WireGuard PostUp by script in OpenWrt

I seem to have found a good post on a firewall scheme to grant Internet only, LAN only, or Internet plus LAN access to different WireGuard peers (devices) coming to a peer acting as server:

One feature of the scheme is that PostUp and PostDown are not embedded in wg0.conf but stand separately in the scripts /etc/wireguard/postup.sh and /etc/wireguard/postdown.sh.

Is there any reason such scripts may not work in an OpenWrt router?

Using raw iptables commands on OpenWrt is strongly discouraged.
You can filter forwarding with trivial traffic rules:
https://openwrt.org/docs/guide-user/firewall/firewall_configuration#rules

Thank you. Would it then be a matter of my understanding what the (GitHub post's) PostUp and PostDown scripts do and translating them into OpenWrt (fw3) equivalents? (For me that won't be trivial, but a highly interesting project.)

I suppose one difference will be that the fw3 rules are constantly on, while WireGuard PostUp rules go into effect only when WireGuard is started. Is this right? (I seem to have read that if the firewall is restarted, then WireGuard's PostUp rules are not restarted therewith but become ineffective.)

Why is direct manipulation of iptables discouraged for OpenWrt?

Yes, you need to convert iptables commands to traffic rules.
It should not be too difficult since you have already reached this point.

PostUp scripts are a workaround for systems without a proper firewall.
Trying to apply those to OpenWrt only adds more problems:

  • It goes against the zone-based firewall model and leads to potential race conditions.
  • It increases the level of complexity for configuration and troubleshooting.
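
As an added example (not code from this thread, from the GitHub post being discussed, or from OpenWrt itself), the following script shows what "converting the PostUp iptables commands to traffic rules" looks like for the three peer classes mentioned at the top of the thread (Internet only, LAN only, Internet plus LAN). It prints a `uci batch` script: one zone for the WireGuard interface with forward set to REJECT, a WAN input rule for the handshake port, and a forward ACCEPT rule per peer and destination zone, keyed on the peer's tunnel address. Because the result lives in /etc/config/firewall, it is re-created on every firewall reload, whereas rules inserted by a PostUp script exist only in the running ruleset. The same UCI syntax is consumed by fw3 (iptables) and fw4 (nftables, OpenWrt 22.03 and later). Everything below is an assumption for illustration: the interface name wg0, zone names wg/lan/wan, UDP port 51820, and the three tunnel addresses in the constructed peer table.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenWrt. It prints a
# `uci batch` script that builds the three peer classes as zone-based
# firewall rules instead of PostUp iptables commands.
# Assumptions (placeholders, adjust for your router): the WireGuard
# interface is named wg0 in /etc/config/network, the zones lan and wan
# exist as in the default config, WireGuard listens on UDP 51820, and the
# tunnel addresses below are made up for the example.

WG_IFACE=wg0
WG_PORT=51820

# Constructed peer table: "<tunnel address> <policy>", one per line.
# policy: inet = Internet only, lan = LAN only, both = Internet plus LAN.
PEERS='10.10.0.2 inet
10.10.0.3 lan
10.10.0.4 both'

# One forward-ACCEPT rule for a single peer towards one destination zone.
# src_ip pins the rule to that peer's tunnel address; WireGuard's
# AllowedIPs (cryptokey routing) ensures a peer cannot use another
# peer's address, which is what makes per-address rules trustworthy.
emit_rule() {
  addr=$1; dest=$2
  cat <<EOF
add firewall rule
set firewall.@rule[-1].name='wg_${addr}_to_${dest}'
set firewall.@rule[-1].src='wg'
set firewall.@rule[-1].src_ip='$addr'
set firewall.@rule[-1].dest='$dest'
set firewall.@rule[-1].target='ACCEPT'
EOF
}

# Zone with forward=REJECT so a peer reaches nothing unless a rule grants
# it, the WAN input rule for the handshake port, then the per-peer rules.
# No `forwarding` section wg->wan is added on purpose: that would give
# every peer Internet access and defeat the LAN-only class.
emit_config() {
  cat <<EOF
add firewall zone
set firewall.@zone[-1].name='wg'
set firewall.@zone[-1].network='$WG_IFACE'
set firewall.@zone[-1].input='ACCEPT'
set firewall.@zone[-1].output='ACCEPT'
set firewall.@zone[-1].forward='REJECT'
add firewall rule
set firewall.@rule[-1].name='Allow-WireGuard'
set firewall.@rule[-1].src='wan'
set firewall.@rule[-1].proto='udp'
set firewall.@rule[-1].dest_port='$WG_PORT'
set firewall.@rule[-1].target='ACCEPT'
EOF
  while read -r addr policy; do
    [ -n "$addr" ] || continue
    case $policy in
      inet) emit_rule "$addr" wan ;;
      lan)  emit_rule "$addr" lan ;;
      both) emit_rule "$addr" wan; emit_rule "$addr" lan ;;
      *)    echo "unknown policy '$policy' for $addr" >&2; return 1 ;;
    esac
  done <<EOF
$PEERS
EOF
  echo commit firewall
}

# Stand-alone run prints the batch script; on the router pipe it into uci:
#   sh wg-fw.sh | uci batch && /etc/init.d/firewall reload
emit_config
```

A peer in the "lan" class gets a rule towards lan only, so its packets to wan fall through to the zone's forward=REJECT default; the "inet" class is the mirror image; "both" gets two rules. Adding a fourth class or a new peer is a new line in the table rather than another iptables command to keep in sync between postup.sh and postdown.sh.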