WireGuard, Firewall Configuration

Hi,

I see this in a lot of different posts, but I admit - some seem to (sort of?) work, but I'm not sure I see a real "here is how the firewall needs to be set up" :smiley:. I say that because I have tried some of the "working" approaches, and in the process locked myself out of my router :disappointed:.

I can see that it's clear a WireGuard network interface needs to be added (:white_check_mark:, and handshaking just fine). Within that, add 0.0.0.0/0, as I want all traffic routed over the interface (:white_check_mark:). But then comes the firewall / zones. I have added a third zone (for the WireGuard interface => added to LAN and WAN), but ... how to get all traffic over that interface? Do I forward all LAN traffic to WG? And in return? And no forwarding to WAN at all? I think this is how I locked myself out of ssh, as all LAN traffic is going to WG?

Any guidance would be greatly appreciated!

What is the other end of your WG connection (the remote peer)? Is it a commercial VPN provider (i.e. your WG is a 'client'), a remote system that needs to be able to connect to your network (i.e. your router is a 'server'), or a site-to-site configuration?

3 Likes

Good question, sorry I wasn't clear! The remote end is my home "server" (pfSense box). OpenWrt is on the "client" end ... my M-i-L's remote system :smiley:. It's to route traffic back to / through my local network (i.e. remote connectivity, but also security).

And I do want to make sure I have two way access - meaning ... she messes up her PC a lot (machine behind the OpenWrt router), want to be able to get to it to fix things more easily :laughing:.

Thanks!

That's not necessary. Just add the WireGuard interface to the existing LAN zone.

1 Like

So just bridge it to LAN? All traffic will be routed over that, not WAN?

Thanks!

Bridging usually refers to interfaces. They will all remain separate, but by putting the LAN and WG interfaces in the same firewall zone (the existing lan zone) traffic will be able to pass back and forth between the two networks. Assuming the OpenWrt device has 0.0.0.0/0 as the allowed IPs, then all the traffic will get routed out through the WG interface.

1 Like

Meaning on the WG interface, right?

Will give that a try, thanks!

Yes, you want it in the wireguard peer config.

2 Likes
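As an added example (not code from the thread or from the OpenWrt project), here is the OpenWrt "client" side of what the replies above describe, as UCI commands: no extra zone, the WireGuard interface simply added to the existing lan zone, and 0.0.0.0/0 in the peer's allowed IPs with route_allowed_ips set so netifd installs the default route through the tunnel. Interface name wg0, tunnel address 10.10.0.2/24, peer section name wghome, endpoint vpn.example.net:51820 and the key placeholders are all assumptions; replace them with your own values.

```shell
#!/bin/sh
# Added example, not taken from the thread: the OpenWrt ("client") side as
# UCI commands. There is no extra firewall zone and no lan->wg forwarding
# rule; wg0 joins the existing lan zone, so LAN <-> tunnel traffic is
# intra-zone and the existing lan->wan forwarding plus the LAN-side ssh
# input rule stay untouched. The peer gets allowed_ips 0.0.0.0/0 with
# route_allowed_ips=1, which makes netifd install the default route via wg0.
# Keys, addresses and the endpoint are placeholders (assumed values); override
# them through the environment.
#
# Default is a dry run that prints the commands. DRY_RUN=0 runs them and
# reloads network and firewall; do that from a wired client or a serial
# console, because the default route moves into the tunnel once it is up.

WG_IF="${WG_IF:-wg0}"
WG_ADDR="${WG_ADDR:-10.10.0.2/24}"                 # assumed tunnel address
WG_PRIVKEY="${WG_PRIVKEY:-REPLACE_WITH_CLIENT_PRIVATE_KEY}"
PEER_PUBKEY="${PEER_PUBKEY:-REPLACE_WITH_SERVER_PUBLIC_KEY}"
PEER_HOST="${PEER_HOST:-vpn.example.net}"          # assumed pfSense WAN name
PEER_PORT="${PEER_PORT:-51820}"
PEER_SECTION="${PEER_SECTION:-wghome}"             # uci name for the peer section
DRY_RUN="${DRY_RUN:-1}"

# Emits one uci command per line. The lan zone is assumed to be the first
# zone in /etc/config/firewall (the default layout); the rename gives it a
# stable name so it can be addressed as firewall.lan. Verify first with:
#   uci show firewall | grep "name='lan'"
wg_client_commands() {
    cat <<EOF
uci -q delete network.${WG_IF}
uci set network.${WG_IF}='interface'
uci set network.${WG_IF}.proto='wireguard'
uci set network.${WG_IF}.private_key='${WG_PRIVKEY}'
uci add_list network.${WG_IF}.addresses='${WG_ADDR}'
uci -q delete network.${PEER_SECTION}
uci set network.${PEER_SECTION}='wireguard_${WG_IF}'
uci set network.${PEER_SECTION}.description='home pfSense'
uci set network.${PEER_SECTION}.public_key='${PEER_PUBKEY}'
uci set network.${PEER_SECTION}.endpoint_host='${PEER_HOST}'
uci set network.${PEER_SECTION}.endpoint_port='${PEER_PORT}'
uci set network.${PEER_SECTION}.persistent_keepalive='25'
uci add_list network.${PEER_SECTION}.allowed_ips='0.0.0.0/0'
uci set network.${PEER_SECTION}.route_allowed_ips='1'
uci rename 'firewall.@zone[0]=lan'
uci -q del_list firewall.lan.network='${WG_IF}'
uci add_list firewall.lan.network='${WG_IF}'
uci commit network
uci commit firewall
EOF
}

# Run the commands on the router, then reload so the tunnel and the zone
# change take effect. The "-q delete"/"del_list" lines may fail harmlessly
# on a first run, which is why the commands are fed to plain sh (no -e).
apply_or_print() {
    if [ "$DRY_RUN" -eq 0 ]; then
        wg_client_commands | sh
        /etc/init.d/network reload
        /etc/init.d/firewall reload
        wg show "$WG_IF"            # handshake / transfer counters
        ip route get 8.8.8.8        # should say "dev wg0"
    else
        wg_client_commands
    fi
}

apply_or_print
```

Running it with no arguments only prints the commands, which is the safest way to review them before a DRY_RUN=0 run on the router.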

I think it's working! Thanks so much. I admit, still not sure why the traffic goes over WG, vs. the WAN ... assuming that's routing table related somehow - I'm just not sure why WG takes priority (over the WAN). Sometime, if you have nothing better to do, I'd be curious why that's the case (but don't want to waste your time). I 100% know that's me just being a dough-head :stuck_out_tongue_winking_eye:

Thanks so much, I owe you a beverage of your liking.

Execute route and check the metric value; that may answer your question.

Yep, had checked that (all metrics are 0) - but to my surprise, the Genmask for WAN is quite "restrictive" ... so not matching in general. Not sure if WG makes that happen or not.

Thanks!

Ah, my bad (I haven't used WG for anything that is not site-to-site). So yes, WG doesn't use a metric change but ip rules.

2 Likes

Makes sense, thanks! OK, one "small" problem it seems ... wired is fine, but WiFi not going over WG (actually, no internet at all). Very odd.

Moreover, this is not correct in the general case, which may include routes like 0.0.0.0/1 + 128.0.0.0/1 and routing rules.
The proper method to test routing is ip route get or tools like traceroute, tracepath, mtr, etc.

This depends on the client implementation and its configuration.
WireGuard configured with netifd doesn't create any IP rules on OpenWrt by default.

2 Likes

Thanks for the pointers! I think my issue is DHCP related (did some more digging). I say that because I had been using traceroute (and ping, etc.) ... no issue with access from the router itself (ssh'd in), but from a WiFi connected device => no internet access. Poking around, it seems like perhaps DHCP is not setting (and sending) the gateway correctly? I need to get access to the WiFi device, but that's waiting on time zones ... LOL!

Is it normally the case that DHCP (Option 3?) needs to be set if WG is used (routing all traffic)? And I'm still a bit confused - what to set as the gateway address? The local WG IP address, or the peer (other end of the link)? Or something else?

Thanks!

Add the client side subnet to the allowed IPs on the server.

Make sure I understand :laughing:. So not related to any WG addresses, rather the IP (range) the DHCP server is providing (locally, to WiFi connected devices) ... right?

No changes needed to WG on the "client" (OpenWrt) side, given the 0.0.0.0/0 entry ... agreed?

Thanks!

1 Like

FYI, this sort of works (but may be me!). Seems like devices on the OpenWrt (DHCP) subnet can get to remote machines, but not out the remote end to the internet (i.e. redirecting all traffic). Thinking on the "server" end I need to also add 0.0.0.0/0 ... would that make sense?

No, only the peer's IP and the client side subnet.
But make sure the server has a route to the client side subnet via the peer's IP.
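An added example (not from the thread) covering two checks raised above: the point that reading the default line of route or its metric is not a reliable way to tell where traffic goes (ip route get is), and the reply that the client-side subnet must be in the peer's allowed IPs on the server. It does a longest-prefix match over constructed route tables, parses ip route get output, and checks whether a server-side AllowedIPs list covers both the client's tunnel address and hosts behind it. All addresses are constructed: tunnel address 10.10.0.2, LAN behind the OpenWrt router 192.168.2.0/24, WAN device eth0.2, endpoint 203.0.113.5.

```shell
#!/bin/sh
# Added example for two checks from the thread; POSIX sh, runs offline on
# constructed data. Addresses below are assumptions, not from the thread.

# Dotted quad -> 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True if address $1 lies inside CIDR $2 (a bare address counts as /32).
in_cidr() {
    net="${2%/*}"
    bits="${2#*/}"
    [ "$bits" = "$2" ] && bits=32
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (0xffffffff << (32 - bits)) & 0xffffffff ))
    fi
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Longest-prefix match of address $1 against "CIDR dev" lines on stdin;
# prints the winning device. This is what the kernel does, and why the
# "default" line of route can mislead: two /1 routes beat any /0 route.
lpm_dev() {
    best=-1
    bestdev=""
    while read -r cidr dev; do
        [ -n "$cidr" ] || continue
        plen="${cidr#*/}"
        if in_cidr "$1" "$cidr" && [ "$plen" -gt "$best" ]; then
            best=$plen
            bestdev=$dev
        fi
    done
    echo "$bestdev"
}

# Pull the "dev X" field out of ip route get output. On the router:
#   ip route get 8.8.8.8 | route_get_dev
route_get_dev() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Server-side cryptokey-routing check. Every source address arriving through
# this peer (its tunnel address and hosts on the LAN behind it) must fall
# inside the peer's AllowedIPs on the server, or WireGuard drops the packet
# silently after decrypting it. $1 = comma-separated AllowedIPs, remaining
# args = addresses to check. Prints the uncovered ones; returns 0 if none.
allowed_ips_cover() {
    list=$(printf '%s' "$1" | tr ',' ' ')
    shift
    rc=0
    for addr in "$@"; do
        covered=0
        for cidr in $list; do
            if in_cidr "$addr" "$cidr"; then covered=1; break; fi
        done
        if [ "$covered" -eq 0 ]; then echo "$addr"; rc=1; fi
    done
    return $rc
}

# Constructed route tables ("CIDR dev"), simplified from ip route output.
# Two-halves style: 0.0.0.0/1 + 128.0.0.0/1 swallow everything except the
# endpoint host route, even though a WAN default route is still present.
TABLE_HALVES='0.0.0.0/1 wg0
128.0.0.0/1 wg0
0.0.0.0/0 eth0.2
203.0.113.5/32 eth0.2'
# netifd style (route_allowed_ips with 0.0.0.0/0): one default via wg0 plus a
# host route to the endpoint that keeps the tunnel's own UDP on the WAN.
TABLE_NETIFD='0.0.0.0/0 wg0
203.0.113.5/32 eth0.2
10.10.0.0/24 wg0
192.168.2.0/24 br-lan'

demo() {
    echo "halves  8.8.8.8     -> $(printf '%s\n' "$TABLE_HALVES" | lpm_dev 8.8.8.8)"
    echo "halves  203.0.113.5 -> $(printf '%s\n' "$TABLE_HALVES" | lpm_dev 203.0.113.5)"
    echo "netifd  192.168.2.7 -> $(printf '%s\n' "$TABLE_NETIFD" | lpm_dev 192.168.2.7)"
    echo "route get sample    -> $(printf '%s\n' '8.8.8.8 dev wg0 table main src 10.10.0.2 uid 0' | route_get_dev)"
    echo "server AllowedIPs 10.10.0.2/32 only, uncovered sources:"
    allowed_ips_cover '10.10.0.2/32' 10.10.0.2 192.168.2.50 || true
    echo "with 192.168.2.0/24 added, uncovered sources (none expected):"
    allowed_ips_cover '10.10.0.2/32,192.168.2.0/24' 10.10.0.2 192.168.2.50
}
demo
```

The coverage check tests representative addresses rather than whole blocks, so pass it an address from the DHCP range handed to the WiFi clients. It only answers the AllowedIPs half of the problem: a private source address from the client subnet still needs the server to route or NAT it toward the internet, which is separate from what WireGuard's AllowedIPs controls.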

It does! And the client can get to machines on the server subnet - just not to the internet. Hmmm.

Thanks!

FYI, have a similar setup for another client (iPhone), and that one does get out. Not sure why the difference.

1 Like