I used OpenWrt a long time ago, but when I got Broadcom routers (R7000) I switched to DD-WRT.
Now I am setting up a new R7800 with OpenWrt again.
I compiled my own build with WireGuard and have set it up successfully as a client to my Oracle Cloud VPS.
But regarding setting up WireGuard client I have the following questions:
First question:
Most setup instructions will tell you to create a new Firewall zone, at the Firewall menu.
But why not assign the WG Interface to the WAN zone?
This also protects you from unwanted incoming traffic and masquerades the traffic.
Second question:
Most WG clients let you set a DNS server to use when the tunnel is up (and route this DNS server via the tunnel), but I could not find this in the OpenWrt WireGuard interface.
I know how and where I can change the DNS, but I am looking for the functionality where a DNS server can be set on the WG client which is used when the tunnel is up.
Am I missing something or is this not possible in OpenWRT?
Will WAN have the same security implications on your VPS's network?
This depends on routing, policies and the DST IP of the DNS server. You seem to be referencing mobile VPN apps and other clients that change DNS. OpenWrt is a router.
Usually WAN DNS is used. Optionally:
You can set an alternative DNS for clients via DHCP.
You can change routing to have the WAN DNS make requests over the tunnel (this means you need to set the peer with an IP instead of a hostname).
Technically I do not need masquerade, but my question was more general: when setting up a WG client to a commercial provider you do need masquerade, and you want a firewall which blocks incoming traffic, which as far as I can tell is the same as when you assign the WG interface to the WAN zone.
So it seems easier to assign the WG interface to the WAN zone, as that can be done from the WG interface itself and there is no need to do anything extra in the Firewall settings. Or am I missing something?
I am not only referring to mobile apps; other third-party firmwares like DD-WRT, AsusWRT-Merlin and FT have this functionality too: you add a DNS server to the WG client, and this DNS server is used exclusively and is always routed via the tunnel, all to prevent DNS leaks.
The DNS server is of course only used after the tunnel is up; otherwise you cannot resolve a domain name as the endpoint.
I was looking for this easy functionality, but from your answer I gather we have to set this up manually. No problem, I can do that.
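The two points discussed in this thread, the WAN-zone-versus-dedicated-zone choice and the tunnel-only DNS that must be routed through the peer with an IP endpoint, written out as a script that emits `uci batch` input. This is an added example and not code from the thread or from the OpenWrt project; it assumes a constructed setup in which the WireGuard interface is `wg0`, its peer is the named UCI section `wgserver`, and the default OpenWrt firewall layout is in place (zone[0] is `lan`, zone[1] is `wan`). The sample addresses (10.0.0.1 for the DNS server, 203.0.113.5 for the endpoint) are placeholders.

```shell
#!/bin/sh
# Added example (not from the forum thread). Emits `uci batch` input for:
#   1. putting the WireGuard interface behind the firewall, either in the
#      existing WAN zone or in a dedicated zone with the same policy;
#   2. a DNS server that is only used once the tunnel is up and is routed
#      through the peer, which is why the endpoint must be an IP address.
# Assumed (constructed) names: interface 'wg0', peer section 'wgserver',
# default firewall layout with zone[0] = lan and zone[1] = wan.

# Returns 0 if $1 is a dotted-quad IPv4 address, 1 otherwise (POSIX sh, no regex).
is_ipv4() {
  case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Mode 'wan': reuse the WAN zone, so the tunnel inherits input=REJECT,
# forward=REJECT, masq=1 and the existing lan->wan forwarding.
# Mode 'zone': a dedicated zone with the same policy plus an explicit lan->wg
# forwarding; it can later be tuned without touching the WAN zone.
wg_firewall_uci_batch() {
  mode=$1; wgif=$2
  case $mode in
    wan)
      printf "add_list firewall.@zone[1].network='%s'\n" "$wgif"
      ;;
    zone)
      cat <<EOF
set firewall.${wgif}=zone
set firewall.${wgif}.name='${wgif}'
set firewall.${wgif}.input='REJECT'
set firewall.${wgif}.output='ACCEPT'
set firewall.${wgif}.forward='REJECT'
set firewall.${wgif}.masq='1'
set firewall.${wgif}.mtu_fix='1'
add_list firewall.${wgif}.network='${wgif}'
set firewall.lan_${wgif}=forwarding
set firewall.lan_${wgif}.src='lan'
set firewall.lan_${wgif}.dest='${wgif}'
EOF
      ;;
    *)
      echo "mode must be 'wan' or 'zone', got '$mode'" >&2
      return 1
      ;;
  esac
  echo "commit firewall"
}

# Tunnel-only DNS: stop using the DNS learned on WAN, attach the tunnel DNS to
# the WireGuard interface (netifd only hands it to the resolver while that
# interface is up) and route that single address through the peer.
# A hostname endpoint is refused: with no DNS before the tunnel is up, it
# could never be resolved.
wg_dns_uci_batch() {
  wgif=$1; dns=$2; endpoint=$3; peer=$4
  is_ipv4 "$dns" || { echo "DNS server must be an IPv4 address: $dns" >&2; return 1; }
  is_ipv4 "$endpoint" || {
    echo "endpoint must be an IPv4 address, not a hostname: $endpoint" >&2
    return 1
  }
  cat <<EOF
set network.wan.peerdns='0'
add_list network.${wgif}.dns='${dns}'
set network.${peer}.endpoint_host='${endpoint}'
set network.${peer}.route_allowed_ips='1'
add_list network.${peer}.allowed_ips='${dns}/32'
commit network
EOF
}

# Stand-alone demo: print both batches. On the router, pipe either into `uci batch`
# and check `uci changes` before committing.
wg_firewall_uci_batch zone wg0
wg_dns_uci_batch wg0 10.0.0.1 203.0.113.5 wgserver
```

If the peer already has `allowed_ips` set to `0.0.0.0/0`, the extra `/32` entry is redundant but harmless; `add_list` appends on every run, so apply the batch once. The script only handles IPv4; an IPv6 DNS server or endpoint would need the same treatment with a `/128` route.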