Tunnel interface VPN access rules

I need to understand the necessary access rules for configuring a tunnel interface VPN between two Sonicwalls while not allowing any access to the WAN from either site.

I have found several support articles from sonicwall which detail the tunnel interface configuration but none of them mention anything about the access rules necessary to make sure they work. Here are some specific questions to hopefully make this easier to address:

  1. Can we create rules denying all traffic to and from the WAN interfaces on both sides while allowing LAN-to-VPN and VPN-to-LAN traffic?
  2. Or - is there some access rule that needs to be in place for the tunnel itself to be created? (i.e. WAN-to-WAN rules allowing traffic to and from the site public IPs?)

Our goal is to connect two sites and allow traffic between them but not allow anybody on either side to have direct WAN access.

Client routes - X0 subnet
Firewall rules: deny LAN to WAN, allow VPN to LAN and LAN to VPN. If you do a deny WAN to LAN then it might interfere with the tunnel access.

Thanks. Isn’t WAN-to-LAN denied by default due to zone trust settings? Does the VPN auto-create certain WAN-to-LAN rules that are necessary for the tunnel to work?

Depends on how your SonicWall is set up, but you are correct; by default WAN to LAN is denied.

My suggestion - set up both ends using the base settings, run continuous pings from PCs at both ends to google.com and to the other side of the tunnel; then start applying restrictive firewall rules.

You could create address objects for the WAN of each endpoint and then create rules so that instead of WAN to WAN it would be "offsite one to LAN is allowed", then on the other side of the tunnel "offsite two to LAN is allowed".
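To make the rule set the replies are describing concrete, here is a small zone-based, first-match access-rule simulator. It is an added example written for this page, not SonicOS code or anything from the original thread: the zone names, address-object names, addresses (RFC 5737 documentation ranges) and the IKE/ESP service labels are all assumptions, and the model only shows how rule order and narrow address objects interact. It does not settle whether a given SonicOS version subjects the firewall's own IKE/ESP traffic to access rules at all; it shows why a blanket deny from WAN placed above a peer-specific rule, as warned about above, would catch that traffic if it were evaluated.

```python
"""Zone-based access-rule simulator for the site-to-site policy discussed above.

Constructed model, not SonicOS code: zone names, address-object names, addresses
and service labels are assumptions. First matching rule wins; unmatched traffic
is implicitly denied.
"""
from dataclasses import dataclass
import ipaddress

# Hypothetical address objects on site A's firewall (RFC 5737 documentation ranges).
ADDRESS_OBJECTS = {
    "X0 Subnet": ipaddress.ip_network("192.168.10.0/24"),       # site A LAN
    "Site B Subnet": ipaddress.ip_network("192.168.20.0/24"),   # site B LAN, reached via the tunnel
    "Site A WAN IP": ipaddress.ip_network("203.0.113.10/32"),   # this firewall's public IP
    "Site B WAN IP": ipaddress.ip_network("198.51.100.20/32"),  # peer firewall's public IP
    "Any": ipaddress.ip_network("0.0.0.0/0"),
}


def zone_of(ip: str) -> str:
    """Assumed zone assignment: local LAN, remote subnet behind the tunnel (VPN), else WAN."""
    addr = ipaddress.ip_address(ip)
    if addr in ADDRESS_OBJECTS["X0 Subnet"]:
        return "LAN"
    if addr in ADDRESS_OBJECTS["Site B Subnet"]:
        return "VPN"
    return "WAN"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str                 # "allow" or "deny"
    src: str = "Any"            # address-object name
    dst: str = "Any"
    services: tuple = ("Any",)  # e.g. ("IKE", "ESP"); "Any" matches every service

    def matches(self, src_ip: str, dst_ip: str, service: str) -> bool:
        return (
            self.src_zone == zone_of(src_ip)
            and self.dst_zone == zone_of(dst_ip)
            and ipaddress.ip_address(src_ip) in ADDRESS_OBJECTS[self.src]
            and ipaddress.ip_address(dst_ip) in ADDRESS_OBJECTS[self.dst]
            and ("Any" in self.services or service in self.services)
        )


def evaluate(rules, src_ip, dst_ip, service):
    """Return (action, index of the first matching rule); no match means implicit deny."""
    for i, rule in enumerate(rules):
        if rule.matches(src_ip, dst_ip, service):
            return rule.action, i
    return "deny", None


# Policy matching the replies: deny LAN->WAN, allow LAN<->VPN, and a narrow rule
# for the peer's public IP instead of a blanket WAN->WAN allow.
SITE_A_RULES = [
    Rule("LAN", "WAN", "deny"),
    Rule("LAN", "VPN", "allow", src="X0 Subnet", dst="Site B Subnet"),
    Rule("VPN", "LAN", "allow", src="Site B Subnet", dst="X0 Subnet"),
    Rule("WAN", "WAN", "allow", src="Site B WAN IP", dst="Site A WAN IP",
         services=("IKE", "ESP")),
]

# The pitfall mentioned in the thread: a blanket deny from WAN placed above the peer rule.
SITE_A_RULES_TOO_STRICT = [Rule("WAN", "WAN", "deny")] + SITE_A_RULES

# Constructed test flows: (source IP, destination IP, service).
FLOWS = {
    "lan_to_internet": ("192.168.10.5", "192.0.2.50", "ICMP"),
    "lan_to_remote_lan": ("192.168.10.5", "192.168.20.7", "ICMP"),
    "remote_lan_to_lan": ("192.168.20.7", "192.168.10.5", "ICMP"),
    "peer_ike_to_firewall": ("198.51.100.20", "203.0.113.10", "IKE"),
    "stranger_ike_to_firewall": ("192.0.2.99", "203.0.113.10", "IKE"),
    "internet_to_lan": ("192.0.2.99", "192.168.10.5", "ICMP"),
}


def check_policy(rules):
    """Map each constructed flow name to the action the rule set would take."""
    return {name: evaluate(rules, *flow)[0] for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, rules in (("intended", SITE_A_RULES), ("too strict", SITE_A_RULES_TOO_STRICT)):
        print(label)
        for name, action in check_policy(rules).items():
            print(f"  {name:26s} {action}")
```

Running it shows the intended set denying LAN-to-Internet and Internet-to-LAN while allowing both directions across the tunnel and the peer's IKE/ESP, and the "too strict" set differing in exactly one row: the peer's IKE is now caught by the blanket deny, which is the kind of regression the continuous-ping test suggested above would surface.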