Update wireguard-client.rst to clarify use of WireGuard net (#304)

This proposed tweak to the how-to is intended to address the issue discussed in this forum thread: https://forum.opnsense.org/index.php?topic=21170.0
pull/318/head
Greelan 3 years ago committed by GitHub
parent 764de73760
commit 63252cb1b0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -89,15 +89,21 @@ For external clients to connect to the WireGuard server firewall rules must be c
If more granular rules are required note there is a new interface **wg0** where these may be configured.
The final piece is to allow traffic from the Wireguard network. Do this via :menuselection:`Firewall --> Rules --> WireGuard` and click **+Add** with the following information (if an item is not specified, leave it set to the default value):
The final piece is to allow traffic from the WireGuard network. First define an alias (e.g. **VPN_clients**) and include in it the IP addresses (e.g. 10.10.10.2 and 10.10.10.3) or subnet (e.g. 10.10.10.0/24) of the WireGuard clients from which traffic is to be allowed. Do this via :menuselection:`Firewall --> Aliases` (click **+** in the bottom right).
Then create a firewall rule via :menuselection:`Firewall --> Rules --> WireGuard` (click **+Add** in the top right), with the following information (if an item is not specified, leave it set to the default value):
=========================== ================ =====================================================================
**Interface** WireGuard *The interface this rule applies to*
**Source** WireGuard net *Source subnet*
**Source** VPN_clients *Source subnet - use the alias defined as above*
**Destination** any *Traffic destination*
**Description** WG WAN to LAN *Optional - provide a description*
=========================== ================ =====================================================================
.. Tip::
If you have only one local WireGuard instance and only one WireGuard endpoint configured, you can use the default **WireGuard net** as the source rather than defining and using a new alias.
.. Hint::
Rules defined under :menuselection:`Firewall --> Rules --> WireGuard` take precedence over rules individually configured for each tunnel.
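Review bot: the rationale for the new alias is missing from the hunk: the text now tells the reader to define **VPN_clients** instead of using **WireGuard net**, and the Tip only says when the default is still acceptable (one local instance, one endpoint), but nothing explains what goes wrong with **WireGuard net** in the multi-instance or multi-endpoint case that the linked forum thread raised. One sentence before "First define an alias" stating why the alias is preferred would make the change self-explanatory for readers who never see the forum thread. Two smaller points in the same hunk: the alias example offers "subnet (e.g. 10.10.10.0/24)" as an alternative to listing client addresses, which admits every peer in the tunnel subnet rather than the specific clients "from which traffic is to be allowed"; consider phrasing the subnet option as the broader choice so the least-privilege intent of the sentence is clear. And the table cell "Source subnet - use the alias defined as above" reads better as "Source - use the alias defined above", since the column is no longer necessarily a subnet.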
@ -179,4 +185,4 @@ An example Server configuration file:
PrivateKey = YNqHwpcAmVj0lVzPSt3oUnL7cRPKB/geVxccs0C0kk0=
[Peer]
PublicKey = CLnGaiAfyf6kTBJKh0M529MnlqfFqoWJ5K4IAJ2+X08=
AllowedIPs = 10.10.10.2/32
AllowedIPs = 10.10.10.2/32
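Review bot: the removed and added lines in this hunk are textually identical ("AllowedIPs = 10.10.10.2/32"), so the change here is whitespace-only (most likely a trailing newline or trailing space at the end of the file). That is fine to keep, but it is unrelated to the WireGuard net clarification in the commit message; either note it there or drop it from this PR so the diff matches its description.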
