Isolated wireguard instance requires creative firewall forwarding rules?

Has anyone set up isolated wireguard instances on OpenWRT? i.e. traffic sent from a node inside the wireguard network can only go to other nodes in the wireguard network; nothing can be routed/forwarded in or out to other zones like LAN or WAN. I have a working config but the firewall rule requirements have been a bit surprising.

Imagine the following setup:

  • Main router (OpenWRT)
    • Inside wireguard: 10.0.0.1
    • Wireguard listens to port X on WAN interface (public IP), all other peers connect here.
    • Responsible for routing packets between all remote devices
  • Remote device A
    • Inside wireguard: 10.0.0.10
    • Behind a NAT (anywhere in the world)
    • Connects to main router
  • Remote device B
    • Inside wireguard: 10.0.0.11
    • Behind a NAT (anywhere in the world)
    • Connects to main router
  • Remote device C
    • … etc …

I created a new firewall zone just for this wireguard interface:

config zone
        option name 'MyIsolatedFirewallZone'
        option input 'REJECT'
        option output 'REJECT'
        option forward 'ACCEPT'
        list network 'MyWireguardInterface'

This does NOT work. None of the peers can route to each other.

Instead I have to do EITHER one of the following:

config zone
        option name 'MyIsolatedFirewallZone'
        option input 'ACCEPT'   # <-----------------------
        option output 'ACCEPT'  # <-----------------------
        option forward 'ACCEPT'
        list network 'MyWireguardInterface'

OR

config zone
        option name 'MyIsolatedFirewallZone'
        option input 'REJECT'
        option output 'REJECT'
        option forward 'ACCEPT'
        list network 'MyWireguardInterface'

config rule
        option src 'MyIsolatedFirewallZone'
        option dest 'MyIsolatedFirewallZone'
        option name 'Route vpn->vpn'
        list proto 'all'
        option target 'ACCEPT'
        
config rule
        option src 'MyIsolatedFirewallZone'
        option name 'Route vpn->self'
        list proto 'all'
        option target 'ACCEPT'
        
config rule
        option dest 'MyIsolatedFirewallZone'
        option name 'Route self->vpn'
        list proto 'all'
        option target 'ACCEPT'

Question 1: I assume that both of these configs are NOT identical, the former config potentially allowing packets to enter/exit the zone from other zones?

Question 2: Why do I have to do this at all? Are the packets from (eg) node A → node B having to be decrypted, exit the wireguard interface, be routed back into the wireguard interface, and then re-encrypted again?

Question 3: Is there a tidier way of configuring this? Or perhaps I’m thinking about this wrong?

Question 4: EDIT: Isn’t the “intra-zone forward” setting supposed to help me here? Or is it a no-op setting on Wireguard interfaces? ie this line:

config zone
        option name 'MyIsolatedFirewallZone'
        option input 'REJECT'
        option output 'REJECT'
        option forward 'ACCEPT' # <--------------------------
        list network 'MyWireguardInterface'

No, not really; inter-zone forwarding is not allowed by default.

So you can set the server side for WireGuard at ACCEPT for all. OUTPUT is always necessary, FORWARD is necessary to allow traffic between your WireGuard peers, and INPUT can be restricted.

In which case the WireGuard peers can only connect to each other and not to your LAN, and will not have internet access via the WireGuard server.

My notes about setting up a WireGuard server: WireGuard Server Setup Guide
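The question and the answer above both turn on what each zone option actually governs in the OpenWrt firewall: `input` is traffic from the zone to the router itself, `output` is traffic from the router to the zone, `forward` is traffic forwarded within the zone (peer to peer here), and traffic between two different zones only exists when a `config forwarding` section (or an ACCEPT `config rule` with `src` and `dest` in different zones) creates it. The script below is an added example, not code from the thread or from OpenWrt: it parses the UCI text format quoted in the thread and reports, for a named zone, whether peers can reach each other, whether they can reach the router, and whether any path to another zone is declared. The sample configs are constructed from the fragments in the post (plus one deliberately leaky variant with a forwarding to `wan`), and the audit assumes an option counts as open only when it is explicitly `ACCEPT`; it reads the declared policy only and does not model what the running firewall generates.

```python
"""Audit an OpenWrt /etc/config/firewall fragment for WireGuard zone isolation."""
import re

ZONE = 'MyIsolatedFirewallZone'

# Constructed samples, modelled on the fragments quoted in the thread.
ISOLATED_ZONE = """
config zone
        option name 'MyIsolatedFirewallZone'
        option input 'REJECT'
        option output 'REJECT'
        option forward 'ACCEPT'
        list network 'MyWireguardInterface'
"""

OPEN_ZONE = """
config zone
        option name 'MyIsolatedFirewallZone'
        option input 'ACCEPT'   # <-----------------------
        option output 'ACCEPT'  # <-----------------------
        option forward 'ACCEPT'
        list network 'MyWireguardInterface'
"""

# The second alternative from the post: restrictive zone plus explicit rules.
RULE_ZONE = ISOLATED_ZONE + """
config rule
        option src 'MyIsolatedFirewallZone'
        option dest 'MyIsolatedFirewallZone'
        option name 'Route vpn->vpn'
        list proto 'all'
        option target 'ACCEPT'

config rule
        option src 'MyIsolatedFirewallZone'
        option name 'Route vpn->self'
        list proto 'all'
        option target 'ACCEPT'
"""

# Constructed leak: someone later added a forwarding from the VPN zone to WAN.
LEAKY_ZONE = ISOLATED_ZONE + """
config forwarding
        option src 'MyIsolatedFirewallZone'
        option dest 'wan'
"""

_TOKEN = re.compile(r"'[^']*'|\"[^\"]*\"|\S+")


def parse_uci(text):
    """Parse UCI text into a list of section dicts ('_type', '_name', options, lists)."""
    sections, current = [], None
    for raw in text.splitlines():
        tokens = []
        for tok in _TOKEN.findall(raw):
            if tok.startswith('#'):          # rest of the line is a comment
                break
            tokens.append(tok.strip("'\""))
        if not tokens:
            continue
        kw = tokens[0]
        if kw == 'config' and len(tokens) >= 2:
            current = {'_type': tokens[1], '_name': tokens[2] if len(tokens) > 2 else None}
            sections.append(current)
        elif current is None or len(tokens) < 3:
            continue
        elif kw == 'option':
            current[tokens[1]] = tokens[2]
        elif kw == 'list':
            current.setdefault(tokens[1], []).append(tokens[2])
    return sections


def audit_zone(text, zone):
    """Summarise what the declared policy allows for `zone` (explicit ACCEPT only)."""
    sections = parse_uci(text)
    zsec = next((s for s in sections if s['_type'] == 'zone' and s.get('name') == zone), None)
    if zsec is None:
        raise ValueError(f'zone {zone!r} not defined')
    rules = [s for s in sections if s['_type'] == 'rule' and s.get('target', '').upper() == 'ACCEPT']
    pairs = [(s.get('src'), s.get('dest')) for s in rules if s.get('src') and s.get('dest')]
    # Explicit inter-zone paths: forwarding sections, or rules spanning two zones.
    cross = [(s.get('src'), s.get('dest')) for s in sections
             if s['_type'] == 'forwarding' and zone in (s.get('src'), s.get('dest'))]
    cross += [p for p in pairs if zone in p and p[0] != p[1]]
    return {
        'peer_to_peer': zsec.get('forward', '').upper() == 'ACCEPT' or (zone, zone) in pairs,
        # A rule with src only lands in the INPUT chain (zone -> router).
        'peers_reach_router': zsec.get('input', '').upper() == 'ACCEPT'
                              or any(s.get('src') == zone and not s.get('dest') for s in rules),
        # A rule with dest only lands in the OUTPUT chain (router -> zone).
        'router_reaches_peers': zsec.get('output', '').upper() == 'ACCEPT'
                                or any(s.get('dest') == zone and not s.get('src') for s in rules),
        'cross_zone_paths': cross,
    }


def is_isolated(text, zone):
    """True when peers can reach each other and nothing else (router included)."""
    a = audit_zone(text, zone)
    return a['peer_to_peer'] and not a['peers_reach_router'] and not a['cross_zone_paths']


if __name__ == '__main__':
    for label, cfg in [('isolated', ISOLATED_ZONE), ('open', OPEN_ZONE),
                       ('rules', RULE_ZONE), ('leaky', LEAKY_ZONE)]:
        print(label, is_isolated(cfg, ZONE), audit_zone(cfg, ZONE))
```

Running it shows why Question 1's two configs differ: the all-ACCEPT zone (and the `Route vpn->self` rule in the second alternative) lets peers reach services on the router itself, which neither version needs for peer-to-peer traffic, while a path to LAN or WAN only appears when a forwarding or cross-zone rule names the VPN zone, which is the thing to grep for when someone later "fixes" connectivity on the router.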
