Wireguard - Firewall concern

I set up WireGuard to run on a fresh install of 25.12.5. I followed the wiki guide and used all the settings/configurations it told me to. I only used the LuCI GUI. In step 6, where it is talking about the Traffic Rules, I chose the Port Forward option. Specifically, this:

Note: If only IPv4 is being used to connect to the WireGuard server the above firewall traffic rule could be replaced with a Port Forward rule instead.

I went on to add a client, and was able to connect -- everything worked perfectly.

Then, I went back to the Port Forward rule I put in place, and I disabled it. I again went to connect to WireGuard, and it connected with no problem. That was not expected.

As a test, I put WireGuard on PiHole (different port, different IP), set up the port forwarding for that WireGuard server, and am able to connect when the Port Forwarding rule is in place, and can't connect when it is disabled. This is expected.

So now I'm kind of nervous. As in, have I messed up a firewall rule and now I'm just sitting open to the internet? Or is it possible that the Zone forwarding portion of step 6 made the Port Forwarding step unnecessary/redundant?

I am brand new to OpenWrt, am so-so at network routing, and am very comfortable with a Linux prompt.

Wiki Link: https://openwrt.org/docs/guide-user/services/vpn/wireguard/server?s[]=open&s[]=file

(I also found this document, a few differences, but basically the same)

While this is technically true, it is unclear to me as to why anyone would do it this way if the main router is also the device that has the WG interface. Best practice is to use the standard traffic rule method.

It is hard to know without seeing your configs. Let's take a look:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):

Screenshot 2025-10-20 at 8.14.14 PM

Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

See below. Thank you!

ubus call system board

{
	"kernel": "6.12.94",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "Linksys MX8500",
	"board_name": "linksys,mx8500",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "25.12.5",
		"firmware_url": "https://downloads.openwrt.org/",
		"revision": "r33051-f5dae5ece4",
		"target": "qualcommax/ipq807x",
		"description": "OpenWrt 25.12.5 r33051-f5dae5ece4",
		"builddate": "1782737960"
	}
}

cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	list ipaddr '127.0.0.1/8'

config globals 'globals'
	option dhcp_default_duid 'xxxxxxxxxxxxxxxxxxxxxxxx'
	option ula_prefix 'fd88:52ac:fcff::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	list ipaddr '192.168.50.1/24'
	option multipath 'off'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option multipath 'off'

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'xxxxxxxxxxxxxxxxxxxxxxxx'
	option multipath 'off'
	option listen_port '51820'
	list addresses '10.0.0.1/24'

config wireguard_wg0
	option public_key 'xxxxxxxxxxxxxxxxxxxxxxxx'
	option private_key 'xxxxxxxxxxxxxxxxxxxxxxxx'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	option description 'PhoneFull'
	list allowed_ips '10.0.0.10/32'
	option route_allowed_ips '1'

cat /etc/config/firewall
(Note: It has an IPv6 rule, but IPv6 is disabled, so I just assume it does nothing.)

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'
	option enabled '1'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'
	option enabled '1'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '1'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '1'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '1'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '1'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'
	option enabled '1'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option enabled '1'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Wireguard'
	option family 'ipv4'
	list proto 'udp'
	option src 'wan'
	option src_dport '51880'
	option dest_ip '192.168.50.50'
	option dest_port '51880'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Wireguard5'
	list proto 'udp'
	option src 'wan'
	option src_dport '55555'
	option dest_ip '192.168.50.55'
	option dest_port '55555'
	option family 'ipv4'
	option enabled '0'

config zone
	option name 'WireguardVPN'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'
	option masq '1'
	list network 'wg0'

config forwarding
	option src 'WireguardVPN'
	option dest 'lan'

config forwarding
	option src 'WireguardVPN'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'WireguardVPN'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'WireguardDDWRT'
	list proto 'udp'
	option src 'wan'
	option src_dport '51820'
	option dest_ip '10.0.0.1'
	option dest_port '51820'
	option enabled '0'

(I'm noticing I called it WireguardDDWRT; I run dd-wrt on the others, naming habit, OpenWrt is all new to me.)

Do you actually have two other hosts running WireGuard in a server type configuration?

As described earlier, this should be a standard rule, not a redirect/port-forward.

I recommend removing masquerading here:

Meanwhile, aside from that, everything looks fine.
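A way to check the "what is actually open from wan" question from the posted config rather than from the LuCI pages is to audit /etc/config/firewall directly. The script below is an added example for this thread (not from the wiki, the original poster, or the replies): it parses UCI syntax, lists the enabled port forwards facing wan, and tells you whether a given port is accepted on wan *input* for the router itself (the standard traffic-rule method the replies recommend) as opposed to being DNATed by a redirect. It assumes fw4's documented defaults for an unset `proto` (tcp+udp) and `enabled` (on), the sample config is a trimmed copy of the one posted above, and the rule name `Allow-WireGuard` is chosen for the example.

```python
"""Audit an OpenWrt UCI firewall config for what the wan zone lets in.

Added example for this thread, not the wiki's or the poster's own code.
"""
import shlex
import sys

# Constructed sample: a trimmed copy of the /etc/config/firewall posted in this thread.
SAMPLE_CONFIG = """
config defaults
    option input 'REJECT'
    option forward 'REJECT'

config zone
    option name 'wan'
    option input 'REJECT'
    option forward 'DROP'
    option masq '1'
    option mtu_fix '1'
    list network 'wan'

config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'
    option enabled '1'

config redirect
    option name 'Wireguard'
    option target 'DNAT'
    list proto 'udp'
    option src 'wan'
    option src_dport '51880'
    option dest_ip '192.168.50.50'
    option dest_port '51880'

config redirect
    option name 'WireguardDDWRT'
    option target 'DNAT'
    list proto 'udp'
    option src 'wan'
    option src_dport '51820'
    option dest_ip '10.0.0.1'
    option dest_port '51820'
    option enabled '0'

config zone
    option name 'WireguardVPN'
    option input 'ACCEPT'
    option masq '1'
    list network 'wg0'
"""

# The traffic-rule form the replies recommend instead of a redirect: accept the
# listen port on wan input. 'Allow-WireGuard' is a name chosen for this example.
RECOMMENDED_RULE = """
config rule
    option name 'Allow-WireGuard'
    option src 'wan'
    option dest_port '51820'
    option proto 'udp'
    option target 'ACCEPT'
"""


def parse_uci(text):
    """Parse UCI text into [(section_type, {key: value}), ...]; 'list' keys become lists."""
    sections, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles the single-quoted values UCI writes
        if parts[0] == "config" and len(parts) >= 2:
            current = {}
            sections.append((parts[1], current))
        elif parts[0] == "option" and len(parts) >= 3:
            current[parts[1]] = parts[2]
        elif parts[0] == "list" and len(parts) >= 3:
            current.setdefault(parts[1], []).append(parts[2])
    return sections


def as_list(value):
    """UCI allows 'option x "a b"' or repeated 'list x' lines; normalise both to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else str(value).split()


def enabled(sec):
    return sec.get("enabled", "1") != "0"


def protos(sec):
    # Assumption: an unset proto means tcp+udp (fw4's documented default); 'all' matches anything.
    out = set()
    for name in as_list(sec.get("proto")) or ["tcp", "udp"]:
        out.update({"tcp", "udp"} if name == "tcpudp" else {name})
    return out


def port_matches(spec, port):
    """True if a UCI port spec (None, '500', '1000-2000', '22 80 443') covers port."""
    items = as_list(spec)
    if not items:
        return True  # no port restriction at all
    for item in items:
        lo, _, hi = item.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def zone_policy(sections, zone, which):
    """Effective input/forward/output policy of a zone, falling back to 'defaults'."""
    default = "REJECT"
    for kind, sec in sections:
        if kind == "defaults" and which in sec:
            default = str(sec[which])
    for kind, sec in sections:
        if kind == "zone" and sec.get("name") == zone:
            return str(sec.get(which, default))
    return default


def wan_facing(sections, zone="wan"):
    """Enabled ACCEPT rules and DNAT redirects whose src is the given zone."""
    rules, redirects = [], []
    for kind, sec in sections:
        if not enabled(sec) or sec.get("src") != zone:
            continue
        if kind == "rule" and sec.get("target") == "ACCEPT":
            rules.append(sec)
        elif kind == "redirect" and sec.get("target", "DNAT") == "DNAT":
            redirects.append(sec)
    return rules, redirects


def input_accepted(sections, proto, port, zone="wan"):
    """Is proto/port, addressed to the router itself, accepted from the zone?
    A rule without 'dest' is an input rule; one with 'dest' is a forward rule."""
    if zone_policy(sections, zone, "input") == "ACCEPT":
        return True
    rules, _ = wan_facing(sections, zone)
    for r in rules:
        if r.get("dest"):
            continue
        p = protos(r)
        if (proto in p or "all" in p) and port_matches(r.get("dest_port"), port):
            return True
    return False


def forwarded_ports(sections, zone="wan"):
    """(proto, external port, 'ip:port' target, name) for each enabled redirect from the zone."""
    _, redirects = wan_facing(sections, zone)
    out = []
    for r in redirects:
        target = f"{r.get('dest_ip', '?')}:{r.get('dest_port', r.get('src_dport', '*'))}"
        for proto in sorted(protos(r)):
            out.append((proto, str(r.get("src_dport", "*")), target, str(r.get("name", ""))))
    return out


if __name__ == "__main__":
    # Usage: python3 audit.py /path/to/firewall   (copied off the router; defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    cfg = parse_uci(text)
    print("wan input policy:", zone_policy(cfg, "wan", "input"))
    print("enabled port forwards from wan:", forwarded_ports(cfg))
    print("udp/51820 accepted on wan input:", input_accepted(cfg, "udp", 51820))
    fixed = parse_uci(text + RECOMMENDED_RULE)
    print("udp/51820 accepted after adding the traffic rule:", input_accepted(fixed, "udp", 51820))
```

On the config as posted this reports only the 51880 forward to 192.168.50.50 as enabled and reports udp/51820 as not accepted on wan input, which is exactly the mismatch this thread is about; appending the traffic rule flips that to accepted. The script only reads the UCI file, so it cannot tell you why the live device behaves differently: for that, compare its output against `nft list ruleset` on the router itself (fw4 is nftables-based), which shows the rules actually loaded rather than the ones the config describes.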

How were you testing your inbound wireguard connectivity? Were you on your own lan or were you exclusively using an external network (i.e. cellular or somewhere else remote)?

You can remove masquerading and mtu_fix

You can remove this rule:

Everything else looks fine

I removed masq (it was on because of the Wiki page), but it's still the same - it can connect, as if there's a hole in the firewall.

I'm using my phone to test it, using the cellular network.

With or without the redirect/port-forward, it's connecting; I can (and have) completely deleted the rule, because it doesn't seem to be doing anything. And I never did the Traffic rules setup either. But it can connect.

Is the second part of step 6 redundant, in that the Zone setup (the first part of step 6) addresses it already?

If I remove wg0, it can't connect at all.

The redirect rule you're suggesting I remove is disabled. I've tested this with it completely deleted, and it doesn't matter -- I can still connect.

Again, I'm able to connect without a problem. I'm just confused as to why this is possible when I skip configuring the Traffic Rules and the Port Forwarding (second half of step 6).