The only change I made on the AR750S was to run uci set firewall.wireguard.masq='0' in /etc/init.d/wireguard.
There are two key steps to make it work:
- The client and server LAN IP subnet addresses must be disjoint.
- The server’s allowed IPs must list the client’s LAN IP subnet. This adds an entry to the server-side routing table to forward packets back to the client.
In my case the client is an AR750S and the server is a Ubiquiti EdgeRouter. You should be able to get an OpenWRT server to work, too. The client LAN IP subnet has to be different from the server LAN subnet. E.g., 192.168.2.0/24 for the client and 192.168.1.0/24 for the server. On the server, add 192.168.2.0/24 to allowed IPs in the peer wireguard configuration.
On the server side you could check the following:
- That the client LAN subnet (e.g. 192.168.2.0/24) is listed in the routing table with the next hop being the wg interface.
- Use tcpdump on the server-side wg interface to see what IPs are coming from the client and whether responses are going back. Note that when masq is 1 you will see only the private IP of the client’s wg interface. When masq is 0 you will see client-side LAN IPs. (This is all IPv4.)
Obviously, there are more things you have to get right on the server side when masq is 0. That’s why you are probably better off leaving the default at 1 but making it an option in the wireguard configuration.
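The two prerequisites from the post (disjoint LAN subnets, and the server peer's AllowedIPs covering the client LAN) are the kind of thing that is easy to get subtly wrong when masq is 0. The following is an added example, not code from the post, GL.iNet or Ubiquiti: a small Python check that parses a constructed wg-quick-style server config and reports which of the two conditions fails. The config text, the placeholder keys and the 10.0.0.0/24 tunnel addresses are constructed; the LAN subnets are the ones used in the post.

```python
import ipaddress

# Constructed sample server-side config. Keys are placeholders; the LAN
# subnets (192.168.1.0/24 server, 192.168.2.0/24 client) follow the post.
SERVER_CONF = """
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <server-private-key-placeholder>

[Peer]
# AR750S client: its tunnel address plus its whole LAN behind the tunnel
PublicKey = <client-public-key-placeholder>
AllowedIPs = 10.0.0.2/32, 192.168.2.0/24
"""

# Same config with only the tunnel address allowed: fine with masq=1,
# but with masq=0 the server has no route back to the client LAN.
TUNNEL_ONLY_CONF = SERVER_CONF.replace(", 192.168.2.0/24", "")

SERVER_LAN = "192.168.1.0/24"
CLIENT_LAN = "192.168.2.0/24"


def parse_peers(conf_text):
    """Return one list of AllowedIPs networks per [Peer] section.

    configparser cannot be used because a WireGuard config repeats the
    [Peer] section name, so this walks the lines by hand.
    """
    peers = []
    current = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            if line[1:-1].lower() == "peer":
                current = []
                peers.append(current)
            else:
                current = None  # [Interface] or unknown section
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() == "allowedips":
            current.extend(
                ipaddress.ip_network(v.strip(), strict=False)
                for v in value.split(",") if v.strip()
            )
    return peers


def subnets_disjoint(a, b):
    """Step 1: the two LAN subnets must not overlap."""
    return not ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


def peer_routes_client_lan(conf_text, client_lan):
    """Step 2: some peer's AllowedIPs must contain the whole client LAN.

    AllowedIPs doubles as the server's return route, which is why the
    client LAN has to be listed there when masquerading is off.
    """
    lan = ipaddress.ip_network(client_lan)
    return any(
        lan.subnet_of(net)
        for peer in parse_peers(conf_text)
        for net in peer
        if net.version == lan.version
    )


def check(conf_text, server_lan, client_lan):
    """Return a list of problems; empty means both prerequisites hold."""
    problems = []
    if not subnets_disjoint(server_lan, client_lan):
        problems.append(f"server LAN {server_lan} overlaps client LAN {client_lan}")
    if not peer_routes_client_lan(conf_text, client_lan):
        problems.append(f"no peer AllowedIPs entry covers client LAN {client_lan}")
    return problems


if __name__ == "__main__":
    for name, conf in (("SERVER_CONF", SERVER_CONF), ("TUNNEL_ONLY_CONF", TUNNEL_ONLY_CONF)):
        print(name, check(conf, SERVER_LAN, CLIENT_LAN) or "ok")
```

The check only looks at the config; whether the kernel actually installed the route is what the `ip route` and tcpdump checks in the post confirm on the live box.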