Wireguard → Make local IPs visible for the vpn

To whom it may concern,
I set up a WireGuard server on my OpenWrt router. On the WireGuard interface I have the IP addresses 10.0.9.1/24 & XXXX:XXXX:XXXX:XXXX:::0001/60, while on my local LAN interface I have 10.0.0.1/24 & XXXX:XXXX:XXXX:XXXX:aaaa::0001/60.
How can I reach a specific IP in 10.0.0.1-10.0.0.255, or all of them, from a WireGuard client while I am connected to the WireGuard VPN?

These two overlap, which will cause problems.

Why do you have such a large subnet on your lan?

Sorry, I miswrote: on my local LAN interface I have 10.0.0.1/24.

let's see your config:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have; in a WireGuard config, the private and preshared keys count as passwords:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
wg show

And also please show us the config from the remote peer.

root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.150",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "FriendlyElec NanoPi R4S",
        "board_name": "friendlyarm,nanopi-r4s",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "rockchip/armv8",
                "description": "AO Build@2024.03.27"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config device
        option name 'eth1'
        option macaddr 'MAC_ADDR'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'
        option ip6assign '112'
        list ip6class 'local'

config device
        option name 'eth0'
        option macaddr 'MAC_ADDR'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'

config interface 'docker'
        option device 'docker0'
        option proto 'none'
        option auto '0'

config device
        option type 'bridge'
        option name 'docker0'

config interface 'vpn'
        option proto 'wireguard'
        option private_key  'NOPE'
        option listen_port '51820'
        list addresses '10.0.9.1/24'
        list addresses 'FIXX:FIXX:FIXX:FIXX:ffff::0001/112'

config wireguard_vpn
        option description 'A'
        option public_key 'NOPE'
        option private_key 'NOPE'
        option preshared_key 'NOPE'
        option route_allowed_ips '1'
        option endpoint_port '51820'
        list allowed_ips '10.0.9.97/32'
        list allowed_ips 'FIXX:FIXX:FIXX:FIXX:ffff::0097/128'

config wireguard_vpn
        option description 'B'
        option public_key  'NOPE'
        option private_key  'NOPE'
        option preshared_key  'NOPE'
        option route_allowed_ips '1'
        list allowed_ips '10.0.9.98/32'
        list allowed_ips 'FIXX:FIXX:FIXX:FIXX:ffff::0098/64'
        option endpoint_port '51820'

config wireguard_vpn
        option public_key  'NOPE'
        option private_key  'NOPE'
        option description 'C'
        option preshared_key 'NOPE'
        option endpoint_port '51820'
        option route_allowed_ips '1'
        list allowed_ips 'FIXX:FIXX:FIXX:FIXX:ffff::99/120'
        list allowed_ips '10.0.9.11/32'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        list network 'lan'
        list network 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone 'wan'
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/firewall.include'

config zone 'docker'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option name 'docker'
        list network 'docker'

config rule
        option name 'Allow-NFS-RPC'
        option src 'lan'
        option proto 'tcp udp'
        option dest_port '111'
        option target 'ACCEPT'

config rule
        option name 'Allow-NFS'
        option src 'lan'
        option proto 'tcp udp'
        option dest_port '2049'
        option target 'ACCEPT'

config rule
        option name 'Allow-NFS-Lock'
        option src 'lan'
        option proto 'tcp udp'
        option dest_port '32777:32780'
        option target 'ACCEPT'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '51820'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'WireGuard Port'
        list proto 'udp'
        option src 'wan'
        option src_dport '51820'
        option dest_ip '10.0.9.1'
        option dest_port '51820'

root@OpenWrt:~# wg show
interface: vpn
  public key: NOPE
  private key: (hidden)
  listening port: 51820

peer: AAA
  preshared key: (hidden)
  endpoint: WAN:WAN:WAN:WAN:4064
  allowed ips: 10.0.9.97/32, FIXX:FIXX:FIXX:FIXX:ffff::97/128
  latest handshake: 1 minute, 40 seconds ago
  transfer: 256.36 KiB received, 1.66 MiB sent

peer: BBB
  preshared key: (hidden)
  allowed ips: 10.0.9.98/32, FIXX:FIXX:FIXX:FIXX::/64

peer: CCC
  preshared key: (hidden)
  allowed ips: FIXX:FIXX:FIXX:FIXX:ffff::/120, 10.0.9.11/32

You inspired me to make some minor changes here and there; I think the IPv6 address ranges were overlapping, and now it's a bit better.
Still, for some reason I struggle to reach 10.0.0.173, a Jellyfin server, and I can't tell why.

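This firmware is not from the official OpenWrt project: the "description" field in your `ubus call system board` output reads "AO Build@2024.03.27" rather than an OpenWrt release string. Did this come from FriendlyElec?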

I am quite confident I got it from the OpenWrt website, but you never know; I might have selected the wrong file while flashing. Looking at my settings probably doesn't inspire a lot of trust; I am still figuring things out.

It is most certainly not from the official OpenWrt project. I'd recommend using the genuine build here:

https://firmware-selector.openwrt.org/?version=23.05.3&target=rockchip%2Farmv8&id=friendlyarm_nanopi-r4s

Will I need to re-install everything? By the way, I might have made a custom build by adding packages before downloading it

yes. And you should plan to reconfigure everything, too... don't keep settings because it's not clear if there could be incompatibilities between what you have installed and the real deal.

That said, you can pre-install relevant packages via the image builder within the firmware selector page.

I suppose I can at least export and re-import the settings for the WireGuard interface. I will double-check those later anyway, but there are a lot of keys there.
How do I export and re-import the settings for an interface?

Yes, you can copy and paste those into place...

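Make a backup of your current config. Then you can open the files and copy/paste the WireGuard stuff from the backup into the new working file. Keep that backup private: /etc/config/network holds the WireGuard private and preshared keys in plain text.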