OPNsense Forum

English Forums => Virtual private networks => Topic started by: olest on April 23, 2021, 01:12:41 pm

Title: Wireguard interface
Post by: olest on April 23, 2021, 01:12:41 pm
Just installed Wireguard.

I have Firewall -> Rules -> Wireguard (had to edit another rule and hit save for Wireguard to show up)

Some guides say that I have to assign wg0 to a new interface - In which use cases would I need to assign the wg0 interface?
Title: Re: Wireguard interface
Post by: Greelan on April 23, 2021, 01:26:14 pm
For more complex routing scenarios.

If you are just running a road warrior setup to allow remote clients to access the LAN, or are pushing all LAN clients down the tunnel, shouldn’t be needed.
Title: Re: Wireguard interface
Post by: Maurice on April 23, 2021, 04:33:53 pm
Another use case is setups with multiple wg instances (wg0, wg1, ..., wgN). Firewall rules applied to 'WireGuard' (which technically is an interface group) affect all wg instances. That's okay for many use cases, but if you need specific rules for individual wg instances, you have to assign the interfaces.

Cheers

Maurice
Title: Re: Wireguard interface
Post by: Greelan on April 23, 2021, 09:44:07 pm
Good point.
Title: Re: Wireguard interface
Post by: olest on April 26, 2021, 07:30:03 pm
Ok. Thank you
Title: Re: Wireguard interface
Post by: Mondmann on April 26, 2021, 10:26:29 pm
Help with understanding Wireguard:

Create GW interfaces for complex scenarios, such as for multiple WG instances like WG0, WG1 etc.

Questions:

a. Should all the firewall rules originally in Wireguard then be deleted?
b. Does the firewall Wireguard ruleset then remain empty?
c. Are the firewall rules for WG0, WG1 etc. then filled with the appropriate rule set according to my own requirements?
d. For Wireguard instances like WG0 etc., do the normal rulesets apply, e.g. 80, 443... GeoIP etc.?

Thanks for a short answer and greetings from Germany
Title: Re: Wireguard interface
Post by: Maurice on April 26, 2021, 11:28:43 pm
wgX interface rules are no different from other interface rules (lan, wan, optX, ...). And 'WireGuard' group rules behave the same as other interface group rules. The only difference is that the 'WireGuard' group gets created automatically and all wgX interfaces are always members of that group.

So you can have only 'WireGuard' group rules or only wgX interface rules or a combination of both. Depends on the use case.

Cheers

Maurice
Title: Re: Wireguard interface
Post by: Mondmann on April 26, 2021, 11:46:34 pm
@Maurice

So, the Wireguard group could similarly be considered Floating (like Floating Rules) which work before the rules in WG0, WG1, etc. or side by side?

Thanks
Title: Re: Wireguard interface
Post by: Maurice on April 27, 2021, 12:54:04 am
Interface group rules are lower priority than floating rules, but higher priority than interface rules.

Also check out the docs about interface groups and rule processing order:
https://docs.opnsense.org/manual/firewall_groups.html
https://docs.opnsense.org/manual/firewall.html#firewall-rule-processing-order

Cheers

Maurice
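
The processing order described in this thread (floating rules, then 'WireGuard' group rules, then per-interface wgX rules) means a broad group rule can shadow a stricter rule on an assigned interface. The following is an added example, not part of the thread or of OPNsense itself; it is a simplified model that assumes every rule is a "quick" (first match wins) rule, that floating rules cover every interface, and that unmatched traffic is blocked, with constructed rule sets and hypothetical names throughout:

```python
from dataclasses import dataclass
from typing import Optional

# Tiers in the order stated in the thread: floating, then group, then interface.
FLOATING, GROUP, INTERFACE = 0, 1, 2

# All wgX interfaces are always members of the automatic 'WireGuard' group.
GROUPS = {"WireGuard": {"wg0", "wg1"}}


@dataclass
class Rule:
    tier: int
    scope: Optional[str]   # group or interface name; None for floating
    action: str            # "pass" or "block"
    dport: Optional[int]   # None matches any destination port
    label: str


def matches(rule, iface, dport):
    if rule.dport not in (None, dport):
        return False
    if rule.tier == FLOATING:
        return True  # assumption: floating rules cover every interface
    if rule.tier == GROUP:
        return iface in GROUPS.get(rule.scope, set())
    return rule.scope == iface


def evaluate(rules, iface, dport):
    """Return (action, deciding label, shadowed labels); first match wins."""
    hits = [r for r in sorted(rules, key=lambda r: r.tier) if matches(r, iface, dport)]
    if not hits:
        return "block", "default deny", []  # assumption: default deny
    return hits[0].action, hits[0].label, [r.label for r in hits[1:]]


# Constructed rule sets (not taken from the thread).
BROAD = [
    Rule(INTERFACE, "wg1", "block", 22, "wg1: block SSH"),
    Rule(GROUP, "WireGuard", "pass", None, "WireGuard group: pass any"),
]
NARROW = [
    Rule(INTERFACE, "wg1", "block", 22, "wg1: block SSH"),
    Rule(GROUP, "WireGuard", "pass", 443, "WireGuard group: pass HTTPS"),
]

if __name__ == "__main__":
    for name, rules in (("broad", BROAD), ("narrow", NARROW)):
        for iface, port in (("wg0", 443), ("wg1", 22)):
            print(name, iface, port, evaluate(rules, iface, port))
```

With the broad group rule, the wg1 SSH block is reported as shadowed and never decides the packet; narrowing the group rule lets the per-interface rule take effect.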