Assign a WireGuard Interface

Some functionality for WireGuard interfaces depends upon them being assigned as their own interfaces on the firewall. Benefits of assignment include:

  • Adds a firewall tab under Firewall > Rules

  • Allows the interface to be selected for use with NAT rules

  • Allows the interface to be selected throughout the GUI and packages for various purposes

  • Adds an automatic dynamic gateway for use with routing, policy routing, gateway groups, etc.

  • Rules on assigned interface tabs get reply-to, which ensures return traffic for inbound connections exits through the expected interface.

Automatic WireGuard Gateway Behavior

By default, the automatic gateway for an assigned WireGuard interface uses the address of the WireGuard interface itself to nudge traffic into the tunnel. If the Peer WireGuard Address value is defined on a peer, and it lies within the WireGuard Address subnet, that value will be used for the gateway instead.

In the case of single-peer tunnels, using the peer address for the gateway makes more sense as it enables monitoring end-to-end connectivity of the tunnel. It does not make as much sense for tunnels with multiple peers, as no single peer will reflect the connectivity of the tunnel as a whole.
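
The selection rule above can be checked offline before relying on gateway monitoring. The following is an added example, not code from pfSense or the WireGuard package: `predict_gateway` is a hypothetical helper, the addresses are constructed samples, and because the text does not say which peer is chosen when several qualify, it lists every qualifying peer address instead of picking one.

```python
import ipaddress

def predict_gateway(wg_address, peer_addresses):
    """Model the selection rule described above (hypothetical helper).

    wg_address     -- tunnel "WireGuard Address" in CIDR form
    peer_addresses -- one "Peer WireGuard Address" per peer; None or "" if unset
    """
    iface = ipaddress.ip_interface(wg_address)
    in_subnet, notes = [], []
    for raw in peer_addresses:
        if not raw:
            continue  # field left empty on this peer
        try:
            peer = ipaddress.ip_address(raw)
        except ValueError:
            notes.append(f"{raw!r} is not a valid IP address")
            continue
        if peer in iface.network:
            in_subnet.append(str(peer))
        else:
            notes.append(f"{peer} is outside {iface.network}, so it is not used")
    if not in_subnet:
        # Default: the interface's own address, which says nothing about the far end.
        return {"candidates": [str(iface.ip)], "end_to_end": False, "notes": notes}
    single_peer = len(peer_addresses) == 1
    if not single_peer:
        notes.append("multiple peers: one peer's address does not reflect the whole tunnel")
    return {"candidates": in_subnet, "end_to_end": single_peer, "notes": notes}

if __name__ == "__main__":
    # Constructed sample values, not taken from any real configuration.
    for wg, peers in [
        ("10.6.210.1/24", ["10.6.210.2"]),
        ("10.6.210.1/24", ["192.0.2.7"]),
        ("10.6.210.1/24", ["10.6.210.2", "10.6.210.3"]),
        ("fd00:6:210::1/64", [""]),
    ]:
        print(wg, peers, "->", predict_gateway(wg, peers))
```

An `end_to_end` value of `False` means gateway monitoring would not confirm that the remote peer is reachable, which matters when gateway status drives failover or policy routing.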

Note

Manual gateways can be defined as needed in addition to the automatic gateway.

Assignment Procedure

To assign the interface:

  • Navigate to Interfaces > Assignments

  • Select the appropriate wg<number> interface in the Available network ports list

    The description of the tunnel is printed next to the interface name in the list.

  • Click Add to assign the interface as a new OPT interface (e.g. OPT1)

  • Navigate to the Interface configuration page, Interfaces > OPTx

  • Check Enable

  • Enter an appropriate Description which will become the interface name (e.g. WG_S2S)

  • Click Save

  • Click Apply Changes