WireGuard: transmits data between peers-server but can't ping/browse from peers

Hi, I'm new here. I'm coming from DD-WRT and have just set up my R7800 with OpenWrt — a long job, since I have a lot of custom features from DD-WRT (I've still not converted all of them).

Now I'm having an issue with WireGuard: I set everything up and it works — or rather, the interface sends and receives data — but I can't browse the internet or ping devices from my iPhone. I'm trying to understand what the issue could be but I'm not able to, so I'm asking for a little help. Here's the info:

wg0       Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.4.0.1  P-t-P:10.4.0.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:461 errors:0 dropped:0 overruns:0 frame:0
          TX packets:54 errors:0 dropped:3 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:52540 (51.3 KiB)  TX bytes:2736 (2.6 KiB)

root@R7800:~# wg show
interface: wg0
  public key: pkey
  private key: (hidden)
  listening port: 51820

peer: pkey
  endpoint: ip:51820
  allowed ips: 10.4.0.1/32
  latest handshake: 2 minutes, 6 seconds ago
  transfer: 83.02 KiB received, 3.73 KiB sent
  persistent keepalive: every 25 seconds

I've also created the rule to open port 51820 from my WAN to the router (wg0 is in the LAN firewall zone):

Incoming IPv4, protocol UDP From wan To this device port 51820

And on my iphone:

I'm using no-ip.com and DDNS on OpenWrt to auto-update the router's IP when it changes; 192.168.1.4 is my Pi-hole with Unbound, which works as DNS (but it doesn't work with any other DNS either).

What could be the trouble? On DD-WRT the same setup was working fine, so surely I'm doing something wrong.

The only difference here is that I still haven't created the masquerade rules to reach my modem (192.168.2.1) from my LAN/router (192.168.1.2), because I'm not able to at the moment (something is different; help here would also be very useful).

Thanks for the help

We need to see some config files from the router. Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

uci export network; \
uci export firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru

Okay, thanks for the quick reply:

root@R7800:~# uci export network; \
> 
package network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd09:48e4:ec4a::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	list ipaddr '192.168.1.2/24'
	list dns '192.168.1.4'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
	option type 'bridge'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 0t'

config interface 'PPPoE'
	option proto 'pppoe'
	option device 'eth0.2'
	option username 'aliceadsl'
	option password 'aliceadsl'
	option ipv6 '0'
	option peerdns '0'
	list dns '192.168.1.4'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'GIjxR2nrHJGG….='
	option listen_port '51820'
	list addresses '10.4.0.1/24'

config wireguard_wg0
	option description '1'
	option public_key '3YUPx4IFIAEEksxo42Jww9QvDtPSVywnnSc9XwzI8yU='
	list allowed_ips '10.4.0.1/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

root@R7800:~# uci export firewall; \
> 
package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg0'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option mtu_fix '1'
	option forward 'REJECT'
	option input 'REJECT'
	option masq '1'
	list network 'wan'
	list network 'wan6'
	list network 'PPPoE'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config forwarding
	option src 'wan'
	option dest 'lan'

config rule
	option name 'WireGuard'
	list proto 'udp'
	option src 'wan'
	list dest_ip '192.168.1.2'
	option dest_port '51820'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option src '*'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '51820'
	option name 'Allow-Wireguard-Inbound'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'WireGuard'
	list proto 'udp'
	option src 'wan'
	option src_dport '51820'
	option dest_port '51820'
	option dest_ip '192.168.1.2'

root@R7800:~# head -n -0 /etc/firewall.user; \
> 
head: /etc/firewall.user: No such file or directory

root@R7800:~# iptables-save -c; \
> 
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them

root@R7800:~# ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
17: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.2/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
20: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
    inet 10.4.0.1/24 brd 10.4.0.255 scope global wg0
       valid_lft forever preferred_lft forever
21: pppoe-PPPoE: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN qlen 3
    inet 95.248.135.83 peer 192.168.100.1/32 scope global pppoe-PPPoE
       valid_lft forever preferred_lft forever
default via 192.168.100.1 dev pppoe-PPPoE 
10.4.0.0/24 dev wg0 scope link  src 10.4.0.1 
10.4.0.1 dev wg0 scope link 
192.168.1.0/24 dev br-lan scope link  src 192.168.1.2 
192.168.100.1 dev pppoe-PPPoE scope link  src 95.248.135.83 
broadcast 10.4.0.0 dev wg0 table local scope link  src 10.4.0.1 
local 10.4.0.1 dev wg0 table local scope host  src 10.4.0.1 
broadcast 10.4.0.255 dev wg0 table local scope link  src 10.4.0.1 
local 95.248.135.83 dev pppoe-PPPoE table local scope host  src 95.248.135.83 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
broadcast 192.168.1.0 dev br-lan table local scope link  src 192.168.1.2 
local 192.168.1.2 dev br-lan table local scope host  src 192.168.1.2 
broadcast 192.168.1.255 dev br-lan table local scope link  src 192.168.1.2 
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 

One thing is that you have an IP conflict: the peer's allowed_ips is 10.4.0.1/32, which is the router's own wg0 address. Move the iPhone to .2.

