no type or
# options; it appears to be a no-op left over from LuCI — confirm intent.
option name 'WG'
config interface 'iwg'
option proto 'static'
option device 'br-wg'
# NOTE(review): 192.168.4.0/24 is the subnet's network address, not a host
# address; the other bridges use .1/24 ('guest', 'ovpnbridgeif'). Most likely
# this should be 192.168.4.1/24 to match the pbr policy for 192.168.4.0/24.
list ipaddr '192.168.4.0/24'
config device
option type 'bridge'
option name 'br-wg'
# NOTE(review): 'WG' is listed as a bridge port, but 'brctl show' below lists
# only phy1-ap1 under br-wg — a WireGuard interface carries no Ethernet frames
# and cannot be a bridge member. Routing (pbr 'subnet to wg') is what carries
# 192.168.4.0/24 into the tunnel; this port entry can be dropped.
list ports 'WG'
option bridge_empty '1'
option mtu '1492'
/etc/config/dhcp
# /etc/config/dhcp: dnsmasq resolver/DHCP settings, per-interface DHCP pools
# and odhcpd (DHCPv6/RA) settings.
config dnsmasq
option domainneeded '1'
option localise_queries '1'
# rebind_protection: refuse upstream answers that point at private ranges.
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
# localservice: only answer queries from directly attached subnets.
option localservice '1'
option ednspacket_max '1232'
# noresolv: ignore /etc/resolv.conf and use only the 'server' entries below.
option noresolv '1'
list server '45.90.28.0'
list server '45.90.30.0'
list server '2a07:a8c0::'
list server '2a07:a8c1::'
option dnssec '1'
option sequential_ip '1'
list interface 'guest'
list interface 'iwg'
list interface 'lan'
list interface 'OVPN'
list interface 'ovpnbridgeif'
list interface 'wan'
# NOTE(review): no network interface named 'wan_6' exists in /etc/config/network
# ('wan6' is listed separately); this entry looks stale — confirm.
list interface 'wan_6'
list interface 'wan6'
list interface 'WG'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
option ra_slaac '1'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'ovpnbridgeif'
option interface 'ovpnbridgeif'
option start '100'
option limit '150'
option leasetime '12h'
# DHCP option 6: hand out the router's LAN address (192.168.1.1) as resolver,
# so VPN-side clients resolve via the router rather than through the tunnel.
list dhcp_option '6,192.168.1.1'
# No DHCP on the WireGuard tunnel itself (point-to-point, /32 address).
config dhcp 'WG'
option interface 'WG'
option ignore '1'
config dhcp 'iwg'
option interface 'iwg'
option start '100'
option limit '150'
option leasetime '12h'
# Same resolver handling as 'ovpnbridgeif': clients are pointed at 192.168.1.1.
list dhcp_option '6,192.168.1.1'
/etc/config/firewall
# /etc/config/firewall: default policy, zones (lan, wan, wgzone, guest,
# ovpn_net), inter-zone forwardings, traffic rules and one port forward.
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
# The OpenVPN tunnel is treated as untrusted (wan zone: input/forward REJECT).
list network 'OVPN'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Guest clients may reach the router for DNS (53, and the local stubby/nextdns
# listeners on 5353/5453) and DHCP/DHCPv6 only.
config rule
option name 'allow-dhcp-dns-guest'
option src 'guest'
option dest_port '53 67-68 5353 5453 546-547'
option target 'ACCEPT'
list proto 'tcp'
list proto 'udp'
# Port forward from wan to a LAN host (qBittorrent-style listener).
config redirect
option dest 'lan'
option target 'DNAT'
option name 'qbit'
option src 'wan'
option src_dport '47625'
option dest_ip '192.168.1.138'
option dest_port '47625'
# NOTE(review): this zone mixes the WireGuard tunnel ('WG', whose far end is
# the provider's endpoint) with the local client bridge ('iwg'), so input
# ACCEPT / forward ACCEPT also apply to packets arriving *from* the tunnel —
# e.g. to uhttpd (80/443) and dropbear (36762) seen in netstat. The OpenVPN
# tunnel is instead in the 'wan' zone with REJECT. Consider a separate zone
# for 'WG' with the wan policy (input/forward REJECT, masq 1) and keep only
# 'iwg' here.
config zone
option name 'wgzone'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'WG'
list network 'iwg'
option masq '1'
config zone
option name 'guest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'guest'
config forwarding
option src 'guest'
option dest 'wan'
# pbr hooks its own nftables rules in via this include.
config include 'pbr'
option fw4_compatible '1'
option type 'script'
option path '/usr/share/pbr/pbr.firewall.include'
config zone
option name 'ovpn_net'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'ovpnbridgeif'
config forwarding
option src 'ovpn_net'
option dest 'wan'
# DHCP/DNS access from the OpenVPN client bridge to the router (no 53 here,
# unlike the guest rule — presumably intentional; confirm).
config rule
option src 'ovpn_net'
option dest_port '67-68 5353 5453 546-547'
option target 'ACCEPT'
config forwarding
option src 'lan'
option dest 'wgzone'
# NOTE(review): redundant while wgzone input is ACCEPT; only meaningful if the
# zone is tightened to REJECT as suggested above.
config rule
option src 'wgzone'
option dest_port '53 67-68 5353 5453 546-547 51820'
option target 'ACCEPT'
