OPNsense Forum » English Forums » 24.7 Production Series » Help Needed with WireGuard Full-Tunnel VPN on OPNsense
Topic: Help Needed with WireGuard Full-Tunnel VPN on OPNsense (Read 89 times)
DoubleSpeed
Newbie
Posts: 8
Karma: 0
Help Needed with WireGuard Full-Tunnel VPN on OPNsense « on: November 28, 2024, 02:29:32 pm »
Hi all,
I’m setting up a WireGuard VPN on OPNsense and aiming for full-tunnel functionality. My goal is for remote clients to:
Browse the internet using the home office public IP.
Access LAN devices (192.168.1.0/24).
Issues:
When I set 0.0.0.0/0 as the Allowed IPs for the WireGuard peer, LAN devices lose internet access entirely. Reverting to 10.0.0.2/32 restores LAN internet but prevents full-tunnel VPN functionality.
Although UDP traffic is allowed on port 51820, the WireGuard handshake still intermittently fails.
What I’ve Configured:
WireGuard Subnet: 10.0.0.0/24.
Firewall Rules:
WAN: UDP port 51820 open.
WireGuard (Group): Traffic allowed to LAN and Any (Internet).
NAT: Hybrid Outbound with NAT rule for WireGuard subnet (10.0.0.0/24 → WAN Address).
DNS: Public DNS for VPN clients (e.g., 1.1.1.1).
Questions:
Why does setting 0.0.0.0/0 for the peer’s Allowed IPs disrupt LAN internet access?
What could cause the WireGuard handshake to fail even though UDP is allowed on the WAN interface?
Any guidance or pointers would be much appreciated. Let me know if I should share specific details or logs.
Thanks in advance!
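The first question in the post (why 0.0.0.0/0 as the peer's Allowed IPs on the OPNsense side kills LAN internet access) comes down to how WireGuard uses Allowed IPs: the list is not an access list but the peer's routing table ("cryptokey routing"). An outgoing packet goes to the peer whose Allowed IPs prefix is the longest one covering the destination, and OPNsense also installs a kernel route for each prefix unless route installation is disabled on the instance. So 0.0.0.0/0 on the server's peer entry turns the remote client into the default gateway for everything the firewall forwards, LAN traffic included. The model below is an added illustration, not code from the poster, OPNsense or WireGuard; the peer names "laptop" and "opnsense" and the LAN host 192.168.1.50 are constructed, the other addresses are the ones from the post.

```python
"""Toy model of WireGuard cryptokey routing (added illustration, not OPNsense
or WireGuard code).  Each peer carries a list of AllowedIPs prefixes; an
outgoing packet is handed to the peer with the longest prefix that matches its
destination, and a destination no peer claims stays out of the tunnel."""

import ipaddress
from typing import Optional

LAN_HOST = "192.168.1.50"   # constructed sample device on the poster's LAN
VPN_CLIENT = "10.0.0.2"     # the remote peer's tunnel address from the post
INTERNET_HOST = "1.1.1.1"   # the poster's example public DNS server


def select_peer(peers: dict[str, list[str]], dst: str) -> Optional[str]:
    """Return the name of the peer whose AllowedIPs has the longest prefix
    covering dst, or None when no peer claims it (packet bypasses the tunnel)."""
    addr = ipaddress.ip_address(dst)
    best: Optional[tuple[int, str]] = None
    for name, prefixes in peers.items():
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix, strict=False)
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, name)
    return best[1] if best else None


def lan_internet_path(server_peers: dict[str, list[str]]) -> str:
    """Where a LAN host's packet to the internet ends up on the OPNsense side:
    'wan' when no peer claims it, otherwise the peer that swallows it."""
    peer = select_peer(server_peers, INTERNET_HOST)
    return "wan" if peer is None else peer


# Server-side peer entry as the poster first had it.  0.0.0.0/0 on the
# *server* means every destination, including 1.1.1.1 from a LAN device,
# is routed to the laptop peer, so LAN internet traffic vanishes into the tunnel.
SERVER_BROKEN = {"laptop": ["0.0.0.0/0"]}

# Server-side peer entry that works: only the client's own tunnel address,
# which is exactly the 10.0.0.2/32 setting the poster reverted to.
SERVER_FIXED = {"laptop": ["10.0.0.2/32"]}

# Client side is where 0.0.0.0/0 belongs.  The client's only peer is the
# OPNsense instance, so both internet and 192.168.1.0/24 traffic is tunnelled,
# which is the full-tunnel behaviour the poster is after.
CLIENT_FULL_TUNNEL = {"opnsense": ["0.0.0.0/0"]}


if __name__ == "__main__":
    print("server peer 0.0.0.0/0  -> LAN internet via:", lan_internet_path(SERVER_BROKEN))
    print("server peer 10.0.0.2/32 -> LAN internet via:", lan_internet_path(SERVER_FIXED))
    print("client -> 192.168.1.50 via:", select_peer(CLIENT_FULL_TUNNEL, LAN_HOST))
    print("client -> 1.1.1.1 via:", select_peer(CLIENT_FULL_TUNNEL, INTERNET_HOST))
```

The same table is applied in the other direction: a packet arriving from a peer is dropped unless its source address is inside that peer's Allowed IPs, so 10.0.0.2/32 on the server both keeps LAN traffic off the tunnel and makes sure the client can only inject packets sourced from its own tunnel address. Full-tunnel is therefore a client-side setting (0.0.0.0/0 in the client's peer entry plus the outbound NAT rule the post already has); the server-side peer entry should list just the client's tunnel address, or additional /32s or subnets behind that client if it routes a network of its own.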
DoubleSpeed
Newbie
Posts: 8
Karma: 0
Re: Help Needed with WireGuard Full-Tunnel VPN on OPNsense « Reply #1 on: November 28, 2024, 06:24:42 pm »
This appears to be working now. I'm not sure what the issue was; it started working after I applied changes, so I'm not totally sure where the issue was.
My question now is, did I need to apply the firewall rules that I added to try to get this going, or should it have worked anyway without these? Should I rewind and remove the rules, or am I OK to leave them in place? What is the best practice on this?
Firewall Rules:
WAN: UDP port 51820 open.
WireGuard (Group): Traffic allowed to LAN and Any (Internet).
NAT: Hybrid Outbound with NAT rule for WireGuard subnet (10.0.0.0/24 → WAN Address).
DNS: Public DNS for VPN clients (e.g., 1.1.1.1).