Hello,
I am trying to configure SSH access to the router inside the VPN LAN, without success.
My configuration:
VPN server (WireGuard) running on a remote VPS machine
OpenWrt is set up as a client (I've created a specific firewall zone for this)
Forward VPN to router IP:
-A zone_wg0_prerouting -p tcp -m tcp --dport XXXX -m comment --comment "!fw3: SSH Router IntraVPN" -j DNAT --to-destination 192.168.2.1:22
192.168.2.1 is the router IP
If I try to connect from another VPN client to SSH on the OpenWrt router, the connection is rejected, but if I try to connect to another machine behind the router with a similar firewall rule, the connection works wonderfully.
Make sure the VPN server has the route to your router and its LAN.
There's no need to forward ports between hosts connected to the VPN.
Both VPN and LAN should be mutually reachable with plain routing.
Just harden the server security, and the VPN can be considered trusted.
If you are feeling paranoid, then configure firewall rules to filter traffic.
You have a few unnecessary rules currently since the WireGuard and lan interfaces are both part of the lan zone. But let's try changing a few things here:
remove wg0 from your lan zone.
create a new wg zone and assign wg0 to the wg zone.
set the wg zone with input = accept, output = accept, forward = drop
remove the forwarding rule from lan > wg0 (this rule doesn't make sense since it is mixing a zone and an interface)
remove the redirect rule "SSH Router IntraVPN" since it doesn't do anything (based on the fact that both the source and dest are in the same zone).
optionally add forwarding from wg > lan (this is desired if you want to be able to connect to the rest of your LAN remotely via the wg connection, this does not apply to the router itself)
optionally add forwarding from lan > wg (if you want to be able to send traffic from your LAN out to/through the wg tunnel; again, this doesn't apply to the router itself).
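The zone layout described in the steps above, written out as the matching /etc/config/firewall sections. This is an added, constructed example, not a configuration from this thread; it assumes the WireGuard interface is named wg0 in /etc/config/network and that the other zones and rules of a default OpenWrt firewall are left in place.

```uci
# /etc/config/firewall (relevant sections only, constructed example)

# lan zone: wg0 is no longer listed here
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# new wg zone holding only the WireGuard interface
config zone
	option name 'wg'
	list network 'wg0'           # assumed interface name
	option input 'ACCEPT'        # VPN peers may reach services on the router itself (SSH, LuCI)
	option output 'ACCEPT'
	option forward 'DROP'        # no forwarding within the zone

# Optional: let VPN peers reach hosts on the LAN behind the router
config forwarding
	option src 'wg'
	option dest 'lan'

# Optional: let LAN hosts send traffic into the tunnel
config forwarding
	option src 'lan'
	option dest 'wg'

# No "SSH Router IntraVPN" redirect section: with input = ACCEPT on the wg zone,
# a peer that has a route to the router reaches port 22 directly.
```

After `/etc/init.d/firewall restart`, `iptables -S zone_wg_input` should show an ACCEPT policy for the zone and no DNAT entry in the wg prerouting chain; a peer can then be tested with a plain `ssh` to the router's WireGuard address.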
--to-destionation 10.66.66.9:22
If you need to access 192.168.2.0/24, then the server needs to know about it, either by routing the allowed IPs in the WireGuard configuration or by a static route. In any case it must be added to the allowed IPs on the server.