Security with wireguard on AP

A question about security.

Internet <--> ISP router ( <--> x86 Openwrt AP ( <--> clients

The ISP router is acting like a gateway for the network.
The x86 Openwrt device is acting like an AP + DHCP and DNS, so there is no routing.
There is a NAT rule on the ISP router to redirect wireguard traffic to the OpenWrt AP.

I have tested two configurations, each one working.

  • Wireguard is on its own firewall zone. I have set traffic rules between LAN and WG zones. speed is poor, about 1 MB/s
  • Wireguard is on the LAN zone. Speed is good about 20 MB/s.

I would like to keep the 2nd config for its better performance. Is there any security issue in putting wireguard on LAN zone? I don't have enough experience on the matter.

If you’re seeing a performance degradation, especially of that magnitude, on an x86 system, something is very wrong.

What is your isp speed (both up and down)?

Let’s take a look at your configs:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

I guess so :wink:

Here it is.
There is no wireless.
ISP is Kiwi, a small french ISP.
On the ISP box, the NAT rule transfer incoming port 51820 to
Actually the device runs a snapshot, but the issue is the same with a stable.

        "kernel": "6.1.82",
        "hostname": "Qotom",
        "system": "Intel(R) Core(TM) i3-5005U CPU @ 2.00GHz",
        "model": "INTEL Corporation Q3XXG4-P",
        "board_name": "intel-corporation-q3xxg4-p",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "revision": "r25701-5876b4afb9",
                "target": "x86/64",
                "description": "OpenWrt SNAPSHOT r25701-5876b4afb9"
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr ''
	option netmask ''

config globals 'globals'
	option ula_prefix 'fd5a:e32d:7493::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	list ports 'eth1'
	list ports 'eth2'
	list ports 'eth3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr ''
	option netmask ''
	option ip6assign '60'
	option gateway ''

config interface 'Wireguard'
	option proto 'wireguard'
	option private_key 'somekey'
	option listen_port '51820'
	list addresses ''
	list dns ''

config wireguard_Wireguard
	option description 'somepeer'
	option public_key 'somekey'
	option private_key 'somekey'
	list allowed_ips ''
	option persistent_keepalive '25'
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/'
	option domain ''
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/'
	option localservice '1'
	option ednspacket_max '1232'
	list server 'someispdns'

config dhcp 'lan'
	option interface 'lan'
	option start '10'
	option limit '20'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	list dhcp_option '3,'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list network 'lan'
	list network 'Wireguard'

config zone
	option name 'VPN'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'VPN'

config forwarding
	option src 'VPN'
	option dest 'lan'

Is there a reason you are using snapshot? Unless you have a specific need for snapshot, you should probably be running a stable release (23.05.3 is the latest as of right now).

I'm confused... you said:

An AP is an "Access Point" -- so wireless should e there.

As far as the firewall is concerned...

Since you are using masquerading on your lan zone, you need to have Wireguard in a different firewall zone -- remove it from the lan firewall zone and put it in the VPN zone.

If your main router supports static routes, you can avoid the masquerading. Do you know if you can add a static route to the ISP router?

This doesn't answer the question about the ISP speed itself. What is the speed you expect for upload and download based on the service tier you are paying for?

I'm running both stable and snapshot versions, in order to test for future.

wireless is removed, hence no wireless. Only eth clients. I use another AP for the wifi clients.

Hence return to inital setting: it was on a separate zone.

I can't. I have a limited control on it, basicaly only DHCP and NAT rules.
Let's suppose I remove the ISP router and put the actual OpenWrt as main router. I will now have full control: what static rule should I add?

1 Gbit/s

Goal is to link to local network for downloading or uploading some few files. Speed is not such relevant, but 1 MB/s is quite slow. 20 MB/s would be more interesting.

I'm very confused: I have restored the config files I made before testing various things today. I have now good results (about 20 MB/s) in file transfer. My guess is that I have messed up something I didn't noticed.

Thank you for your help anyway.

So it seems to me that your x86 device is really acting as a switch that happens to also run Wireguard. You're probably using way more energy than its worth for this purpose -- a basic 5 port ethernet switch often consumes way less energy than an x86 class machine, and you can do much better for routing wireguard with a pi or similar.

Exactly. It was previously a plain router.

... which I must buy. I already have the x86 router.

Thank you.