WireGuard, Firewall Configuration


I see this in a lot of different posts, but I admit - some seem to (sort of?) work, but I'm not sure I see a real "here is how the firewall needs to be set up" :smiley:. I say that because I have tried some of the "working" approaches, and in the process locked myself out of my router :disappointed:.

I can see that it's clear a WireGuard network interface needs to be added (:white_check_mark:, and handshaking just fine). Within that, add, as I want all traffic routed over the interface (:white_check_mark:). But then comes the firewall / zones. I have added a third zone (for the WireGuard interface => added to LAN and WAN), but ... how to get all traffic over that interface? Do I forward all LAN traffic to WG? And in return? And no forwarding to WAN at all? I think this is how I locked myself out of ssh, as all LAN traffic is going to WG?

Any guidance would be greatly appreciated!

What is the other end of your WG connection (the remote peer). Is it a commercial VPN provider (i.e. your WG is a 'client'), a remote system that needs to be able to connect to your network (i.e. your router is a 'server'), or a site-to-site configuration?


Good question, sorry I wasn't clear! The remote end is my home "server" (pfSense box). OpenWrt is on the "client" end ... my M-i-L's remote system :smiley:. It's to route traffic back to / through my local network (i.e. remote connectivity, but also security).

And I do want to make sure I have two way access - meaning ... she messes up her PC a lot (machine behind the OpenWrt router), want to be able to get to it to fix things more easily :laughing:.


That's not necessary. Just add the WireGuard interface to the existing LAN zone.

1 Like

So just bridge it to LAN? All traffic will be routed over that, not WAN?


Bridging usually refers to interfaces. They will all remain separate, but by putting the LAN and WG interfaces in the same firewall zone (the existing lan zone) traffic will be able to pass back and forth between the two networks. Assuming the openwrt device has as the allowed IPs then all the traffic will get routed out through the WG interface.

1 Like

Meaning on the WG interface, right?

Will give that a try, thanks!

Yes, you want it in the wireguard peer config.


I think it's working! Thanks so much. I admit, still not sure why the traffic goes over WG, vs. the WAN ... assuming that's routing table related somehow - I'm just not sure why WG takes priority (over the WAN). Sometime, if you have nothing better to do, I'd be curious why that's the case (but don't want to waste your time). I 100% know that's me just being a dough-head :stuck_out_tongue_winking_eye:

Thanks so much, I owe you a beverage of your liking.

Execute route and check the metric value that may answer your question

Yep, had checked that (all metrics are 0) - but to my surprise, the Genmask for WAN is quite "restrictive" ... so not matching in general. Not sure if WG makes that happen or not.


Ah my bad (haven't used WG for anything that is not site to site). So yes WG doesn't use a metric change but ip rules.


Makes sense, thanks! OK, one "small" problem it seems ... wired is fine, but WiFi not going over WG (actually, no internet at all). Very odd.

Moreover, this is not correct in general case which may include routes like + and routing rules.
The proper method to test routing is ip route get or tools like traceroute, tracepath, mtr, etc.

This depends on the client implementation and its configuration.
WireGuard configured with netifd doesn't create any IP rules on OpenWrt by default.


Thanks for the pointers! I think my issue is DHCP related (did some more digging). I say that because I had been using traceroute (and ping, etc.) ... no issue with access from the router itself (ssh'd in), but from a WiFi connected device => no internet access. Poking around, it seems like perhaps DHCP is not setting (and sending) the gateway correctly? I need to get access to the WiFi device, but that's waiting on time zones ... LOL!

Is it normally the case that DHCP (Option 3?) needs to be set if WG is used (routing all traffic)? And I'm still a bit confused - what to set as the gateway address? The local WG IP address, or the peer (other end of the link)? Or something else?


Add the client side subnet to the allowed IPs on the server.

Make sure I understand :laughing:. So not related to any WG addresses, rather the IP (range) the DHCP server is providing (locally, to WiFi connected devices) ... right?

No changes needed to WG on the "client" (OpenWrt) side, given the entry ... agreed?


1 Like

FYI, this sort of works (but may be me!). Seems like devices on the OpenWrt (DHCP) subnet can get to remote machines, but not out the remote end to the internet (i.e. redirecting all traffic). Thinking on the "server" end I need to also add ... would that make sense?

No, only the peer's IP and the client side subnet.
But make sure the server has a route to the client side subnet via the peer's IP.

It does! And the client can get to machines on the server subnet - just not to the internet. Hmmm.


FYI, have a similar setup for another client (iPhone), and that one does get out. Not sure why the difference.

1 Like