Working config for Local Wireguard Server + Wireguard Client

I've been trying to get OpenWRT working for a few days now with a Wireguard client and server using "vpn-policy-routing".

Can someone post the whole relevant config for a basic "Local Wireguard Server + Wireguard Client" as seen in the documentation: https://github.com/stangri/openwrt_packages/blob/master/vpn-policy-routing/files/README.md#local-openvpn-server--openvpn-client-scenario-1

No matter what I do I don't get it to work and I guess it's easier to post an existing working example than me posting all my non-working ones.

It probably isn't. Can you copy the output of the following commands on Site A and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have.

uci export network; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; wg

I get both the 'server' and 'client' working but not at the same time. With the configuration below the 'client' (wgbahnhof) is working but not the 'server' (wgserver). When trying to remotely connect to the server using my phone, it seems like the server can receive the connection data but not respond, so I assume it's some sort of routing problem.

package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdd6:2214:2ebc::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ifname 'eth0'
        option ipaddr '192.168.0.1'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'
        option peerdns '0'

config interface 'wgbahnhof'
        option proto 'wireguard'
        option private_key 'SECRET'
        option force_link '1'
        list addresses 'wg_bahnhof_ip'

config wireguard_wgbahnhof
        option public_key 'SECRET'
        option persistent_keepalive '25'
        option endpoint_port '48574'
        list allowed_ips '0.0.0.0/0'
        option route_allowed_ips '1'
        option endpoint_host 'SECRET_ENDPOINT_IP'

config interface 'wgserver'
        option proto 'wireguard'
        option private_key 'SECRET'
        option listen_port '1234'
        list addresses '10.14.0.1/24'

config wireguard_wgserver
        option public_key 'SECRET'
        option description 'wg user 1'
        list allowed_ips '10.14.0.2/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option name 'wgbahnhof'
        option input 'REJECT'
        option forward 'REJECT'
        option masq '1'
        option output 'ACCEPT'
        option network 'wgbahnhof'

config forwarding
        option dest 'wgbahnhof'
        option src 'lan'

config forwarding
        option dest 'wan'
        option src 'lan'

config zone
        option name 'wgserver'
        option network 'wgserver'
        option input 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option output 'ACCEPT'

config forwarding
        option src 'wgserver'
        option dest 'wan'

config forwarding
        option src 'wgserver'
        option dest 'lan'

config forwarding
        option src 'wgserver'
        option dest 'wgbahnhof'

config rule
        option name 'Allow-WG-Inbound'
        option target 'ACCEPT'
        option src '*'
        option proto 'udp'
        option dest_port '1234'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet SECRET_WAN_EXTERNAL_IP/24 brd xxx.xxx.xxx.xxx scope global eth1
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.0.1/24 brd 192.168.0.255 scope global br-lan
       valid_lft forever preferred_lft forever
7: wgserver: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 10.14.0.1/24 brd 10.14.0.255 scope global wgserver
       valid_lft forever preferred_lft forever
9: wgbahnhof: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    inet wg_bahnhof_ip/32 brd 255.255.255.255 scope global wgbahnhof
       valid_lft forever preferred_lft forever
default via xxx.xxx.xxx.xxx dev eth1 table 201
10.14.0.0/24 dev wgserver table 201 proto kernel scope link src 10.14.0.1
10.14.0.2 dev wgserver table 201 proto static scope link
default via wg_bahnhof_ip dev wgbahnhof table 202
10.14.0.0/24 dev wgserver table 202 proto kernel scope link src 10.14.0.1
10.14.0.2 dev wgserver table 202 proto static scope link
default dev wgbahnhof proto static scope link
10.14.0.0/24 dev wgserver proto kernel scope link src 10.14.0.1
10.14.0.2 dev wgserver proto static scope link
SECRET_ENDPOINT_IP via xxx.xxx.xxx.xxx dev eth1 proto static
xxx.xxx.xxx.xxx/24 dev eth1 proto kernel scope link src SECRET_WAN_EXTERNAL_IP
192.168.0.0/24 dev br-lan proto kernel scope link src 192.168.0.1
local wg_bahnhof_ip dev wgbahnhof table local proto kernel scope host src wg_bahnhof_ip
broadcast 10.14.0.0 dev wgserver table local proto kernel scope link src 10.14.0.1
local 10.14.0.1 dev wgserver table local proto kernel scope host src 10.14.0.1
broadcast 10.14.0.255 dev wgserver table local proto kernel scope link src 10.14.0.1
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast xxx.xxx.xxx.xxx dev eth1 table local proto kernel scope link src SECRET_WAN_EXTERNAL_IP
local SECRET_WAN_EXTERNAL_IP dev eth1 table local proto kernel scope host src SECRET_WAN_EXTERNAL_IP
broadcast xxx.xxx.xxx.xxx dev eth1 table local proto kernel scope link src SECRET_WAN_EXTERNAL_IP
broadcast 192.168.0.0 dev br-lan table local proto kernel scope link src 192.168.0.1
local 192.168.0.1 dev br-lan table local proto kernel scope host src 192.168.0.1
broadcast 192.168.0.255 dev br-lan table local proto kernel scope link src 192.168.0.1
0:      from all lookup local
32760:  from all fwmark 0x20000/0xff0000 lookup 202
32761:  from all fwmark 0x10000/0xff0000 lookup 201
32766:  from all lookup main
32767:  from all lookup default
interface: wgserver
  public key: SECRET
  private key: (hidden)
  listening port: 1234

peer: SECRET
  endpoint: 192.168.0.99:40058
  allowed ips: 10.14.0.2/32
  transfer: 148 B received, 832 B sent
  persistent keepalive: every 25 seconds

interface: wgbahnhof
  public key: SECRET
  private key: (hidden)
  listening port: 54844

peer: SECRET
  endpoint: SECRET_ENDPOINT_IP:48574
  allowed ips: 0.0.0.0/0
  latest handshake: 36 seconds ago
  transfer: 2.17 MiB received, 366.61 KiB sent
  persistent keepalive: every 25 seconds

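What the posted rules and route tables imply for a reply packet, as an added example that is not part of the thread: the script below replays the kernel's policy-routing decision (walk `ip rule` by priority, honour the fwmark match, longest prefix wins in the first table that has a hit) over a constructed copy of the dump above, with the redacted values replaced by documentation-range addresses (WAN 203.0.113.10/24 via 203.0.113.1, the provider endpoint 198.51.100.5, the wgbahnhof address 10.66.0.2) and 192.0.2.77 standing in for a phone on the mobile network. Those addresses are assumptions for the demonstration only.

```python
import ipaddress
import re

# Constructed stand-in for the `ip -4 ru` output in the post (same priorities and marks).
RULES_TXT = """\
0:      from all lookup local
32760:  from all fwmark 0x20000/0xff0000 lookup 202
32761:  from all fwmark 0x10000/0xff0000 lookup 201
32766:  from all lookup main
32767:  from all lookup default
"""

# Constructed stand-in for `ip -4 ro li tab all`: the post's redacted values are replaced by
# documentation-range addresses (WAN 203.0.113.10/24 via 203.0.113.1, VPN provider endpoint
# 198.51.100.5, wgbahnhof tunnel address 10.66.0.2). Everything else mirrors the post.
ROUTES_TXT = """\
default via 203.0.113.1 dev eth1 table 201
10.14.0.0/24 dev wgserver table 201 proto kernel scope link src 10.14.0.1
10.14.0.2 dev wgserver table 201 proto static scope link
default via 10.66.0.2 dev wgbahnhof table 202
10.14.0.0/24 dev wgserver table 202 proto kernel scope link src 10.14.0.1
10.14.0.2 dev wgserver table 202 proto static scope link
default dev wgbahnhof proto static scope link
10.14.0.0/24 dev wgserver proto kernel scope link src 10.14.0.1
10.14.0.2 dev wgserver proto static scope link
198.51.100.5 via 203.0.113.1 dev eth1 proto static
203.0.113.0/24 dev eth1 proto kernel scope link src 203.0.113.10
192.168.0.0/24 dev br-lan proto kernel scope link src 192.168.0.1
local 10.66.0.2 dev wgbahnhof table local proto kernel scope host src 10.66.0.2
local 10.14.0.1 dev wgserver table local proto kernel scope host src 10.14.0.1
local 203.0.113.10 dev eth1 table local proto kernel scope host src 203.0.113.10
local 192.168.0.1 dev br-lan table local proto kernel scope host src 192.168.0.1
"""

RULE_RE = re.compile(
    r"^(\d+):\s+from all(?: fwmark (0x[0-9a-fA-F]+)(?:/(0x[0-9a-fA-F]+))?)? lookup (\S+)"
)
ROUTE_TYPES = {"local", "broadcast", "unreachable", "blackhole", "prohibit"}


def parse_rules(text):
    """Parse `ip rule` lines into dicts ordered by priority (lowest first)."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        prio, mark, mask, table = m.groups()
        rules.append({
            "prio": int(prio),
            "mark": int(mark, 16) if mark else None,
            "mask": int(mask, 16) if mask else 0xFFFFFFFF,
            "table": table,
        })
    return sorted(rules, key=lambda r: r["prio"])


def parse_routes(text):
    """Parse `ip route list table all` lines; routes without 'table X' belong to main."""
    routes = []
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        rtype = toks.pop(0) if toks[0] in ROUTE_TYPES else "unicast"
        dst = toks.pop(0)
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False)
        route = {"type": rtype, "net": net, "dev": None, "via": None, "table": "main"}
        for key, val in zip(toks, toks[1:]):
            if key in ("dev", "via", "table"):
                route[key] = val
        routes.append(route)
    return routes


def lookup(dst, rules, routes, fwmark=0):
    """Emulate the kernel's decision: walk rules by priority, skip those whose fwmark does not
    match, and return the longest-prefix route from the first table that has a match."""
    dst = ipaddress.ip_address(dst)
    for rule in rules:
        if rule["mark"] is not None and (fwmark & rule["mask"]) != rule["mark"]:
            continue
        hits = [r for r in routes if r["table"] == rule["table"] and dst in r["net"]]
        if hits:
            best = max(hits, key=lambda r: r["net"].prefixlen)
            return {"table": rule["table"], "type": best["type"],
                    "dev": best["dev"], "via": best["via"]}
    return None


def reply_path(endpoint, fwmark=0):
    """Where a packet from this router to `endpoint` leaves, given the posted tables."""
    return lookup(endpoint, parse_rules(RULES_TXT), parse_routes(ROUTES_TXT), fwmark)


if __name__ == "__main__":
    # 192.0.2.77 is a constructed stand-in for a phone on the mobile network.
    for ep, mark in [("192.0.2.77", 0), ("192.0.2.77", 0x10000),
                     ("192.168.0.99", 0), ("198.51.100.5", 0), ("10.14.0.2", 0)]:
        print(f"{ep:14} mark={mark:#07x} -> {reply_path(ep, mark)}")
```

Run over these tables, an unmarked packet to 192.0.2.77 matches only the main table's `default dev wgbahnhof` and leaves through the client tunnel; the same packet with fwmark 0x10000 hits table 201 and leaves via eth1; the provider endpoint has its own /32 via eth1 and a LAN endpoint goes out br-lan. That is consistent with the symptom above: a handshake from a remote phone arrives on eth1 port 1234, but the reply from wgserver is not marked, so it follows the tunnel default instead of the WAN. On the router itself the live equivalents are `ip route get 192.0.2.77` and `ip route get 192.0.2.77 mark 0x10000`.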
Any progress on this question?
I couldn't find any solution either.

I suggest making a new thread. Wireguard is quite simple to set up... and this thread is 2 years old.

No, I never got it working and switched to OPNsense where I got it working.

:slightly_smiling_face: the discussion is not about wireguard itself, setting-up is indeed simple.

The challenge is to have a local wireguard and a public wireguard simultaneously without them contradicting each other.
In a nutshell, the public wireguard will act as a black hole for the local wireguard no matter what sophisticated authorized IPs list you set up (namely subtracting any local IPs + wireguard tunnel IPs from the public tunnel).
I am not competent but I presume this is the way wireguard is implemented in openwrt (+linux?), which creates static routes when started, while the local wireguard routes are then ignored.

Anyway, I managed to make it work and can now tunnel remotely to my LAN while keeping my public wireguard VPN up.
Quite tricky for a rookie like me, many trials and tests (I have to learn how to track network packets...).

Note that I also could do away with the extra firewall zones "wgserver" and "wgclient" despite the recommendation, and managed to keep it very simple with the existing zones lan and wan: the wgserver interface sitting in the "lan" zone and the wgpublic interface in the "wan" zone (though having to forward the wgserver port...).

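The "subtract the local and tunnel prefixes from the public tunnel" list the post above refers to, computed as an added example (not code from the thread, from OpenWrt or from WireGuard): starting from 0.0.0.0/0 it removes the LAN, the wgserver subnet and the provider's own endpoint, and returns the minimal set of prefixes left, which is the form an allowed_ips list takes when it must cover "everything except". The prefixes and the 198.51.100.5 endpoint are constructed stand-ins for the thread's values.

```python
import ipaddress

# Constructed inputs modelled on the thread: LAN 192.168.0.0/24, the wgserver subnet
# 10.14.0.0/24, and a stand-in for the public VPN provider's endpoint (198.51.100.5) that
# must stay reachable through the WAN rather than through the tunnel it belongs to.
EXCLUDE = ["192.168.0.0/24", "10.14.0.0/24", "198.51.100.5/32"]


def allowed_ips_excluding(exclusions, base="0.0.0.0/0"):
    """Return the smallest list of prefixes covering `base` minus every prefix in
    `exclusions`: the 'everything except ...' form of a WireGuard AllowedIPs list."""
    remaining = [ipaddress.ip_network(base)]
    for ex in exclusions:
        ex_net = ipaddress.ip_network(ex, strict=False)
        kept = []
        for net in remaining:
            if ex_net.subnet_of(net):
                # Split `net` around `ex_net`; yields nothing when the two are equal.
                kept.extend(net.address_exclude(ex_net))
            elif net.subnet_of(ex_net):
                continue  # entirely inside the exclusion, so drop it
            else:
                kept.append(net)
        remaining = kept
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]


def matches_allowed_ips(ip, prefixes):
    """True if `ip` falls inside one of the prefixes, i.e. the tunnel would claim it."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def covered_address_count(prefixes):
    """Number of addresses the prefix list covers; handy as a sanity check."""
    return sum(ipaddress.ip_network(p).num_addresses for p in prefixes)


if __name__ == "__main__":
    prefixes = allowed_ips_excluding(EXCLUDE)
    print("AllowedIPs =", ", ".join(prefixes))
    # 192.0.2.77 is a constructed stand-in for an arbitrary remote address.
    for ip in ["192.168.0.99", "10.14.0.2", "198.51.100.5", "192.0.2.77"]:
        print(f"{ip:14} claimed by tunnel: {matches_allowed_ips(ip, prefixes)}")
```

With `route_allowed_ips '1'` each prefix in the result becomes a kernel route, so traffic to the LAN, to the wgserver subnet and to the provider endpoint no longer falls into the public tunnel. Addresses outside the excluded prefixes, such as a remote peer on the internet, are still covered by the list, which is the behaviour the post describes.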
That's simple as well. We would need to see configs.

There's no difference between a "public" and a "private".