WireGuard Gateway with killswitch and port forwards on WAN


I would like to use OpenWrt as a VPN gateway for a client that needs port forwards to be reachable on the real WAN. There are reasons why I can't run the VPN on the device itself. Sounds a little complicated, so here's my idea (IP addresses are examples):

Main network -

  • Inside main Network:
    -- OpenWrt as VPN Gateway (WAN
    ---- Inside OpenWrt: Device with
    -- Other devices

What I want to do:

  • Set up OpenWrt so it only allows internet traffic to go via the VPN interface (VPN is an own firewall zone)
  • If the VPN interface goes down, the device shall not be allowed to communicate to the outside world
  • I want ports reachable from So I want to set up port forwarding, that I could access which would forward to

I'm pretty well versed in networking I'd say, but I'm really stumbling here. So far I have set up the WireGuard tunnel within OpenWrt and traffic routes over the VPN correctly. Is there a plugin or something that I could use, or am I just missing a route and a firewall rule?


A plugin for what?

If the issue is that the port forwarding from the WAN isn't working properly, you will probably need VPN Policy Based Routing

This is easy... just make sure that the firewall zone associated with the network (likely 'lan') has forwarding enabled to the wireguard zone, but not to the wan zone. This will act as a kill switch for that network.
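What that zone layout looks like in `/etc/config/firewall`, as an added example rather than the poster's own config: the interface name `wg0`, the client address `192.168.2.10` and the forwarded port `8080` are assumed placeholders. The only `forwarding` entry is `lan` -> `wg`; leaving out any `lan` -> `wan` forwarding is what makes the tunnel a kill switch, and the `redirect` section is the WAN-side port forward to the client.

```uci
# Zones: the LAN behind OpenWrt, the real WAN, and the WireGuard tunnel
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# 'wg0' is the assumed name of the WireGuard interface in /etc/config/network
config zone
	option name 'wg'
	list network 'wg0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# Kill switch: LAN clients may only be forwarded into the tunnel zone.
# Deliberately no 'config forwarding' from 'lan' to 'wan'.
config forwarding
	option src 'lan'
	option dest 'wg'

# Port forward on the real WAN to the client behind OpenWrt
# (client IP and port are example values)
config redirect
	option name 'client-service'
	option src 'wan'
	option src_dport '8080'
	option proto 'tcp'
	option dest 'lan'
	option dest_ip '192.168.2.10'
	option dest_port '8080'
	option target 'DNAT'
```

After `/etc/init.d/firewall restart`, check from a LAN client that it reaches the internet only while `wg0` is up. This fragment does not decide which uplink the client's reply packets for the forwarded port use; that is the routing part the replies above address with VPN Policy Based Routing or mwan3.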


Well, that was exactly it. I used mwan3 to accomplish basically the same thing. Set up a policy that traffic from that source IP should only be routed using the VPN adapter and if that's not available, default to unreachable. Set up the proper firewall rules for my port forwarding and I'm golden. Thanks!

