Wireguard setup issue

Hi all,

I am finally trying to update my routers VPN to Wireguard. I've tried a few times now, but can't seem to get the magic recipe correct, and I was hoping somebody could give me a hand.
The issue is that packets don't seem to be getting to the Wireguard interface (the interface shows zero packets received). If I do a "tcpdump" on port 51820, I see that the peer is trying to connect, but not getting a response. I thought maybe the firewall was dumping the packets, but in Luci, if I enable "Logging of this zone" for each zone, I don't see any UDP packets getting dumped.
I've also followed a couple of different How-To's over the course of trying to set this up, so I probably now have a hodge-podge of settings now, which is not helping.

From this page, here's the output I get. Any help is appreciated.


root@Linksys21:~# logread -e vpn; netstat -l -n -p | grep -e "^udp\s.*\s-$"
udp        0      0 0.0.0.0:51820           0.0.0.0:*                           -
udp        0      0 0.0.0.0:50152           0.0.0.0:*                           -
udp        0      0 :::51820                :::*                                -
root@Linksys21:~# # Runtime configuration
root@Linksys21:~# pgrep -f -a wg; wg show; wg showconf vpn
22626 wg-crypt-wg0
interface: wg0
  public key: Public Key goes here=
  private key: (hidden)
  listening port: 51820

