Firewall rule to only allow traffic to media server from wireguard client

I want external wireguard clients to access my media server (192.168.87.128) and only my media server.

I've set up a wireguard interface (wireguard_iface) and set up some clients on 10.17.242.1/24. I'd like to only allow access to my media server at 192.168.87.128.

On the client side, I've set up a split tunnel by setting AllowedIPs = 192.168.87.128/24, which works to get to the server and lets other internet traffic go over the client's local WAN. However, I can still get to all other network resources on 192.168.87.1/24 from the client. If I set AllowedIPs = 192.168.87.128/32 in the client wireguard profile, it blocks all traffic except for accessing the media server, which I also don't want. So, questions:

  1. Can I setup a firewall rule to only allow access to my media server from my wireguard_iface?
  2. Is there a way to configure AllowedIPs on the client config to only access my media server but allow all other traffic not over the tunnel?

Most clients have a setting to block traffic outside the tunnel; disable that, and all traffic other than to 192.168.87.128 will use the default gateway rather than the tunnel.

Right, this is already working in my case since AllowedIPs = 192.168.87.128/24. Unfortunately that /24 covers the whole 192.168.87.0/24 subnet, so the config also allows access to other resources on my network, which I don't want.

You should set AllowedIPs to /32.
That way the client only gets a /32 route to that specific address.

Yes. You would remove the forwarding from your wireguard zone to your lan zone (or, if the wireguard network is currently in the lan zone, move it into a new zone of its own and don't add any forwardings). Then add a rule like this:

config rule
	option name 'WG Access Media Server'
	list proto 'all'
	option src 'wireguard'
	list dest_ip '192.168.87.128'
	option dest 'lan'
	option target 'ACCEPT'

This may need to be adapted to reference the zones actually defined on your router; the example assumes a source zone named 'wireguard' and a destination zone named 'lan'.

If this doesn't work or you have additional questions, please post the following:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

Sorry for the late reply, I was distracted and forgot to respond. I'm a bit shy about using commands/configs to set up advanced routing rules; is there a way to do this via LuCI? If we do implement it via a config file, will that be reflected in LuCI? Anyway, here it is:

# ubus call system board
{
        "kernel": "5.15.167",
        "hostname": "OpenWrt",
        "system": "Intel(R) Celeron(R) N5105 @ 2.00GHz",
        "model": "Default string Default string",
        "board_name": "default-string-default-string",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.5",
                "revision": "r24106-10cc5fcd00",
                "target": "x86/64",
                "description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
        }
}
# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd93:3a24:31fb::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'eth2'
        list ports 'eth3'
        list ports 'eth4'
        list ports 'eth5'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.87.1'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config device
        option name 'eth2'

config interface 'wireguard_iface'
        option proto 'wireguard'
        option private_key 'xyz'
        option listen_port '4500'
        list addresses '10.17.242.1/24'

config wireguard_wireguard_iface
        option description 'wills_iphone'
        option public_key 'xyz'
        option private_key 'xyz'
        option preshared_key 'xyz'
        list allowed_ips '10.17.242.2/32'
        option route_allowed_ips '1'

config wireguard_wireguard_iface
        option description 'barron_new'
        option public_key 'xyz'
        option private_key 'xyz'
        option preshared_key 'xyz'
        list allowed_ips '10.17.242.3/32'
        option route_allowed_ips '1'

config wireguard_wireguard_iface
        option description 'wills-chromebook'
        option public_key 'xyz'
        option private_key 'xyz'
        option preshared_key 'xyz'
        list allowed_ips '10.17.242.4/32'
        option route_allowed_ips '1'
# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list network 'lan'
        list network 'wireguard_iface'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'rdp workstation'
        option src 'wan'
        option src_dport '3389'
        option dest_ip '192.168.87.100'
        option dest_port '3389'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'torrenttest'
        option src 'wan'
        option src_dport '49939'
        option dest_ip '192.168.87.128'
        option dest_port '49939'
        list proto 'tcp'
        list proto 'udp'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'wireguard'
        list proto 'udp'
        option src 'wan'
        option src_dport '4500'
        option dest_ip '10.17.242.1'
        option dest_port '4500'