I have a Pfsense-box as the main Internet-facing router in my network, with an OpenWRT-router providing a WiFi access-point and other services. Since Pfsense doesn't do Wireguard, I planned to use the OpenWRT-box for it.
I basically followed the instructions for "Wireguard basic" in the OpenWRT-docs to set up a Wireguard-instance, with a Ubuntu Linux - machine connecting to it. Ubuntu can access LAN and I can access Ubuntu from LAN, but Ubuntu cannot access Internet.
How does one setup a Wireguard-server on OpenWRT so that connecting peers can access Internet as well, when the OpenWRT-box isn't the Internet-facing router?
You would set it up as normal - in addition to the of a firewall input rule on the OpenWrt, you also port forwarding the Wireguard UDP port from the PfSence' border, to the OpenWrt. Simple.
I would simply setup the WG interface to the LAN Firewall zone, and it should go via Internet on the PfSence like traffic would on OpenWrt's LAN.
Sorry, I didn't realize you wanted us to help you configure the Ubuntu machine too, my apologies.
I hope you added the route to the Ubuntu, and not the OpenWrt. Otherwise, I don't see how it's related. If you don't understand how to setup the Ubuntu, I advise testing a peer with the Wireguard Smartphone app first. All the client routing is done for you and you can eliminate the Ubuntu as the issue.
In the network config the wan interface has IP 192.168.3.1/24 but no gateway. lan has IP, mask, gateway and dns to 192.168.1.1 which I suppose is the pfsense.
So the lan is actually also wan, but you don't masquerade the lan zone in the firewall, which means that the pfsense must have a static route for 192.168.1.0/24 via 192.168.1.7 to work.
I don't understand that logic. The Pfsense-box is the one handling the LAN-network, ie. 192.168.1.0/24. You're saying the OpenWRT-box needs have the Pfsense-box as its gateway for the LAN-network and the Pfsense-box needs to have the OpenWRT-box as its gateway for the same network? That seems rather...circular.
For a VPN client to reach the Internet, the OpenWrt VPN server needs to route them from the 192.168.9 VPN tunnel network to the Internet.
You have the OpenWrt router / VPN server configured as a LAN device on the 192.168.1.0 network of your main router. Basically its WAN network 192.168.3 isn't doing anything, nor does it need to. You can just remove that network.
If you're only interested in VPN clients reaching the Internet, the simplest way would be a forward between two firewall zones with masquerade (NAT) enabled on the destination zone. When running the VPN server in the main router the WAN network is already masquerading, to do it through the LAN network as on a LAN device requires adding that to the firewall configuration.
No its not circular...but I personally thought the route needs to exist for 192.168.9.0/24 via 192.168.1.7. This is because you are forwarding traffic to the PfSence over LAN that is not masqueraded.
Or you can just setup the OpenWrt as normal (connecting to WAN) and it should work as-is.