[egc]

About the keys that is right there are no private keys involved, you exchanges the public keys.

I read that the client router has 192.168.5.1 and no wireless, but how can you test with your phone connected to that router as it has no wireless?

If wireless is enabled on this router and you have internet on your phone connected to that router but when enabling WireGuard on that phone you get a destination unreachable than something is blocking WireGuard.

Is the primary router to which the client router connects a normal SoHo router or is it a corporate system which blocks VPN?

Can the ISP block WireGuard?

[hafren]

[egc]

When setting up you need the private key (whether you get it in a conf file or generate one)

The private key is used to calculate the public key and this public key is the one which is exchanged.

You mention VPN unlimited, the client must no be on VPN unlimited otherwise you are running a tunnel in a tunnel which could be problematic

[hafren]

[hafren]

@egc I finally have the client & server communicating. I'm not sure reset to default then rebuild the client wireguard settings was the issue but suspect some remnant of the iphone trial as the wgserver client config file was populated and wrong.

Moving forward, I have still not succeeded in getting wan out from the wgserver via the client i.e Google doesn't open on the client and ping 8.8.8.8 is destination unreachable.? WGserver has "Allow clients WAN access" checked but I'm thinking there is a dns issue preventing the client access.

[egc]

Glad that part is solved

From the client side you can do from the the WG client routers command line:
traceroute 8.8.8.8

This will show the route the packets take it should go into the WG tunnel to your WG server and from there on to the internet you can see where it is stuck

From a Windows PC attached to the WG client router you do from cmd (the DOS prompt):
tracert 8.8.8.8

[hafren]

This is what I get. 10.4.0.1 is the wgserver

Tracing route to dns.google [8.8.8.8] over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms vpnclient [192.168.5.1]
2 64 ms * * 10.4.0.1
3 10.4.0.1 reports: Destination host unreachable.

Trace complete.

[egc]

Does the Client still have "NAT via Tunnel" enabled on the WG tunnel?

If not you have to add on the server side a rule to MASQUERADE the clients subnet out on the WAN:
iptables -t nat -I POSTROUTING -s 192.168.5.0/24 -o $(get_wanface) -j MASQUERADE

The GUI setting on the WG server "Allow Clients WAN Access" only NAT's the WG subnet (10.4.0.0/24) out on the WAN.

Furthermore if you do not have NAT enabled be sure to have the 192.168.5.0/24 subnet in the Allowed IP's on the server to allow the clients subnet.

[hafren]

[egc]

The WG server does not need to enable NAT via tunnel (just follow the Server Setup guide in this).

On the Client side you can enable it for troubleshooting like we are doing.

Can you show screesnhots of the WireGuard page for Server and client.

For the server please show output of (via the command line e.g telnet/putty):
wg
wg showconf oet1
ip route show
iptables -vnL FORWARD | grep oet
iptables -vnL INPUT
iptables -vnL -t nat
iptables -vnL -t raw
grep -E -i 'oet|wireguard' /var/log/messages

[hafren]

@egc Resurrecting this thread. I was unable to get client and server communicating in time to deploy the server in the UK last April. I have now managed to successfully get client and server communicating. Browsing 'my IP address' on the client now reports the server wan ip. I'd like to finalize the set up of the WG client and WG server so I have a few questions which I hope you can answer:

On the client - should I now turn off NAT via tunnel?
On the server should I change the NTP server time zone to UK when I install?
I read of ipv6 leak concerns in the wg server set up guide v49. How how can I mitigate?