[Solved] Different firewall zones for different wireguard clients?

I want to have different firewall zones for different clients connecting to the wireguard server hosted on my OpenWRT (24.05.5 running on a GL.Inet MT-6000, using luci-proto-wireguard).

Basically some wireguard clients should only be able to access a subset of resources on the network, while others are fully trusted. The way I envision doing this is putting the clients into separate firewall zones and setting up appropriate forwarding rules between those wireguard zones and the lan zone.

Looking through Luci, it appears that the firewall zone for wireguard is set per interface. Does that mean that I need two separate wireguard interfaces and two separate wireguard devices in OpenWRT to accomplish this? Can both use the same port for the wireguard traffic, or does that also need to be separate?

Is there a way to assign this per-peer (client) instead? Or is there an entirely different, better way to accomplish this?

Note: I haven't yet tried to configure this so asking me to share my config at this point is not going to help much. I want to figure out what the right approach to this is before I start.

Yes.

I think it needs to be separate.

You could configure traffic rules instead of zones. Then you would be able to define the source IPs and limit the untrusted clients.


Ah, yes, I guess traffic rules would work, since for WireGuard you configure the allowed IPs of the peer, and thus it can't be spoofed.

For my use case that would indeed be much simpler (a specific remote peer is only supposed to be able to connect to a NAS to save backups there, not access anything else on the network).

Thank you for preventing my over-engineering.

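The traffic-rule approach from the replies above, written out as an added UCI example (not a config from the thread, and not tested on the poster's router): one WireGuard interface in a single zone, with per-peer rules keyed on each peer's `allowed_ips`. All addresses, ports and names are constructed placeholders; the peer public key must be filled in.

```uci
# /etc/config/network (excerpt): the peer's allowed_ips is what the firewall
# rules key on. WireGuard's cryptokey routing drops any tunnel packet whose
# inner source address is not in that peer's allowed_ips, so a /32 here means
# the peer cannot appear as any other address. (constructed example)
config wireguard_wg0
	option description 'backup-peer'
	option public_key 'PEER_PUBLIC_KEY_PLACEHOLDER'
	list allowed_ips '10.9.0.10/32'

# /etc/config/firewall (excerpt)
# One zone for the whole tunnel. No "forwarding" section to lan: forwarding
# stays REJECT unless a rule below explicitly allows it.
config zone
	option name 'wg'
	list network 'wg0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Restricted peer: may only reach the NAS, and only the backup ports
# (SMB and SSH in this example). fw4 evaluates rules before the zone's
# forward policy, so this ACCEPT takes precedence over the REJECT above.
config rule
	option name 'backup-peer-to-nas-only'
	option src 'wg'
	option src_ip '10.9.0.10'
	option dest 'lan'
	option dest_ip '192.168.1.20'
	option proto 'tcp'
	option dest_port '22 445'
	option target 'ACCEPT'

# Fully trusted peers: unrestricted access to lan, listed by tunnel address.
config rule
	option name 'trusted-peers-to-lan'
	option src 'wg'
	list src_ip '10.9.0.2'
	list src_ip '10.9.0.3'
	option dest 'lan'
	option target 'ACCEPT'
```

After `/etc/init.d/firewall restart`, `fw4 print` shows the generated nftables rules, so you can confirm the two ACCEPT rules sit in the `forward_wg` chain ahead of the zone's reject policy and that no other wg-to-lan forwarding exists.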
