Wireguard Site2Site with Roadwarrior troubleshooting

First I would like to describe why I am looking for a solution.
I have 2 family locations (site100 and site200) that are connected to the internet via the same and only possible provider (Deutsche Glasfaser = DG). Normally, the DG assigns each site a public IPv6 and a private IPv4 address. For some reason assigning the IPv6 address to site100 doesn't work reliably, but the DG is not interested in finding a solution :frowning:
As a consequence, site100 cannot be reached directly from the Internet.

Since both locations can be reached via the private IPv4 addresses because they are both in the DG network, I set up a wireguard tunnel between the locations with IPv4 instead of IPv6.

It works so far. Any device in site100 can reach any device in site200 and vice versa. Accessing devices in remote VLANs (with different subnets) works too.

In addition, a roadwarrior (smartphone, LTE, IPv6) who connects to site200 via the public IPv6 address through wireguard can also access all devices in site200.

However, the roadwarrior cannot access devices in site100.
Why is that? And how do I find out which of the 3 instances involved is causing the problem?

Here is the roadwarrior.conf.
As I have understood it so far, only the subnets that are to be accessed must be specified under AllowedIPs.

[Interface]
Address = 172.16.0.201/32
DNS = 192.168.200.1
PrivateKey = ***

[Peer]
AllowedIPs = 192.168.200.0/24, 192.168.203.0/24, 192.168.100.0/24, 192.168.103.0/24, 192.168.106.0/24
Endpoint = site200.dynv6.net:22222
PublicKey = ***

When running tcpdump on the OpenWrt router on site200 (dns=R2S.dry.lan ip=192.168.200.1), I can see that a ping from the roadwarrior to IP 192.168.200.1 works as expected.
But a ping to the OpenWrt router on site100 (dns=R2S.faro.xa ip=192.168.100.1) is visible on interface wg0. DNS resolution works well.
But finally the request did not get an answer.

root@R2S:~# tcpdump -i wg0 host 172.16.0.201
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wg0, link-type RAW (Raw IP), capture size 262144 bytes
20:18:13.501481 IP 172.16.0.201 > R2S.dry.lan: ICMP echo request, id 59, seq 1, length 64
20:18:13.501803 IP R2S.dry.lan > 172.16.0.201: ICMP echo reply, id 59, seq 1, length 64
20:18:16.383566 IP 172.16.0.201.42376 > R2S.dry.lan.53: 18487+ AAAA? ssl.google-analytics.com. (42)
20:18:16.404331 IP R2S.dry.lan.53 > 172.16.0.201.42376: 18487 NXDomain 0/0/0 (42)
...
20:18:19.974469 IP 172.16.0.201 > R2S.faro.xa: ICMP echo request, id 60, seq 1, length 64
20:18:19.974723 IP 172.16.0.201 > R2S.faro.xa: ICMP echo request, id 60, seq 1, length 64

That leads me to assume that the configuration of the roadwarrior is correct and that the error is in site100 or site200.

root@R2S:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fcc0:a8:c8::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config device
        option name 'eth1'
        option macaddr '***'

config interface 'lan'
        option proto 'static'
        option ip6assign '60'
        option device 'br-lan.1'
        list ipaddr '192.168.200.1/24'

config device
        option name 'eth0'
        option macaddr '***'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'eth1:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '3'
        list ports 'eth1:t'

config interface 'Jail'
        option proto 'static'
        option device 'br-lan.3'
        option ipaddr '192.168.203.1'
        option netmask '255.255.255.0'
        option delegate '0'

config interface 'wg0'
        option proto 'wireguard'
        option listen_port '22222'
        list addresses '172.16.0.200/32'
        option private_key '***'
        option public_key '***'
        option peerdns '0'
        option mtu '1412'

config wireguard_wg0
        option description 'site100'
        option public_key '***'
        option private_key '***'
        option route_allowed_ips '1'
        option endpoint_port '22122'
        option persistent_keepalive '25'
        option endpoint_host 'rr21-ipv4.dynv6.net'
        list allowed_ips '172.16.0.100/32'
        list allowed_ips '192.168.100.0/24'
        list allowed_ips '192.168.103.0/24'
        list allowed_ips '192.168.106.0/24'

config wireguard_wg0
        option description 'roadwarrior'
        list allowed_ips '172.16.0.201/32'
        option route_allowed_ips '1'
        option private_key '***'
        option public_key '***'

config wireguard_wg0
        option description 'roadwarrior2'
        list allowed_ips '172.16.0.101/32'
        option route_allowed_ips '1'
        option private_key '***'
        option public_key '***'

root@R2S:~# route

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         100.113.0.1     0.0.0.0         UG    0      0        0 eth0
100.73.73.102   100.113.0.1     255.255.255.255 UGH   0      0        0 eth0
100.113.0.0     *               255.255.0.0     U     0      0        0 eth0
100.114.141.10  100.113.0.1     255.255.255.255 UGH   0      0        0 eth0
172.16.0.100    *               255.255.255.255 UH    0      0        0 wg0
172.16.0.101    *               255.255.255.255 UH    0      0        0 wg0
172.16.0.201    *               255.255.255.255 UH    0      0        0 wg0
192.168.100.0   *               255.255.255.0   U     0      0        0 wg0
192.168.103.0   *               255.255.255.0   U     0      0        0 wg0
192.168.106.0   *               255.255.255.0   U     0      0        0 wg0
192.168.200.0   *               255.255.255.0   U     0      0        0 br-lan.1
192.168.203.0   *               255.255.255.0   U     0      0        0 br-lan.3

How do I go on to find the config error?

Henning
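As an added example (not from this thread or from OpenWrt), a small Python model of WireGuard's cryptokey routing that walks the roadwarrior's ping through site200 to site100 and back, using site200's peer list from the post. site100's /etc/config/network is not in the thread, so two hypothetical versions are constructed: one whose site200 peer lists only site200's tunnel address and LANs in allowed_ips, and one that also lists the roadwarrior's 172.16.0.201/32. The check covers only the allowed_ips layer, not the kernel routing table or the firewall zones.

```python
import ipaddress
import re

# site200's two wg0 peers, copied from the post (keys and endpoint options omitted).
SITE200_UCI = """
config wireguard_wg0
        option description 'site100'
        option route_allowed_ips '1'
        list allowed_ips '172.16.0.100/32'
        list allowed_ips '192.168.100.0/24'
        list allowed_ips '192.168.103.0/24'
        list allowed_ips '192.168.106.0/24'

config wireguard_wg0
        option description 'roadwarrior'
        list allowed_ips '172.16.0.201/32'
        option route_allowed_ips '1'
"""

# Hypothetical site100 config (constructed, not shown in the thread): site200 is
# its only peer and allowed_ips cover site200's tunnel address and LANs only.
SITE100_UCI_MISSING = """
config wireguard_wg0
        option description 'site200'
        list allowed_ips '172.16.0.200/32'
        list allowed_ips '192.168.200.0/24'
        list allowed_ips '192.168.203.0/24'
"""

# Same config with the roadwarrior's tunnel address added to the site200 peer.
SITE100_UCI_FIXED = SITE100_UCI_MISSING + "        list allowed_ips '172.16.0.201/32'\n"

ROADWARRIOR = "172.16.0.201"
SITE100_ROUTER = "192.168.100.1"


def parse_wg_peers(uci_text, section="wireguard_wg0"):
    """Parse UCI 'config <section>' blocks into [{'description', 'allowed_ips'}]."""
    peers, cur = [], None
    for raw in uci_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            cur = None
            if line.split()[1] == section:
                cur = {"description": "peer%d" % len(peers), "allowed_ips": []}
                peers.append(cur)
        elif cur is not None:
            m = re.match(r"(option|list)\s+(\S+)\s+'([^']*)'", line)
            if not m:
                continue
            key, value = m.group(2), m.group(3)
            if key == "description":
                cur["description"] = value
            elif key == "allowed_ips":
                cur["allowed_ips"].append(ipaddress.ip_network(value, strict=False))
    return peers


def select_peer(peers, address):
    """Cryptokey routing: the peer holding the longest allowed_ips prefix that
    contains `address`, or None if no peer claims it."""
    addr = ipaddress.ip_address(address)
    best, best_len = None, -1
    for p in peers:
        for net in p["allowed_ips"]:
            if addr in net and net.prefixlen > best_len:
                best, best_len = p, net.prefixlen
    return best


def check_hop(site, peers, arrived_from, src, dst, expect_next):
    """One WireGuard host handling a packet. Inbound: WireGuard drops a decrypted
    packet whose src is not in the sending peer's allowed_ips. Outbound: dst must
    map to `expect_next` (None means no peer owns dst, i.e. delivered locally)."""
    problems = []
    if arrived_from is not None:
        owner = select_peer(peers, src)
        if owner is None or owner["description"] != arrived_from:
            problems.append("%s: inbound src %s is not in allowed_ips of peer %s, dropped"
                            % (site, src, arrived_from))
    nxt = select_peer(peers, dst)
    nxt_name = nxt["description"] if nxt else None
    if nxt_name != expect_next:
        problems.append("%s: dst %s maps to peer %s, expected %s"
                        % (site, dst, nxt_name, expect_next))
    return problems


def trace_roadwarrior_ping(site100_uci):
    """Echo request roadwarrior -> site100 router via site200, and the reply back."""
    s200 = parse_wg_peers(SITE200_UCI)
    s100 = parse_wg_peers(site100_uci)
    problems = []
    problems += check_hop("site200", s200, "roadwarrior", ROADWARRIOR, SITE100_ROUTER, "site100")
    problems += check_hop("site100", s100, "site200", ROADWARRIOR, SITE100_ROUTER, None)
    problems += check_hop("site100", s100, None, SITE100_ROUTER, ROADWARRIOR, "site200")
    problems += check_hop("site200", s200, "site100", SITE100_ROUTER, ROADWARRIOR, "roadwarrior")
    return problems


if __name__ == "__main__":
    for label, cfg in (("missing", SITE100_UCI_MISSING), ("fixed", SITE100_UCI_FIXED)):
        print(label, trace_roadwarrior_ping(cfg) or ["path is consistent"])
```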

So you want to use site200 as the intermediary (i.e. phone > site200 > site100), right?
Let's see the firewall configuration for site200.

Sorry, my English is not the best... But you are right.

Here is the firewall config. /etc/firewall.user is empty.
root@R2S:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        list network 'lan'
        list network 'wg0'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6 LTE'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'                                                                                                                                                                                       
        option src_ip 'fc00::/6'                                                                                                                                                                                 
        option dest_ip 'fc00::/6'                                                                                                                                                                                
        option dest_port '546'                                                                                                                                                                                   
        option family 'ipv6'                                                                                                                                                                                     
        option target 'ACCEPT'                                                                                                                                                                                   

config rule                                                                                                                                                                                                      
        option name 'Allow-MLD'                                                                                                                                                                                  
        option src 'wan'                                                                                                                                                                                         
        option proto 'icmp'                                                                                                                                                                                      
        option src_ip 'fe80::/10'                                                                                                                                                                                
        list icmp_type '130/0'                                                                                                                                                                                   
        list icmp_type '131/0'                                                                                                                                                                                   
        list icmp_type '132/0'                                                                                                                                                                                   
        list icmp_type '143/0'                                                                                                                                                                                   
        option family 'ipv6'                                                                                                                                                                                     
        option target 'ACCEPT'                                                                                                                                                                                   

config rule                                                                                                                                                                                                      
        option name 'Allow-ICMPv6-Input'                                                                                                                                                                         
        option src 'wan'                                                                                                                                                                                         
        option proto 'icmp'                                                                                                                                                                                      
        list icmp_type 'echo-request'                                                                                                                                                                            
        list icmp_type 'echo-reply'                                                                                                                                                                              
        list icmp_type 'destination-unreachable'                                                                                                                                                                 
        list icmp_type 'packet-too-big'                                                                                                                                                                          
        list icmp_type 'time-exceeded'                                                                                                                                                                           
        list icmp_type 'bad-header'                                                                                                                                                                              
        list icmp_type 'unknown-header-type'                                                                                                                                                                     
        list icmp_type 'router-solicitation'                                                                                                                                                                     
        list icmp_type 'neighbour-solicitation'                                                                                                                                                                  
        list icmp_type 'router-advertisement'                                                                                                                                                                    
        list icmp_type 'neighbour-advertisement'                                                                                                                                                                 
        option limit '1000/sec'                                                                                                                                                                                  
        option family 'ipv6'                                                                                                                                                                                     
        option target 'ACCEPT'                                                                                                                                                                                   

config rule                                                                                                                                                                                                      
        option name 'Allow-ICMPv6-Forward'                                                                                                                                                                       
        option src 'wan'                                                                                                                                                                                         
        option dest '*'                                                                                                                                                                                          
        option proto 'icmp'                                                                                                                                                                                      
        list icmp_type 'echo-request'                                                                                                                                                                            
        list icmp_type 'echo-reply'                                                                                                                                                                              
        list icmp_type 'destination-unreachable'                                                                                                                                                                 
        list icmp_type 'packet-too-big'                                                                                                                                                                          
        list icmp_type 'time-exceeded'                                                                                                                                                                           
        list icmp_type 'bad-header'                                                                                                                                                                              
        list icmp_type 'unknown-header-type'                                                                                                                                                                     
        option limit '1000/sec'                                                                                                                                                                                  
        option family 'ipv6'                                                                                                                                                                                     
        option target 'ACCEPT'                                                                                                                                                                                   

config rule                                                                                                                                                                                                      
        option name 'Support-UDP-Traceroute'                                                                                                                                                                     
        option src 'wan'                                                                                                                                                                                         
        option dest_port '33434:33689'                                                                                                                                                                           
        option proto 'udp'                                                                                                                                                                                       
        option family 'ipv4'                                                                                                                                                                                     
        option target 'REJECT'                                                                                                                                                                                   
        option enabled '0'                                                                                                                                                                                       

config rule                                                                                                                                                                                                      
        option name 'Allow-Wireguard-Input'                                                                                                                                                                      
        list proto 'udp'                                                                                                                                                                                         
        option src 'wan'                                                                                                                                                                                         
        option dest_port '22222'                                                                                                                                                                                 
        option target 'ACCEPT'                                                                                                                                                                                   

config include                                                                                                                                                                                                   
        option path '/etc/firewall.user'                                                                                                                                                                         

config zone                                                                                                                                                                                                      
        option name 'Jail'                                                                                                                                                                                       
        option input 'ACCEPT'                                                                                                                                                                                    
        option output 'ACCEPT'                                                                                                                                                                                   
        option forward 'REJECT'                                                                                                                                                                                  
        list network 'Jail'                                                                                                                                                                                      

config forwarding                                                                                                                                                                                                
        option src 'lan'                                                                                                                                                                                         
        option dest 'Jail'                                                                                                                                                                                       

config rule                                                                                                                                                                                                      
        option name 'Reject NTP to WAN'                                                                                                                                                                          
        option src 'lan'                                                                                                                                                                                         
        option dest 'wan'                                                                                                                                                                                        
        option dest_port '123'                                                                                                                                                                                   
        option target 'REJECT'                                                                                                                                                                                   

config rule                                                                                                                                                                                                      
        option src 'Jail'                                                                                                                                                                                        
        option dest 'wan'                                                                                                                                                                                        
        option target 'ACCEPT'                                                                                                                                                                                   
        option name 'Allow-Poco-F2-HR'                                                                                                                                                                           
        list src_ip '192.168.203.224'                                                                                                                                                                            
        list src_ip '192.168.203.191'                                                                                                                                                                            

config rule                                                                                                                                                                                                      
        option name 'Drop Jail 2 WAN'                                                                                                                                                                            
        option src 'Jail'                                                                                                                                                                                        
        option dest 'wan'                                                                                                                                                                                        
        option target 'DROP'                                                                                                                                                                                     

config redirect                                                                                                                                                                                                  
        option target 'DNAT'                                                                                                                                                                                     
        option name 'Redirect NTP 2 LAN'                                                                                                                                                                         
        list proto 'udp'                                                                                                                                                                                         
        option src 'lan'                                                                                                                                                                                         
        option src_dport '123'                                                                                                                                                                                   
        option dest 'lan'                                                                                                                                                                                        
        option dest_port '123'  

I'm not positive if this will work, but try the following:

remove wg0 from the lan zone

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

create a new zone for wireguard (with masquerading enabled)

config zone
        option name 'wireguard'
        list network 'wg0'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'

and then add wg > lan forwarding

config forwarding
        option src 'wireguard'
        option dest 'lan'

Thank you for your quick response.
I have changed firewall config as suggested.
I did also restart the firewall.
But nothing changed ...

What happens if you run a traceroute from the phone to an ip in site100?

With traceroute 192.168.100.1 I get this response on the phone:

  1. 172.16.0.200 87ms
  2. 172.16.0.200 92ms

traceroute complete

172.16.0.200 is the ip of the wg0 interface on site200
Ping or HTTP requests are failing, but I have the feeling they fail more quickly than with the original firewall config.

Oops. After restarting the wg interface on site200 I can't access devices in site100 from devices in site200.
site100 is only accessible from the OpenWrt device itself.

K. Turn off masquerading on the wireguard zone and restart the firewall.

Thank you again for your assistance.

Sadly that did not help at all.
So I changed the firewall entries again.

config zone
        option name 'wireguard'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wg0'
        option masq '1'

config forwarding
        option src 'wireguard'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'wireguard'

At first glance it seems to be working. But I'm too tired to verify that completely now. Going to sleep ...

sounds good. we'll continue this when you get to try/verify. night!

I would suspect the issue you're facing probably had less to do with the firewall setup and more to do with the tunnel between the two sites not having the IPs for the 'road warrior' devices in their allowed_ips.

What's the wireguard setup on site100?

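To make the point about allowed_ips concrete, here is an added example (not code from the thread, OpenWrt or WireGuard) that models WireGuard's cryptokey routing table, where the longest matching AllowedIPs prefix decides which peer an address belongs to, on both the receive and the send side. The peer tables are constructed from the tunnel and LAN addresses quoted in the thread: the one labelled "as posted" follows the site100 wireguard_wg0 sections shown later in the thread, the other is an assumed alternative in which the roadwarrior address is covered only by the site200 tunnel entry.

```python
"""Model of WireGuard cryptokey routing (longest-prefix match over AllowedIPs).

Added example, not code from the thread or from OpenWrt/WireGuard. The peer
tables are constructed from the addresses quoted in the thread and are
assumptions about the routers' state, not verified configs.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Peer:
    name: str
    allowed_ips: List[str]
    # True when an endpoint is configured or has been learned from a handshake
    has_endpoint: bool = False


def select_peer(peers: List[Peer], addr: str) -> Optional[Peer]:
    """Return the peer whose AllowedIPs entry most specifically covers addr.

    A WireGuard interface keeps one table for all peers; the longest matching
    prefix wins, whichever peer it belongs to. Host bits in an entry such as
    172.16.0.200/29 are masked off (strict=False), as WireGuard does.
    """
    ip = ip_address(addr)
    best, best_len = None, -1
    for peer in peers:
        for entry in peer.allowed_ips:
            net = ip_network(entry, strict=False)
            if ip in net and net.prefixlen > best_len:
                best, best_len = peer, net.prefixlen
    return best


def inbound_accepted(peers: List[Peer], from_peer: Peer, src: str) -> bool:
    """A packet decrypted from from_peer is dropped unless its source address
    maps back to that same peer; this is the receive-side check."""
    return select_peer(peers, src) is from_peer


def outbound_peer(peers: List[Peer], dst: str) -> Optional[Peer]:
    """The peer an outgoing packet is encrypted to, or None when it cannot
    leave the interface (no covering entry, or a peer with no endpoint)."""
    peer = select_peer(peers, dst)
    return peer if peer is not None and peer.has_endpoint else None


def site100_as_posted() -> List[Peer]:
    """site100's peer list modelled on the config shown later in the thread:
    the roadwarrior address appears as its own endpoint-less peer."""
    return [
        Peer("site200", ["172.16.0.200/32", "172.16.0.200/29",
                         "192.168.200.0/24", "192.168.203.0/24"], True),
        Peer("Roadwarrior-1", ["172.16.0.201/32"]),
        Peer("RoadWarrior-2", ["172.16.0.101/32"]),
    ]


def site100_roadwarrior_via_tunnel() -> List[Peer]:
    """Alternative table (constructed, not from the thread): the roadwarrior
    address is covered only by the site200 tunnel entry."""
    return [
        Peer("site200", ["172.16.0.200/29",
                         "192.168.200.0/24", "192.168.203.0/24"], True),
        Peer("RoadWarrior-2", ["172.16.0.101/32"]),
    ]


def ping_round_trip(peers: List[Peer], via: str, src: str) -> dict:
    """Check both halves of an echo from src arriving through peer `via`:
    is the request accepted, and which peer would carry the reply?"""
    tunnel = next(p for p in peers if p.name == via)
    reply_to = outbound_peer(peers, src)
    return {
        "request_accepted": inbound_accepted(peers, tunnel, src),
        "reply_via": reply_to.name if reply_to else None,
    }


if __name__ == "__main__":
    for label, table in (("as posted", site100_as_posted()),
                         ("via tunnel", site100_roadwarrior_via_tunnel())):
        print(label, ping_round_trip(table, "site200", "172.16.0.201"))
```

Running it shows the "as posted" table attributing 172.16.0.201 to the endpoint-less Roadwarrior-1 peer, so a ping arriving through the site200 tunnel is neither accepted nor answerable, while the alternative table maps it to site200 in both directions.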

Hi,
sorry for the late reply. Got my brand-new EcoFlow Delta 2 power station on Tuesday. I had to try :slight_smile:

Here is the network and firewall config of site100.
As you see, it's very similar to the first version of site200.

/etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fcc0:a8:32::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config device
        option name 'eth1'
        option macaddr '###'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option device 'br-lan.1'
        option ipaddr '192.168.100.1'
        option delegate '0'

config device
        option name 'eth0'
        option macaddr '###'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'
        option reqprefix 'auto'
        option delegate '0'
        option reqaddress 'try'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'eth1:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '3'
        list ports 'eth1:t'

config interface 'Jail'
        option proto 'static'
        option device 'br-lan.3'
        option ipaddr '192.168.103.1'
        option netmask '255.255.255.0'

config bridge-vlan
        option device 'br-lan'
        option vlan '6'
        list ports 'eth1:t'

config interface 'GP'
        option proto 'static'
        option ipaddr '192.168.106.1'
        option netmask '255.255.255.0'
        option device 'br-lan.6'

config interface 'LTE'
        option proto 'dhcp'
        option device 'eth2'

config interface 'wg0'
        option proto 'wireguard'
        option listen_port '22122'
        list addresses '172.16.0.100/32'
        option private_key '####'
        option public_key '####'
        option peerdns '0'
        option force_link '1'

config wireguard_wg0
        option description 'site200'
        option public_key '####'
        option private_key '####'
        option route_allowed_ips '1'
        option endpoint_port '22222'
        option persistent_keepalive '25'
        option endpoint_host 'rr-ipv4.dynv6.net'
        list allowed_ips '172.16.0.200/32'
        list allowed_ips '172.16.0.200/29'
        list allowed_ips '192.168.200.0/24'
        list allowed_ips '192.168.203.0/24'

config wireguard_wg0
        option description 'Roadwarrior-1'
        option route_allowed_ips '1'
        option public_key '####'
        list allowed_ips '172.16.0.201/32'

config wireguard_wg0
        option description 'RoadWarrior-2'
        option route_allowed_ips '1'
        option public_key '####'
        list allowed_ips '172.16.0.101/32'

/etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg0'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'LTE'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config zone
        option name 'Jail'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'Jail'

config forwarding
        option src 'lan'
        option dest 'Jail'

config zone
        option name 'GP'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'GP'

config rule
        option name 'Reject NTP to WAN'
        option src 'lan'
        option dest 'wan'
        option dest_port '123'
        option target 'REJECT'

config rule
        option name 'Drop Jail 2 WAN'
        option src 'Jail'
        option dest 'wan'
        option target 'DROP'

config rule
        option name 'Allow-Wireguard-Input'
        list proto 'udp'
        option src 'wan'
        option dest_port '22122'
        option target 'ACCEPT'

config forwarding
        option src 'GP'
        option dest 'wan'

config rule
        option src 'GP'
        option dest 'lan'
        option target 'ACCEPT'
        option family 'ipv4'
        list proto 'icmp'
        option name 'Allow Ping Lexmark'
        list dest_ip '192.168.100.120'

config redirect
        option target 'DNAT'
        option name 'Redirect NTP 2 LAN'
        list proto 'udp'
        option src 'lan'
        option src_dport '123'
        option dest 'lan'
        option dest_port '123'

Packets from the road warrior originate from 172.16.0.201, so that needs to be in site 100 allowed IPs. Suggest opening up the whole /24 rather than trying to get cute with small subnets. I don't know if .200/29 is valid. That definitely would block .200 itself since the first and last IPs in any subnet block (e.g. the .0 and .255 in a /24) are reserved.

Defining the wg0 root interface itself as a /24 instead of /32 is recommended as that automatically installs a route to the whole tunnel subnet and makes it possible to ping from one site to another on the tunnel IPs for testing.

If symmetric routing is installed everywhere then this will work without NAT. Another approach would be to have a second instance of Wireguard at site 200 for road warrior(s), with a different subnet, and then NAT them into the whole site200-site100 network.

Also the road warrior config seems to have left out route allowed IPs, though often on a road warrior allowed IPs is 0.0.0.0/0, which includes the whole IPv4 Internet and so would also include any private remote LANs.

1 Like

I'm assuming from your previous posts that the 'road warrior' devices will only ever connect to Site200? If that is the case then remove the two roadwarrior peer configs from Site100.

As @mk24 has noted you could assign a /24 to the WG interface (rather than a /32), which would automatically add a route for the whole subnet; however, as you are using additional subnets at either end you'll need to use route_allowed_ips '1' anyway (I assume you don't want to manually set routes), so you'll not really gain any benefit from making that change.

What you should change is list allowed_ips '172.16.0.200/32' and list allowed_ips '172.16.0.200/29' to combine into one range. As @mk24 has said, it'd be better to just have list allowed_ips '172.16.0.0/24'.

2 Likes

As far as matching goes, it is a valid representation and includes .200 to .207.
However, the problem I see here is the double definition of the .201 roadwarrior, both in the site200 peer and in Roadwarrior-1. As site100 cannot get the connection from the roadwarrior directly, it is pointless to have this peer. Also, site100 prefers to send the packets to .201 via the Roadwarrior-1 peer, due to the closest match .201/32, rather than via site200 with the longer match .200/29.

2 Likes
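To make the longest-prefix behaviour described in the last replies concrete, here is an added Python model of WireGuard's allowed-ips (cryptokey routing) lookup, run over the site100 peer table posted above and over an assumed "fixed" table that follows the suggestions (road warrior peers removed, the whole 172.16.0.0/24 on the site200 peer). This is example code written for this thread, not OpenWrt or WireGuard code.

```python
import ipaddress

# Constructed from the site100 /etc/config/network posted above:
# peer description -> its allowed_ips entries.
SITE100_AS_POSTED = {
    "site200": ["172.16.0.200/32", "172.16.0.200/29",
                "192.168.200.0/24", "192.168.203.0/24"],
    "Roadwarrior-1": ["172.16.0.201/32"],
    "RoadWarrior-2": ["172.16.0.101/32"],
}

# Assumed table after the suggested fix: no road warrior peers on site100,
# whole tunnel /24 allowed on the site200 peer.
SITE100_FIXED = {
    "site200": ["172.16.0.0/24", "192.168.200.0/24", "192.168.203.0/24"],
}


def select_peer(peers, ip):
    """Cryptokey routing lookup: the peer owning the longest allowed_ips
    prefix containing ip, or None if nothing matches (packet is dropped)."""
    addr = ipaddress.ip_address(ip)
    best_net, best_peer = None, None
    for peer, cidrs in peers.items():
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            if addr in net and (best_net is None
                                or net.prefixlen > best_net.prefixlen):
                best_net, best_peer = net, peer
    return best_peer


def inbound_accepted(peers, from_peer, src_ip):
    """The same lookup is applied to the source address of a decrypted
    packet: it is only accepted if the lookup returns the sending peer."""
    return select_peer(peers, src_ip) == from_peer


def prefix_span(cidr):
    """First and last address covered by an allowed_ips prefix."""
    net = ipaddress.ip_network(cidr)
    return str(net[0]), str(net[-1])


if __name__ == "__main__":
    for label, table in (("as posted", SITE100_AS_POSTED), ("fixed", SITE100_FIXED)):
        print(label, "-> reply to 172.16.0.201 goes to peer", select_peer(table, "172.16.0.201"),
              "| packet from .201 arriving via site200 accepted:",
              inbound_accepted(table, "site200", "172.16.0.201"))
    print("172.16.0.200/29 spans", prefix_span("172.16.0.200/29"))
```

With the posted table, the road warrior's packet arriving from the site200 peer fails the source check (its address maps to Roadwarrior-1) and the reply would be routed to the Roadwarrior-1 peer, which site100 has no endpoint for; with the fixed table both directions map to site200.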