WireGuard Server - Restricting Remote Access to LAN

Seeking guidance.
Preface - I am old, retired and self-taught re: the wonders of networking (surely not unique).

Network Setup
A Motorola cable modem configured as a bridge, connected to a TP-Link ER605 router. The router is running the default OpenVPN config provided by the vendor to access the home LAN remotely. In recent months I acquired a GL-MT3000 and a GL-AR300M16 for home and travel use. I have been successfully using the WireGuard client on both devices with the VPN provider Mullvad. This past week I set up a WG server on the MT3000 and have been successfully using WG to connect to the home LAN rather than OpenVPN on the TP-Link router. I kept the initial config simple (default) so as to minimize the number of variables with which I might have to contend. The connection is noticeably faster when using WG.

I am ready for the next step. My goal is to restrict remote WG traffic to my home LAN.

Based on what I have researched, it appears that in order to do this I must configure the firewall. It is not a function of the WG server config or the WG client.

Is this a correct assessment on my part on how to proceed?

This is the current firewall config per LuCI.

Thank you in advance for a kick in the right direction.

Dear @naive,

Fascinating question.
Do you kindly seek to remove remote LAN access to all devices, including the MT3000, or are you targeting a specific device through the firewall configuration via LuCI?

Your clarification will aid us in navigating this matter with precision.
Thank you for posting :wave:

I desire full access to all devices on the LAN when accessing the LAN via the GL.iNet router's WireGuard server.

I do not want access beyond the LAN back to the Internet via the GL.iNet router running the WireGuard server.

Remote Client > Internet > GL.iNet Router running WireGuard Server > All devices on LAN >|< NO outbound access via GL.iNet Router WireGuard/LAN back to the Internet.

Make sense?

Do you mean that the request to actively access the device under the LAN network is transmitted through the VPN, but the response of the LAN network device to this request is never transmitted through the VPN?

Or, the response to the access request is also transmitted through the VPN, but the device under the LAN network cannot actively access the Internet through the VPN?

Hopefully this network map will help clarify my question and goal. Traffic to and from LAN devices to the remote laptop via WG is working as I had hoped. My next goal is to prevent access by the remote WG client beyond the LAN and out to the Internet at large via the WG connection. I want remote access to the LAN but not beyond it when connected to the home LAN WG server.
For what it may be worth: the GL.iNet router is presently connected to the TP-Link router as a virtual server. I think configuring the firewall on the GL.iNet router is the way to go versus configuring the TP-Link firewall and routes. Green arrows signify traffic as the routers are presently configured.

For your goal, I think preventing the data forwarding from WG server to WAN zone is a feasible method. I have made some attempts and it should achieve the effect you want.

As shown below, on the LuCI page I disabled the forwarding from zone wgserver to zone wan, so that data from wgserver cannot be forwarded to the Internet.

  • Remember to Save & Apply after the operation.

Thank You. This helps.
I had not tried modifying the LuCI firewall config as of yet. I wanted to have some assurance that I was not missing or needing to edit a setting in the WireGuard server or client file configuration itself to achieve my goal. I will give firewall editing a go and post/close the thread accordingly. Thank you for your help.

If your WireGuard client is running on a GL.iNet product, you can select the VPN's Customize Routing Rules mode. In this mode, no data transmission passes through the VPN by default, but you can add routing rules to make LAN traffic use the VPN for transmission. This mode does not resolve domain names through the VPN by default, but you can set that manually.


This switch needs to be enabled to access the internal network of the server.

Update: I was unable to reach my goal per the initial resolution presented by eleney, GL.iNet Staff. I tried a number of zone configurations without success. The challenge I have, I believe, is that the GL-MT3000 is not the primary router. It is attached via the primary router in use at this time as a virtual server.
The primary router at this time is configured as a single LAN which has access to the WAN. I can explore reconfiguring it. In exploring the initial solution presented, I did further explore the LuCI firewall configuration options available to me. Adding a firewall traffic rule shows some promise. I have to explore further.

As to the most recent suggestion: I am working with a GL-MT3000 which is running a WireGuard server. I have explored all the default options readily available in WireGuard Settings and none of them showed any promise.

The most recent suggestion did clue me in to be aware of resolving internal host names; that is what I may be up against in configuring a new traffic rule.

Thanks
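Added example, not from the original posts or from GL.iNet: the zone-forwarding change from the staff reply, expressed in the /etc/config/firewall file that LuCI edits on the GL-MT3000 (OpenWrt UCI syntax), and extended for the double-router setup described in the update. With the MT3000 behind the TP-Link as a "virtual server", the MT3000's wan zone faces the TP-Link LAN, so simply dropping the wgserver-to-wan forwarding cuts remote clients off from the home devices as well; the two traffic rules below re-open only the home subnet and reject everything else. Assumed, and to be adjusted: the WireGuard server zone is named wgserver (GL.iNet's default), the MT3000's own LAN is 192.168.8.0/24 (GL.iNet's default) and the home devices behind the TP-Link are on 192.168.0.0/24 (the ER605 default).

```uci
# Added example (not the thread's own config): relevant sections of
# /etc/config/firewall on the GL-MT3000.  The existing 'wgserver' zone
# section that GL.iNet generated is left unchanged and not repeated here.
# Assumptions, to be adjusted: zone 'wgserver', MT3000 LAN 192.168.8.0/24,
# home LAN behind the TP-Link 192.168.0.0/24.

# Keep: remote WireGuard clients may reach the MT3000's own LAN.
config forwarding
	option src 'wgserver'
	option dest 'lan'

# Removed (the staff reply's change): no blanket wgserver -> wan forwarding.
# Behind the TP-Link, 'wan' is the TP-Link LAN, so the home devices are also
# on the far side of this zone; the two rules below open only that subnet.
#
# config forwarding
# 	option src 'wgserver'
# 	option dest 'wan'

# Rule 1: allow forwarded traffic from remote clients to the home LAN only.
# Rules are evaluated in file order, so this must come before the reject rule.
config rule
	option name 'wg-allow-home-lan'
	option src 'wgserver'
	option dest 'wan'
	option family 'ipv4'
	option dest_ip '192.168.0.0/24'
	option proto 'all'
	option target 'ACCEPT'

# Rule 2: everything else from remote clients towards 'wan' (the Internet
# beyond the TP-Link) is rejected.  A rule with both src and dest matches
# forwarded traffic only, so DNS, SSH and LuCI on the router itself
# (192.168.8.1, input chain) are unaffected.
config rule
	option name 'wg-block-internet'
	option src 'wgserver'
	option dest 'wan'
	option proto 'all'
	option target 'REJECT'
```

Both rules can be created as "Traffic Rules" in LuCI instead of by editing the file; either way, apply with Save & Apply or `/etc/init.d/firewall restart`. To check from a connected remote client: a ping to 192.168.0.1 (or any home device) should answer, and `curl -I https://1.1.1.1` through the tunnel should fail immediately with a reject rather than hang. Two caveats for the DNS concern raised in the update: if the client's WireGuard config points DNS at a public resolver, that lookup now travels through the tunnel and is rejected, so set the client's DNS to the MT3000 (192.168.8.1) or to a resolver on the home subnet; and the MT3000 does not know the host names of devices behind the TP-Link, so use their addresses or whatever resolver the TP-Link offers on that subnet. The client-side alternative the staff described (Customize Routing Rules) corresponds, on a plain WireGuard client, to listing only the home subnets in the peer's AllowedIPs instead of 0.0.0.0/0; that keeps Internet traffic off the tunnel but is a client preference, not something the server enforces, which is why the firewall rules above are still worth having.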