Wireguard interface

Started by olest, April 23, 2021, 01:12:41 PM

Just installed Wireguard.

I have Firewall -> Rules -> Wireguard (had to edit another rule and hit save for Wireguard to show up)

Some guides say that I have to assign wg0 to a new interface - In which use cases would I need to assign the wg0 interface?

For more complex routing scenarios.

If you are just running a road warrior setup to allow remote clients to access the LAN, or are pushing all LAN clients down the tunnel, it shouldn't be needed.

Another use case is setups with multiple wg instances (wg0, wg1, ..., wgN). Firewall rules applied to 'WireGuard' (which technically is an interface group) affect all wg instances. That's okay for many use cases, but if you need specific rules for individual wg instances, you have to assign the interfaces.

Cheers

Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).



Understanding help for Wireguard:

Create GW interfaces for complex scenarios if for multiple WG instances like WG0, WG1 etc.

Question:

a. Firewall rules originally in Wireguard then delete all?
b. Firewall Wireguard ruleset remains empty then?
c. Firewall rules WG0, WG1 etc. with the appropriate rule set after own requirement fill?
d. for Wireguard instances like WG0 etc. the normal rulesets apply, like e.g. 80, 443... GeoIP etc.?

Thanks for a short answer and greetings from Germany
OPNsense 22.7.9*WG-kmod*OpenSSL*OpenVPN* AdGuardHome*i7-7700*32GB*256SSD*ix0-1, igb0-4, em0*OpenVPN+Wireguard WG0, WG1*NetGear ProSafe XS508*AP Netgear WAX610*alles echtes Blech* Sorry, my English is translated via app*

wgX interface rules are no different from other interface rules (lan, wan, optX, ...). And 'WireGuard' group rules behave the same as other interface group rules. The only difference is that the 'WireGuard' group gets created automatically and all wgX interfaces are always members of that group.

So you can have only 'WireGuard' group rules or only wgX interface rules or a combination of both. Depends on the use case.

Cheers

Maurice

@Maurice

So, the Wireguard group could similarly be considered Floating (like Floating Rules) which work before the rules in WG0, WG1, etc. or side by side?

Thanks

Interface group rules are lower priority than floating rules, but higher priority than interface rules.

Also check out the docs about interface groups and rule processing order:
https://docs.opnsense.org/manual/firewall_groups.html
https://docs.opnsense.org/manual/firewall.html#firewall-rule-processing-order

Cheers

Maurice
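A small model of the ordering discussed in this thread (floating rules, then 'WireGuard' group rules, then wgX interface rules), added here as an illustration; it is not OPNsense code and was not posted by any participant. The names `Rule`, `covers`, `decide`, the ports and the ruleset are constructed, and the model assumes pf-style matching (a quick rule stops evaluation at the first match, a non-quick rule lets a later match win) with default deny when nothing matches.

```python
from dataclasses import dataclass
from typing import Optional

# Evaluation order stated in the thread: floating, then group, then interface.
SECTION_ORDER = ("floating", "group", "interface")
# Per the thread, every wgX instance is automatically in the 'WireGuard' group.
GROUPS = {"WireGuard": {"wg0", "wg1"}}

@dataclass
class Rule:
    section: str                    # "floating", "group" or "interface"
    target: str                     # "*", a group name, or an interface name
    action: str                     # "pass" or "block"
    dst_port: Optional[int] = None  # None matches any port
    quick: bool = True              # assumption: pf-style first match when quick

def covers(rule: Rule, iface: str) -> bool:
    if rule.section == "floating":
        return True                 # assumption: floating rule on all interfaces
    if rule.section == "group":
        return iface in GROUPS.get(rule.target, set())
    return rule.target == iface

def decide(rules, iface: str, port: int) -> str:
    verdict = "block"               # assumption: default deny when nothing matches
    for section in SECTION_ORDER:
        for rule in (r for r in rules if r.section == section):
            if covers(rule, iface) and rule.dst_port in (None, port):
                verdict = rule.action
                if rule.quick:
                    return verdict  # quick: first match ends evaluation
    return verdict                  # non-quick: last match wins

# Constructed ruleset: group-wide policy plus per-instance rules.
RULES = [
    Rule("group", "WireGuard", "pass", 443),
    Rule("group", "WireGuard", "block", 22),
    Rule("interface", "wg1", "pass", 22),   # shadowed by the quick group block
    Rule("interface", "wg0", "pass", 80),
]
# Same ruleset with the group block made non-quick, so wg1 can override it.
RULES_NONQUICK = [
    Rule(r.section, r.target, r.action, r.dst_port,
         quick=not (r.section == "group" and r.action == "block"))
    for r in RULES
]

if __name__ == "__main__":
    for name, rs in (("quick", RULES), ("non-quick block", RULES_NONQUICK)):
        for iface in ("wg0", "wg1"):
            print(name, iface, "tcp/22 ->", decide(rs, iface, 22))
```

When auditing a multi-instance setup, the first case is the one to look for: a per-instance pass rule that never takes effect because a quick group rule already decided the packet.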