Question regarding firewall rules wireguard

Hello Everybody,

I have a question regarding setting firewall rules in regard to the wireguard interface.
My VPN is provided by Mullvad and I installed the VPN using this tutorial:
In the tutorial at a certain point they create a new firewall zone called the WGZone and route the Wireguard traffic through there.
Now I found out that adding the WGInterface to the WAN/WAN6 Firewall zone works just as well in setting up my VPN routing.
Now I was wondering what is the difference between those two, and which is the preferred method?

Greetings Jasper

AFAIK the separate zone is not necessary, but you could use it for more fine-grained control.


Typically it is done to avoid leakage. You allow lan_wgzone forwarding, but drop lan_wan.
If you don't mind about that, or you allow some hosts to use vpn and others the wan, then you can keep them in the same wan zone.

1 Like