Assign a WireGuard Interface¶
Some functionality for WireGuard interfaces depends upon them being assigned as their own interfaces on the firewall. Benefits of assignment include:
Adds a firewall tab under Firewall > Rules
Allows the interface to be selected for use with NAT rules
Allows the interface to be selected throughout the GUI and packages for various purposes
Rules on assigned interface tabs get
reply-towhich ensures return routing will exit back the expected interface for inbound connections.
Assignment Procedure¶
To assign the interface:
Navigate to System > Routing
Set the Default gateway options to a specific gateway or group, as long as they are not left at Automatic (Managing the Default Gateway)
Warning
If the default gateway remains set to Automatic the firewall may end up using the WireGuard interface as the default gateway, which is unlikely to be the desired outcome.
Navigate to Interfaces > Assignments
Select the appropriate
tun_wg<number>interface in the Available network ports listThe description of the tunnel is printed next to the interface name in the list.
Click
Add to assign the interface as a new OPT interface (e.g.
OPT1)Navigate to the Interface configuration page, Interfaces > OPTx
Check Enable
Enter an appropriate Description which will become the interface name (e.g.
WG_S2S)Configure an appropriate MTU value for the WireGuard interface
The appropriate MTU varies depending on the MTU of the underlying circuit. WireGuard overhead is approximately
80Bytes for IPv6 packets and60Bytes for IPv4 packets.On WANs with
1500byte MTUs, the MTU for WireGuard interfaces should be1420for VPNs carrying IPv6 packets, or1440for VPNs which only carry IPv4 traffic.Other WAN types with smaller MTUs, such as PPPoE, should subtract the overhead from their actual WAN MTU. When in doubt, use a slightly lower value to avoid excess fragmentation.
Configure interface addresses and gateways as necessary
Click Save
Click Apply Changes