Required firewall rules if "DROP" is default in zones?

I followed this tutorial : [OpenWrt Wiki] WireGuard routing all traffic;

it does the job, i can connect to internet through wireguard, but i can't connect to my router anymore (ping and ssh), what additional firewall rule should i add appart from the tutorial ?

i'm trying to do it by script for easy re-use / re-configure, here's the script :

#!/bin/sh

# parameters
wg_net="warp";
wg_zone="vpn";

wan_device="eth1";
lan_device="eth0";
lan_ipaddr="192.168.96.1";

log_tag="WARP";

#1. Config reading.

wireguard_config="$(find /etc/wireguard -mindepth 1 -type f -name "*.conf" | sort | head -n1)";
if [ -s "${wireguard_config:?}" ]; then
	echo "Reading config from ${wireguard_config:?}";
else
	echo "Could not find wireguard config in /etc/wireguard";
	exit 1;
fi;
private_key=$(cat "${wireguard_config:?}" | grep "^PrivateKey" | sed 's|[[:space:]]||g' | sed 's|[[:blank:]]||g' | sed 's|^PrivateKey=||g');
addresses=$(cat "${wireguard_config:?}" | grep "^Address" | sed 's|[[:space:]]||g' | sed 's|[[:blank:]]||g' | sed 's|^Address=||g');
dns_servers=$(cat "${wireguard_config:?}" | grep "^DNS" | sed 's|[[:space:]]||g' | sed 's|[[:blank:]]||g' | sed 's|^DNS=||g');
mtu=$(cat "${wireguard_config:?}" | grep "^MTU" | sed 's|[[:space:]]||g' | sed 's|[[:blank:]]||g' | sed 's|^MTU=||g');
# peer
public_key=$(cat "${wireguard_config:?}" | grep "^PublicKey" | sed 's|[[:space:]]||g' | sed 's|[[:blank:]]||g' | sed 's|^PublicKey=||g');
allowed_ips=$(cat "${wireguard_config:?}" | grep "^AllowedIPs" | sed 's|[[:space:]]||g' | sed 's|[[:blank:]]||g' | sed 's|^AllowedIPs=||g');
endpoint=$(cat "${wireguard_config:?}" | grep "^Endpoint" | sed 's|[[:space:]]||g' | sed 's|[[:blank:]]||g' | sed 's|^Endpoint=||g');
endpoint_host="${endpoint%\:*}";
endpoint_port="${endpoint##*\:}";
echo "";
echo "Private Key  : ${private_key:?}";
echo "Address      : ${addresses:?}";
echo "DNS          : ${dns_servers:?}";
echo "MTU          : ${mtu:?}";
echo "Public Key   : ${public_key:?}";
echo "Allowed IPs  : ${allowed_ips:?}";
echo "Endpoint     : ${endpoint:?}";
echo "";

##########################################################################
# NETWORK
##########################################################################

for old_wireguard_peer in $(uci show network | grep '=wireguard_' | cut -d'=' -f1 | sort -r); do
	echo "Delete wireguard peer [${old_wireguard_peer#*\.}]";
	echo "${log_tag}: Delete wireguard peer [${old_wireguard_peer#*\.}]">/dev/kmsg;
	uci del ${old_wireguard_peer};
	uci commit network;
done;

for old_interface in $(uci show network | grep '=interface' | cut -d'=' -f1 | sort -r); do
	echo "Delete network interface [${old_interface#*\.}]";
	echo "${log_tag}: Delete network interface [${old_interface#*\.}]">/dev/kmsg;
	uci del ${old_interface};
	uci commit network;
done;

for old_device in $(uci show network | grep '=device' | cut -d'=' -f1 | sort -r); do
	echo "Delete network device [${old_device#*\.}]";
	echo "${log_tag}: Delete network device [${old_device#*\.}]">/dev/kmsg;
	uci del ${old_device};
	uci commit network;
done;

echo "Create network device [br-lan]";
echo "${log_tag}: Create network device [br-lan]">/dev/kmsg;
uci add network device>/dev/null;
uci set network.@device[-1].name='br-lan';
uci set network.@device[-1].type='bridge';
uci add_list network.@device[-1].ports="${lan_device:?}";
uci commit network.@device[-1];

echo "Create network interface [loopback]";
echo "${log_tag}: Create network interface [loopback]">/dev/kmsg;
uci set network.loopback=interface;
uci set network.loopback.device='lo';
uci set network.loopback.proto='static';
uci set network.loopback.ipaddr='127.0.0.1';
uci set network.loopback.netmask='255.0.0.0';
uci commit network.loopback;

