Wireguard VPN only connects when not all traffic is routed

Hi all.
I've got a confusing problem here, and I'm wondering if anyone can figure out what's going on.
I have an OpenWrt router behind my ISP's router, which connects to a self-hosted WireGuard VPN. I'm aware there is NAT involved; however, both networks have static IP addresses.

If you look at the configuration below (result of executing ubus call system board; \ uci export network; uci export firewall; \ head -n -0 /etc/firewall.user; \ iptables-save -c; \ ip -4 addr ; ip -4 ro li tab all ; ip -4 ru)

There are two configured WireGuard peers. They both point to the same server; however, the one with allowed IPs of 0.0.0.0/0 never handshakes. The other one (which routes all traffic apart from 192.168.0.0/16) connects instantly, but it also seems to leak my real IP address, which is far from ideal. The one that routed all traffic was working for the past few weeks as well, which makes it even stranger to me that it now never handshakes. I presume it's something to do with local IPs not being routed correctly, which is why the other configuration works, but I'm also unsure why my IP is being leaked.

{
        "kernel": "5.10.146",
        "hostname": "irishgreencitrus VPN",
        "system": "ARMv7 Processor rev 1 (v7l)",
        "model": "Linksys WRT1200AC",
        "board_name": "linksys,wrt1200ac",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.2",
                "revision": "r19803-9a599fee93",
                "target": "mvebu/cortexa9",
                "description": "OpenWrt 22.03.2 r19803-9a599fee93"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda9:5571:fe8c::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        option ipv6 '0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.4.1'
        option broadcast '192.168.4.255'
        option delegate '0'
        option defaultroute '0'

config device
        option name 'wan'
        option macaddr '5a:ef:68:0e:f9:90'
        option ipv6 '0'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option metric '1024'

config device
        option name 'vpn'
        option mtu '1280'
        option ipv6 '0'
        option acceptlocal '1'

config interface 'vpn'
        option proto 'wireguard'
        option nohostroute '1'
        option private_key '[REDACTED PRIVATE KEY]'
        option listen_port '60000'
        list addresses '10.8.13.6/24'
        list dns '10.8.13.1'

config wireguard_vpn
        option description 'Don't Route Local'
        list allowed_ips '0.0.0.0/1'
        list allowed_ips '128.0.0.0/2'
        list allowed_ips '192.0.0.0/9'
        list allowed_ips '192.128.0.0/11'
        list allowed_ips '192.160.0.0/13'
        list allowed_ips '192.169.0.0/16'
        list allowed_ips '192.170.0.0/15'
        list allowed_ips '192.172.0.0/14'
        list allowed_ips '192.176.0.0/12'
        list allowed_ips '192.192.0.0/10'
        list allowed_ips '193.0.0.0/8'
        list allowed_ips '194.0.0.0/7'
        list allowed_ips '196.0.0.0/6'
        list allowed_ips '200.0.0.0/5'
        list allowed_ips '208.0.0.0/4'
        list allowed_ips '224.0.0.0/3'
        option endpoint_host '[REDACTED ENDPOINT HOST]'
        option endpoint_port '443'
        option persistent_keepalive '25'
        option public_key '[REDACTED PUBLIC KEY]'

config wireguard_vpn
        option description 'Route All'
        option public_key '[REDACTED PUBLIC KEY]'
        list allowed_ips '0.0.0.0/0'
        option route_allowed_ips '1'
        option endpoint_host '[REDACTED ENDPOINT HOST]'
        option endpoint_port '443'
        option persistent_keepalive '15'
        option disabled '1'

config route
        option interface 'lan'
        option target '192.168.0.0/16'
        option gateway '192.168.1.1'

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option family 'ipv4'
        option target 'ACCEPT'
        list icmp_type 'echo-request'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'vpn'

config forwarding
        option src 'lan'
        option dest 'vpn'

config rule
        option name 'Allow-SSH-VPN'
        option src 'vpn'
        option dest_port '22'
        option target 'ACCEPT'
        option family 'ipv4'
        list proto 'tcp'

config rule
        option name 'Allow-LuCi-VPN'
        list proto 'tcp'
        option dest_port '80'
        option target 'ACCEPT'
        option src 'vpn'

config rule
        option name 'Allow-WG-In'
        option src '*'
        option src_port '65000'
        option target 'ACCEPT'

head: /etc/firewall.user: No such file or directory
-ash: iptables-save: not found
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.13/24 brd 192.168.1.255 scope global wan
       valid_lft forever preferred_lft forever
10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.4.1/24 brd 192.168.4.255 scope global br-lan
       valid_lft forever preferred_lft forever
20: vpn: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1280 qdisc noqueue state UNKNOWN qlen 1000
    inet 10.8.13.6/24 brd 10.8.13.255 scope global vpn
       valid_lft forever preferred_lft forever
default via 192.168.1.1 dev wan  src 192.168.1.13  metric 1024
10.8.13.0/24 dev vpn scope link  src 10.8.13.6
192.168.1.0/24 dev wan scope link  metric 1024
192.168.4.0/24 dev br-lan scope link  src 192.168.4.1
broadcast 10.8.13.0 dev vpn table local scope link  src 10.8.13.6
local 10.8.13.6 dev vpn table local scope host  src 10.8.13.6
broadcast 10.8.13.255 dev vpn table local scope link  src 10.8.13.6
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 192.168.1.0 dev wan table local scope link  src 192.168.1.13
local 192.168.1.13 dev wan table local scope host  src 192.168.1.13
broadcast 192.168.1.255 dev wan table local scope link  src 192.168.1.13

broadcast 192.168.4.0 dev br-lan table local scope link  src 192.168.4.1

local 192.168.4.1 dev br-lan table local scope host  src 192.168.4.1
broadcast 192.168.4.255 dev br-lan table local scope link  src 192.168.4.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

(PS I don't believe it to be a problem with the WireGuard server as the same config file works perfectly fine on both my iPhone and Windows laptop.)
Many thanks :smiley:

OK so this basically is the WG client side which connects to a WG server.

