Isolate one WireGuard profile from LAN

Hi mates

I have a great friend who need a VPN connection so I’ve created a WG profile for him.

I really trust him but for security reason I would like to prevent this profile access my LAN

I’ve tried using the lucci firewall and even the IP tables rules directly with no success.

The WG IP is but we have been doing some test and he always can ping my LAN or directly open the FLint GUI.

I’ve tried
iptables -I FORWARD -i wgserver -o br-lan -s -d -j DROP

It works for some devices but (Flint IP) remains reachable

Can someone help me?

Thanks in advance

Please try with command iptables -I INPUT -i wgserver -s -d -j REJECT

1 Like

Thanks for the reply.

I will try ASAP :grinning:

Just to understand.

Why have you changed source, from10.0.0.3 to

Why have you changed the destination from to

Thanks in advance

Sorry for that.That is my subnet, please replace it with yours. iptables -I INPUT -i wgserver -s -d -j REJECT

1 Like

I’ve added a modification of your rule and my rule and works!!

iptables -I FORWARD -i wgserver -s -d -j DROP

iptables -I INPUT -i wgserver -s -d -j DROP

Now Flint (INPUT) and the LAN (FORWARD).are unreachables :grinning:


P.S: Why do you use reject instead drop?

1 Like

Both “REJECT” and “DROP” are OK.
“REJECT”: response with a icmp packet says “destination unreaschable”.
“DROP”: Drop request without any response.

1 Like

I know. I would like drop because they’re is no answer but if someone who knows a lot uses REJECT I wonder why :grinning:

DROP is used, typically, when you don’t want to notify script kiddies there’s an endpoint/server listening on the other end. It also saves a touch of CPU performance, bandwidth as it doesn’t send back the response of REJECT.

1 Like

Where exactly do you put these commands?
is it in Luci - Firewall - Custom rules …/cgi-bin/luci/admin/network/firewall/custom ?

is the client ip, which is visible only inside the VPN tunnel?


It looks like is the source IP for the WG Client connected to the upstream WG Server but my general iptable/firewall writing skills aren’t exactly good.

LuCI → Network → Firewall → Custom Rules is the optimal/proper place to put them but see this seemingly unrelated HOW-TO. There’s a rather important note about custom firewall rules:

1 Like

Do you refer to this remark?
" If you have custom firewall rules be sure to add /etc/firewall.user too."

Is this something, which has to be done if I want to backup my custom rules or it is something, which must be done in order my custom rules to work at all?

I suppose it depends if you want your custom firewall to work after restoring a backup but I also keep a log of changes to my devices so whatever works best for you.


Sorry for the delay in the resposnse, I haven’t seen it.

I’ve put the rules in LuCI → Network → Firewall → Custom Rules as bring.fringe18 said.

Thansk he answered you in time. sorry again :frowning:

1 Like