echo "Create network interface [lan]";
echo "${log_tag}: Create network interface [lan]">/dev/kmsg;
uci set network.lan=interface;
uci set network.lan.proto='static';
uci set network.lan.device='br-lan';
uci set network.lan.ipaddr="${lan_ipaddr:?}";
uci set network.lan.netmask='255.255.255.0';
uci set network.lan.delegate='0';
uci set network.lan.defaultroute='0';
uci commit network.lan;

echo "Create network interface [wan]";
echo "${log_tag}: Create network interface [wan]">/dev/kmsg;
uci set network.wan=interface;
uci set network.wan.proto='dhcp';
uci set network.wan.device="${wan_device:?}";
uci commit network.wan;

echo "Create network interface [${wg_net:?}]";
echo "${log_tag}: Create network interface [${wg_net:?}]">/dev/kmsg;
uci set network.${wg_net:?}=interface;
uci set network.${wg_net:?}.proto='wireguard';
uci set network.${wg_net:?}.private_key="${private_key:?}";
for a in ${addresses//\,/\ }; do uci add_list network.${wg_net:?}.addresses="${a}"; done;
uci commit network.${wg_net:?};

echo "Create wireguard peer [${wg_net:?}]";
echo "${log_tag}: Create wireguard peer [${wg_net:?}]">/dev/kmsg;
uci set network.wireguard_${wg_net:?}=wireguard_${wg_net:?};
uci set network.wireguard_${wg_net:?}.description="peer";
uci set network.wireguard_${wg_net:?}.public_key="${public_key:?}";
# uci set network.wireguard_${wg_net:?}.preshared_key="${preshared_key:?}";
uci set network.wireguard_${wg_net:?}.route_allowed_ips='1';
uci set network.wireguard_${wg_net:?}.endpoint_host="${endpoint_host:?}";
uci set network.wireguard_${wg_net:?}.endpoint_port="${endpoint_port:?}";
# uci set network.wireguard_${wg_net:?}.persistent_keepalive="${persistent_keepalive:?}";
for a in ${allowed_ips//\,/\ }; do uci add_list network.wireguard_${wg_net:?}.allowed_ips="${a}"; done;
uci commit network.wireguard_${wg_net:?};

##########################################################################
# DHCP
##########################################################################

#uci set dhcp.@dnsmasq[0].domainneeded='1';
#uci set dhcp.@dnsmasq[0].localise_queries='1';
#uci set dhcp.@dnsmasq[0].rebind_protection='1';
#uci set dhcp.@dnsmasq[0].rebind_localhost='1';
#uci set dhcp.@dnsmasq[0].local='/lan/';
#uci set dhcp.@dnsmasq[0].domain='lan';
#uci set dhcp.@dnsmasq[0].expandhosts='1';
#uci set dhcp.@dnsmasq[0].authoritative='1';
#uci set dhcp.@dnsmasq[0].readethers='1';
#uci set dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases';
#uci set dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.d/resolv.conf.auto';
#uci set dhcp.@dnsmasq[0].localservice='1';
#uci set dhcp.@dnsmasq[0].ednspacket_max='1232';
#for d in ${dns//\,/\ }; do uci add_list dhcp.@dnsmasq[0].server="${d}"; done;
#uci commit dhcp.@dnsmasq[0];

##########################################################################
# FIREWALL
##########################################################################

for old_forwading in $(uci show firewall | grep '=forwarding' | cut -d'=' -f1 | sort -r); do
	echo "Delete firewall forwarding [${old_forwading#*\.}]";
	echo "${log_tag}: Delete firewall forwarding [${old_forwading#*\.}]">/dev/kmsg;
	uci del ${old_forwading};
	uci commit firewall;
done;

for old_zone in $(uci show firewall | grep '=zone' | cut -d'=' -f1 | sort -r); do
	echo "Delete firewall zone [${old_zone#*\.}]";
	echo "${log_tag}: Delete firewall zone [${old_zone#*\.}]">/dev/kmsg;
	uci del ${old_zone};
	uci commit firewall;
done;

for old_rule in $(uci show firewall | grep '=rule' | cut -d'=' -f1 | sort -r); do
	echo "Delete firewall rule [${old_rule#*\.}]";
	echo "${log_tag}: Delete firewall rule [${old_rule#*\.}]">/dev/kmsg;
	uci del ${old_rule};
	uci commit firewall;
done;


