I have got a requirement with the WireGuard setup where wg-peer1 should be able to communicate with wg-peer3 via wg-peer2, but wg-peer3 should not be able to communicate with wg-peer1.
wg-peer1 and wg-peer3 are the OpenWRT routers.
wg-peer1 ---> wg-peer2 ---> wg-peer3
private_IP    public_IP    private_IP
Is it possible?
I would consider using two WireGuard interfaces and putting them in different firewall zones. Then you allow forwarding from peer1's zone to peer3's zone.
If they use the same zone then you need to disable forwarding on that zone and add a custom rule that allows the traffic instead.
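An added example of the two-zone layout from this answer as an /etc/config/firewall fragment for wg-peer2 (not from the thread or from OpenWrt's own docs); the interface names wg_p1 and wg_p3, the zone names and the 10.0.1.0/24 and 10.0.3.0/24 tunnel subnets are assumptions, and it assumes each tunnel's allowed_ips on wg-peer2 already covers the subnet behind that peer.

```uci
# /etc/config/firewall on wg-peer2 (added example; names and subnets are assumptions).
# wg_p1 is the WireGuard interface towards wg-peer1, wg_p3 the one towards wg-peer3.

config zone
	option name 'zone_p1'
	list network 'wg_p1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'zone_p3'
	list network 'wg_p3'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# One-way forwarding: new connections may go from peer1's zone into peer3's zone.
# There is deliberately no forwarding section from zone_p3 to zone_p1, so
# connections that wg-peer3 initiates towards wg-peer1 are rejected, while
# replies to connections opened by wg-peer1 still pass via connection tracking.
config forwarding
	option src 'zone_p1'
	option dest 'zone_p3'

# Alternative for the single-zone layout mentioned above: keep
# 'option forward REJECT' on the shared zone (here 'zone_wg') and allow
# only the peer1 -> peer3 direction with an explicit rule.
config rule
	option name 'Allow-peer1-to-peer3'
	option src 'zone_wg'
	option dest 'zone_wg'
	option src_ip '10.0.1.0/24'
	option dest_ip '10.0.3.0/24'
	option proto 'all'
	option target 'ACCEPT'
```

After editing, reload with `/etc/init.d/firewall reload` and confirm the asymmetry from both ends, e.g. a ping or TCP connect from wg-peer1 to wg-peer3 succeeds while the same from wg-peer3 to wg-peer1 is rejected.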
Yes, don't allow it in the firewall configuration.