I'm in the process of setting up a WireGuard stand-alone server; however, everything I'm finding when adding OpenWRT to the search is directing me to install wireguard-tools on my OpenWRT router.
I don't want to install Wireguard on the router, which appears to be what the tools installs are doing.
Do I need to install Wireguard tools or just configure port forwarding in my router to the wg server, and then configure wg?
You don't need to install anything on your main router (including wireguard-tools) if the WG endpoint sits behind that device. However, if that is the case, you will need to add port forwarding from the main router > wg endpoint assuming that this endpoint is listening for inbound connections.
WG is being installed on an old Linux desktop PC that used to be my Windows Media Center PVR box before Microsoft KO'd MC. Yeah, that was a while ago... since then, it's just been sitting around with various flavors of Linux installed now and again.
It will likely be a container (Proxmox or Docker) server for Pi-hole, WireGuard and a NAS media server. Maybe MythTV, haven't fully decided as my tuner card may be obsolete.
How can I test that my port is actually open and forwarding appropriately?
Zone settings have been left alone as I'm finding no source that says to modify the lan or wan zone settings.
Firewall config for the redirect:
config redirect
option dest 'lan'
option target 'DNAT'
option name 'guard'
option src 'wan'
option src_dport '51820'
option dest_ip '192.168.10.30'
option dest_port '51820'
option family 'ipv4'
list proto 'tcp'
list proto 'udp'
I tried to test with an "Open Port Check Tool" website but it comes back as failed. The WireGuard peer never receives a handshake ack.
I don't know if my ISP is blocking (even though the website says no) or if my firewall configs are incorrect.
You can remove proto TCP since Wireguard is UDP only.
That is 100% expected. WireGuard does not reply to port probes under any circumstances. The WireGuard protocol is not chatty -- it does not respond at all unless the connection is coming from a remote peer that has all the correct cryptographic keys.
That's a bit harder to determine, but we should make sure you have a proper public IP address. Show us the first two octets of your IP address (in bold: aaa.bbb.ccc.ddd):
Enabled logging and I'm not seeing anything in the wan or firewall logs, nor anything about the forwarded address being rejected.
Ok, on a whim I forwarded port 22 to my OpenWRT IP. Open when enabled, Closed when disabled, so forwarding is open and working. So, looks like my issue is between the WG server and WG peer/client.
Ok... so fixing your WG issues would be out of scope here since it's between two non-OpenWrt devices. However, I will offer this pro-tip:
With your phone connected to wifi on the 192.168.10.0/24 network, configure the peer endpoint address (on the phone's config) as 192.168.10.30. This will allow you to test the ability to establish the tunnel and handshake without any complications potentially introduced by your ISP.
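Since WireGuard never answers a probe, the only positive signal that the LAN-side test above worked is a recent handshake timestamp on the server. The following is an added example (not from this thread or the WireGuard project) that parses the tab-separated output of `wg show <iface> dump` and classifies each peer; the interface name `wg0`, the 180-second freshness window and the sample dump with placeholder keys are assumptions.

```python
import subprocess
import time

# A live tunnel re-handshakes roughly every 2 minutes, so anything older than
# this (assumed) window means the peer has stopped reaching us.
HANDSHAKE_FRESH_SECONDS = 180


def parse_wg_dump(dump_text):
    """Parse `wg show <iface> dump`: line 1 is the interface, each later line one peer.
    Peer fields: public-key, preshared-key, endpoint, allowed-ips,
    latest-handshake (unix seconds, 0 = never), rx, tx, persistent-keepalive."""
    lines = [l for l in dump_text.splitlines() if l.strip()]
    peers = []
    for line in lines[1:]:
        f = line.split("\t")
        peers.append({
            "public_key": f[0],
            "endpoint": None if f[2] == "(none)" else f[2],
            "allowed_ips": f[3].split(","),
            "latest_handshake": int(f[4]),
            "rx_bytes": int(f[5]),
            "tx_bytes": int(f[6]),
        })
    return peers


def classify_peers(peers, now, fresh=HANDSHAKE_FRESH_SECONDS):
    """Map each peer public key to 'up', 'stale' or 'never-handshaked'."""
    status = {}
    for p in peers:
        if p["latest_handshake"] == 0:
            status[p["public_key"]] = "never-handshaked"  # no valid handshake ever arrived
        elif now - p["latest_handshake"] <= fresh:
            status[p["public_key"]] = "up"
        else:
            status[p["public_key"]] = "stale"
    return status


def check_interface(iface="wg0"):
    """Run on the WG server (the 192.168.10.30 box) after the phone tries to connect."""
    out = subprocess.run(["wg", "show", iface, "dump"],
                         capture_output=True, text=True, check=True).stdout
    return classify_peers(parse_wg_dump(out), int(time.time()))


# Constructed sample dump: keys are placeholders, not real WireGuard keys.
SAMPLE_DUMP = (
    "SERVER_PRIVKEY_PLACEHOLDER=\tSERVER_PUBKEY_PLACEHOLDER=\t51820\toff\n"
    "PHONE_PUBKEY_PLACEHOLDER=\t(none)\t192.168.10.55:41234\t10.0.0.2/32\t1700000500\t1480\t2896\toff\n"
    "LAPTOP_PUBKEY_PLACEHOLDER=\t(none)\t(none)\t10.0.0.3/32\t0\t0\t0\toff\n"
    "TABLET_PUBKEY_PLACEHOLDER=\t(none)\t192.168.10.60:50000\t10.0.0.4/32\t1699990000\t900\t900\t25\n"
)
```

A peer stuck at `never-handshaked` while its endpoint is the LAN address points at a key or AllowedIPs mismatch rather than at the router or ISP.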