Firewall Rules ovpn and wireguard

Hello guys,
I’ve just set up wireguard and open vpn on my ar750s.
I was trying to setup firewall rules for the vpn connections but every time I disconnect and reconnect the rules are erased and I have to set them back again.
In particular, whenever I reconnect to wireguard or ovpn these are the rules:

And I have to change them to these every time:

Now, my question is: is this a bug or it is supposed to work like that?
Thank you in advance!!

Yes, it is supposed to work like this!

I, like you, think your rules are more correct and secure (maybe GL can comment?)

To make changes and have them hold on reboot, edit the following:


then make your changes under

uci set firewall.wireguard.input
uci set firewall.wireguard.forward

(Edit: for ovpn it’s this file: /etc/init.d/startvpn)

1 Like

I was wondering the same actually

Thank you @Happi!! That’s exactly what I was trying to achieve. You spared me some trouble every time I have to connect to my vpn connection.
Anyway, I think that dropping inbound connections and rejecting forwarding is significantly safer than having everything on “accept”.

1 Like

Anyone from GL care to comment?

Seeing that your online @alzhao perhaps you could chime in?

Thanks. I actually waiting @luochongjun to have a look.

1 Like

Your way is right, it’s a safer way to work.
@Nimoc ,As @Happi says, you can change the default rule by modifying the /etc/init.d/wireguard file.
We will adjust the default rules in the next version of the firmware.

Thank you kindly, Sir!

While you are there, may I ask you also consider disabling masquerading on the WAN interface (when VPN active).

Also, I think it would be a lot better to change the way you set the firewall rules in your scripts, as this causes a lot of confusion if looking at these in LUCI.
For example, look at the image of my settings -

It shows a guestzone even though I never use the guest network.
It shows forwarding from LAN to WAN, even though I use always use VPN AND have the kill-switch enabled.

In my opinion, it would therefore be better to delete and insert firewall rules in their entirety instead of simple changing the setting “enabled=1 to enabled=0” in your scripts.

Thanks for you consideration.

What’s the reason for that?
If masquerading is disabled, port forwarding and VPN policy may become invalid.

Firewall rules are configured in the script to ensure that even if the firewall is modified by other programs, as long as the VPN up and down, the firewall configuration can be restored.
For most users, they don’t know how to configure the firewall.

This is recommended in many VPN provider guides. I always do it manually and have never had a problem with it.