Using WireGuard with FirewallD and Policy Objects

I’m working with WireGuard and some of the new features in FirewallD and wanted to get some feedback on my configuration. I am trying to accomplish the following:

  • External VPN clients can access WireGuard
  • VPN clients can access systems on the internal network
  • VPN clients can access each other
  • Internal clients can access VPN clients
  • Select clients can access the VPN server directly via SSH and Cockpit.

One thing worth noting is that this is running in a homelab. I was experimenting with pfSense but wanted to use Linux WireGuard VPN server behind the pfSense server. pfSense is NAT’ing 51820/udp to the Linux server which manages the WireGuard configurations and then masquerades the traffic back to the pfSense firewall via the same interface the traffic comes in on. The Fedora Server running FirewallD here is on a separate VLAN managed by pfSense (172.16.100.0/24). That is why there is only the single interface (ens18).

The following configuration appears to accomplish all of my goals listed above but I’m curious if I’m using policy objects correctly (the docs and examples are pretty sparse at the moment) and if I’m overlooking issues or exposing security problems. Any feedback would be appreciated.

ens18: 172.16.100.2 <–> pfSense: 172.16.100.1 <–> internet
wg0: 192.168.100.1

Zones:

external (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens18
  sources: 
  services: wireguard
  ports: 
  protocols: 
  forward: no
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

admin (active)
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 192.168.100.2/32
  services: 
  ports: 
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

vpn (active)
  target: default
  icmp-block-inversion: no
  interfaces: wg0
  sources: 
  services: 
  ports: 
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

Policies:

adminPolicy (active)
  priority: -1
  target: CONTINUE
  ingress-zones: admin
  egress-zones: HOST
  services: cockpit ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

vpnForward (active)
  priority: -1
  target: ACCEPT
  ingress-zones: vpn
  egress-zones: external vpn
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

vpnOutbound (active)
  priority: -1
  target: ACCEPT
  ingress-zones: external
  egress-zones: vpn
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: