Help with the firewall setup for WireGuard (LuCI)

Dear community,

First of all, I'm no expert in networking. That being said, a while ago I set up WireGuard with its firewall rules for the office network in order to access the IP cameras (it's working fine). Now, I did the same for my home network but, since I didn't remember what tutorial I followed before, I just copied the same configuration from my office router. The thing is that I don't know if these firewall rules are okay to manage the VPN traffic. I suspect there's something wrong, although I can connect just fine, but I'm concerned about security. Is it possible that you could lend me a hand?

Here's my current setup:

I have no port forwarding rules.

Any help will be appreciated! Thanks :smiley:

See this tutorial on setting up WireGuard in OpenWrt using LuCI -

Thanks for your reply! Well, I'm not using a VPN provider, I just want to access the IP cameras at the office. I just can't figure out the firewall part. I mean, I can copy the same configuration, but can someone please explain to me the details about it? Also, would a site-to-site VPN be more beneficial for my case?

Since I don't read 3rd links, and you asked about firewalling...

You have the zone setup...

First of all...you allow the VPN to connect to your network...and route to the Internet. This doesn't match with your statement:

  • In this configuration, your office can reach you and [maybe] use your Internet connection.
  • Also, you allow your ISP connection to forward to your office WG VPN!?!?

Since there are manuals on the firewall, zones, etc. and your config doesn't match...maybe you should describe what you desire?

I hope that helps secure your WG zone.

  • Edit the WG zone and remove forwarding TO LAN and WAN (the requests from LAN will establish an allowed connection)
    • Also edit WAN and remove forward from WG
  • Change input and forward to DROP
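As an added check (not from the thread, OpenWrt or LuCI), a small script that reads a `/etc/config/firewall` fragment and flags the points above: the VPN zone forwarding into LAN/WAN, WAN forwarding into the VPN zone, and zone input/forward not set to DROP. The zone name `wg` and both sample configs are constructed assumptions.

```python
import re
# Audits an OpenWrt /etc/config/firewall for the WireGuard-zone points made above. Hypothetical
# helper written for this page, not OpenWrt's or the poster's; zone name 'wg' and samples are constructed.
def parse_uci(text):
    """Minimal UCI reader: [(section_type, {option: value})]; 'list' lines are ignored."""
    sections = []
    for line in text.splitlines():
        if m := re.match(r"config\s+(\w+)", line.strip()):
            sections.append((m.group(1), {}))
        elif (m := re.match(r"option\s+(\w+)\s+'([^']*)'", line.strip())) and sections:
            sections[-1][1][m.group(1)] = m.group(2)
    return sections
def audit(text, vpn="wg"):
    """Return a list of findings; an empty list means the zone follows the three bullets."""
    found = []
    for kind, o in parse_uci(text):
        if kind == "zone" and o.get("name") == vpn:
            for pol in ("input", "forward"):            # bullet 3: both zone policies DROP
                if o.get(pol) != "DROP":
                    found.append(f"zone {vpn}: {pol}={o.get(pol, 'unset')}, want DROP")
        elif kind == "forwarding":
            src, dest = o.get("src"), o.get("dest")
            if src == vpn and dest in ("lan", "wan"):   # bullets 1-2: tunnel must not initiate into LAN or WAN
                found.append(f"forwarding {vpn}->{dest}: remove; lan->{vpn} replies are stateful")
            if src == "wan" and dest == vpn:            # the "ISP forwards to WG" point raised above
                found.append(f"forwarding wan->{vpn}: remove")
    return found
# Constructed samples: WEAK is the copied-over zone as described (open in every direction);
# FIXED is the same zone after the three edits, keeping only the LAN-initiated direction.
WEAK = """config zone
    option name 'wg'
    option input 'ACCEPT'
    option forward 'ACCEPT'
config forwarding
    option src 'wg'
    option dest 'lan'
config forwarding
    option src 'wg'
    option dest 'wan'
config forwarding
    option src 'wan'
    option dest 'wg'"""
FIXED = """config zone
    option name 'wg'
    option input 'DROP'
    option forward 'DROP'
config forwarding
    option src 'lan'
    option dest 'wg'"""
```

Running `audit(WEAK)` lists five findings, `audit(FIXED)` none; point it at a real file with `audit(open("/etc/config/firewall").read())`.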

maybe you should describe what you desire?

I want to access the IP cameras from different devices. I also find it convenient to access the router web interface (LuCI), but I don't want to expose the whole connection, if that makes sense.

Thanks for your help!


I would probably set up a separate Guest/IoT network for the cameras, and limit access by client MAC address.

I did this but now I can't see the IP cameras feed or access the router's web interface. I can't even connect to the internet.

Do you request footage from a client, or do your cameras push footage to a server?

I request footage from the cameras. They're not connected to an NVR.

  • Show the updated config, plz
  • And you request footage from clients in LAN, correct?
    • and the cams are in wg?

By clients you mean the cameras?

The cameras are in the office network, so I'd say in the LAN zone, just like the other devices.

I'll post the config tomorrow because I'm at home and can't access the office router :sweat_smile:
But the setup is the same as the guide provided by IVPN.

???

I'm not sure which is correct - I wanted to verify that the configs I gave you were applied, as I noted in the writing.

:+1:

Sorry, I did what you said before and couldn't connect to the office network. Then I used the guide from IVPN to check if that could work, but nothing. So right now the wg zone is the same as the wan zone, and the lan zone forwards the destination packets to the wg zone. I also created a traffic rule (which is in the OpenWRT guide) like but I don't really know if that's necessary?

Okay here it is:

I'm trying to understand this but my knowledge about networking is very limited.

What are the SRC and DST IPs...do you have network conflicts in the addresses?

The zone config looks OK.

(Perhaps, we can also try - setting it so it works, then reviewing that config?)