I set up WireGuard to run on a fresh install of 25.12.5. I followed the Wiki guide and used all the settings/configurations it told me to. I only used the LuCI GUI. In step 6, where it is talking about the Traffic Rules, I chose the Port Forward option. Specifically, this:
Note: If only IPv4 is being used to connect to the WireGuard server the above firewall traffic rule could be replaced with a Port Forward rule instead.
I went on to add a client, and was able to connect -- everything worked perfectly.
Then, I went back to the Port Forward rule I put in place, and I disabled it. I again went to connect to WireGuard, and it connected with no problem. That was not expected.
As a test, I put WireGuard on Pi-hole (different port, different IP), set up the port forwarding for that WireGuard server, and am able to connect when the Port Forwarding rule is in place, and can't connect when it is disabled. This is expected.
So now I'm kind of nervous. As in, have I messed up a firewall rule and now I'm just sitting open to the internet? Or is it possible that the Zone forwarding portion of step 6 made the Port Forwarding step unnecessary/redundant?
I am brand new to OpenWrt, am so-so at network routing, and am very comfortable with a Linux prompt.
While this is technically true, it is unclear to me as to why anyone would do it this way if the main router is also the device that has the WG interface. Best practice is to use the standard traffic rule method.
It is hard to know without seeing your configs. Let's take a look:
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):
Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
Do you actually have two other hosts running WireGuard in a server type configuration?
As described earlier, this should be a standard rule, not a redirect/port-forward.
I recommend removing masquerading here:
Meanwhile, aside from that, everything looks fine.
How were you testing your inbound WireGuard connectivity? Were you on your own LAN, or were you exclusively using an external network (i.e. cellular or somewhere else remote)?
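Added example (not code from this thread, the wiki, or OpenWrt): a small Python script that parses a UCI-format /etc/config/firewall and lists every path by which a UDP packet to the WireGuard listen port would be admitted from the wan zone (an ACCEPT input policy on wan, an enabled traffic rule, or an enabled redirect/port forward), and which non-wan zones still have masquerading on. The embedded firewall config is a constructed sample, not the poster's real file: it has the standard traffic rule the reply above recommends plus a disabled redirect for the same port, so the audit reports exactly one inbound path. Copy your own file off the router and pass it to audit() with your listen_port to see what, if anything, is letting the handshake in.

```python
import re

# Constructed sample /etc/config/firewall (hypothetical, NOT the poster's real config):
# wan and wg zones laid out as in the wiki, a standard traffic rule on the
# WireGuard port, and a disabled redirect (port forward) for the same port.
SAMPLE_FIREWALL = """
config zone
    option name 'wan'
    option input 'REJECT'
    option forward 'REJECT'
    option masq '1'

config zone
    option name 'wg'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option masq '1'

config rule
    option name 'Allow-WireGuard'
    option src 'wan'
    option dest_port '51820'
    option proto 'udp'
    option target 'ACCEPT'

config redirect
    option name 'WireGuard-PortForward'
    option src 'wan'
    option src_dport '51820'
    option dest_ip '192.168.1.1'
    option proto 'udp'
    option enabled '0'
"""

_TOKEN = re.compile(r"'[^']*'|\"[^\"]*\"|\S+")


def parse_uci(text):
    """Parse UCI text into section dicts: '.type', '.name', options; 'list' keys become lists."""
    sections, cur = [], None
    for raw in text.splitlines():
        parts = [p.strip("'\"") for p in _TOKEN.findall(raw.strip())]
        if not parts or parts[0].startswith('#'):
            continue
        if parts[0] == 'config' and len(parts) >= 2:
            cur = {'.type': parts[1], '.name': parts[2] if len(parts) > 2 else None}
            sections.append(cur)
        elif parts[0] == 'option' and cur is not None and len(parts) >= 3:
            cur[parts[1]] = parts[2]
        elif parts[0] == 'list' and cur is not None and len(parts) >= 3:
            cur.setdefault(parts[1], []).append(parts[2])
    return sections


def _port_ok(spec, port):
    """Absent spec = any port; otherwise '51820', '51820-51830' or a space-separated list."""
    if not spec:
        return True
    for item in str(spec).split():
        lo, _, hi = item.partition('-')
        if lo.isdigit() and int(lo) <= port <= int(hi or lo):
            return True
    return False


def _proto_ok(spec, proto):
    spec = str(spec or 'tcpudp').lower()  # fw3/fw4 default for rules and redirects
    return spec in ('all', 'any') or proto in spec


def wan_inbound_paths(sections, port, proto='udp'):
    """Every way a <proto>/<port> packet from zone wan is let in: an ACCEPT input policy
    on wan, an enabled input traffic rule, or an enabled redirect. Empty = closed from wan."""
    hits = []
    for s in sections:
        on = s.get('enabled', '1') != '0'
        label = s.get('name') or s['.name'] or '<unnamed>'
        if (s['.type'] == 'zone' and s.get('name') == 'wan'
                and s.get('input', 'REJECT').upper() == 'ACCEPT'):
            hits.append("zone 'wan' input policy is ACCEPT (every port is open)")
        elif (s['.type'] == 'rule' and on and s.get('src') == 'wan' and not s.get('dest')
              and s.get('target', 'DROP').upper() == 'ACCEPT'  # 'dest' set = forward rule
              and _proto_ok(s.get('proto'), proto) and _port_ok(s.get('dest_port'), port)):
            hits.append(f"traffic rule '{label}' accepts {proto}/{port} from zone wan")
        elif (s['.type'] == 'redirect' and on and s.get('src', 'wan') == 'wan'
              and s.get('target', 'DNAT').upper() == 'DNAT'
              and _proto_ok(s.get('proto'), proto) and _port_ok(s.get('src_dport'), port)):
            hits.append(f"port forward '{label}' DNATs {proto}/{port} from wan to "
                        f"{s.get('dest_ip', '?')}:{s.get('dest_port', port)}")
    return hits


def masq_zones(sections):
    return [s.get('name') for s in sections if s['.type'] == 'zone' and s.get('masq') == '1']


def audit(text, port=51820):
    """On a router: audit(open('/etc/config/firewall').read(), port=<your listen_port>)."""
    sections = parse_uci(text)
    return {
        'wan_inbound_paths': wan_inbound_paths(sections, port),
        # masquerading belongs on wan; the reply above recommends dropping it from wg
        'masq_on_non_wan': [z for z in masq_zones(sections) if z != 'wan'],
    }
```

If wan_inbound_paths comes back empty for your listen port yet the handshake still completes from cellular, the admission is happening somewhere this file does not describe (for instance a zone other than wan covering the upstream interface, or the WireGuard interface being in a zone whose input policy is ACCEPT), which is why the reply asks for /etc/config/network alongside the firewall file.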
I removed masq (it was on because of the Wiki page), but it's still the same - it can connect, as if there's a hole in the firewall.
I'm using my phone to test it, using the cellular network.
With or without the redirect/port-forward, it's connecting; I can (and have) completely deleted the rule, because it doesn't seem to be doing anything. And I never did the Traffic rules setup either. But it can connect.
Is the second part of step 6 redundant, and does the Zone setup (the first part of step 6) already address it?
The redirect rule you're suggesting I remove is disabled. I've tested this with it completely deleted, and it doesn't matter -- I can still connect.
Again, I'm able to connect without a problem. I'm just confused as to why this is possible when I skip configuring the Traffic Rules and the Port Forwarding (second half of step 6).