WireGuard client does not expose devices and server has no way to set up an endpoint
Hi, I've been struggling with the very limited WireGuard implementation.
I can set up a WireGuard client to my home network no problem. It connects. But it disregards the AllowedIPs and no device is pingable from the other end of the VPN. Is there a way to solve this, or is the "client" only meant for commercial VPNs, with no way to expose devices?
On the other end, I tried to set up a WireGuard "server". Even though there are no clients or servers in the WireGuard protocol, only peers, I guess naming them like this makes it easier for the end user. The problem is, there is no way to set up an endpoint when you configure a server. Since my setup is running on a Starlink connection, I'm behind CG-NAT. There is no way I can set up a WireGuard server if I can't specify an endpoint to connect to, because I can't forward any ports.
Why this was not thought out when integrating WireGuard into the router is really surprising. Making a tunnel into a network with a public IP is like the second most popular usage of VPNs. Not to mention that the usage the "server" was designed for is limited to only users that have access to a public IP.
To top it up, what actually made me angry was that I had to do all this testing from the Deco app. The "client" doesn't create public or private keys, so I had to make a choice between typing those huge cryptographic keys or exposing them through email to my cellphone, which I wouldn't call a secure method. I picked the latter. The app "froze" several times. The "" are because it didn't actually freeze. But several times every option or modification I tried to do failed, and the only way to get the app working again was force closing it and opening it again.
It's a shame because the Deco has great hardware, but if you need to actually do some networking, the software is a nightmare.
Is there any solution to get a WireGuard "server" working behind CG-NAT?