Forum Discussion

m3ei
Copper Contributor
Aug 25, 2025

Defender Firewall Settings to allow remote WireGuard VPN users to access SMB share on Windows host

Upfront note: our current "server" is Windows 10 but it will be replaced with a Windows 11 Pro machine in a few weeks. I'm hoping there aren't many (if any) differences in Firewall between 10 and 11, but if there are I'd like to know what I may need to do differently on 11.

We have an office LAN on subnet 192.168.7.0/24. We have a Windows 10 box acting as a "file server" with some shares defined. This is peer-to-peer, there is no local Active Directory domain or Entra. The server is not running any 3rd-party security software, just the basic Windows Defender suite, including Windows Defender Firewall.

This server has File and Printer Sharing enabled, which (as I understand it) creates or modifies some incoming rules in Firewall.

On their LAN computers at the office, staff run a Windows CMD script with the active ingredient something like this:

net use j: \\ServerName\ShareName /persistent:y

That works great.

We just replaced the office's ISP-supplied border router with a Ubiquiti UniFi Express 7 (UX7). On it we configured a WireGuard server and (so far) one client for test purposes. Each client, when connected, is assigned a unique IP on 192.168.2.0/24. The VPN works as expected.

However, when at a remote location and connected via WireGuard, connecting to LAN server SMB shares no longer works (by default).

The LAN server has its firewall enabled on all 3 profiles: Domain, Private and Public. Only the Private profile is active. If we temporarily disable the firewall on its Private profile, remote users can connect to the shares (using the code above).

So, something in the Private firewall profile on the LAN server is blocking SMB traffic from remote locations via a WireGuard VPN connection, but allows the same traffic from the office LAN.

Thanks for your attention - any ideas appreciated!
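An added example (mine, not the poster's and not Microsoft's): a PowerShell script that shows which enabled inbound rules on the file server allow TCP 445 (SMB) and what remote-address scope each one carries, and, only when run with -Apply, widens that scope to the WireGuard client subnet instead of switching the Private profile off. It assumes, as a hypothesis the thread does not confirm, that the built-in File and Printer Sharing (SMB-In) rule is scoped to LocalSubnet, which would exclude 192.168.2.0/24 while still admitting the office LAN; the $VpnSubnet value is the one given in the post, and the script needs an elevated prompt on the server.

```powershell
# Added example, not code from the thread. Inspect, and optionally extend, the remote-address
# scope of inbound SMB rules on a Windows Defender Firewall host.
# Assumption (mine): the default SMB-In rule is scoped to LocalSubnet, so VPN clients on
# 192.168.2.0/24 fall outside it. Run elevated on the file server.
[CmdletBinding()]
param(
    [string]$VpnSubnet = '192.168.2.0/24',   # WireGuard client pool named in the post
    [switch]$Apply                            # without -Apply the script only reports
)

# 1. Confirm which profile is active on the LAN adapter and that its firewall is on.
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory
Get-NetFirewallProfile -Name Private | Select-Object Name, Enabled, DefaultInboundAction

# 2. Collect enabled inbound allow rules whose port filter covers TCP 445.
$smbRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'TCP' -and ($pf.LocalPort -contains '445')
    }

# 3. Report each rule with its profile and remote scope; 'LocalSubnet' alone means
#    hosts on 192.168.7.0/24 get in but VPN peers on 192.168.2.0/24 do not.
foreach ($rule in $smbRules) {
    $addr = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        DisplayName   = $rule.DisplayName
        Profile       = $rule.Profile
        RemoteAddress = ($addr.RemoteAddress -join ', ')
    }
}

# 4. Optionally add the VPN subnet to the scope of rules that apply to the Private profile.
if ($Apply) {
    foreach ($rule in $smbRules) {
        if ($rule.Profile -notmatch 'Private|Any') { continue }
        $addr = $rule | Get-NetFirewallAddressFilter
        if ($addr.RemoteAddress -contains $VpnSubnet) { continue }
        # Set-NetFirewallRule -RemoteAddress replaces the scope, so pass the union explicitly
        # to keep LocalSubnet (the office LAN) alongside the VPN subnet.
        $newScope = @($addr.RemoteAddress) + $VpnSubnet
        Set-NetFirewallRule -Name $rule.Name -RemoteAddress $newScope
        Write-Host "Added $VpnSubnet to the remote scope of '$($rule.DisplayName)'"
    }
}
```

Run it once without -Apply to see the scope column; if it reads LocalSubnet, that alone explains the symptom in the post (LAN works, VPN does not). Extending the scope to the one VPN subnet is narrower than disabling the profile or setting the scope to Any, and the change is reversible with the same cmdlet. From a connected VPN client, `Test-NetConnection -ComputerName ServerName -Port 445` confirms the port is reachable before retrying `net use`.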

1 Reply

  • m3ei
    Copper Contributor

    Follow-up:

    • We just replaced the old Windows 10 box with a new Windows 11 Pro "server"
    • Remote access to Windows shares on it through WireGuard VPN worked immediately (as expected)

    The old box was running Windows 10 Home, and for remote access had GoToMyPC installed. While troubleshooting this issue I noticed a bunch of "G2*" (GoToMyPC) incoming firewall rules were defined and active.

    The new machine has Pro, and with VPN capability GoToMyPC is no longer needed (using Windows RDC instead) and is not installed.

    Since with the new computer we no longer have this issue, it's not worth our time trying to figure out why we had it with the old one. But if anyone has this issue and the "server" has GoToMyPC installed, it might be worth investigating.
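An added example (mine, not the poster's): since the follow-up points at third-party inbound rules such as the "G2*" (GoToMyPC) set as a possible factor, this PowerShell script lists the enabled inbound allow rules on a host that Windows did not create itself, shows how wide each one's scope is, and can disable a name pattern for review. It rests on a heuristic that is my assumption, not a documented guarantee: built-in rules carry a Group value beginning with '@' (a resource-string reference), so rules without one came from installed software or manual creation. The 'G2*' pattern is the one named above.

```powershell
# Added example, not code from the thread. Audit inbound allow rules not created by Windows
# (e.g. the "G2*" GoToMyPC rules mentioned in the follow-up) and show their exposure.
# Heuristic assumption (mine): built-in rules have a Group starting with '@'.
[CmdletBinding()]
param(
    [string]$NamePattern = '*',     # e.g. 'G2*' to focus on the GoToMyPC rules from the post
    [switch]$DisableMatches         # disable the listed rules instead of only reporting
)

$thirdParty = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { $_.DisplayName -like $NamePattern -and -not ($_.Group -like '@*') }

$report = foreach ($rule in $thirdParty) {
    $addr = $rule | Get-NetFirewallAddressFilter
    $port = $rule | Get-NetFirewallPortFilter
    $app  = $rule | Get-NetFirewallApplicationFilter
    [pscustomobject]@{
        DisplayName   = $rule.DisplayName
        Profile       = $rule.Profile
        Protocol      = $port.Protocol
        LocalPort     = ($port.LocalPort -join ',')
        RemoteAddress = ($addr.RemoteAddress -join ',')
        Program       = $app.Program
        # A remote scope of 'Any' with no program restriction is the widest grant a rule can make.
        WideOpen      = ($addr.RemoteAddress -contains 'Any') -and ($app.Program -eq 'Any')
    }
}

# Widest rules first, so leftovers from uninstalled software stand out.
$report | Sort-Object -Property WideOpen -Descending | Format-Table -AutoSize

if ($DisableMatches -and $thirdParty) {
    # Disabling keeps the rule for later comparison; Remove-NetFirewallRule would delete it.
    $thirdParty | Disable-NetFirewallRule
    Write-Host "Disabled $(@($thirdParty).Count) rule(s) matching '$NamePattern'"
}
```

Running it with `-NamePattern 'G2*'` on a machine that still has GoToMyPC installed would show exactly what those rules admit, which is the check the follow-up suggests; comparing the report before and after uninstalling the software shows whether the rules were removed with it.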