# Firewall default

echo "Adjust firewall defaults";
echo "${log_tag}: Adjust firewall defaults">/dev/kmsg;
uci set firewall.@defaults[0].synflood_protect='1';
uci set firewall.@defaults[0].drop_invalid='1';
uci set firewall.@defaults[0].input='DROP';
uci set firewall.@defaults[0].output='DROP';
uci set firewall.@defaults[0].forward='DROP';
uci -q del firewall.@defaults[0].syn_flood;
uci commit firewall.@defaults[0];

# Firewall zones

echo "Create firewall zone [lan]";
echo "${log_tag}: Create firewall zone [lan]">/dev/kmsg;
uci add firewall zone>/dev/null
uci set firewall.@zone[-1].name='lan';
uci set firewall.@zone[-1].forward='DROP';
uci set firewall.@zone[-1].input='DROP';
uci set firewall.@zone[-1].output='DROP';
uci add_list firewall.@zone[-1].network='lan';
uci commit firewall.@zone[-1];

echo "Create firewall zone [wan]";
echo "${log_tag}: Create firewall zone [wan]">/dev/kmsg;
uci add firewall zone>/dev/null
uci set firewall.@zone[-1].name='wan';
uci set firewall.@zone[-1].forward='DROP';
uci set firewall.@zone[-1].input='DROP';
uci set firewall.@zone[-1].output='DROP';
uci set firewall.@zone[-1].masq='1';
uci set firewall.@zone[-1].mtu_fix='1';
uci add_list firewall.@zone[-1].network='wan';
uci commit firewall.@zone[-1];

echo "Create firewall zone [${wg_zone:?}]";
echo "${log_tag}: Create firewall zone [${wg_zone:?}]">/dev/kmsg;
uci add firewall zone>/dev/null
uci set firewall.@zone[-1].name="${wg_zone:?}";
uci set firewall.@zone[-1].forward='DROP';
uci set firewall.@zone[-1].input='DROP';
uci set firewall.@zone[-1].output='DROP';
uci set firewall.@zone[-1].masq='1';
uci add_list firewall.@zone[-1].network="${wg_net:?}";
uci commit firewall.@zone[-1];

# Firewall forwarding

echo "Create firewall forwarding [lan > ${wg_zone:?}]";
echo "${log_tag}: Create firewall forwarding [lan > ${wg_zone:?}]">/dev/kmsg;
uci add firewall forwarding>/dev/null
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest="${wg_zone:?}";
uci commit firewall.@forwarding[-1];

# Firewall rules

echo "Create firewall rule [Allow-DHCP-Renew]";
echo "${log_tag}: Create firewall rule [Allow-DHCP-Renew]">/dev/kmsg;
uci add firewall rule>/dev/null
uci set firewall.@rule[-1].name='Allow-DHCP-Renew';
uci set firewall.@rule[-1].src='wan';
uci set firewall.@rule[-1].dest_port='68';
uci set firewall.@rule[-1].target='ACCEPT';
uci set firewall.@rule[-1].family='ipv4';
uci add_list firewall.@rule[-1].proto='udp';
uci commit firewall.@rule[-1];

echo "Create firewall rule [Allow-IGMP]";
echo "${log_tag}: Create firewall rule [Allow-IGMP]">/dev/kmsg;
uci add firewall rule>/dev/null;
uci set firewall.@rule[-1].name='Allow-IGMP';
uci set firewall.@rule[-1].family='ipv4';
uci set firewall.@rule[-1].src='wan';
uci set firewall.@rule[-1].target='ACCEPT';
uci add_list firewall.@rule[-1].proto='igmp';
uci commit firewall.@rule[-1];

echo "Create firewall rule [Allow-DNS-In]";
echo "${log_tag}: Create firewall rule [Allow-DNS-In]">/dev/kmsg;
uci add firewall rule>/dev/null;
uci set firewall.@rule[-1].name='Allow-DNS-In';
uci set firewall.@rule[-1].family='ipv4';
uci set firewall.@rule[-1].src='lan';
uci set firewall.@rule[-1].dest_port='53';
uci set firewall.@rule[-1].target='ACCEPT';
uci commit firewall.@rule[-1];

