@Ethan-TP 

Here you go:

As for the question - correct. Once connected, local devices can be pinged, RDP'd or SSH'd to. Can't say the same about the WAN.

Also, if I connect (say SSH) into a server that's reachable and try to reach WAN that way, it also doesn't work.

  @Ethan-TP 

Here's a screencap from phone's WG app.

Going from the top:
Name / Pubkey / Address / DNS servers / MTU

//

Pubkey / Allowed IPs / Endpoint / Connection keepalive

As for the LAN devices, I'm not sure what kind of information would you like to get. Overall most things are present in 192.168.1.0/24 subnet, have 24 mask set, use default gateway & two local DNS servers. Nothing fancy. Unless this is about something else, then please clarify, so I may provide the information you need.

  @Ethan-TP 

I'm afraid that the DNS settings don't really matter. Whether I set the local DNS server, some widely available one, like 8.8.8.8 or anything similar or just leave the entry empty, it doesn't work. It's not a DNS problem in itself, as I can query different servers about a particular domain (e.g.: nslookup somedomain[dot]com 8.8.8.8). It's that the ping doesn't work and, as a whole, if I try to open a website in browser, I get timeout - both locally and on the jumphosts. And if I try to connect to some site via IP, I don't get the usual "cert problem" (because I've used IP instead of domain name) - I get a timeout. Once I drop out from the VPN, everything goes back to normal.

The subnet that the WG is assigned to has nothing to do with the subnet pools that I use on my network.

I've tested that on both an Android-based device as well as a laptop (Windows-based). Same result.

  @Ethan-TP 

Indeed, I can confirm that setting it up that way makes things work. Thank you for your help.

Now, thing is, I'd like to understand *why* it has to be configured that way?

If I put 0.0.0.0/0 then I can reach everything on the LAN but no WAN.

If I put only the client IP (here: 10.17.0.2), I can reach both LAN and WAN.

So what does that option actually do, I wonder? If nothing would work with the first pool and then everything would with just the IP, I'd guess there's some reverse logic applied, but that's clearly not the case here. The configuration on the client seems to be irrelevant (or at least should be, somewhat), because having some kind of limited access to e.g. LAN should not be circumvented if I set up 0.0.0.0/0 on the client.

What if:

A) I wanted to set up it that way, so a client could use just WAN that way but have no way of reaching the devices on the LAN?

B) I needed to give access to WAN and 2 subnets (say: 10.0.45.0/24 & 192.168.72.0/24)?

C) I had to set up a specific range of external IPs (connect to a location and then be able to reach certain, known IPs from there but nothing else)?

D) I wished for the client to use the local DNS (e.g. 10.0.0.30) and have access to the WAN but nothing else?

And how does the client configuration (that's clearly not hardcoded and can be changed at any point in time) affect what I can actually get access to?

Does the option to "exclude private IPs" block LAN access? If so, shouldn't that be done server-side, so that client couldn't reach local devices if we don't want that to happen?

I'm showering you with questions here, but I'd really like to understand how this works.