Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
22.1 Legacy Series
»
Firewall/Rules: What is interface WireGuard(Group)
« previous
next »
Print
Pages: [
1
]
Author
Topic: Firewall/Rules: What is interface WireGuard(Group) (Read 4633 times)
ckishappy
Newbie
Posts: 34
Karma: 2
Firewall/Rules: What is interface WireGuard(Group)
«
on:
March 06, 2022, 01:50:49 pm »
Hi, In the firewall service (under rules) in the UI there is under Firewall/Rules an interface called WireGuard(Group), see also attachment. Under Firewall/Groups, I have not created any interface group. Why is it there and how (if at all) can I remove this WireGuard(Group) entry?
Logged
utkonos
Newbie
Posts: 32
Karma: 3
Re: Firewall/Rules: What is interface WireGuard(Group)
«
Reply #1 on:
May 13, 2022, 01:14:19 am »
This interface is created automatically by OPNsense when you install the os-wireguard plugin. The purpose of this interface group is so that you can reference all WireGuard interfaces together as one when writing firewall rules. When using this interface in a particular firewall rule, that rule will apply to any WireGuard interface you create (you can have many WireGuard interfaces). If you want to reference specific WireGuard interfaces in a rule, you need to create those interfaces according to the documentation. The interface group is an integral part of WireGuard. You don't want to remove it. And I'm not sure it is removable unless you uninstall the WireGuard plugin.
The purpose of the interface group is mentioned here in the documentation:
"Finally, it allows separation of the firewall rules of each WireGuard instance (each wgX device). Otherwise they all need to be configured on the default WireGuard group that OPNsense creates."
https://docs.opnsense.org/manual/how-tos/wireguard-client.html#step-5-assignments-and-routing
This is where the interface group is created in the plugin source code:
https://github.com/opnsense/plugins/blob/3bcfab38f6ea265bf23b5b01eccc4e82f75fbb4e/net/wireguard/src/etc/inc/plugins.inc.d/wireguard.inc#L56-L70
And here is where it is referenced (perhaps in other places as well):
https://github.com/opnsense/plugins/blob/16f3522d08d30919b17e66bdec38352ef4c75208/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard#L14-L19
Logged
tiermutter
Hero Member
Posts: 1098
Karma: 61
Re: Firewall/Rules: What is interface WireGuard(Group)
«
Reply #2 on:
May 13, 2022, 07:13:33 am »
Here is an example of my WG-rules, using both the WG_group and the WG_interfaces:
In WG_group there are rules applying to all WG interfaces...
In WG0 and WG1 there are rules for each interface, where WG1 is not allowed to access the LAN interface.
All this can also be done in WG_group when e.g. the sources are specified, as I have done for the last WG0 rules because those were "migrated" from WG_group to interface rules. With interfaces created, it is possible to use "WGx net" as I have done in WG1 interface.
The use of interfaces simply makes things clearer, but at least you need something to create some rules for the VPN. OpenVPN works the same way, a group is also automatically created here.
Logged
i am not an expert... just trying to help...
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
22.1 Legacy Series
»
Firewall/Rules: What is interface WireGuard(Group)