Firewall rule to only allow traffic to media server from wireguard client

I want external wireguard clients to access my media server (192.168.87.128) and only my media server.

I've set up a wireguard interface (wireguard_iface) and set up some clients on 10.17.242.1/24. I'd like to only allow access to my media server at 192.168.87.128.

On the client side, I've set up a split tunnel by setting AllowedIPs = 192.168.87.128/24, which works to get to the server and allows other internet traffic to go over the client's local WAN. However, I can still get to all other network resources on 192.168.87.1/24 from the client. If I set AllowedIPs = 192.168.87.128/32 in the client wireguard profile, it blocks all traffic except for accessing the media server, which I also don't want. So, questions:

  1. Can I setup a firewall rule to only allow access to my media server from my wireguard_iface?
  2. Is there a way to configure AllowedIPs on the client config to only access my media server but allow all other traffic not over the tunnel?

Most clients have a setting to stop traffic outside the tunnel; disable that, and all traffic besides 192.168.87.128 should use the default gateway and not the tunnel.

Right, this is already working in my case since AllowedIPs = 192.168.87.128/24. Unfortunately that config also allows access to other resources on my network, which I don't want.

You should set AllowedIPs to /32.
That way there is only a /32 route to that specific address.

Yes. You would remove the forward from your wireguard zone > lan zone (or if the wireguard network is currently in the lan zone, put it in a new zone and don't add any forwards). Then add a rule like this:

config rule
	option name 'WG Access Media Server'
	list proto 'all'
	option src 'wireguard'
	list dest_ip '192.168.87.128'
	option dest 'lan'
	option target 'ACCEPT'

This clearly may need to be adapted to properly reference the zones you have on your router.

If this doesn't work or you have additional questions, please post the following:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
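A complete server-side fragment for /etc/config/firewall that puts the rule from the reply above together with a dedicated zone, added here as an illustration and not taken from the original thread or from the OpenWrt project. It assumes the WireGuard interface is named wireguard_iface as in the question and that the LAN zone is named lan; the zone name wireguard and the REJECT default policies are assumptions. The point worth keeping in mind is that the client's AllowedIPs is under the client's control and is only a routing hint, so the rule below is what actually enforces the restriction: with no `config forwarding` section from wireguard to lan, the only path from the tunnel into the LAN is the explicit ACCEPT rule for the media server.

```uci
# Zone for the WireGuard interface. No "config forwarding" section names
# this zone as src, so by default nothing arriving on wireguard_iface is
# forwarded to any other zone (assumed zone name: wireguard).
config zone
	option name 'wireguard'
	list network 'wireguard_iface'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# The single exception: tunnel clients may reach the media server, and
# nothing else on the LAN. dest_ip is a list, so a second host could be
# added as another "list dest_ip" line without touching anything else.
config rule
	option name 'WG Access Media Server'
	option src 'wireguard'
	option dest 'lan'
	list dest_ip '192.168.87.128'
	option proto 'all'
	option target 'ACCEPT'
```

Two caveats. With `option input 'REJECT'` the tunnel clients cannot talk to the router itself (for example its DNS or LuCI), so if they need that, add a separate rule with `option src 'wireguard'` and no `dest`, limited to the ports required. And the rule is independent of the client configuration: a client with AllowedIPs = 192.168.87.128/32 simply does not route other LAN destinations into the tunnel, while a client that sets a wider AllowedIPs still gets rejected by the firewall for anything but 192.168.87.128. After editing the file, apply it with `/etc/init.d/firewall restart`.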