Wireguard + web hosting hell

But the client is running a config made from my server setup, i.e. it should be configured for the server it is connecting to.

This is unrelated on my side, but some of my week was poking around her ISP router/modem because it should have user-facing controls but it doesn't. Given some online privacy concerns have arisen for my granddaughter, I had recommended my daughter pick up an OpenWrt-compatible router, but it sounds like this is off the table for now and at best in a week or two she will swap the modem/router she has for another ISP-provided model that...again...should have user-facing controls so you can set DNS, time limits and so on.

A site-to-site setup would be a nice in-between for this...however I suspect there is something small, stupid, easy to miss going on in the interim that can be fixed. I just haven't been able to crack it despite all my reading and flinging poo at the wall, because she powers down, the machine goes to sleep, the house is chaos... bla bla blibedy bla.

Incoming traffic from WireGuard is already coming in. If you mean for web traffic, that's exactly what shouldn't be happening. The WG clients are not sending web traffic to the WG server. This should be local resources ONLY, i.e. when they send web requests they go out her local subnet to her ISP router/modem to her ISP DNS, which should give her the IP for the domain. The fact is her web is fine, she can access my NFS/Samba shares etc.; everything is working as expected except that, as far as I've seen, ONLY my domains fail while WireGuard is enabled. Disable WG on the client and the sites work fine; re-enable WG on the client and the sites no longer load. So there has to be something screwy with the WG client/server.

I had wondered if this is some whack quirk with the WG endpoint being the same as the domain, but this doesn't hold water due to the ports...also she can connect to my non-web-based (but DNS / SRV-requiring) services while connected to the WG server...

Sure, because you are masquerading, which is necessary because your basic setup is wrong. Not allowing traffic to come into the WireGuard interface only allows traffic from the server side, but in this case all traffic, so also from your PC, if you are not masquerading.

But have fun with it.

Masquerading only allows me to connect back to clients because my subnet cannot see the WireGuard clients' subnet.

Because your basic setup is wrong (not having unique subnets), but as said, have fun with it :)

Again focusing on what I have working and not the issue I posted about.

I had hoped to bang my head on this in order to conclude with a solution for someone who might have this issue to reference but this is not the outcome.

Despite all the "this is wrong" comments everything is working now. The problem is "how."

My daughter's WG conf went through several iterations, wherein I eventually had two AllowedIPs lines: one for full tunneling, one for local resources only. One was commented out while the other was active. This was just a cheesy way to toggle for testing.

Once the machine was powered back on I installed Wireshark and started testing. Everything I previously found was holding water: traffic was sent outside the WG interface, DNS was resolved correctly. However, OpenWrt was the one sending the "nope" that was killing things. Digging into the OpenWrt logs may have shown me more of what was going on, but things never got to that point.

When I saw OpenWrt was killing the connection I switched her config to a full tunnel to see what it would do. It again failed just the same, so I switched it back and retested, trying to see if Wireshark showed any difference beyond the DNS and domain IP changing...this time, however, it worked. All that was done was comment out one line in the wg.conf and uncomment the other, as had been done many times over the week, followed by restarting the interfaces. What changed? Who knows!

Given nothing changed on the OpenWrt end and everything worked on the client end (she could load the sites) with the WG client disabled, I can only guess the WG client was causing something packet-wise to trip the OpenWrt firewall or routing. So if you do have an issue with your WG + Owncloud or Home Assistant etc., the WG client might be the culprit. If you're on Arch, maybe try a downgrade and see if it behaves.
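The two things the thread keeps circling back to are whether the client's AllowedIPs makes it a full tunnel (web traffic pulled through WG) and whether the tunnel address range overlaps the client's own LAN (the "not having unique subnets" remark). The following script is an added example, not the poster's or WireGuard's code; it parses a constructed wg.conf, honours commented-out lines the way the toggle above relies on, and reports both conditions for a hypothetical LAN subnet passed in by the caller.

```python
import ipaddress

# Constructed sample client config (keys redacted, not the poster's real file).
# Both AllowedIPs variants are present; the full-tunnel one is commented out.
SAMPLE_CONF = """
[Interface]
PrivateKey = <redacted>
Address = 10.0.0.2/24
DNS = 10.0.0.1

[Peer]
PublicKey = <redacted>
Endpoint = vpn.example.net:51820
# AllowedIPs = 0.0.0.0/0, ::/0
AllowedIPs = 10.0.0.0/24, 192.168.1.0/24
PersistentKeepalive = 25
"""

def parse_wg_conf(text):
    """Return (interface_dict, [peer_dict, ...]); repeated keys collect into lists.
    Anything after '#' is dropped, so a commented AllowedIPs line is ignored."""
    interface, peers, current = {}, [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            name = line.strip("[]").lower()
            current = interface if name == "interface" else {}
            if name == "peer":
                peers.append(current)
            continue
        key, _, value = line.partition("=")
        current.setdefault(key.strip(), []).append(value.strip())
    return interface, peers

def allowed_networks(peer):
    """Flatten every AllowedIPs entry of a peer into ip_network objects."""
    nets = []
    for entry in peer.get("AllowedIPs", []):
        nets += [ipaddress.ip_network(n.strip(), strict=False)
                 for n in entry.split(",") if n.strip()]
    return nets

def is_full_tunnel(peer):
    """A /0 route (0.0.0.0/0 or ::/0) means all traffic goes through WG."""
    return any(n.prefixlen == 0 for n in allowed_networks(peer))

def check_conf(text, lan_cidr):
    """List findings for a client whose physical LAN is lan_cidr (hypothetical)."""
    interface, peers = parse_wg_conf(text)
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    same = lambda n: n.version == lan.version and n.overlaps(lan)
    findings = []
    for addr in interface.get("Address", []):
        tunnel = ipaddress.ip_interface(addr).network
        if same(tunnel):
            findings.append(f"tunnel {tunnel} overlaps LAN {lan}")
    for i, peer in enumerate(peers):
        if is_full_tunnel(peer):
            findings.append(f"peer {i}: full tunnel, web traffic goes via WG")
        elif any(same(n) for n in allowed_networks(peer)):
            findings.append(f"peer {i}: AllowedIPs overlaps LAN {lan}")
    return findings
```

Running `check_conf(SAMPLE_CONF, "192.168.0.0/24")` returns no findings; uncommenting the /0 line or passing a LAN that matches the tunnel range produces one.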

I'm glad it's working but "magic fixes" are still frustrating.

Take a look at Tailscale. It's a "better way".

I actually had, but it reminded me of Haguichi or higotchi, lol, whatever it was like 20 years ago, heh. I had also looked at, iirc, netbird? I didn't want to use third-party services though.

Comically, some time has passed and I have had the displeasure of seeing the "it doesn't work" behavior on a few other devices (Android and Linux). By "it doesn't work" I don't mean the endpoint failing for web requests, but just that it says it's sending and receiving but nothing works. Delete the config, re-import: doesn't work. Delete the config, re-import: works!? So I'm guessing the WireGuard client is flaky in general, given nothing changed on the OpenWrt end or WG server side and the configs imported were the same over and over.