Yes, it is supposed to work like this!

I, like you, think your rules are more correct and secure (maybe GL can comment?)

To make changes and have them hold on reboot, edit the following:

/etc/init.d/wireguard

then make your changes under

wireguard_add_firewall()
{
#zone
uci set firewall.wireguard.input
uci set firewall.wireguard.forward

(Edit: for ovpn it’s this file: /etc/init.d/startvpn)

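A check to run after a reboot to confirm the edited init script left the zone as intended. This is an added example, not part of the original post or GL.iNet's code. Assumptions: the helper names `zone_option` and `check_zone` are hypothetical, the sample `uci show` output is constructed, and the expected policies passed in stand for whatever values you chose.

```shell
#!/bin/sh
# Constructed sample of `uci show firewall.wireguard` output (not from a real device).
SAMPLE_UCI="firewall.wireguard=zone
firewall.wireguard.name='wireguard'
firewall.wireguard.input='ACCEPT'
firewall.wireguard.forward='DROP'
firewall.wireguard.output='ACCEPT'"

# zone_option TEXT OPTION
# Prints the value of firewall.wireguard.OPTION from `uci show` text.
# Handles both quoted (newer uci) and unquoted (older uci) values.
zone_option() {
    printf '%s\n' "$1" \
        | sed -n "s/^firewall\.wireguard\.$2=//p" \
        | tail -n 1 \
        | tr -d "'"
}

# check_zone TEXT WANT_INPUT WANT_FORWARD
# Prints one line per mismatch; returns 0 if both options match, 1 on drift.
check_zone() {
    rc=0
    for pair in "input:$2" "forward:$3"; do
        opt=${pair%%:*}
        want=${pair#*:}
        got=$(zone_option "$1" "$opt")
        if [ "$got" != "$want" ]; then
            echo "DRIFT firewall.wireguard.$opt: want=$want got=${got:-<unset>}"
            rc=1
        fi
    done
    return $rc
}

# On the router, after the VPN service has started (expected values are yours):
#   check_zone "$(uci show firewall.wireguard)" DROP DROP
```

A non-zero return after reboot means the init script, or something else that writes the zone, set a value other than the one you expected.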