Hi,
I've read this page: https://openwrt.org/docs/guide-user/services/vpn/wireguard/all-traffic-through-wireguard
The context is using wireguard as a VPN client that wants to route all internal traffic via the wireguard VPN (Nord, Mullvad, etc.).
I can't wrap my head around one part: apart from preventing DNS leaks, what does a dedicated firewall zone achieve here in comparison to adding the wireguard interface to the WAN zone? In both scenarios the traffic goes through wireguard. The wg zone seems more restrictive (the forward drop and output drop), but can a setup that goes through WAN (that has output 'ACCEPT' and input/forward 'REJECT') be somehow bypassed to reach the internet without wireguard? I would be grateful for an example scenario that does that.
My main concern is that if wireguard interface is added to WAN zone - does it provide sufficient leak isolation? It's easier to turn on/off wireguard on demand this way - no need to change uci settings for firewall forwarding - just ifup/ifdown wireguard interface.
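An added example (not part of the post, and not OpenWrt's or the wiki's own code) to make the difference concrete. It embeds two constructed `/etc/config/firewall` fragments, one with the WireGuard interface placed in the `wan` zone and one with a dedicated `wg` zone, and a small POSIX sh/awk check that reports which zones `lan` may forward into. The zone names `lan`, `wan`, `wg` and the interface name `wg0` are assumptions. The scenario it illustrates: when `wg0` is in the `wan` zone, the `lan -> wan` forwarding matches the physical uplink too, so if `wg0` goes down (ifdown, handshake failure, provider outage) LAN traffic follows the normal default route out of the physical WAN and still passes the firewall. With a dedicated zone and only `lan -> wg` forwarding, the same packets hit the physical WAN zone with no forwarding rule and are rejected.

```sh
#!/bin/sh
# Added example, not from the forum post or the OpenWrt wiki.
# Zone names lan/wan/wg and the interface name wg0 are assumptions.

# Variant A (constructed): WireGuard interface simply added to the wan zone.
CONFIG_WG_IN_WAN='
config zone
    option name "lan"
    list network "lan"
    option input "ACCEPT"
    option output "ACCEPT"
    option forward "ACCEPT"

config zone
    option name "wan"
    list network "wan"
    list network "wg0"
    option input "REJECT"
    option output "ACCEPT"
    option forward "REJECT"
    option masq "1"

config forwarding
    option src "lan"
    option dest "wan"
'

# Variant B (constructed): dedicated wg zone, lan forwards only into wg.
CONFIG_WG_ZONE='
config zone
    option name "lan"
    list network "lan"
    option input "ACCEPT"
    option output "ACCEPT"
    option forward "ACCEPT"

config zone
    option name "wan"
    list network "wan"
    option input "REJECT"
    option output "ACCEPT"
    option forward "REJECT"

config zone
    option name "wg"
    list network "wg0"
    option input "REJECT"
    option output "ACCEPT"
    option forward "REJECT"
    option masq "1"
    option mtu_fix "1"

config forwarding
    option src "lan"
    option dest "wg"
'

# Print, one per line, the zones that the "lan" zone may forward into.
lan_forward_dests() {
    printf '%s\n' "$1" | awk '
        /^config forwarding/ { inf=1; src=""; dst=""; next }
        /^config/            { inf=0; next }
        inf && $1=="option"  { v=$3; gsub(/"/,"",v)
                               if ($2=="src")  src=v
                               if ($2=="dest") dst=v
                               if (src=="lan" && dst!="") { print dst; src=""; dst="" } }
    '
}

# Print the name of the zone whose network list contains the given network.
zone_of_network() {
    printf '%s\n' "$1" | awk -v net="$2" '
        /^config zone/ { if (inz && has) print name; inz=1; name=""; has=0; next }
        /^config/      { if (inz && has) print name; inz=0; next }
        inz && $1=="option" && $2=="name"  { name=$3; gsub(/"/,"",name) }
        inz && $1=="list"   && $2=="network" { v=$3; gsub(/"/,"",v); if (v==net) has=1 }
        END { if (inz && has) print name }
    '
}

# True (exit 0) when lan may forward into the zone holding the physical "wan"
# network: with wg0 down, LAN traffic would then leave via the uplink.
wan_leak_possible() {
    wanzone=$(zone_of_network "$1" wan)
    lan_forward_dests "$1" | grep -qx "$wanzone"
}

# Stand-alone run: report both variants.
if wan_leak_possible "$CONFIG_WG_IN_WAN"; then
    echo "variant A: lan may forward into the wan zone -> leaks when wg0 is down"
fi
if ! wan_leak_possible "$CONFIG_WG_ZONE"; then
    echo "variant B: lan forwards only into wg -> no path out when wg0 is down"
fi
```

The check only covers forwarded (LAN client) traffic; the router's own traffic is governed by the zone `output` policy, which is why the dedicated-zone setup also tightens `output`. In variant B the protection comes from there being no `lan -> wan` forwarding at all, so a kill switch is only as good as the absence of that forwarding; re-adding it (for example, to let traffic flow while the tunnel is down) removes the isolation.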