peer: Peer Key goes here=
  allowed ips: 172.16.2.1/32
  persistent keepalive: every 25 seconds
Unable to access interface: No such device
root@Linksys21:~# ip address show; ip route show table all
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1508 qdisc mq state UP qlen 1024
    link/ether 12:34:56:78:90:12 brd ff:ff:ff:ff:ff:ff
    inet6 1234:5678:910a:bcd:ef01/64 scope link
       valid_lft forever preferred_lft forever
3: lan4@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 12:34:56:78:90:12 brd ff:ff:ff:ff:ff:ff
4: lan3@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN qlen 1000
    link/ether 12:34:56:78:90:12 brd ff:ff:ff:ff:ff:ff
5: lan2@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN qlen 1000
    link/ether 12:34:56:78:90:12 brd ff:ff:ff:ff:ff:ff
6: lan1@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN qlen 1000
    link/ether 12:34:56:78:90:12 brd ff:ff:ff:ff:ff:ff
7: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 5a:ef:68:0f:61:70 brd ff:ff:ff:ff:ff:ff
    inet 87.65.43.21/23 brd 87.65.43.255 scope global wan
       valid_lft forever preferred_lft forever
    inet6 fe80::58ef:68ff:fe0f:6170/64 scope link
       valid_lft forever preferred_lft forever
15: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 12:34:56:78:90:12 brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.1/24 brd 172.16.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fd25:c11c:2ed6::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 1234:5678:910a:bcd:ef01/64 scope link
       valid_lft forever preferred_lft forever
16: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
    link/[65534]
    inet 172.16.2.1/24 brd 172.16.2.255 scope global wg0
       valid_lft forever preferred_lft forever
17: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq master br-lan state DOWN qlen 1000
    link/ether 58:ef:68:0f:61:72 brd ff:ff:ff:ff:ff:ff
18: wlan1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq master br-lan state DOWN qlen 1000
    link/ether 58:ef:68:0f:61:71 brd ff:ff:ff:ff:ff:ff
default via 87.65.43.1 dev wan  src 87.65.43.21
87.65.43.0/23 dev wan scope link  src 87.65.43.21
172.16.1.0/24 dev br-lan scope link  src 172.16.1.1
172.16.2.0/24 dev wg0 scope link  src 172.16.2.1
broadcast 87.65.43.0 dev wan table local scope link  src 87.65.43.21
local 87.65.43.21 dev wan table local scope host  src 87.65.43.21
broadcast 87.65.43.255 dev wan table local scope link  src 87.65.43.21
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 172.16.1.0 dev br-lan table local scope link  src 172.16.1.1
local 172.16.1.1 dev br-lan table local scope host  src 172.16.1.1
broadcast 172.16.1.255 dev br-lan table local scope link  src 172.16.1.1
broadcast 172.16.2.0 dev wg0 table local scope link  src 172.16.2.1
local 172.16.2.1 dev wg0 table local scope host  src 172.16.2.1
broadcast 172.16.2.255 dev wg0 table local scope link  src 172.16.2.1
fd25:c11c:2ed6::/64 dev br-lan  metric 1024
unreachable fd25:c11c:2ed6::/48 dev lo  metric 2147483647
fe80::/64 dev eth0  metric 256
fe80::/64 dev br-lan  metric 256
fe80::/64 dev wan  metric 256
local ::1 dev lo table local  metric 0
anycast fd25:c11c:2ed6:: dev br-lan table local  metric 0
local fd25:c11c:2ed6::1 dev br-lan table local  metric 0
anycast fe80:: dev eth0 table local  metric 0
anycast fe80:: dev br-lan table local  metric 0
anycast fe80:: dev wan table local  metric 0
local fe80::58ef:68ff:fe0f:6170 dev wan table local  metric 0
local 1234:5678:910a:bcd:ef01 dev eth0 table local  metric 0
local 1234:5678:910a:bcd:ef01 dev br-lan table local  metric 0
root@Linksys21:~# ip rule show; iptables-save -c
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
# Generated by iptables-save v1.8.7 on Sun Feb 20 20:48:30 2022
*nat
:PREROUTING ACCEPT [7:505]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [6:362]
:POSTROUTING ACCEPT [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:postrouting_wg_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:prerouting_wg_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
:zone_wg_postrouting - [0:0]
:zone_wg_prerouting - [0:0]
[7:505] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[7:505] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[0:0] -A PREROUTING -i wan -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i wg0 -m comment --comment "!fw3" -j zone_wg_prerouting
[9:605] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[0:0] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[9:605] -A POSTROUTING -o wan -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o wg0 -m comment --comment "!fw3" -j zone_wg_postrouting
[0:0] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[7:505] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[9:605] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[9:605] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[0:0] -A zone_wg_postrouting -m comment --comment "!fw3: Custom wg postrouting rule chain" -j postrouting_wg_rule
[0:0] -A zone_wg_prerouting -m comment --comment "!fw3: Custom wg prerouting rule chain" -j prerouting_wg_rule
COMMIT
# Completed on Sun Feb 20 20:48:30 2022
# Generated by iptables-save v1.8.7 on Sun Feb 20 20:48:30 2022
*mangle
:PREROUTING ACCEPT [98:10034]
:INPUT ACCEPT [70:3014]
:FORWARD ACCEPT [24:6758]
:OUTPUT ACCEPT [156:24026]
:POSTROUTING ACCEPT [180:30784]
[2:104] -A FORWARD -o wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[1:52] -A FORWARD -i wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sun Feb 20 20:48:30 2022
# Generated by iptables-save v1.8.7 on Sun Feb 20 20:48:30 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGGING - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:forwarding_wg_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:input_wg_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:output_wg_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
:zone_wg_dest_ACCEPT - [0:0]
