WireGuard route all traffic use case

Hi,

I've read this page: https://openwrt.org/docs/guide-user/services/vpn/wireguard/all-traffic-through-wireguard

The context is using WireGuard as a VPN client to route all internal traffic via a WireGuard VPN (Nord, Mullvad, etc.).

I can't wrap my head around one part: apart from preventing DNS leaks, what does a dedicated firewall zone achieve here in comparison to adding the WireGuard interface to the WAN zone? In both scenarios the traffic goes through WireGuard. The wg zone seems more restrictive (the forward drop and output drop), but can a setup that goes through WAN (which has output 'ACCEPT' and input/forward 'REJECT') somehow be bypassed to reach the internet without WireGuard? I would be grateful for an example scenario that does that.

My main concern is: if the WireGuard interface is added to the WAN zone, does it provide sufficient leak isolation? It's easier to turn WireGuard on/off on demand this way: no need to change UCI settings for firewall forwarding, just ifup/ifdown the WireGuard interface.

Just create a new firewall zone, just like wan, and call it protonWan or NordvpnWan. Take the default wan out of lan access and put the new WAN zone into lan. All the documentation from Proton and Nord about assigning to wan is incorrect, it is wrong! They want you downloading their app for every single thing.
Assign your DNS (10.2.0.1 for Proton; 103.86.96.100 and 103.86.99.100 for NordVPN) in your default WAN section. Check the DNS section ("Use DNS servers advertised by peer", under Advanced) and uncheck that box. Make sure you check MSS clamping and masquerading when creating the firewall zone, and set Reject / Accept / Reject. In the advanced settings of the firewall zone, set IPv4 only if using OpenVPN.
You can set up the tunnel properly with all this stuff if you initially haven't turned tun0 on. That has to be done first; look up OpenVPN LuCI, the documentation is there.
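The dedicated-zone setup the reply describes, written out as a /etc/config/firewall fragment (an added example, not from either post or from the OpenWrt wiki). It assumes the UCI network interface names 'wan' (physical uplink) and 'wg0' (WireGuard), the stock 'lan' zone, and a 'defaults' section whose forward policy is REJECT, as in the stock OpenWrt config. Zone policies follow the reply's "Reject / Accept / Reject" (input / output / forward).

```uci
# /etc/config/firewall (fragment) - added example, not from the original thread.
# Assumed names: network 'wan' = physical uplink, 'wg0' = WireGuard interface.

# Dedicated zone for the tunnel, modelled on the stock wan zone:
# the router may send into it (output ACCEPT), nothing unsolicited comes in,
# nothing is forwarded between zone members, LAN sources are NATed to the
# tunnel address, and TCP MSS is clamped to the tunnel MTU.
config zone
	option name 'wg'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wg0'

# lan may forward into the tunnel zone only. The stock
#   config forwarding / option src 'lan' / option dest 'wan'
# section is deliberately absent. If wg0 goes down and the kernel falls back
# to the default route via the physical uplink, a lan packet leaving through
# 'wan' matches no forwarding section and is refused by the global default
# forward policy (REJECT) instead of leaving the router unencrypted.
config forwarding
	option src 'lan'
	option dest 'wg'

# The physical uplink keeps its own zone so the router can still reach the
# VPN endpoint (and WAN-side DHCP/DNS) from its own OUTPUT chain.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

# For comparison, the variant the question asks about would instead be:
#   config zone / option name 'wan' / list network 'wan' / list network 'wg0'
#   config forwarding / option src 'lan' / option dest 'wan'
# There the lan->wan forwarding section accepts packets leaving via *either*
# zone member, so with wg0 down the same packets go straight out the uplink.
```

Reload with `/etc/init.d/firewall restart` after editing; the leak check is to bring wg0 down with `ifdown wg0` and confirm that LAN clients lose connectivity rather than silently reaching the internet over the uplink.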