It probably isn't. Can you copy the output of the following commands on Site A and post it here using the "Preformatted text </> " button:
Remember to redact passwords and private keys (`uci export network` prints the WireGuard `private_key` values in plaintext), MAC addresses and any public IP addresses you may have.
# Dump the network and firewall UCI config, the custom firewall script,
# IPv4 addresses, every routing table, the policy rules and WireGuard status.
uci export network; uci export firewall
cat /etc/firewall.user
ip -4 address; ip -4 route list table all; ip -4 rule; wg
I get both the 'server' and the 'client' working, but not at the same time. With the configuration below, the 'client' (wgbahnhof) is working but not the 'server' (wgserver). When I try to connect remotely to the server from my phone, it seems the server receives the connection data but does not respond, so I assume it is some sort of routing problem.
package network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdd6:2214:2ebc::/48'
config interface 'lan'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ifname 'eth0'
option ipaddr '192.168.0.1'
config interface 'wan'
option ifname 'eth1'
option proto 'dhcp'
option peerdns '0'
config interface 'wgbahnhof'
option proto 'wireguard'
option private_key 'SECRET'
option force_link '1'
list addresses 'wg_bahnhof_ip'
config wireguard_wgbahnhof
option public_key 'SECRET'
option persistent_keepalive '25'
option endpoint_port '48574'
list allowed_ips '0.0.0.0/0'
option route_allowed_ips '1'
option endpoint_host 'SECRET_ENDPOINT_IP'
config interface 'wgserver'
option proto 'wireguard'
option private_key 'SECRET'
option listen_port '1234'
list addresses '10.14.0.1/24'
config wireguard_wgserver
option public_key 'SECRET'
option description 'wg user 1'
list allowed_ips '10.14.0.2/32'
option route_allowed_ips '1'
option persistent_keepalive '25'
package firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
config zone
option name 'wgbahnhof'
option input 'REJECT'
option forward 'REJECT'
option masq '1'
option output 'ACCEPT'
option network 'wgbahnhof'
config forwarding
option dest 'wgbahnhof'
option src 'lan'
config forwarding
option dest 'wan'
option src 'lan'
config zone
option name 'wgserver'
option network 'wgserver'
option input 'ACCEPT'
option forward 'REJECT'
option masq '1'
option output 'ACCEPT'
config forwarding
option src 'wgserver'
option dest 'wan'
config forwarding
option src 'wgserver'
option dest 'lan'
config forwarding
option src 'wgserver'
option dest 'wgbahnhof'
config rule
option name 'Allow-WG-Inbound'
option target 'ACCEPT'
option src '*'
option proto 'udp'
option dest_port '1234'
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
inet SECRET_WAN_EXTERNAL_IP/24 brd xxx.xxx.xxx.xxx scope global eth1
valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 192.168.0.1/24 brd 192.168.0.255 scope global br-lan
valid_lft forever preferred_lft forever
7: wgserver: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
inet 10.14.0.1/24 brd 10.14.0.255 scope global wgserver
valid_lft forever preferred_lft forever
9: wgbahnhof: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
inet wg_bahnhof_ip/32 brd 255.255.255.255 scope global wgbahnhof
valid_lft forever preferred_lft forever
default via xxx.xxx.xxx.xxx dev eth1 table 201
10.14.0.0/24 dev wgserver table 201 proto kernel scope link src 10.14.0.1
10.14.0.2 dev wgserver table 201 proto static scope link
default via wg_bahnhof_ip dev wgbahnhof table 202
10.14.0.0/24 dev wgserver table 202 proto kernel scope link src 10.14.0.1
10.14.0.2 dev wgserver table 202 proto static scope link
default dev wgbahnhof proto static scope link
10.14.0.0/24 dev wgserver proto kernel scope link src 10.14.0.1
10.14.0.2 dev wgserver proto static scope link
SECRET_ENDPOINT_IP via xxx.xxx.xxx.xxx dev eth1 proto static
xxx.xxx.xxx.xxx/24 dev eth1 proto kernel scope link src SECRET_WAN_EXTERNAL_IP
192.168.0.0/24 dev br-lan proto kernel scope link src 192.168.0.1
local wg_bahnhof_ip dev wgbahnhof table local proto kernel scope host src wg_bahnhof_ip
broadcast 10.14.0.0 dev wgserver table local proto kernel scope link src 10.14.0.1
local 10.14.0.1 dev wgserver table local proto kernel scope host src 10.14.0.1
broadcast 10.14.0.255 dev wgserver table local proto kernel scope link src 10.14.0.1
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast xxx.xxx.xxx.xxx dev eth1 table local proto kernel scope link src SECRET_WAN_EXTERNAL_IP
local SECRET_WAN_EXTERNAL_IP dev eth1 table local proto kernel scope host src SECRET_WAN_EXTERNAL_IP
broadcast xxx.xxx.xxx.xxx dev eth1 table local proto kernel scope link src SECRET_WAN_EXTERNAL_IP
broadcast 192.168.0.0 dev br-lan table local proto kernel scope link src 192.168.0.1
local 192.168.0.1 dev br-lan table local proto kernel scope host src 192.168.0.1
broadcast 192.168.0.255 dev br-lan table local proto kernel scope link src 192.168.0.1
0: from all lookup local
32760: from all fwmark 0x20000/0xff0000 lookup 202
32761: from all fwmark 0x10000/0xff0000 lookup 201
32766: from all lookup main
32767: from all lookup default
interface: wgserver
public key: SECRET
private key: (hidden)
listening port: 1234
peer: SECRET
endpoint: 192.168.0.99:40058
allowed ips: 10.14.0.2/32
transfer: 148 B received, 832 B sent
persistent keepalive: every 25 seconds
interface: wgbahnhof
public key: SECRET
private key: (hidden)
listening port: 54844
peer: SECRET
endpoint: SECRET_ENDPOINT_IP:48574
allowed ips: 0.0.0.0/0
latest handshake: 36 seconds ago
transfer: 2.17 MiB received, 366.61 KiB sent
persistent keepalive: every 25 seconds
The discussion is not about WireGuard itself; setting it up is indeed simple.
The challenge is to run a local WireGuard tunnel and a public WireGuard tunnel simultaneously without them conflicting with each other.
In a nutshell, the public WireGuard tunnel acts as a black hole for the local WireGuard tunnel, no matter how sophisticated an allowed-IPs list you set up (namely, subtracting any local IPs plus the WireGuard tunnel IPs from the public tunnel).
I am not an expert, but I presume this is due to the way WireGuard is implemented in OpenWrt (and Linux?): it creates static routes when started, and the local WireGuard routes are then ignored.
Anyway, I managed to make it work and can now tunnel remotely into my LAN while keeping my public WireGuard VPN up.
Quite tricky for a rookie like me; it took many trials and tests (I still have to learn how to trace network packets...).
Note that I could also do without the extra firewall zones "wgserver" and "wgclient", despite the recommendation, and keep it very simple with the existing zones lan and wan: the wgserver interface sits in the "lan" zone and the wgpublic interface in the "wan" zone (though I had to forward the wgserver port...). Be aware that putting wgserver in the lan zone gives remote VPN peers the same trust as local LAN clients (input ACCEPT, forward ACCEPT), which is why the separate zone was recommended.