Firewall and routing for the wireguard tunnel

I got a little lost in the configuration, and the server is three hours away. Hence this question.
I also want to understand WireGuard more deeply.

First of all: the tunnel is up now. It is only about routing and firewall.

The tunnel is up.
What routing and firewall rules do I need to get from the client network to the LAN of the server?

Current routing on the server:
Destination Gateway Genmask Flags Metric Ref Use Iface
default UG 0 0 0 eth0.2
* U 0 0 0 eth0.2
* U 0 0 0 vpn
* U 0 0 0 br-lan

Current routing on the client:
Destination Gateway Genmask Flags Metric Ref Use Iface
default UG 0 0 0 eth0.2
UGH 0 0 0 eth0.2
* U 0 0 0 eth0.2
* U 0 0 0 vpn
* U 0 0 0 br-lan

Firewall server
VPN interface in a zone with LAN
IPv4 and IPv6 from WAN to this device accept

Firewall Client
VPN interface in a zone with WAN and WAN6
no special rule for WireGuard

config route
        option target ''
        option netmask ''
        option interface 'vpn'

For the firewall: allow LAN to the zone the VPN is in. It also depends on whether that zone has masquerade enabled.


Thanks for the route. When I saw it, it seemed quite logical to me right away.

I am not sure about the firewall:
Both devices server and client have masquerade enabled for LAN.

On the client side I guess the masquerade has no influence, since the VPN device is in the WAN zone.

On the server side I am not sure. On the server side the VPN device is in the LAN zone.
Do I still have to set something in the firewall?

After entering it in LuCI, the route looks like this:

config route
   option interface 'vpn'
   option target ''
   option type 'anycast'

I think it is the same?

Routing can also be done by using the Allowed IPs of the WireGuard peer, so that you do not need the separate routing rule.
But make sure you enable/tick Route Allowed IPs.

If you want to route everything through the tunnel, then use for Allowed IPs:
If you only want traffic for the server to route via the tunnel, then use for Allowed IPs:
respectively the server's subnet and the WG subnet.

Masquerading on the LAN interface can be useful on the server side, because your clients on the LAN can have their own firewall and will not allow traffic from the WG subnet.
(Drawback: you lose logging and access control.)

It still does not work:

The current status:

  • the tunnel is up
  • from the WireGuard client no connections to the WireGuard server are possible
  • also from all devices behind the WireGuard client no connection is possible

How is it with NAT? At the WireGuard client I have added the VPN interface to the firewall group with WAN. WAN is masked.

Should be unicast.

Typically it is set up with symmetric routing -- no NAT. Each side configures the other side's LAN as allowed_ips for the peer, and enables route_allowed_ips. It is necessary that all the IP ranges involved do not overlap. The IP ranges proposed in the original post are OK.

The simplest firewall configuration is to place the tunnel in the lan zone on both ends. This assumes that everything in both LANs is trustworthy. Do that initially to get it working. Later, if you want to block some things in the firewall, you can convert to a separate zone, which also requires adding forwarding rules. The zone containing the tunnel should usually allow input so you can log into the remote router itself on its tunnel IP.
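As an added example (not code from this thread or from OpenWrt), a small Python helper that derives the symmetric allowed_ips each side must configure for its peer, checks that the two LANs and the WG subnet do not overlap, and renders the matching UCI peer section with route_allowed_ips enabled. The addresses are constructed samples, and the key placeholder in the UCI output is an assumption to be filled in by the admin.

```python
from ipaddress import ip_network, ip_interface
from itertools import combinations

# Constructed sample addressing: each site has a LAN and a host address on the
# shared WG subnet. Symmetric, NAT-free routing requires that none of these overlap.
SITES = {
    "server": {"lan": "192.168.10.0/24", "tunnel": "10.99.0.1/24"},
    "client": {"lan": "192.168.20.0/24", "tunnel": "10.99.0.2/24"},
}

def check_no_overlap(sites):
    """Return the (name_a, name_b) pairs of ranges that overlap; empty means OK."""
    ranges = [(f"{name} lan", ip_network(s["lan"])) for name, s in sites.items()]
    # every site's tunnel address should sit in the same WG subnet; list it once
    wg_subnets = {ip_interface(s["tunnel"]).network for s in sites.values()}
    ranges += [("wg subnet", n) for n in sorted(wg_subnets)]
    return [(a, b) for (a, na), (b, nb) in combinations(ranges, 2) if na.overlaps(nb)]

def allowed_ips(local, sites):
    """AllowedIPs that `local` sets for its single peer (the other site):
    the peer's tunnel host address plus the peer's LAN, so traffic to that
    LAN is routed into the tunnel once route_allowed_ips is enabled."""
    (peer, p), = [(n, s) for n, s in sites.items() if n != local]
    host = ip_interface(p["tunnel"]).ip
    return [f"{host}/32", str(ip_network(p["lan"]))]

def uci_fragment(local, sites, iface="vpn"):
    """Render the OpenWrt UCI peer section for `local`; the public key is a
    placeholder (assumption) and must be replaced with the real peer key."""
    lines = [f"config wireguard_{iface}",
             "\toption public_key '<PEER_PUBLIC_KEY>'",
             "\toption route_allowed_ips '1'"]
    lines += [f"\tlist allowed_ips '{n}'" for n in allowed_ips(local, sites)]
    return "\n".join(lines)

if __name__ == "__main__":
    clashes = check_no_overlap(SITES)
    if clashes:
        raise SystemExit(f"overlapping ranges, fix addressing first: {clashes}")
    for site in SITES:
        print(f"# {site} side\n{uci_fragment(site, SITES)}\n")
```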