I have finally gotten RW clients working via Wireguard. “Allowed Subnets” is set to “0.0.0.0/0” for these clients. They can reach the local subnets, and the internet through the IPFire machine. However, this IPFire machine has an IPSec N2N tunnel established to a remote office. Everything works with the IPSec tunnel, namely local clients on green and blue can reach it, and all traffic is happily going where it ought to.
HOWEVER, the clients connected to IPFire via Wireguard cannot reach the far side of the IPSec tunnel. I am tempted to add some firewall rules to allow this traffic, but prior discussions surrounding Wireguard indicate that this should not be needed.
Any ideas of why this traffic is not being allowed?
Never mind. I had found the correct solution before posting my question, but I had mistyped the subnet when implementing it, and that prevented it from working.
If anyone needs Wireguard clients to be able to reach the far side of an IPSec tunnel, you need to add the Wireguard subnet (aka Client Pool) into the definition for the IPSec Tunnel on both ends. So, on the machine hosting the Wireguard clients, edit the IPSec tunnel you wish them to be able to use, and add the Wireguard subnet to the “Local Subnets” field. Separate it from the existing local subnet entry using a comma. Then, do the same on the remote end, but add it to the “Remote Subnet” field.
Save both configurations and then the traffic selectors for IPSec should be configured properly to allow the traffic to pass.
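The fix above hinges on the IPsec traffic selectors on both ends covering the WireGuard client pool, and a single mistyped subnet on either side (the very mistake described earlier) silently breaks it. The following check is an added example, not code from IPFire or from the original poster: it models the "Local Subnets" / "Remote Subnet" fields of a net-to-net tunnel on both ends and reports whether a WireGuard client can traverse it. The addresses, the "hub"/"branch" names, and the pool values are constructed assumptions.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the post):
# "hub" is the IPFire box hosting the WireGuard clients, "branch" the remote office.
WG_CLIENT_POOL = "10.20.0.0/24"   # WireGuard "Client Pool" on the hub
HUB_LAN = "192.168.1.0/24"        # hub green network
BRANCH_LAN = "192.168.2.0/24"     # remote office LAN

# IPsec N2N tunnel definitions as typed into the "Local Subnets" / "Remote Subnet"
# fields on each end, comma separated the way the web UI expects them.
HUB_BEFORE = {"local": HUB_LAN, "remote": BRANCH_LAN}
BRANCH_BEFORE = {"local": BRANCH_LAN, "remote": HUB_LAN}

HUB_FIXED = {"local": f"{HUB_LAN},{WG_CLIENT_POOL}", "remote": BRANCH_LAN}
BRANCH_FIXED = {"local": BRANCH_LAN, "remote": f"{HUB_LAN},{WG_CLIENT_POOL}"}

# Same as FIXED, but with the pool mistyped on the branch end (10.2.x instead of 10.20.x).
BRANCH_TYPO = {"local": BRANCH_LAN, "remote": f"{HUB_LAN},10.2.0.0/24"}


def parse_subnets(field):
    """Split a comma-separated subnet field into ip_network objects.

    A malformed entry (e.g. '10.20.0.0/42') raises ValueError instead of being
    silently dropped, so a typo is caught rather than ignored."""
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in field.split(",") if s.strip()]


def selectors(tunnel):
    """Return the (local, remote) traffic-selector lists for one end of the tunnel."""
    return parse_subnets(tunnel["local"]), parse_subnets(tunnel["remote"])


def covered(src_ip, dst_ip, local, remote):
    """True if a packet src->dst matches some local/remote selector pair on this end."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in l and dst in r for l in local for r in remote)


def check_tunnel(hub, branch, wg_pool, branch_lan):
    """Return a list of problems; an empty list means a WireGuard client can use the tunnel.

    Three things are checked: the two ends mirror each other, a packet from a
    WireGuard client to the branch LAN matches a selector pair on the hub, and
    the reply matches a selector pair on the branch."""
    problems = []
    hub_local, hub_remote = selectors(hub)
    br_local, br_remote = selectors(branch)

    if set(hub_local) != set(br_remote):
        problems.append(f"hub local {sorted(map(str, hub_local))} != "
                        f"branch remote {sorted(map(str, br_remote))}")
    if set(hub_remote) != set(br_local):
        problems.append(f"hub remote {sorted(map(str, hub_remote))} != "
                        f"branch local {sorted(map(str, br_local))}")

    # Representative hosts: the second pool address (the first is usually the
    # WireGuard interface itself) and the first branch LAN address.
    wg_client = str(list(ipaddress.ip_network(wg_pool).hosts())[1])
    branch_host = str(list(ipaddress.ip_network(branch_lan).hosts())[0])
    if not covered(wg_client, branch_host, hub_local, hub_remote):
        problems.append(f"hub has no selector for {wg_client} -> {branch_host}")
    if not covered(branch_host, wg_client, br_local, br_remote):
        problems.append(f"branch has no selector for {branch_host} -> {wg_client}")
    return problems


if __name__ == "__main__":
    for label, hub, branch in (("before", HUB_BEFORE, BRANCH_BEFORE),
                               ("fixed", HUB_FIXED, BRANCH_FIXED),
                               ("typo", HUB_FIXED, BRANCH_TYPO)):
        print(label, check_tunnel(hub, branch, WG_CLIENT_POOL, BRANCH_LAN) or "OK")
```

Traffic that matches no selector pair is simply not sent through the tunnel, which is why the "before" configuration fails without any firewall rule being involved, and why the mistyped "typo" variant fails on the return path even though the hub side looks correct.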