Wireguard Firewall setup?

rparge · June 24, 2025, 4:26pm

OpenWrt Newbie here.

I have successfully created a working Wireguard server for remote LAN access, (peers are working and I have DDNS setup)

But the Wireguard setup examples I have seen show two different firewall setups - but both work fine.

Both of these appear to me to be functionally the same.

Are either or both of these setups OK?

TIA
Rick

#version 1

config zone
	option name 'wg0_FW'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	list network 'lan'
	list network 'wg0'

config forwarding
	option src 'wg0_FW'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'wg0_FW'

--------------------------------

#Version 2

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg0'

diogohvo · June 24, 2025, 4:32pm

What guide did you follow?

Basically, Version 1 creates a Firewall zone identical to LAN, and creates the appropriate rules to achieve the same functionality as the LAN zone. It also integrates the LAN interface into the new firewall zone, which I find strange, but I am not a Wireguard user so take that with a grain of salt.

Version 2 does not create a new zone identical to LAN, and I would assume integrates the WireGuard firewall into the LAN firewall zone. But you would need to provide additional configs to confirm this.

egc · June 24, 2025, 4:49pm

No they are not.

Note: an interface can only be set in one firewall zone , you did not show your whole firewall but I am talking about the lan interface

See my notes how I setup a WireGuard server:

Easy method is indeed just adding the WireGuard interface to the lan firewall zone.

rparge · June 24, 2025, 8:26pm

Thank you.

These two videos:

Skip to 1:45

Skip to 4:30

rparge · June 24, 2025, 8:30pm

Great write up!

I just added the wg0 interface to the LAN zone.

Thank you!

egc · June 25, 2025, 6:02am

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!

system · July 5, 2025, 6:02am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.