:zone_wg_dest_REJECT - [0:0]
:zone_wg_forward - [0:0]
:zone_wg_input - [0:0]
:zone_wg_output - [0:0]
:zone_wg_src_ACCEPT - [0:0]
[8140:815315] -A INPUT -j LOGGING
[8140:815315] -A INPUT -j LOGGING
[0:0] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[76:3254] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[76:3254] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[0:0] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i wan -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i wg0 -m comment --comment "!fw3" -j zone_wg_input
[25:6798] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[22:6555] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[3:243] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i wan -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i wg0 -m comment --comment "!fw3" -j zone_wg_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[8794:2034530] -A OUTPUT -j LOGGING
[0:0] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[167:25666] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[161:25304] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[6:362] -A OUTPUT -o wan -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o wg0 -m comment --comment "!fw3" -j zone_wg_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[0:0] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[3:243] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[3:243] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wg forwarding policy" -j zone_wg_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[0:0] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[0:0] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[0:0] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[0:0] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[9:605] -A zone_wan_dest_ACCEPT -o wan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Zone wan to wg forwarding policy" -j zone_wg_dest_ACCEPT
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[0:0] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 51820 -m comment --comment "!fw3: wan-wg" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[6:362] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[6:362] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wg_dest_ACCEPT -o wg0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wg_dest_REJECT -o wg0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wg_forward -m comment --comment "!fw3: Custom wg forwarding rule chain" -j forwarding_wg_rule
[0:0] -A zone_wg_forward -m comment --comment "!fw3: Zone wg to lan forwarding policy" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wg_forward -m comment --comment "!fw3: Zone wg to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wg_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wg_forward -m comment --comment "!fw3" -j zone_wg_dest_REJECT
[0:0] -A zone_wg_input -m comment --comment "!fw3: Custom wg input rule chain" -j input_wg_rule
[0:0] -A zone_wg_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_wg_input -m comment --comment "!fw3" -j zone_wg_src_ACCEPT
[0:0] -A zone_wg_output -m comment --comment "!fw3: Custom wg output rule chain" -j output_wg_rule
[0:0] -A zone_wg_output -m comment --comment "!fw3" -j zone_wg_dest_ACCEPT
[0:0] -A zone_wg_src_ACCEPT -i wg0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
COMMIT
# Completed on Sun Feb 20 20:48:30 2022
root@Linksys21:~# ip -6 rule show; ip6tables-save -c
0:      from all lookup local
32766:  from all lookup main
4200000001:     from all iif lo lookup unspec 12
4200000007:     from all iif wan lookup unspec 12
4200000015:     from all iif br-lan lookup unspec 12
4200000016:     from all iif wg0 lookup unspec 12
# Generated by ip6tables-save v1.8.7 on Sun Feb 20 20:48:30 2022
*mangle
:PREROUTING ACCEPT [6:482]
:INPUT ACCEPT [6:482]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6:574]
:POSTROUTING ACCEPT [6:574]
[0:0] -A FORWARD -o wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[0:0] -A FORWARD -i wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sun Feb 20 20:48:30 2022
# Generated by ip6tables-save v1.8.7 on Sun Feb 20 20:48:30 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:forwarding_wg_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:input_wg_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:output_wg_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
:zone_wg_dest_ACCEPT - [0:0]
:zone_wg_dest_REJECT - [0:0]
:zone_wg_forward - [0:0]
:zone_wg_input - [0:0]
:zone_wg_output - [0:0]
:zone_wg_src_ACCEPT - [0:0]
[0:0] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[6:482] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[6:482] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[0:0] -A INPUT -i wan -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i wg0 -m comment --comment "!fw3" -j zone_wg_input
[0:0] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i wan -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i wg0 -m comment --comment "!fw3" -j zone_wg_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[6:574] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[6:574] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o wan -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o wg0 -m comment --comment "!fw3" -j zone_wg_output
[0:0] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[0:0] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp6-port-unreachable
[0:0] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wg forwarding policy" -j zone_wg_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[6:482] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[6:482] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[0:0] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[0:0] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[6:482] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_ACCEPT -o wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[0:0] -A zone_wan_dest_ACCEPT -o wan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Forward" -j ACCEPT
