Hi,
I see two kinds of firewall settings for WireGuard on many VPN providers' guides.
On the OpenWrt wiki, for the client, we can read this:
```
# Configure firewall
uci rename firewall.@zone[0]="lan"
uci rename firewall.@zone[1]="wan"
uci del_list firewall.wan.network="${WG_IF}"
uci add_list firewall.wan.network="${WG_IF}"
uci commit firewall
/etc/init.d/firewall restart
```
But as I said, the providers configure the firewall from the Network - Firewall settings,
and it is a bit more complex, I thought. Which one should I follow?
Here is an example from a VPN provider:
Add a Firewall zone
Navigate to Network - Firewall
Click the Add button and enter the following configuration:
- Name - Give it any name, e.g. ivpn_fw
- Input - Reject
- Output - Accept
- Forward - Reject
- Masquerading - Checked
- MSS clamping - Checked
- Covered networks - select the previously created VPN tunnel interface, e.g. ivpnAustria
- Allow forward to destination zones - Unspecified
- Allow forward from source zones - lan
And here is mine:
```
root@OpenWrt:/etc/config# cat firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'Torguard.vpn'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

config redirect 'dns_int'
	option name 'Intercept-DNS'
	option src 'lan'
	option src_dport '53'
	option proto 'tcp udp'
	option target 'DNAT'

root@OpenWrt:/etc/config#
```
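The two approaches in the post differ mainly in one respect: putting the tunnel interface into the existing `wan` zone (the wiki way) lets `lan` forward into a zone that also covers the plain `wan` interface, so if the tunnel goes down, traffic can still leave unencrypted; a dedicated zone that covers only the tunnel (the provider way), with `lan` forwarding only into that zone and the default `lan -> wan` forwarding removed, blocks that at the firewall level. The `Allow-WireGuard` input rule on port 51820 is only needed when the router itself accepts inbound WireGuard peers; a client connecting out to a provider gets its replies through connection tracking and needs no inbound rule. The checker below is an added example (not code from the forum post, the OpenWrt wiki or any provider): it parses UCI `config`/`option`/`list` lines, finds the zone covering a named tunnel interface, flags zone settings a VPN client zone should have, and reports whether `lan` can only leave through the tunnel. Both embedded configs are constructed samples; the first mirrors the poster's layout, the second the provider-style dedicated zone. The interface and zone names (`Torguard.vpn`, `ivpnAustria`, `ivpn_fw`) are taken from the post as illustrative values.

```python
"""Added checker: which OpenWrt firewall zone covers a WireGuard interface,
and can LAN traffic only leave through that tunnel? Sample configs are
constructed for this example and are not a real router's config."""
import shlex

# Constructed sample 1: tunnel interface added to the existing 'wan' zone.
CFG_WAN_ZONE = """
config zone 'wan'
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    list network 'wan'
    list network 'Torguard.vpn'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule 'wg'
    option name 'Allow-WireGuard'
    option src 'wan'
    option dest_port '51820'
    option proto 'udp'
    option target 'ACCEPT'
"""

# Constructed sample 2: dedicated tunnel zone; lan forwards only into it.
CFG_VPN_ZONE = """
config zone
    option name 'ivpn_fw'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    list network 'ivpnAustria'

config zone 'wan'
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    list network 'wan'

config forwarding
    option src 'lan'
    option dest 'ivpn_fw'
"""


def parse_uci(text):
    """Parse UCI 'config'/'option'/'list' lines into a list of section dicts."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw)          # handles quoted values like 'tcp udp'
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "config":
            sections.append({"type": parts[1], "opt": {}, "lst": {}})
        elif parts[0] == "option":
            sections[-1]["opt"][parts[1]] = parts[2]
        elif parts[0] == "list":
            sections[-1]["lst"].setdefault(parts[1], []).append(parts[2])
    return sections


def zone_for_network(cfg, ifname):
    """Zone section whose 'network' list contains ifname, or None."""
    for s in cfg:
        if s["type"] == "zone" and ifname in s["lst"].get("network", []):
            return s
    return None


def forward_targets(cfg, src):
    """Names of zones that traffic from zone 'src' may be forwarded into."""
    return [s["opt"]["dest"] for s in cfg
            if s["type"] == "forwarding" and s["opt"].get("src") == src]


def audit_tunnel_zone(cfg, wg_if, lan="lan", listen_port="51820"):
    """Summarise how wg_if is zoned and flag settings a VPN client zone needs."""
    z = zone_for_network(cfg, wg_if)
    if z is None:
        return {"zone": None, "problems": [f"{wg_if} is covered by no zone"]}
    opt, name = z["opt"], z["opt"]["name"]
    problems = []
    if opt.get("masq") != "1":
        problems.append("masq off: LAN sources are not NATed behind the tunnel address")
    if opt.get("mtu_fix") != "1":
        problems.append("mtu_fix off: large TCP segments may stall inside the tunnel")
    if opt.get("input", "").upper() == "ACCEPT":
        problems.append("input ACCEPT: the remote peer can reach router services")
    if opt.get("forward", "").upper() == "ACCEPT":
        problems.append("forward ACCEPT: interfaces in this zone may forward to each other")
    targets = forward_targets(cfg, lan)
    if name not in targets:
        problems.append(f"no forwarding {lan} -> {name}: LAN cannot use the tunnel")
    # LAN can only leave through the tunnel if every zone it forwards into
    # covers nothing but the tunnel interface itself.
    by_name = {s["opt"]["name"]: s for s in cfg if s["type"] == "zone"}
    tunnel_only = bool(targets) and all(
        by_name[t]["lst"].get("network", []) == [wg_if] for t in targets if t in by_name)
    # Inbound ACCEPT rules for the listen port: needed only for a WireGuard server.
    inbound = [s["opt"].get("name") for s in cfg if s["type"] == "rule"
               and s["opt"].get("target") == "ACCEPT"
               and s["opt"].get("dest_port") == listen_port]
    return {"zone": name, "covers": z["lst"].get("network", []),
            "lan_forwards_to": targets, "lan_leaves_only_via_tunnel": tunnel_only,
            "inbound_listen_rules": inbound, "problems": problems}


if __name__ == "__main__":
    print(audit_tunnel_zone(parse_uci(CFG_WAN_ZONE), "Torguard.vpn"))
    print(audit_tunnel_zone(parse_uci(CFG_VPN_ZONE), "ivpnAustria"))
```

Run against a real router by replacing the sample strings with the contents of `/etc/config/firewall` (or the output of `uci export firewall`); `lan_leaves_only_via_tunnel` is the line to read when the question is whether traffic can fall back to the plain WAN when the tunnel is down.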