WireGuard S2S - one-way ping

Hi,

I want to make a network like this:
OpenWRT (Server) - Site A

site A Firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network ''

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding 'lan_wan'
	option src 'lan'
	option dest 'wan'

config zone
	option name 'wguard'
	option network 'wireguard'
	option output 'ACCEPT'
	option input 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'wguard'
	option dest 'lan'

config forwarding
	option src 'wguard'
	option dest 'wan'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option proto 'udp'
	option target 'ACCEPT'
	option dest_port '56789'

config forwarding
	option src 'lan'
	option dest 'wguard'

config nat
	option name 'sitebWgLan'
	list proto 'all'
	option src '*'
	option dest_ip '192.168.84.0/24'
	option target 'SNAT'
	option snat_ip '192.168.20.1'
	option enabled '0'

config nat
	option name 'wguard'
	option src '*'
	option src_ip '192.168.20.0/24'
	option target 'SNAT'
	option snat_ip '192.168.1.1'
	list proto 'all'
	option dest_ip '192.168.1.0/24'

config nat
	option src_ip '192.168.1.0/24'
	option dest_ip '192.168.84.0/24'
	option target 'SNAT'
	option snat_ip '192.168.20.1'
	option name 'wgLanAccess'
	list proto 'all'
	option src '*'
site A Network
config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.1.1'
	option device 'br-lan'

config interface 'wireguard'
	option proto 'wireguard'
	option private_key 'pkey'
	option listen_port '56789'
	list addresses '192.168.20.1/24'

config wireguard_wireguard
	option description 'xxx'
	option public_key 'yyy'
	option route_allowed_ips '1'
	list allowed_ips '192.168.84.0/24'
	list allowed_ips '192.168.85.0/24'
	list allowed_ips '192.168.20.6/32'

OpenWRT (Client) - Site B

site B Firewall
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'

config zone
	option name 'wguard'
	option output 'ACCEPT'
	list network 'wguardClient'
	option input 'REJECT'
	option forward 'REJECT'
	option mtu_fix '1'
	option masq '1'

config zone
	option name 'lanIptv'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lanIptv'

config forwarding
	option src 'lanIptv'
	option dest 'wguard'

config forwarding
	option src 'wguard'
	option dest 'lan'

config forwarding
	option src 'wguard'
	option dest 'wan'

config rule
	option name 'Allow-WireGuard-56789'
	option dest_port '56789'
	option target 'ACCEPT'
	option src 'wan'

config forwarding
	option src 'lan'
	option dest 'wguard'

config nat
	option name 'Inbound from wireguard to LAN'
	option dest_ip '192.168.84.0/24'
	list proto 'all'
	option src 'wguard'
	option target 'SNAT'
	option snat_ip '192.168.84.1'
	option enabled '0'

config forwarding
	option src 'wguard'
	option dest 'lanIptv'

site B network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fde3:c989:c686::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.84.1'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'wwan'
	option proto 'dhcp'

config interface 'wguardClient'
	option proto 'wireguard'
	option private_key 'kkkk'
	list addresses '192.168.20.6/32'

config wireguard_wguardClient
	option description 'wguard'
	option public_key 'kkkk'
	option endpoint_host 'aa.bb'
	option endpoint_port '56789'
	option route_allowed_ips '1'
	list allowed_ips '192.168.1.0/24'
	list allowed_ips '192.168.20.6/32'
	list allowed_ips '0.0.0.0/1'

config device
	option name 'lan2'

config device
	option type 'bridge'
	option name 'brHome'
	list ports 'lan1'

config device
	option name 'lan1'

config interface 'lanHome'
	option proto 'static'
	option device 'brHome'
	option ipaddr '192.168.85.1'
	option netmask '255.255.255.0'
	list dns '1.1.1.1'
	list dns '8.8.8.8'
	list dns '192.168.84.1'

Android Phone - Road warrior - Site C
The idea is that Site B is a remote site where I want to manage some OpenHAB devices through the main site A, and sometimes through site C.

My problem is that I can ping site A from site B, but I cannot ping site B from site A. Here are some routes from sites A and B:

site A route
root@siteA:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         46-10-48-1.ip.b 0.0.0.0         UG    0      0        0 eth0.2
46.xx.xx.xx      *               255.255.240.0   U     0      0        0 eth0.2
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.20.0    *               255.255.255.0   U     0      0        0 wireguard
192.168.20.2    *               255.255.255.255 UH    0      0        0 wireguard
192.168.20.3    *               255.255.255.255 UH    0      0        0 wireguard
192.168.20.4    *               255.255.255.255 UH    0      0        0 wireguard
192.168.20.5    *               255.255.255.255 UH    0      0        0 wireguard
192.168.20.6    *               255.255.255.255 UH    0      0        0 wireguard
192.168.84.0    *               255.255.255.0   U     0      0        0 wireguard
192.168.85.0    *               255.255.255.0   U     0      0        0 wireguard

site B route
root@siteB:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         *               128.0.0.0       U     0      0        0 wguardClient
46.10.xx.xx    192.168.43.1    255.255.255.255 UGH   0      0        0 wlan0
192.168.1.0     *               255.255.255.0   U     0      0        0 wguardClient
192.168.20.6    *               255.255.255.255 UH    0      0        0 wguardClient
192.168.43.0    *               255.255.255.0   U     0      0        0 wlan0
192.168.84.0    *               255.255.255.0   U     0      0        0 br-lan
192.168.85.0    *               255.255.255.0   U     0      0        0 brHome

Any ideas and rules are appreciated! Thanks

How come your Site A doesn't have a Wireguard interface?
Which source address are you using on Site B?
Check with tcpdump whether the ICMP packet actually arrives on the WireGuard interface on Site B.

Turn off masquerading on site B’s wguard firewall zone.