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3: Zone wan to wg forwarding policy" -j zone_wg_dest_ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[0:0] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -s fc00::/6 -d fc00::/6 -p udp -m udp --dport 546 -m comment --comment "!fw3: Allow-DHCPv6" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -s fe80::/10 -p ipv6-icmp -m icmp6 --icmpv6-type 143/0 -m comment --comment "!fw3: Allow-MLD" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 129 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 2 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 3 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/0 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 4/1 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 133 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 135 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 134 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p ipv6-icmp -m icmp6 --icmpv6-type 136 -m limit --limit 1000/sec -m comment --comment "!fw3: Allow-ICMPv6-Input" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 51820 -m comment --comment "!fw3: wan-wg" -j ACCEPT
[0:0] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[0:0] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[0:0] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wan_src_REJECT -i wan -m comment --comment "!fw3" -j reject
[0:0] -A zone_wg_dest_ACCEPT -o wg0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wg_dest_REJECT -o wg0 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wg_forward -m comment --comment "!fw3: Custom wg forwarding rule chain" -j forwarding_wg_rule
[0:0] -A zone_wg_forward -m comment --comment "!fw3: Zone wg to lan forwarding policy" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wg_forward -m comment --comment "!fw3: Zone wg to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_wg_forward -m comment --comment "!fw3" -j zone_wg_dest_REJECT
[0:0] -A zone_wg_input -m comment --comment "!fw3: Custom wg input rule chain" -j input_wg_rule
[0:0] -A zone_wg_input -m comment --comment "!fw3" -j zone_wg_src_ACCEPT
[0:0] -A zone_wg_output -m comment --comment "!fw3: Custom wg output rule chain" -j output_wg_rule
[0:0] -A zone_wg_output -m comment --comment "!fw3" -j zone_wg_dest_ACCEPT
[0:0] -A zone_wg_src_ACCEPT -i wg0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
COMMIT
root@Linksys21:~# # Persistent configuration
root@Linksys21:~# uci show network; uci show firewall; crontab -l
network.loopback=interface
network.loopback.device='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd25:c11c:2ed6::/48'
network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='lan1' 'lan2' 'lan3' 'lan4'
network.lan=interface
network.lan.device='br-lan'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan.ipaddr='172.16.1.1'
network.@device[1]=device
network.@device[1].name='wan'
network.@device[1].macaddr='5a:ef:68:0f:61:70'
network.wan=interface
network.wan.device='wan'
network.wan.proto='dhcp'
network.wan6=interface
network.wan6.device='wan'
network.wan6.proto='dhcpv6'
network.wg0=interface
network.wg0.proto='wireguard'
network.wg0.private_key='Private key goes here'
network.wg0.listen_port='51820'
network.wg0.addresses='172.16.2.1/24'
network.@wireguard_wg0[0]=wireguard_wg0
network.@wireguard_wg0[0].description='Pixel6'
network.@wireguard_wg0[0].public_key='Another Key='
network.@wireguard_wg0[0].allowed_ips='172.16.2.1'
network.@wireguard_wg0[0].endpoint_port='51820'
network.@wireguard_wg0[0].persistent_keepalive='25'
firewall.@defaults[0]=defaults
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@defaults[0].synflood_protect='1'
firewall.lan=zone
firewall.lan.name='lan'
firewall.lan.input='ACCEPT'
firewall.lan.output='ACCEPT'
firewall.lan.forward='ACCEPT'
firewall.lan.network='lan'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.input='REJECT'
firewall.wan.output='ACCEPT'
firewall.wan.forward='REJECT'
firewall.wan.masq='1'
firewall.wan.mtu_fix='1'
firewall.wan.network='wan' 'wan6'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[9]=rule
firewall.@rule[9].name='Support-UDP-Traceroute'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest_port='33434:33689'
firewall.@rule[9].proto='udp'
firewall.@rule[9].family='ipv4'
firewall.@rule[9].target='REJECT'
firewall.@rule[9].enabled='0'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].name='JumpBox'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].src_dport='2200'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].dest_ip='172.16.1.222'
firewall.@redirect[0].dest_port='22'
firewall.wg=rule
firewall.wg.name='Allow-WireGuard'
firewall.wg.src='wan'
firewall.wg.proto='udp'
firewall.wg.target='ACCEPT'
firewall.wg.dest_port='51820'
firewall.wg.family='ipv4'
firewall.wg.enabled='0'
firewall.@zone[2]=zone
firewall.@zone[2].name='wg'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].network='wg0'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='wg'
firewall.@forwarding[1].dest='lan'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].src='wg'
firewall.@forwarding[2].dest='wan'
firewall.@forwarding[3]=forwarding
firewall.@forwarding[3].src='lan'
firewall.@forwarding[3].dest='wg'
firewall.@forwarding[4]=forwarding
firewall.@forwarding[4].src='wan'
firewall.@forwarding[4].dest='wg'
firewall.@rule[11]=rule
firewall.@rule[11].name='wan-wg'
firewall.@rule[11].proto='udp'
firewall.@rule[11].src='wan'
firewall.@rule[11].dest_port='51820'
firewall.@rule[11].target='ACCEPT'
root@Linksys21:~#

