Novice user here - I was trying to set up a separate VPN interface to restrict vpn traffic only to a couple of IP addresses on my LAN, and in the process of playing with the new zone configuration, I'm afraid I may have messed up the default zone configurations.
I have a port forwarding rule: incoming from wan [zone], port 2345 to this device, port 2345; forward to vpn [zone] ip 192.168.1.1 (i.e. the address of the router) port 2345.
I then have a traffic rule: from vpn [zone] to lan IP 192.168.1.xxx (security cam), 192.168.1.yyy (other lan device)... accept forward.
Did I do that right, and does that eliminate the need to set the output of the vpn zone to accept?
So in zone vpn make output accept
Rule test2 is fine.
Both redirects are wrong, delete them and make a rule to accept source zone wan to the device (no destination zone), destination port 2345 protocol udp.
config redirect
	option dest_port '2345'
	option src 'wan'
	option src_dport '2345'
	option target 'DNAT'
	list proto 'udp'
	option name 'VPN-New'
OK, I fixed it to the above. Just so I can learn better: why is the old way INcorrect? Shouldn't I be forwarding the wan connection to the vpn zone? Or by sending it to the router directly, does the router then figure out that the connection to port 2345 should be sent to the vpn zone?
No, delete the redirect and make a rule.
You are not redirecting anything, you open the port 2345 udp on the wan zone to accept wireguard connections.
By redirecting the traffic internally you are adding more things to do for every wireguard packet without any reason or profit.
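For reference, this is the kind of `config rule` stanza the answer above describes, written out as an added example (not taken from the thread or from the OpenWrt documentation); the rule name is assumed, the port and protocol are the ones discussed above:

```uci
# /etc/config/firewall fragment (added example, not from the original post).
# Replaces the 'config redirect' stanza above: there is no 'dest' option, so the
# packet is accepted by the router itself (INPUT chain) instead of being DNATed
# back to 192.168.1.1. 'src_dport' is deliberately absent: the client's source
# port is arbitrary (see the follow-up below), only the destination port matters.
config rule
	option name 'Allow-WireGuard-Inbound'   # assumed name
	option src 'wan'
	option dest_port '2345'                  # WireGuard listen port from the thread
	option proto 'udp'
	option target 'ACCEPT'
```

After editing the file, `/etc/init.d/firewall restart` applies the change.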
Sorry to be a pain, one last question:
I had set the source port as 2345 as shown in the config rule above... that didn't work.
I changed it to what you originally said (read it closer) and removed the incoming source port (so it's any)
and now it works...
Why is that? I tell the wireguard client on my phone to connect to IPADDRESS:PORT...
And then, another question: isn't that then making my router exposed to the internet/wan overall since it's not demanding a specific incoming port? Or is it still secure because the only thing port 2345 does on my router is go to the vpn zone, which is configured as a wireguard peer?
The source port that the phone is using to connect can be any, especially if it is behind CG-NAT on a mobile data network.
The important thing here is the destination port, which is 2345, and you configure it on the OpenWrt as the listening port of wireguard.
No, it doesn't matter.
It is secure because the wireguard server will not respond if the client is not legitimate, which means having the correct keys configured.