Enable the first rule ('WireGuard', and delete its dest_ip option), delete the second rule ('Allow-Wireguard-Inbound') and the third one (the redirect).

Are you sure you need the `forwarding` from wan to lan? It exposes the LAN to the internet.


Uh, thank you, I had forgotten to delete some rules I created in order to do some tests. I also moved the IP of the iPhone to 10.4.0.2/32, but I still can't browse/ping from the iPhone:

wg show
interface: wg0
  public key: dhfx1vu4FmdQDHVT91i4QB/i2A92mvxJD02qg5VE2VM=
  private key: (hidden)
  listening port: 51820

peer: 3YUPx4IFIAEEksxo42Jww9QvDtPSVywnnSc9XwzI8yU=
  endpoint: 109.112.95.18:51820
  allowed ips: 10.4.0.2/32
  latest handshake: 15 seconds ago
  transfer: 3.69 KiB received, 3.51 KiB sent
  persistent keepalive: every 25 seconds

Firewall config updated:

root@R7800:~# uci export firewall; \
> 
package firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg0'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option mtu_fix '1'
	option forward 'REJECT'
	option input 'REJECT'
	option masq '1'
	list network 'PPPoE'
	list network 'modem'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'WireGuard'
	list proto 'udp'
	option src 'wan'
	option src_dport '51820'
	option dest_port '51820'

root@R7800:~# 

Delete the redirect.

Install this rule

I think you cannot ping a hostname, so make sure the DNS at 192.168.1.4 (Pi-hole?) is accepting queries from more than one hop away.


Thanks again, I've done it, but still nothing... the phone is connected, but it still can't browse. (The Pi-hole accepts requests from more than one hop away, and it is the same if I change the DNS to any other DNS.)

Firewall rules (changed only the last one):

root@R7800:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg0'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option mtu_fix '1'
	option forward 'REJECT'
	option input 'REJECT'
	option masq '1'
	list network 'PPPoE'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'WireGuard'
	list proto 'udp'
	option src 'wan'
	option dest_port '51820'
	option target 'ACCEPT'

wg show reports that it is connected to my peer (iPhone):

root@R7800:~# wg show
interface: wg0
  public key: dhfx1vu4FmdQDHVT91i4QB/i2A92mvxJD02qg5VE2VM=
  private key: (hidden)
  listening port: 51820

peer: 3YUPx4IFIAEEksxo42Jww9QvDtPSVywnnSc9XwzI8yU=
  endpoint: 109.118.180.42:51820
  allowed ips: 10.4.0.2/32
  latest handshake: 41 seconds ago
  transfer: 604 B received, 596 B sent

And the log from the WireGuard iOS app also looks fine:

2022-04-04 17:13:28.791
[APP] Status update notification timeout for tunnel '1'. Tunnel status is now 'connected'.
2022-04-04 17:13:35.080
[NET] peer(dhfx…E2VM) - Receiving keepalive packet

About the ping: what I meant is that the weird thing (I think) is that if I try to ping the iPhone from the router I receive nothing — no errors, no timeout, no "bad host", nothing; the prompt just freezes in this state:

root@R7800:~# ping 10.4.0.2
PING 10.4.0.2 (10.4.0.2): 56 data bytes


How is this device connected to the network? Is there another router in the system? Or is that DSL connection active on this unit?

Modem with internet connection and ip 192.168.2.1 ---> WAN ---> R7800(router openwrt) with PPPoE and ip 192.168.1.2 -------> my network

The same network config on the same router with DD-WRT (I only changed the OS on the router to test OpenWrt, and it's beautiful) was working fine, which is why this is weird.

I've been spending two days on this thing and I don't know where else to look; I'm not an expert user and it's my first attempt with OpenWrt.

The only thing different from the DD-WRT setup is that now I can't reach my modem on the other subnet, because the same iptables script doesn't work here.

