[Solved] Wireguard - Help with Firewall Rules

I have managed to get a split tunnel wireguard vpn working on my road warrior android devices, but I am not sure if I did it properly.

In my current setup, I created a wireguard zone, and added the following rules:

UDP From any host in wan To any router IP at port 12345 on this device = accept input

Then created rules to allow traffic between the interfaces:
Any traffic From any host in wireguard To any host in Lan = accept forward
Any traffic From any host in Lan To any host in wireguard = accept forward
Any traffic From any host in wireguard To any host in wan = accept forward
Any traffic From any host in wan To any host in wireguard = accept forward

But this feels quite exposed.
Any suggestions as to how I can improve this setup?

Replace those rules with forwardings.
You can also consider assigning WG-interface to LAN-zone to simplify firewall configuration.

Most likely you don't need that.


I'll try that when I get home. I don't want to lock myself out of the VPN if I mess anything up.

I would like to keep the wg interface as its own zone. Just makes more sense in my brain.

To clarify, I should just forward incoming wan connections on port 12345 to the wg interface in the wireguard zone?

No, you need an allow rule on the wan port to allow connections to the port wireguard is running on. You then want forwarding rules between zones depending on what traffic you want flowing where - remembering that the forwarding controls the initial direction of connections.

So for instance, I have a single forwarding rule, running from my wireguard zone to my lan, like so:

config forwarding
    option src 'wg'
    option dest 'lan'

As all I want to do is connect to machines on my LAN, and I have no need to use my home connection as a VPN. If you want to do the latter, then you simply add another forwarding rule with a src that is your wireguard zone and a dest of wan.

I did things a little differently, but it seems to be working. It even solved another problem I was having resolving local DNS names.

I deleted all the original rules I had in the OP, then I created a port forward:
IPv4-udp From any host in wan
Via any router IP at port 12345
Forward to
IP of wireguard interface, port 12345 in wireguard zone

And then like you said made a wireguard zone to Lan zone forward, and everything seems to be working well.

I was also unable to resolve names for the Lan hosts over the VPN in the original setup, but this seems to have rectified that issue at the same time.

This is an unwise solution.
You shouldn't use NAT, unless it's really necessary.
And port opening definitely doesn't require NAT.

OK, I have done it as you explained.
I removed the port forward rule.

Allow Wireguard Firewall rule:
Any udp From any host in wan
To any router IP at port 12345 on this device = accept

and forward wireguard zone to lan zone (input, output, forward=accept)

Seems to be working just as well in this configuration, but I think I see the difference. I thought wireguard would only listen on the wg0 interface, and thus was under the impression that I had to get the packets from wan to that IP, but in this setup, it seems that wireguard is listening on the wan interface as well, so we've just allowed incoming connections on the wan interface on port 12345...

Please correct me if I'm misinterpreting this. I'm just trying to understand how the overall system works, and identify the differences between these methods. I had finally got my wireguard setup and running using a command line guide from another linux distro, and the author apparently has a different paradigm for how the service should be accessible. I completely appreciate all the help.

This is exactly what is expected.
WAN-clients connect to WG-service from WAN-zone.
LAN-clients are routed to WG-network from LAN-zone.

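The firewall pattern the thread settles on (an input accept rule on wan for UDP port 12345, a forwarding from the wireguard zone to lan, and no NAT redirect) can be checked mechanically against /etc/config/firewall. The following Python script is an added example, not code from this thread or from OpenWrt itself: it embeds two constructed firewall snippets (the working layout, and the redirect-based layout with a wan-to-wireguard forwarding that the replies advise against), using the thread's zone names 'wan', 'lan', 'wg' and port 12345, parses them with a minimal UCI reader, and reports the points raised above. The zone section layout and rule names are assumptions.

```python
"""Check an OpenWrt firewall config for the WireGuard rule pattern from the thread."""
import re

# Constructed sample: the layout that ended up working (assumed zone/rule names).
GOOD_CONFIG = """
config zone
    option name 'wg'
    list network 'wg0'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config rule
    option name 'Allow-WireGuard'
    option src 'wan'
    option dest_port '12345'
    option proto 'udp'
    option target 'ACCEPT'

config forwarding
    option src 'wg'
    option dest 'lan'
"""

# Constructed sample: NAT redirect for the tunnel port plus a wan->wg forwarding,
# i.e. the variants the replies advise against.
BAD_CONFIG = """
config redirect
    option name 'WG-port-forward'
    option src 'wan'
    option src_dport '12345'
    option dest 'wg'
    option dest_port '12345'
    option proto 'udp'
    option target 'DNAT'

config forwarding
    option src 'wan'
    option dest 'wg'
"""


def parse_uci(text):
    """Parse UCI text into a list of (section_type, options) pairs.

    'option' entries map to a string, 'list' entries to a list of strings.
    """
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = re.match(r"config\s+(\S+)(?:\s+'?([^']*)'?)?$", line)
        if m:
            sections.append((m.group(1), {}))
            continue
        m = re.match(r"(option|list)\s+(\S+)\s+'?([^']*)'?$", line)
        if m and sections:
            kind, key, val = m.groups()
            opts = sections[-1][1]
            if kind == 'option':
                opts[key] = val
            else:
                opts.setdefault(key, []).append(val)
    return sections


def check_wireguard_firewall(text, wg_zone='wg', lan_zone='lan', wg_port='12345'):
    """Return a list of (code, message) findings; an empty list means the
    config matches the recommended pattern."""
    findings = []
    has_input_rule = False
    has_wg_to_lan = False
    for stype, o in parse_uci(text):
        if stype == 'redirect' and o.get('src') == 'wan' and o.get('src_dport') == wg_port:
            findings.append(('redirect-to-wg-port',
                             'NAT redirect for the WireGuard port; an input accept rule is enough'))
        elif stype == 'forwarding' and o.get('src') == 'wan' and o.get('dest') == wg_zone:
            findings.append(('wan-to-wg-forward',
                             'forwarding wan -> %s lets WAN hosts open connections to tunnel clients' % wg_zone))
        elif stype == 'forwarding' and o.get('src') == wg_zone and o.get('dest') == lan_zone:
            has_wg_to_lan = True
        elif stype == 'rule' and o.get('src') == 'wan' and 'dest' not in o \
                and o.get('dest_port') == wg_port and o.get('target') == 'ACCEPT' \
                and 'udp' in o.get('proto', 'tcp udp').split():
            # No 'dest' means the rule applies to traffic to the router itself (input).
            has_input_rule = True
    if not has_input_rule:
        findings.append(('missing-input-rule',
                         'no input ACCEPT rule for udp/%s on wan; handshakes will be dropped' % wg_port))
    if not has_wg_to_lan:
        findings.append(('missing-wg-forward',
                         'no forwarding %s -> %s; tunnel clients cannot reach LAN hosts' % (wg_zone, lan_zone)))
    return findings


if __name__ == '__main__':
    for label, cfg in (('good', GOOD_CONFIG), ('bad', BAD_CONFIG)):
        print(label, check_wireguard_firewall(cfg) or 'OK')
```

Run it against a real file with `check_wireguard_firewall(open('/etc/config/firewall').read())`; the parser only handles the `config`/`option`/`list` lines this check needs, so other UCI constructs are ignored rather than rejected.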

The wg0 interface is the wireguard tunnel endpoint, that's separate from the port over which the tunnel runs (which is port 12345 in your example).

I have the wireguard interface set to, and the Lan interface set as a different subnet and I understand that the zone Forward I created sends wireguard packets to Lan, but what I don't see is how opening the port on the wan IP gets packets from the wan interface to the wireguard interface in the first place. I'm assuming that wireguard is listening on both as well as wan IP? Or is it some sort of internal magic happening that I'm not aware of? If it's the first option, do I even need to have wireguard and its clients on a different subnet?

(my original issue is indeed solved, but I'm just trying to understand the details)

The wireguard interface is a virtual endpoint that sits on the end of the wireguard tunnel between your openwrt device and your android devices.

The wireguard 'server' (running inside the kernel on your openwrt device) is listening on a particular port and can be reached externally via the wan IP. Essentially, once you have achieved a connection you have a virtual endpoint inside each device that creates a point-to-point connection to the other, sitting inside the tunnel created by wireguard itself. This diagram is for openvpn but the concept is similar:

As to whether it's better to have the clients on a separate subnet - you probably don't want to be in the same broadcast domain as all your devices at home, or all broadcast traffic will be tunnelled to your end device also.


Awesome, that's exactly what I needed to know. Thanks a ton for your help!

With openvpn you have the option to use bridged (tap) or routed (tun) mode, but with wireguard you don't have that choice. Wireguard can't transport layer 2 (Ethernet) packets, which is the case with openvpn in bridged mode. A wireguard tunnel can transport IPv4 and IPv6 packets (same as openvpn in routed mode). Each IP address can be associated with at most one peer (using AllowedIPs) which means you can't send broadcast or multicast traffic to multiple peers. (BTW you can't use the same subnet on multiple interfaces, such as a wireguard interface and another LAN interface.)

