Set Wireguard Interface Firewall Missing?

Configuration path: interfaces wireguard wg0 [firewall] is not valid
Set failed

This is on 1.2.0-rc10

Hi @trystan,

yes, that functinalityhasn’t been implemented yet. Can you please open a feature request in phabricator, So far most ppl only used it to secure there routing protocols such as BGP which they don’t want to have any fw rules applied. That’s why it slipped under the radar.

It appears that not only is there no firewall option for wireguard interfaces, but local firewalls on host interfaces are not applied to traffic exiting the wireguard interface.

For example, eth0 local firewall default drop with no other rules allows traffic traversing a wireguard interface to access it.


monitor traffic interface eth0 shows no traffic from wireguard interfaces (icmp/ssh/etc)

Seems pretty serious.

Can you please clarify? Why would you expect ssh traffic on eth0 if you send it via wg?

Given a vyos instance with 2 interfaces: wg0 and eth0, ssh listening on eth0, there’s no way to prevent traffic routing over the wg0 interface from being able to access

I had assumed adding a local firewall default action drop on eth0 would prevent it.

Firewall settings are possible in rolling releases as well as in the crux based images.

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.