Hi, I set up a WireGuard connection on my OpenWrt router using a setup script (not shown here); the resulting configuration is below:
Everything works; as far as I can see the script creates a new interface (wg_lan) but not a new firewall zone — the interface is simply added to the existing lan zone.
How can I make it so that when a client connects remotely to the WireGuard server, the client's general internet traffic does not leave through the server's connection but keeps using the network the client is physically on (split tunnel), with only traffic for the server's LAN going through the tunnel?
If I remember correctly, with OpenVPN I previously had a dedicated zone in the firewall section that served only the OpenVPN device.
I did some tests but couldn't solve the issue: every time I connect, my internet traffic is seen as coming from the server's IP.
cat /etc/config/network
# Loopback interface: standard OpenWrt boilerplate, unrelated to the VPN.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# Global settings: the IPv6 ULA prefix used for the lan ip6assign, and
# multi-CPU packet steering. Neither affects how WireGuard traffic is routed.
config globals 'globals'
option ula_prefix 'fd7f:0a3b:bd52::/48'
option packet_steering '1'
# LAN bridge with a single member: VLAN 1 of the switch (eth1.1, see the
# switch_vlan sections further down).
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1.1'
# Router LAN: 10.0.0.1/24. This is the subnet a remote WireGuard client has to
# route into the tunnel (AllowedIPs 10.0.0.0/24 on the client) to reach LAN
# hosts without sending everything else through the server.
# NOTE(review): 10.0.0.0/24 is a very common home/hotspot subnet; if a client's
# own local network uses the same range the tunnel route will conflict with it.
# The dns entries are the upstream resolvers configured on this interface
# (Cloudflare); the VPN client config points its DNS at the router (10.8.0.1).
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '10.0.0.1'
list dns '1.1.1.1'
list dns '1.0.0.1'
# WAN: PPPoE on VLAN 2 of the switch (eth0.2); credentials redacted. PPPoE
# lowers the usable WAN MTU to 1492, which is relevant for the WireGuard MTU
# chosen on wg_lan.
config interface 'wan'
option device 'eth0.2'
option proto 'pppoe'
option username '***'
option password '***'
option ipv6 'auto'
option mtu '1492'
# IPv6 on the same WAN link via DHCPv6; wan6 is also a member of the 'wan'
# firewall zone, so the WireGuard listen port is reachable over IPv6 too.
config interface 'wan6'
option device 'eth0.2'
option proto 'dhcpv6'
# Hardware switch with VLANs enabled.
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
# VLAN 1: LAN ports 1-4 plus CPU port 6 (tagged) -> eth1.1 -> br-lan.
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 6t'
# VLAN 2: port 5 plus CPU port 0 (tagged) -> eth0.2 -> wan / wan6.
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '5 0t'
# WireGuard server interface. Listens on UDP 56789 (opened on wan by the
# 'Allow-WireGuard-lan' firewall rule); tunnel network 10.8.0.0/24 with the
# router at 10.8.0.1. Only an IPv4 address is assigned, so clients that put
# ::/0 in their AllowedIPs most likely get their IPv6 traffic dropped rather
# than tunnelled (they have no tunnel IPv6 address to source from) — verify
# on the client if IPv6 matters.
# NOTE(review): MTU 1420 is the usual value for a 1500-byte path (~80 bytes of
# overhead). The wan here is PPPoE with MTU 1492, so the fragmentation-free
# maximum is about 1432 for an IPv4 endpoint or 1412 for an IPv6 endpoint;
# confirm against the address family the clients actually connect to.
config interface 'wg_lan'
option proto 'wireguard'
option private_key '***'
option listen_port '56789'
list addresses '10.8.0.1/24'
option mtu '1420'
# Peers (keys redacted). allowed_ips is WireGuard's cryptokey routing: the
# router only accepts packets from a peer whose source address is inside the
# listed /32, and route_allowed_ips installs the matching host route so
# replies go back into the tunnel. Each peer also has a preshared_key on top
# of its public key, which is the recommended configuration.
# persistent_keepalive on the server side is not needed when the client
# already sets it (the client config does), but it is harmless.
config wireguard_wg_lan
option public_key '***'
option preshared_key '***'
option description '1_lan_PC_1'
list allowed_ips '10.8.0.2/32'
option route_allowed_ips '1'
option persistent_keepalive '25'
config wireguard_wg_lan
option public_key '***'
option preshared_key '***'
option description '2_lan_PC_2'
list allowed_ips '10.8.0.3/32'
option route_allowed_ips '1'
option persistent_keepalive '25'
config wireguard_wg_lan
option public_key '***'
option preshared_key '***'
option description '3_lan_Phone_1'
list allowed_ips '10.8.0.4/32'
option route_allowed_ips '1'
option persistent_keepalive '25'
cat /etc/config/firewall
# Global policy: traffic to the router (input) and from it (output) is
# accepted unless a zone says otherwise; traffic between zones (forward) is
# rejected unless an explicit 'forwarding' section allows it. Every zone
# below sets its own input/output/forward policy, so these defaults only
# cover traffic that does not match any zone.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# The WireGuard interface is a member of the 'lan' zone, so remote peers are
# treated exactly like wired LAN hosts: they can reach every router service
# (input ACCEPT -> LuCI, SSH, DNS) and, through the lan -> wan forwarding
# section, the server's internet connection. Whether a peer's internet traffic
# actually takes that path is decided by the *client's* AllowedIPs: 0.0.0.0/0
# installs a default route into the tunnel; a split-tunnel list such as
# 10.8.0.0/24, 10.0.0.0/24 does not. A dedicated zone (as with the old OpenVPN
# setup) is not required for the split tunnel to work; it is only useful if
# the server itself should refuse to forward peer traffic to wan or restrict
# what peers may reach on the router and LAN.
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan wg_lan'
# WAN zone covering the PPPoE link and its IPv6 companion. input REJECT drops
# unsolicited traffic to the router except what the rules below accept
# (including UDP 56789 for WireGuard). masq '1' NATs everything forwarded to
# wan behind the public address, which is why a VPN client whose default
# route points into the tunnel appears on the internet as the server's WAN IP.
config zone 'wan'
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
# lan -> wan forwarding. Because wg_lan belongs to the 'lan' zone this is also
# what lets a VPN peer reach the internet through the server; it is only used
# when the client routes 0.0.0.0/0 into the tunnel. Removing it would cut off
# the wired LAN as well, so a dedicated VPN zone is the way to deny only peers.
config forwarding
option src 'lan'
option dest 'wan'
# The rules below match the stock OpenWrt default firewall config for traffic
# arriving on wan (DHCP renew, ping, IGMP, DHCPv6, MLD, rate-limited ICMPv6
# input and forward, IPsec ESP/ISAKMP to lan, and a disabled UDP-traceroute
# rule). None of them is VPN-specific. Allow-IPSec-ESP and Allow-ISAKMP can
# be dropped if no IPsec is used on this router.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled 'false'
# Legacy /etc/firewall.user include; on fw4 (nftables) builds this file is no
# longer executed, so any custom rules in it would silently stop applying.
config include
option path '/etc/firewall.user'
# miniupnpd include: UPnP is installed, so hosts can open WAN ports on demand.
# NOTE(review): which hosts may do so depends on the interfaces miniupnpd
# listens on (its own config, not shown), not on wg_lan being in the lan zone
# — check that VPN peers are not unintentionally included.
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'
# Opens the WireGuard listen port on wan for traffic to the router itself;
# no 'family' is set, so it applies to both IPv4 and IPv6. This is the only
# new inbound exposure the VPN adds, and WireGuard does not reply to packets
# that fail authentication, so the open port is not revealed by port scans.
config rule 'wg'
option name 'Allow-WireGuard-lan'
option src 'wan'
option dest_port '56789'
option proto 'udp'
option target 'ACCEPT'
Client configuration
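[Interface]
PrivateKey = ***
Address = 10.8.0.2/32
# Resolve through the router (dnsmasq on the tunnel address) so LAN hostnames
# work while connected. With the split-tunnel AllowedIPs below, every DNS
# query still crosses the tunnel, because 10.8.0.1 is only reachable through
# it; point this at a local resolver instead if DNS should also stay local.
DNS = 10.8.0.1

[Peer]
PublicKey = ***
PresharedKey = ***
# Split tunnel: only the WireGuard subnet and the server's LAN (10.0.0.0/24 is
# br-lan in /etc/config/network) are routed into the tunnel. The previous
# value, "0.0.0.0/0, ::/0", installed a default route through the VPN, which is
# why all internet traffic appeared to come from the server's WAN address
# (the server's lan -> wan forwarding plus masq). Everything not listed here
# keeps using the network the client is physically on.
# NOTE: if the client's local network also uses 10.0.0.0/24 this route will
# clash with it; the server's LAN would then need a less common subnet.
AllowedIPs = 10.8.0.0/24, 10.0.0.0/24
Endpoint = ***:56789
PersistentKeepalive = 25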
Any help even in finding the right direction is welcome
J