echo "Create firewall rule [Allow-SSH-Out]";
echo "${log_tag}: Create firewall rule [Allow-SSH-Out]">/dev/kmsg;
uci add firewall rule>/dev/null;
uci set firewall.@rule[-1].name='Allow-SSH-Out';
uci set firewall.@rule[-1].family='ipv4';
uci set firewall.@rule[-1].dest='lan';
uci set firewall.@rule[-1].dest_port='22';
uci set firewall.@rule[-1].target='ACCEPT';
uci add_list firewall.@rule[-1].proto='tcp';
uci commit firewall.@rule[-1];

echo "Create firewall rule [Allow-WG-Out]";
echo "${log_tag}: Create firewall rule [Allow-WG-Out]">/dev/kmsg;
uci add firewall rule>/dev/null;
uci set firewall.@rule[-1].name='Allow-WG-Out';
uci set firewall.@rule[-1].family='ipv4';
uci set firewall.@rule[-1].dest='wan';
uci set firewall.@rule[-1].dest_port="${endpoint_port:?}";
uci set firewall.@rule[-1].target='ACCEPT';
uci add_list firewall.@rule[-1].proto='udp';
uci add_list firewall.@rule[-1].dest_ip="${endpoint_host:?}";
uci commit firewall.@rule[-1];

echo "Create firewall rule [Allow-DHCP-In]";
echo "${log_tag}: Create firewall rule [Allow-DHCP-In]">/dev/kmsg;
uci add firewall rule>/dev/null
uci set firewall.@rule[-1].name='Allow-DHCP-In';
uci set firewall.@rule[-1].family='ipv4';
uci set firewall.@rule[-1].src='lan';
uci set firewall.@rule[-1].dest_port='67';
uci set firewall.@rule[-1].target='ACCEPT';
uci add_list firewall.@rule[-1].proto='udp';
uci commit firewall.@rule[-1];

echo "Create firewall rule [Allow-DHCP-Out]";
echo "${log_tag}: Create firewall rule [Allow-DHCP-Out]">/dev/kmsg;
uci add firewall rule>/dev/null
uci set firewall.@rule[-1].name='Allow-DHCP-Out';
uci set firewall.@rule[-1].family='ipv4';
uci set firewall.@rule[-1].dest='lan';
uci set firewall.@rule[-1].dest_port='68';
uci set firewall.@rule[-1].target='ACCEPT';
uci add_list firewall.@rule[-1].proto='udp';
uci commit firewall.@rule[-1];

echo "Create firewall rule [Allow-DNS-Out]";
echo "${log_tag}: Create firewall rule [Allow-DNS-Out]">/dev/kmsg;
uci add firewall rule>/dev/null;
uci set firewall.@rule[-1].name='Allow-DNS-Out';
uci set firewall.@rule[-1].family='ipv4';
uci set firewall.@rule[-1].dest="${wg_zone:?}";
uci set firewall.@rule[-1].dest_port='53';
uci set firewall.@rule[-1].target='ACCEPT';
uci add_list firewall.@rule[-1].proto='tcp';
uci add_list firewall.@rule[-1].proto='udp';
uci commit firewall.@rule[-1];

echo "Create firewall rule [Allow-HTTPs-Out]";
echo "${log_tag}: Create firewall rule [Allow-HTTPs-Out]">/dev/kmsg;
uci add firewall rule>/dev/null;
uci set firewall.@rule[-1].name='Allow-HTTPs-Out';
uci set firewall.@rule[-1].family='ipv4';
uci set firewall.@rule[-1].dest="${wg_zone:?}";
uci set firewall.@rule[-1].dest_port='80 443';
uci set firewall.@rule[-1].target='ACCEPT';
uci add_list firewall.@rule[-1].proto='tcp';
uci commit firewall.@rule[-1];

echo "Create firewall rule [Allow-NTP-Out]";
echo "${log_tag}: Create firewall rule [Allow-NTP-Out]">/dev/kmsg;
uci add firewall rule>/dev/null;
uci set firewall.@rule[-1].name='Allow-NTP-Out';
uci set firewall.@rule[-1].family='ipv4';
uci set firewall.@rule[-1].dest="${wg_zone:?}";
uci set firewall.@rule[-1].dest_port='123';
uci set firewall.@rule[-1].target='ACCEPT';
uci add_list firewall.@rule[-1].proto='udp';
uci commit firewall.@rule[-1];

/etc/init.d/firewall restart;
/etc/init.d/network restart;
echo "Finished";
echo "${log_tag}: Finished">/dev/kmsg;

What do you want to happen, and what does your config look like currently?

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

i have rebooted the router and lost ssh connection to the router, i can't even ping from lan, but i can still connect to internet.
i will reflash it first.