# NOTE(review): src '*' / dest '*' makes these two rules match traffic from
# every zone, including wan, towards port 51820 / 55359. The router is the
# WireGuard *client* (endpoint_host is remote) and netstat shows nothing
# listening on either port, so neither rule is needed for the tunnel to work;
# they only widen the attack surface and should be removed (or at least
# restricted to src 'lan').
config rule
option name 'allow wg'
option src '*'
option dest_port '51820'
option target 'ACCEPT'
option dest '*'
config rule
option name 'allow wg2'
option src '*'
option dest_port '55359'
option target 'ACCEPT'
option dest '*'
config forwarding
option src 'wgzone'
option dest 'wan'
/etc/config/pbr
# /etc/config/pbr: policy-based routing — which source subnet leaves via
# which interface, and where each subnet's DNS is sent.
config pbr 'config'
option enabled '1'
option verbosity '2'
# strict_enforcement: drop traffic for a policy whose interface is down
# instead of letting it fall back to the default route.
option strict_enforcement '1'
option resolver_set 'none'
list resolver_instance '*'
option ipv6_enabled '1'
option boot_timeout '30'
option rule_create_option 'add'
option procd_boot_delay '1'
option procd_reload_delay '1'
option webui_show_ignore_target '0'
option nft_rule_counter '0'
option nft_set_auto_merge '1'
option nft_set_counter '0'
option nft_set_flags_interval '1'
option nft_set_flags_timeout '0'
option nft_set_policy 'performance'
list webui_supported_protocol 'all'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
# Main LAN stays on the ISP link.
config policy
option name 'bypass to wan'
option src_addr '192.168.1.0/24'
option interface 'wan'
# OpenVPN client bridge -> OpenVPN tunnel.
config policy
option name 'subnet to vpn'
option src_addr '192.168.3.0/24'
option interface 'OVPN'
# WireGuard client bridge ('iwg', br-wg) -> WireGuard tunnel. This policy,
# not the bridge membership, is what carries 192.168.4.0/24 into WG.
config policy
option name 'subnet to wg'
option src_addr '192.168.4.0/24'
option interface 'WG'
config dns_policy
option name 'vpn-dns'
option src_addr '192.168.3.0/24'
option dest_dns 'wan'
config dns_policy
option name 'normal-dns'
option src_addr '192.168.1.0/24'
option dest_dns 'wan'
option enabled '0'
config dns_policy
option name 'guest-dns'
option src_addr '192.168.2.0/24'
option dest_dns 'wan'
# NOTE(review): same display name as the 192.168.1.0/24 policy above;
# harmless, but a distinct name (e.g. 'guest bypass to wan') reads better.
config policy
option name 'bypass to wan'
option src_addr '192.168.2.0/24'
option interface 'wan'
# DNS for the WG subnet goes out via wan, not the tunnel. Clients are handed
# 192.168.1.1 by DHCP, so this applies to queries the router forwards for them.
config dns_policy
option name 'wg-dns'
option src_addr '192.168.4.0/24'
option dest_dns 'wan'
netstat -tulnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:5453 0.0.0.0:* LISTEN 9509/stubby
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 1947/uhttpd
tcp 0 0 0.0.0.0:36762 0.0.0.0:* LISTEN 1296/dropbear
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1947/uhttpd
tcp 0 0 :::443 :::* LISTEN 1947/uhttpd
tcp 0 0 ::1:5453 :::* LISTEN 9509/stubby
tcp 0 0 :::36762 :::* LISTEN 1296/dropbear
tcp 0 0 :::80 :::* LISTEN 1947/uhttpd
tcp 0 0 :::53 :::* LISTEN 1523/nextdns
udp 0 0 0.0.0.0:67 0.0.0.0:* 17100/dnsmasq
udp 0 0 127.0.0.1:5453 0.0.0.0:* 9509/stubby
udp 0 0 0.0.0.0:5353 0.0.0.0:* 1523/nextdns
udp 0 0 0.0.0.0:5353 0.0.0.0:* 1523/nextdns
udp 0 0 0.0.0.0:5353 0.0.0.0:* 1523/nextdns
udp 0 0 0.0.0.0:5353 0.0.0.0:* 1523/nextdns
udp 0 0 0.0.0.0:5353 0.0.0.0:* 1523/nextdns
udp 0 0 0.0.0.0:5353 0.0.0.0:* 1523/nextdns
udp 0 0 0.0.0.0:5353 0.0.0.0:* 1523/nextdns
udp 0 0 0.0.0.0:5353 0.0.0.0:* 1523/nextdns
udp 0 0 0.0.0.0:53757 0.0.0.0:* -
udp 0 0 :::546 :::* 5462/odhcp6c
udp 0 0 :::546 :::* 5115/odhcp6c
udp 0 0 :::547 :::* 1817/odhcpd
udp 0 0 :::53 :::* 1523/nextdns
udp 0 0 ::1:5453 :::* 9509/stubby
udp 0 0 :::5353 :::* 1523/nextdns
udp 0 0 :::5353 :::* 1523/nextdns
udp 0 0 :::5353 :::* 1523/nextdns
udp 0 0 :::5353 :::* 1523/nextdns
udp 0 0 :::5353 :::* 1523/nextdns
udp 0 0 :::5353 :::* 1523/nextdns
udp 0 0 :::5353 :::* 1523/nextdns
udp 0 0 :::5353 :::* 1523/nextdns
udp 0 0 :::53757 :::* -
The bridge seems fine:
brctl show
bridge name bridge id STP enabled interfaces
br-vpn 7fff.000000000000 no
br-wg 7fff.76fece8d8cfd no phy1-ap1
br-guest 7fff.76fece8d8cfe no phy0-ap1
br-lan 7fff.74fece8d8cfe no lan4
lan2
phy0-ap0
lan3
phy1-ap0
lan1
Finally, LuCI shows WG as the IPv4 upstream without any gateway — is this right?
IPv4 Upstream
Protocol: WireGuard VPN
Address: 10.2.0.2/32
Gateway: 0.0.0.0
DNS 1: 1.1.1.1
Connected: 0h 27m 17s