It cannot work the way you are doing it, but what exactly do you want to route via the WG server?
All traffic, or do you only want to reach the server and its subnet?

Edit: what is the subnet of the WG server?

Please add missing pieces of system info.
For what it's worth, back up your configuration and upgrade to 23.05.4
(do not post) the nft equivalent of the iptables rule list is `nft list ruleset`

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

You can only enable one of these at a time: when there are multiple peers, the allowed_ips set of each peer must not overlap with any other peer's.

I ask the same question: what are you trying to do? If there are LANs, the more specific routes in the routing table will take precedence, and traffic for locally-existing addresses will go to the LAN interface instead of WireGuard.

I want to route all traffic through my WireGuard connection (0.0.0.0/0). I'm well aware that both peers cannot be enabled at once; I just included them to demonstrate that one of them successfully handshakes and the other (0.0.0.0/0) does not.

The subnet of the Wireguard server is 10.8.13.0/24 and doesn't conflict with anything else. As a matter of fact, if I set the interface's allowed IPs to solely that subnet it works perfectly as I would expect.

Here is the info as requested (I have also updated my router and the issue persists)
ubus call system board

{
        "kernel": "5.15.162",
        "hostname": "irishgreencitrus VPN",
        "system": "ARMv7 Processor rev 1 (v7l)",
        "model": "Linksys WRT1200AC",
        "board_name": "linksys,wrt1200ac",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.4",
                "revision": "r24012-d8dd03c46f",
                "target": "mvebu/cortexa9",
                "description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
        }
}

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda9:5571:fe8c::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        option ipv6 '0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.4.1'
        option broadcast '192.168.4.255'
        option delegate '0'
        option defaultroute '0'

config device
        option name 'wan'
        option macaddr '5a:ef:68:0e:f9:90'
        option ipv6 '0'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option metric '1024'

config device
        option name 'vpn'
        option mtu '1280'
        option ipv6 '0'
        option acceptlocal '1'

config interface 'vpn'
        option proto 'wireguard'
        option nohostroute '1'
        option private_key '[REDACTED PRIVATE KEY]'
        option listen_port '60000'
        list addresses '10.8.13.6/24'
        list dns '10.8.13.1'

config wireguard_vpn
        option description 'Imported peer configuration'
        list allowed_ips '0.0.0.0/1'
        list allowed_ips '128.0.0.0/2'
        list allowed_ips '192.0.0.0/9'
        list allowed_ips '192.128.0.0/11'
        list allowed_ips '192.160.0.0/13'
        list allowed_ips '192.169.0.0/16'
        list allowed_ips '192.170.0.0/15'
        list allowed_ips '192.172.0.0/14'
        list allowed_ips '192.176.0.0/12'
        list allowed_ips '192.192.0.0/10'
        list allowed_ips '193.0.0.0/8'
        list allowed_ips '194.0.0.0/7'
        list allowed_ips '196.0.0.0/6'
        list allowed_ips '200.0.0.0/5'
        list allowed_ips '208.0.0.0/4'
        list allowed_ips '224.0.0.0/3'
        option endpoint_host '[REDACTED ENDPOINT HOST]'
        option endpoint_port '443'
        option persistent_keepalive '25'
        option public_key '[REDACTED PUBLIC KEY]'
        option disabled '1'

config wireguard_vpn
        option description 'Route All'
        option public_key '[REDACTED PUBLIC KEY]'
        list allowed_ips '0.0.0.0/0'
        option route_allowed_ips '1'
        option endpoint_host '[REDACTED ENDPOINT HOST]'
        option endpoint_port '443'
        option persistent_keepalive '15'

config route
        option interface 'lan'
        option target '192.168.0.0/16'
        option gateway '192.168.1.1'

cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option country 'FR'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option macaddr '58:ef:68:0e:f9:92'
        option key '[REDACTED psk]'
        option ssid 'sourVPN'
        option encryption 'psk-mixed'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option country 'FR'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option macaddr '58:ef:68:0e:f9:91'
        option ssid 'sourVPN'
        option key '[REDACTED PSK]'
        option encryption 'psk-mixed'

cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '0'
        option ednspacket_max '1232'
        list server '10.8.13.1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option family 'ipv4'
        option target 'ACCEPT'
        list icmp_type 'echo-request'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'vpn'

config forwarding
        option src 'lan'
        option dest 'vpn'

config rule
        option name 'Allow-SSH-VPN'
        option src 'vpn'
        option dest_port '22'
        option target 'ACCEPT'
        option family 'ipv4'
        list proto 'tcp'

config rule
        option name 'Allow-LuCi-VPN'
        list proto 'tcp'
        option dest_port '80'
        option target 'ACCEPT'
        option src 'vpn'

config rule
        option name 'Allow-WG-In'
        option src '*'
        option src_port '65000'
        option target 'ACCEPT'

What is strange is that when I am connected to the VPN router with 0.0.0.0/0 as the allowed routes, my devices show as connected and secured, yet I cannot ping anything (IP addresses or DNS records), so nothing routed through the VPN tunnel is actually working. This makes me think that for some reason the handshake is also not reaching the VPN server, which is not the case with the other configuration (again, only one is enabled at a time).

Remove the following:

Remove `option nohostroute '1'` and `option listen_port '60000'`

Not sure what this is for; maybe delete it?:

Probably remove this:

Remove this:

I wanted to know the subnet of the router the WG server is running on

After you are done reboot the router and test again

If it does not work, please show (redact keys):

wg show
ip route show