Ubiquiti Router with Wireguard VPN. VPN clients unable to access hosts wired to router

So as the title implies I have a router, a UDM SE, set up with a number of wired hosts. I also have the WireGuard VPN set up on the router. Router subnet is 192.168.1.0/24, VPN subnet is 192.168.5.0/24. Dynamic DNS is set up and VPN clients can connect to the VPN. The problem is that clients on the VPN can't talk to clients on the router. After much googling I've seen lots of people with this problem 3-4 years in the past but no solutions. So I figured I would ask here to see if anyone has had any luck with what I thought was going to be a rather basic setup.

There are no custom traffic rules configured, and there is no port forwarding configured. There is no custom traffic routing, and no static routes are configured.

The router firewall is configured with the default rules:

| Action | Protocol | Chain | Rule name |
|---|---|---|---|
| Accept | All | Internet In | Allow Established/Related Traffic |
| Drop | All | Internet In | Drop Invalid Traffic |
| Drop | All | Internet In | Drop All Other Traffic |
| Accept | All | Internet Local | Allow Established/Related Traffic |
| Drop | All | Internet Local | Drop Invalid Traffic |
| Accept | UDP | Internet Local | Allow Wireguard |
| Drop | All | Internet Local | Drop All Other Traffic |
| Accept | All | LAN In | Accounting Defined Network 192.168.1.0/24 |
| Accept | All | LAN Out | Accounting Defined Network 192.168.1.0/24 |
| Accept | All | Internet v6 In | Allow Established/Related Traffic |
| Drop | All | Internet v6 In | Drop Invalid Traffic |
| Drop | All | Internet v6 In | Drop All Other Traffic |
| Accept | All | Internet v6 Local | Allow Established/Related Traffic |
| Drop | All | Internet v6 Local | Drop Invalid Traffic |
| Accept | IPv6-ICMP | Internet v6 Local | Allow Neighbor Solicitation |
| Accept | IPv6-ICMP | Internet v6 Local | Allow Neighbor Advertisements |
| Drop | All | Internet v6 Local | Drop All Other Traffic |
| Accept | All | LAN v6 Out | Allow Packets To Corporate Networks |

I feel like I'm missing something really simple that I just didn't do or didn't remember to do to make this work, and I can't for the life of me think of what it might be. Any help would be vastly appreciated.

Any subnet or device the client wants to reach must be in the "allowed IPs" line of the client's config.

So in which way are you trying to talk? Host names or IP addresses?

If it's hostnames, try hostname.localdomain and see if that works.

If you followed Ubiquiti's setup process it should work most of the time. One thing to check maybe … what is the subnet of the network you are VPN'ing in from? It can't overlap with the host network.
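The two checks raised in these replies (is the router LAN covered by the client's allowed IPs, and does the client's own LAN overlap it) can be scripted. This is an added example, not code from the thread; the config, keys and endpoint are constructed placeholders for the 192.168.1.0/24 LAN and 192.168.5.0/24 VPN subnet described in the post:

```python
import ipaddress

# Constructed sample WireGuard client config matching the thread's setup:
# router LAN 192.168.1.0/24, VPN subnet 192.168.5.0/24. Keys and endpoint
# are placeholders, not values from the post.
SAMPLE_CONFIG = """
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 192.168.5.2/32

[Peer]
PublicKey = <router-public-key-placeholder>
Endpoint = router.example.invalid:51820
AllowedIPs = 192.168.5.0/24
"""

def allowed_ips(config_text):
    """Collect every network listed on AllowedIPs lines of a client config."""
    nets = []
    for line in config_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "allowedips":
            for item in value.split(","):
                if item.strip():
                    nets.append(ipaddress.ip_network(item.strip(), strict=False))
    return nets

def covers(nets, target):
    """True if some AllowedIPs entry contains the whole target subnet."""
    target = ipaddress.ip_network(target, strict=False)
    return any(n.version == target.version and target.subnet_of(n) for n in nets)

def overlaps(client_lan, router_lan):
    """True if the client's own LAN collides with the subnet behind the VPN."""
    a = ipaddress.ip_network(client_lan, strict=False)
    b = ipaddress.ip_network(router_lan, strict=False)
    return a.version == b.version and a.overlaps(b)

def diagnose(config_text, router_lan, client_lan):
    """Return the reasons this client could not reach hosts on router_lan."""
    problems = []
    if not covers(allowed_ips(config_text), router_lan):
        problems.append(f"AllowedIPs does not cover {router_lan}")
    if overlaps(client_lan, router_lan):
        problems.append(f"client LAN {client_lan} overlaps {router_lan}")
    return problems
```

With the sample config as written, `diagnose(SAMPLE_CONFIG, "192.168.1.0/24", "10.10.0.0/24")` reports that AllowedIPs does not cover the router LAN; adding 192.168.1.0/24 to the AllowedIPs line clears it.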

I had a similar issue and created an IP group for my WireGuard network, in my case 192.168.3.0/24 and then added firewall rules for the networks I wanted it to access. Worked well for me, your mileage may vary.

How are you trying to access the machines? I've found that when using WireGuard, I can use Remote Desktop over a WireGuard tunnel with no problems, but cannot access files shared via SMB by the IP address. The fix is actually the Windows firewall that is blocking the connections. Disable it and retest. If the issue is resolved, there is a subnet setting in the Windows firewall to change to allow connections from any subnet and not just the local subnet.

I also uncheck the kill switch option in WireGuard when setting it up at home, just an FYI.

If you have explicit rules to allow access to the accounting network (192.168.0.1), then you need explicit rules for the VPN subnet as well. If you allow all source traffic bound for 192.168.0.1 into the LAN, and all source traffic bound for 192.168.0.1 out of the LAN, then traffic sourced from 192.168.0.1 bound for the VPN subnet also needs to be allowed, both IN and OUT of the LAN.