Development discussion of WireGuard
From: Robert Federle <wg@nrg-systems.de>
To: wireguard@lists.zx2c4.com
Subject: Wireguard blocks Canon document scanner on macOS Mojave
Date: Wed, 17 Jun 2020 10:30:01 +0200
Message-ID: <20200617085004.6E5651A10D2@srv1.nrg-systems.de>

We recently changed the VPN on a Mac computer running the latest 
10.14.6 macOS Mojave from OpenVPN to WireGuard and now we have to 
deal with a weird problem. We use a Canon MB5350 multifunction 
printer with integrated scanner unit in our office that is connected 
via Ethernet to our local network.

After the switch to WireGuard, we still can print but we cannot scan 
documents anymore, neither when initiated from the scanner 
application on the computer nor directly with the scan button on the 
Canon device. When the scan process is started, the Canon LJ Scan 
Utility2 on the Mac starts up and searches for a network scanner, but 
fails to succeed. It then shows an error message after a while saying 
that, besides several other options, the reason for the failure might be a 
blocked network connection. This is kind of confirmed by the console 
application on the Mac:

[00000494]  Processing: Bonjour Devices:(1) && Local Devices:(1)
[00000597]  (connectConnection) New Connection For Canon MB5300 series
[00001257]  Request Close Session On: Canon MB5300 series
[00000664]  Canon MB5300 series - Scanner Close Session (ICACommand)
[00000431]  Fatal - Command received was never executed
[00000494]  Processing: Bonjour Devices:(1) && Local Devices:(1)
[00000319]  Canon MB5300 series - Scanner Close Session (propertyUpdate)

As soon as we deactivate the VPN connection, the scanner starts working again.

There's no other firewall active nor any other software that could 
interfere with this connection. It never was an issue with OpenVPN 
and printing works fine with the active WireGuard VPN connection. The 
local network access to the printer and other local computers is 
enabled with the "Exclude private IPs" option set. Here's the client 
configuration:

[Interface]
PrivateKey = <PrivateKey>
Address = 10.0.0.2/16, fc00::2/96
DNS = 10.0.0.1, fc00::1

[Peer]
PublicKey = <PublicKey>
AllowedIPs = ::/0, 0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 
16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/3, 160.0.0.0/5, 
168.0.0.0/6, 172.0.0.0/12, 172.32.0.0/11, 172.64.0.0/10, 
172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9, 
192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15, 
192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 
194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, 10.0.0.2/32, fc00::1/128
Endpoint = <Global IP Address>:<Port>

According to wireguard.com, the latest WireGuard version on the App 
Store is 0.0.20200127-17, but the version we are using on Mojave is 
0.0.20191105 (16) with Go backend version 0.0.20191013. The App Store 
does not offer us an update to the newest version. Is that one for 
Catalina (10.15) only? The Canon software is up-to-date.

So, in my conclusion, WireGuard somehow blocks the incoming network 
connection from the Canon device while the VPN connection is active, 
but not completely as the scanner application on the Mac starts when I 
hit the scan button and printing over network is always possible.

Has anyone an idea why WireGuard blocks some local network traffic 
and how to fix this?

Robert Federle
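
Added example, not part of the original message: a Python check of which destinations the posted AllowedIPs list sends into the tunnel and which IPv4 ranges it leaves outside. The probe addresses are constructed (the printer's LAN address is an assumption), and the check models only WireGuard's AllowedIPs matching, not how macOS scopes link-local or multicast traffic to an interface.

```python
import ipaddress

# AllowedIPs copied from the [Peer] section of the configuration in the post.
ALLOWED_IPS = """
::/0, 0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3,
64.0.0.0/2, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, 172.0.0.0/12,
172.32.0.0/11, 172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7,
176.0.0.0/4, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16,
192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8,
194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, 10.0.0.2/32, fc00::1/128
"""
ALLOWED = [ipaddress.ip_network(p.strip()) for p in ALLOWED_IPS.split(",") if p.strip()]

# Constructed probe destinations (assumptions, except the DNS value from the post).
PROBES = {
    "192.168.1.50": "LAN printer (assumed address)",
    "224.0.0.251": "mDNS/Bonjour IPv4 multicast group",
    "ff02::fb": "mDNS/Bonjour IPv6 multicast group",
    "169.254.10.20": "IPv4 link-local host",
    "fe80::1": "IPv6 link-local host",
    "10.0.0.1": "DNS server from [Interface]",
}

def tunnel_route(dest):
    """Most specific AllowedIPs prefix covering dest, or None if dest is outside the tunnel."""
    addr = ipaddress.ip_address(dest)
    hits = [n for n in ALLOWED if n.version == addr.version and addr in n]
    return max(hits, key=lambda n: n.prefixlen, default=None)

def outside_tunnel(version=4):
    """Collapsed prefixes of one address family that no AllowedIPs entry covers."""
    remaining = [ipaddress.ip_network("0.0.0.0/0" if version == 4 else "::/0")]
    for net in (n for n in ALLOWED if n.version == version):
        nxt = []
        for r in remaining:
            if not net.overlaps(r):
                nxt.append(r)                       # r untouched by this entry
            elif not net.supernet_of(r):
                nxt.extend(r.address_exclude(net))  # carve net out of r
        remaining = nxt                             # fully covered r is dropped
    return list(ipaddress.collapse_addresses(remaining))

if __name__ == "__main__":
    for dest, label in PROBES.items():
        via = tunnel_route(dest)
        print(f"{dest:15} {label:36} -> {via if via is not None else 'outside tunnel'}")
    wide = [str(n) for n in outside_tunnel(4) if n.prefixlen <= 16]
    print("IPv4 outside AllowedIPs (/16 or wider):", ", ".join(wide))
    print("IPv6 outside AllowedIPs:", outside_tunnel(6) or "none")
```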