Run at startup:
ifconfig $(nvram get wan_ifname):0 192.168.2.2 netmask 255.255.255.0

Firewall rule:
iptables -t nat -I POSTROUTING -o $(nvram get wan_ifname) -j MASQUERADE

(If someone can give me a little help on this too, it would be appreciated; maybe this is the trouble, but I don't think so, and I don't want to ask too many things.)

Is your modem running as a modem only, or is it a modem+router?

EDIT: a quick thing to check -- take a look at the network configuration from one of your client devices (i.e. a phone or computer) -- what does it see as the gateway/router address?


It is a modem + router (the ISP modem), but it is running as a modem only.

EDIT: a quick thing to check -- take a look at the network configuration from one of your client devices (i.e. a phone or computer) -- what does it see as the gateway/router address?

The router on my other computer is set to the router IP 192.168.1.2; here is the other config from my macOS:

en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=6463<RXCSUM,TXCSUM,TSO4,TSO6,CHANNEL_IO,PARTIAL_CSUM,ZEROINVERT_CSUM>
	ether f8:ff:c2:4c:5a:46 
	inet6 fe80::1463:1ce1:b68d:604b%en1 prefixlen 64 secured scopeid 0x6 
	inet 192.168.1.102 netmask 0xffffff00 broadcast 192.168.1.255
	nd6 options=201<PERFORMNUD,DAD>
	media: autoselect
	status: active

great. All is good there.

Can you post the latest network and firewall files (since you made some changes to them since the last time they were posted)?

The netmask on the tunnel interfaces needs to be large enough to have both ends (the R7800 and the phone) in the same network. Setting it to /32 on the phone is wrong (*). Usually a /24 is used, allowing you to eventually have up to 250 or so WireGuard clients.

On the server, allowed_ips from the phone will be /32 since you're only expecting traffic from the phone's IP.

(*) That will cause the phone's routing table to not include 10.4.0.1, so traffic intended for the WireGuard gateway will go over the regular ISP instead and be lost.

@mk24 I just set /32 after reading your reply, but it is the same: connected, a few kB transferred, but I can't navigate/ping. I hope 10.0.4.1/32 is correct for the wg0 interface — is this what you mean?

@psherman Sure, I attach the latest config. Thanks for the help and the very fast replies:

root@R7800:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd09:48e4:ec4a::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	list ipaddr '192.168.1.2/24'
	list dns '192.168.1.4'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'
	option type 'bridge'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '5 0t'

config interface 'PPPoE'
	option proto 'pppoe'
	option device 'eth0.2'
	option username 'aliceadsl'
	option password 'aliceadsl'
	option ipv6 '0'
	option peerdns '0'
	list dns '192.168.1.4'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'GIj....'
	option listen_port '51820'
	list addresses '10.4.0.1/32'

config wireguard_wg0
	option public_key '3YUPx4IFIAEEksxo42Jww9QvDtPSVywnnSc9XwzI8yU='
	list allowed_ips '10.4.0.2/32'
	option description 'iPhone'
	option route_allowed_ips '1'
	option endpoint_port '51820'


root@R7800:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg0'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option mtu_fix '1'
	option forward 'REJECT'
	option input 'REJECT'
	option masq '1'
	list network 'PPPoE'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'WireGuard'
	list proto 'udp'
	option src 'wan'
	option dest_port '51820'
	option target 'ACCEPT'

This network definition should be larger -- recommend a /24 network

Remove the endpoint port from the peer.


This should not be /32. Set it to /24. Same on the phone in the top section.


I personally prefer to put WG in its own zone, although it is not strictly necessary. If you wanted to do that, it would look like this:

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wg'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'wg0'

config forwarding
	option src 'wg'
	option dest 'wan'

config forwarding
	option src 'wg'
	option dest 'lan'

Sorry, I've made a bit of confusion, also with the port on the peer — I was testing... Now I have cleaned everything up and set it up as you both say (it still doesn't work):

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'GIj...'
	option listen_port '51820'
	list addresses '10.0.4.1/24'

config wireguard_wg0
	option public_key '3YUPx4IFIAEEksxo42Jww9QvDtPSVywnnSc9XwzI8yU='
	list allowed_ips '10.4.0.2/32'
	option description 'iPhone'
	option route_allowed_ips '1'

About the firewall zone: first I want to make it work, then I'll try to change the zone, if it's not strictly necessary :slight_smile:

Looks like you've transposed a 0 and a 4 in your addresses...

I think you want the main interface to be 10.4.0.1/24 (you currently have 10.0.4.1/24)


That is not right. Either 10.4.0 or 10.0.4 but must be consistent everywhere.
