Firewall setting for wireguard client and server at the same interface

Hello fellas,

Based on the openwrt official guide:,, I should add wireguard to the wan zone when configuring a client, and add it to the lan zone when configuring a server, but as far as I know, there should not be the concept of server or client for wireguard, everything should be considered a peer, right?

Can someone please explain what is the best practice firewall setting for a wireguard peer?

I intend to add peers from 3 other different locations (and do the same for them as well, everyone has a public IPv4 address and an openwrt router as gateway), making a huge intranet for my larger family who lives at different places.

Cheers! Any help is appreciated!

The recommendations given are based on the relative security of the peer you'll be connecting to. For a site to site VPN between trusted LANs, which seems to be what you're suggesting you'll be doing, then you can add the interface to the LAN zone.

If on the other hand you were connecting to a commercial endpoint to route your own internet traffic then you should use the WAN zone so traffic passes through the firewall like any other internet sourced traffic.


The P2P model is typically problematic to implement due to lack of public IPs resulting in limited connectivity, so in most cases it is degraded to client-server model.


Thank you for the swift and clear answer! It works!

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.