There are multiple concerns with firewall rules for WireGuard.
External Traffic¶
Firewall rules must pass traffic on WAN to the WireGuard Listen Port for atunnel if remote WireGuard peers will initiate connections to this firewall. Theprotocol is always UDP, and the default port is 51820
.
Tunneled Traffic¶
Firewall rules must pass traffic on WireGuard interfaces to allow traffic insidethe VPN, assuming remote connections should be allowed to local internal hosts.Use rules on the WireGuard group tab or rule tabs for assigned interfaces.
Rules on the WireGuard group tab are considered first and can match traffic onany WireGuard interfaces whether or not they are assigned.
Assigned WireGuard interfaces get their own individual rule tabs and will onlymatch traffic on that specific tunnel interface. Rules on assigned WireGuardinterface tabs also get reply-to
which ensures that traffic entering aspecific assigned WireGuard interface exits back out the same interface. Withoutthat, return traffic will follow the default gateway.
Warning
Rules on the WireGuard group tab are matched first, so ensure rules on thegroup tab are removed, disabled, or do not match traffic which requiresreply-to
.
NAT functions on WireGuard interfaces once assigned. Outbound NAT, 1:1 NAT, andport forwards all work as expected.
Note
The firewall will automatically perform Outbound NAT on traffic exitingassigned WireGuard interfaces when using the default Automatic OutboundNAT mode (See Outbound NAT).