Wireguard PostUp/PostDown scripts (iptables rules)?

I have a working wireguard tunnel ( and want to NAT some of my other subnet clients (e.g. into that network. What's the best way to set appropriate iptables rules after wg0 interface comes up/down?

What exactly are you looking to do? Do you want those hosts to utilize the tunnel (for internet access, as an example), or do you want them to be accessible from the far side peer?

The far side peers should access some services on those clients (e.g. smb/cifs). I'd prefer to nat instead of port forwarding.
I also do not want to allow a route to as that ip range is too common.

You don’t need nat - it will route automatically.

Assuming you have an independent firewall zone for the wg zone, just add a forwarding rule from your wg zone to the lan zone.

On the far side peer(s), if the allowed ips is set to it will just work.

We probably cross-posted. I've added in my last sentence that the 0.0 ip range is too common. It would kill the local subnet on the far end.
The postup/postdown options are available in wg-quick scripts but I'm not sure how this is meant to be done in openwrt.

Could you just change the network on the openwrt side to something less common? Maybe or something similarly obscure?

I do not know if the hotplug.d ifup/ifdown would be triggered on the ‘server’ side peer upon connection (it is a stateless/non-persistent connection and the interface is probably always up regardless of peer activity or lack thereof), but I’m not sure that would help anyway since you would probably need to trigger an up/down script on the remote peer side anyway.

There might be a way you could do a 1:1 nat to another network range and then utilize that range as a pseudo-replacement. Not sure how one would do that in this situation, though.

I'm not sure if it's wg-quick specific at all but this server config looks very similar to wg showconf wireguard. Maybe the PostUp options do work already.
Not sure though where this is coming from on OpenWrt. Strace shows it pulls it from a netsocket. There is no /etc/wireguard or anything in /var/run. Using wg directly to configure might not be persistent.

I will give this a try. It should be ok if rules are applied on ifup/ifdn only.

Edit: I have a working trigger script in hotplug.d (even though ifdown triggers twice every time for an unknown reason). But it might be heavy to configure all the uci/fw3/netfilter stuff properly. Or I could go for a direct iptables snat rule that won't get covered by openwrt (not that good).

On the other hand, would it be possible to do masquerading directly within LuCI by additional firewall zone (or dummy nics)?
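The hotplug.d trigger and the 1:1 NAT idea from this thread can be combined as below. This is an added example, not code posted by anyone in the thread; the file path, the function names and both address ranges are constructed placeholders, and it assumes the WireGuard device carries the same name as the logical interface (wg0). The add and delete steps are idempotent, so an ifdown event that fires twice does no harm.

```shell
#!/bin/sh
# Hypothetical path: /etc/hotplug.d/iface/99-wg-netmap
# Constructed placeholders (the thread's real ranges are not shown):
WG_IFACE="wg0"                 # interface name used in the thread
PSEUDO_NET="198.51.100.0/24"   # range the far peers put in AllowedIPs
LAN_NET="192.0.2.0/24"         # real LAN range hidden behind the mapping
IPT="${IPT:-iptables}"         # overridable so the logic can be dry-run

# 1:1 mapping: packets arriving on the tunnel for PSEUDO_NET are
# rewritten to the same host address inside LAN_NET.
rule() {
    echo "PREROUTING -i $WG_IFACE -d $PSEUDO_NET -j NETMAP --to $LAN_NET"
}

nat_up() {
    # -C exits 0 if the rule already exists, so a repeated ifup adds nothing.
    $IPT -t nat -C $(rule) 2>/dev/null || $IPT -t nat -A $(rule)
}

nat_down() {
    # Delete until the rule is gone; a second ifdown finds nothing to do.
    while $IPT -t nat -C $(rule) 2>/dev/null; do
        $IPT -t nat -D $(rule) || break
    done
    return 0
}

handle_event() {   # $1 = ACTION, $2 = INTERFACE (both set by hotplug)
    [ "$2" = "$WG_IFACE" ] || return 0   # ignore events for other interfaces
    case "$1" in
        ifup)   nat_up ;;
        ifdown) nat_down ;;
    esac
    return 0
}

handle_event "${ACTION:-}" "${INTERFACE:-}"
```

Forwarding from the wg zone to the lan zone still has to be allowed, as described earlier in the thread.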