Thanks for looking!

this should be something else in that subnet... such as 172.16.2.2/32.

Then remove the endpoint port below.

and remove this:

and finally, remove this

Restart the wg interface and the firewall (or restart the entire router), and try again.

1 Like

I appreciate the feedback! Thank you!

I changed the uci network to change the "allowed_ips" as follows:

network.@wireguard_wg0[0]=wireguard_wg0
network.@wireguard_wg0[0].description='Pixel6'
network.@wireguard_wg0[0].public_key='blah blah blah='
network.@wireguard_wg0[0].persistent_keepalive='25'
network.@wireguard_wg0[0].allowed_ips='172.16.2.2/32'

Removed firewall rule [4].

And removed the "Allow-WireGuard" rule.

Restarted the firewall, and the WG interface.

Sady, my peer see's no response. On the router the wg interface shows 0 bytes in/out, and the WG Status Peer shows as never connected.

Any more ideas?

Thanks!

Let's see updated config files as well as your other peer's config (your Pixel 6).

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

Just a remark that nothing reached the firewall, so you may want to check first that you are using the correct destination IP and nothing else is blocking you to reach OpenWrt.

@psherman Here's the info you asked for.

root@Linksys21:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd25:c11c:2ed6::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '172.16.1.1'

config device
        option name 'wan'
        option macaddr '12:23:56:78:90:12'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'Private Key Goes Here='
        option listen_port '51820'
        list addresses '172.16.2.1/24'

config wireguard_wg0
        option description 'Pixel6'
        option public_key 'Public Key Goes Here='
        option persistent_keepalive '25'
        list allowed_ips '172.16.2.2/32'

root@Linksys21:~#
root@Linksys21:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config zone
        option name 'wg'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'wg0'

config forwarding
        option src 'wg'
        option dest 'lan'

config forwarding
        option src 'wg'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'wg'

config rule
        option name 'wan-wg'
        list proto 'udp'
        option src 'wan'
        option dest_port '51820'
        option target 'ACCEPT'

root@Linksys21:~#

Pixel side (Wireguard for Android):

[Interface]
Address = 172.16.2.2/32
PrivateKey = Private_Key_Goes_here=

[Peer]
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = MyURL.org:51820
PublicKey = Public_Key_Goes_here=

Thanks!

Mostly looks good on your configs.

You need to add the route_allowed_ips option to the OpenWrt peer config stanza as follows:

config wireguard_wg0
        option description 'Pixel6'
        option public_key 'Public Key Goes Here='
        option persistent_keepalive '25'
        list allowed_ips '172.16.2.2/32'
        option route_allowed_ips '1'

On your Pixel 6, remove the IPv6 from the allowed IPs (since IPv6 is not setup on the router):

AllowedIPs = 0.0.0.0/0

Next, verify that you have a proper public IP on your router's WAN.
Look at the IPv4 upstream (or the WAN address in the interfaces) and make note of that IP (you can post the first 2 octets in bold: aaa.bbb.ccc.ddd). Compare that against the IP address you see if you google "what's my IP" If those match, the next thing to check is that your domain/url resolves to the correct IP (nslookup MyURL.org).

If everything there is good, the last thing to check will be your keys. It is common for those to get messed up.
Each device should have its own private key. The public key is derived from the private key. The public key that is derived from the private key on the router needs to be transferred to the Pixel's WG config where it will be placed in the peer's public key field. And the same thing in reverse.