WireGuard and Rules / NAT¶
There are multiple concerns with firewall rules for WireGuard.
Firewall rules must pass traffic on WAN to the WireGuard Listen Port for a
tunnel if remote WireGuard peers will initiate connections to this firewall. The
protocol is always UDP, and the default port is
Firewall rules must pass traffic on WireGuard interfaces to allow traffic inside the VPN, assuming remote connections should be allowed to local internal hosts. Use rules on the WireGuard group tab or rule tabs for assigned interfaces.
Rules on the WireGuard group tab are considered first and can match traffic on any WireGuard interfaces whether or not they are assigned.
Assigned WireGuard interfaces get their own individual rule tabs and will only
match traffic on that specific tunnel interface. Rules on assigned WireGuard
interface tabs also get
reply-to which ensures that traffic entering a
specific assigned WireGuard interface exits back out the same interface. Without
that, return traffic will follow the default gateway.
Rules on the WireGuard group tab are matched first, so ensure rules on the
group tab are removed, disabled, or do not match traffic which requires
NAT functions on WireGuard interfaces once assigned. Outbound NAT, 1:1 NAT, and port forwards all work as expected.
The firewall will automatically perform Outbound NAT on traffic exiting assigned WireGuard interfaces when using the default Automatic Outbound NAT mode (See Outbound NAT).