Configure Routing to get LAN access via Wireguard

@cpunk as mentioned above I tried many combinations. Every time I set allowed IPs on the server to something from the LAN side, and turn on the create routes checkbox, I end up with the address range being inaccessible from the router, which also meant I locked myself out a few times.

On the client, it seems I need to set 0.0.0.0 for TunSafe to create a route that will be used. Which is not really what I want but workable. I could still correct it manually with a script.

@lleachii I tried with and without masquerading on the WireGuard interface. It did not make a difference as far as I could tell.

You shouldn't need the LAN address range in allowedIPs on the server. Not unless you need hosts on intranet to access LAN hosts via the tunnel (making VPN client a router). On the server the only thing you should have in allowedIPs for a peer is that peer's tunnel IP address with a /32 mask, to tell wg to send only traffic to that one host down the tunnel.

On the client side you need what you said you were using in your initial post (I think you set it then on the server though, which is not correct) - both the full tunnel IP range and the intranet IP range in allowedIPs. You say you're using all zeroes currently, and that should work, as long as you only want the VPN client to communicate with tunnel and intranet hosts while connected. If it needs to communicate with the Internet while connected then you should use only the required two network addresses in allowedIPs. This will ensure the client can still use its default route to talk to real IPs on the Internet.

Saying that you tried lots of things is not so helpful. If you want to troubleshoot further it would be helpful if you pasted the current WG config from each side in a reply, along with the wg show output from the router after a connection attempt, along with a specific explanation of what test you did and the result. For example: While this configuration was active I pinged from VPN client 10.0.4.2 to intranet host 192.168.100.x and got 0 replies, but ping from that same host to the intranet-side interface of the VPN router 192.168.100.1 was successful. Or something like that. And then pull the iptables -L -v output, after the test was done.
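To make the AllowedIPs rule above concrete, here is an added sanity check (my own script, not something from this thread or from WireGuard/TunSafe) that flags the two mistakes discussed: a LAN range in the server's peer entry, and 0.0.0.0/0 on a client that still needs its Internet default route. It assumes the tunnel is 10.0.4.0/24 and the intranet is 192.168.100.0/24, extrapolated from the ping example; adjust the two constants to your own ranges.

```python
import ipaddress

# Constructed sample ranges, assumed from the ping example in the thread.
TUNNEL_NET = ipaddress.ip_network("10.0.4.0/24")        # WireGuard tunnel range
INTRANET_NET = ipaddress.ip_network("192.168.100.0/24")  # router LAN behind the server


def parse_allowed(allowed):
    """Split a comma-separated AllowedIPs string into network objects."""
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in allowed.split(",") if p.strip()]


def check_server_peer(allowed, tunnel_net=TUNNEL_NET):
    """Server side: a peer entry should hold only that peer's /32 tunnel address.

    Anything wider (e.g. the LAN range) makes wg route that range into the
    tunnel, which is how the router loses its own LAN and locks you out.
    """
    problems = []
    for n in parse_allowed(allowed):
        if n.version != 4 or n.prefixlen != 32:
            problems.append(f"{n}: not a /32 host route")
        elif not n.subnet_of(tunnel_net):
            problems.append(f"{n}: outside the tunnel range {tunnel_net}")
    return problems


def check_client(allowed, want_internet,
                 tunnel_net=TUNNEL_NET, intranet_net=INTRANET_NET):
    """Client side: AllowedIPs must cover the tunnel and intranet ranges.

    0.0.0.0/0 covers both but also captures the client's default route, so it
    is flagged only when the client still needs direct Internet access.
    """
    nets = parse_allowed(allowed)

    def covered(target):
        return any(n.version == target.version and target.subnet_of(n)
                   for n in nets)

    problems = []
    if not covered(tunnel_net):
        problems.append(f"tunnel range {tunnel_net} not covered")
    if not covered(intranet_net):
        problems.append(f"intranet range {intranet_net} not covered")
    if want_internet and any(n.prefixlen == 0 for n in nets):
        problems.append("0.0.0.0/0 present: Internet traffic will be sent "
                        "down the tunnel instead of the default route")
    return problems


if __name__ == "__main__":
    print(check_server_peer("10.0.4.2/32, 192.168.100.0/24"))
    print(check_client("0.0.0.0/0", want_internet=True))
```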

Fully understood, but I only have access and limited time on the weekends to the box. So I can not post things right now and when I can, the turnaround times via the forum are usually too long. So this is the best I can do right now.

To my understanding the router is not correctly forwarding the packets from the wg interface to the intranet or back from the intranet. I tried all so far described combinations of allowed ips including the one you mentioned should be correct.

I can try to figure out what is going on again maybe on Saturday evening CET.

Thanks again for the help! It is very much appreciated.

@cpunk, please note that I already asked for comprehensive runtime diagnostics and we are still waiting.