Question regarding firewall rules WireGuard

Hello Everybody,

I have a question regarding setting firewall rules for the WireGuard interface.
My VPN is provided by Mullvad and I installed the VPN using this tutorial: https://mullvad.net/nl/help/running-wireguard-router/
In the tutorial, at a certain point they create a new firewall zone called the WGZone and route the WireGuard traffic through there.
Now I found out that adding the WGInterface to the WAN/WAN6 firewall zone works just as well in setting up my VPN routing.
Now I was wondering what the difference is between those two, and which is the preferred method?

Greetings, Jasper

AFAIK the separate zone is not necessary, but you could use it for more fine-grained control.

2 Likes

Typically it is done to avoid leakage. You allow lan_wgzone forwarding, but drop lan_wan.
If you don't mind about that, or you allow some hosts to use the VPN and others the WAN, then you can keep them in the same wan zone.

1 Like
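
The difference between the two setups discussed in this thread is visible in which zones `lan` is allowed to forward to. The script below is an added example, not part of the thread or the Mullvad guide: it reads two constructed `/etc/config/firewall` excerpts (the names `WGZone` and `WGInterface` come from the question; the zone layout is assumed and reduced to the options the check reads) and lists every non-VPN interface that LAN traffic may still be forwarded out of.

```shell
# Added example; the zone layouts below are constructed, not taken from a real router.
# Constructed config A: WGInterface added to the existing wan zone.
SHARED="config zone
    option name 'lan'
    list network 'lan'
config zone
    option name 'wan'
    option network 'wan wan6 WGInterface'
config forwarding
    option src 'lan'
    option dest 'wan'"

# Constructed config B: separate WGZone, lan -> wan forwarding removed.
SEPARATE="config zone
    option name 'lan'
    list network 'lan'
config zone
    option name 'wan'
    option network 'wan wan6'
config zone
    option name 'WGZone'
    list network 'WGInterface'
config forwarding
    option src 'lan'
    option dest 'WGZone'"

# Print "zone:interface" for every non-VPN interface in a zone lan may forward to.
leak_paths() {  # $1 = firewall config text, $2 = VPN interface name
  printf '%s\n' "$1" | awk -v vpn="$2" -v q="'" '
    function save() {   # store the section that just ended
      if (type == "zone") zone[v["name"]] = nets
      if (type == "forwarding" && v["src"] == "lan") fwd[v["dest"]] = 1
    }
    { gsub("[" q "\"]", "") }                 # drop UCI value quoting
    $1 == "config" { save(); type = $2; nets = ""; split("", v); next }
    $2 ~ /^(name|src|dest)$/ { v[$2] = $3 }
    $2 == "network" { for (i = 3; i <= NF; i++) nets = nets " " $i }
    END {
      save()
      for (z in fwd) {
        n = split(zone[z], a, " ")
        for (i = 1; i <= n; i++) if (a[i] != vpn) print z ":" a[i]
      }
    }' | sort
}

echo "shared zone:   $(leak_paths "$SHARED" WGInterface | tr '\n' ' ')"
echo "separate zone: $(leak_paths "$SEPARATE" WGInterface | tr '\n' ' ')"
```

An empty result for a configuration means the firewall has no forwarding path from `lan` to anything but the tunnel, which is the "drop lan_wan" case described above.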