Hello everyone,
I have been running OpenWRT on an RPi3b to act as an AP for my other devices. OpenWRT is also set up so that all traffic goes through a Surfshark WireGuard VPN. Note that the OpenWRT device works as a router (my ISP modem has its DMZ set to the OpenWRT's internal IP). I have also set up netdata and docker as additional services, and I would love to be able to reach those from outside my local network. My understanding is that I cannot reach any server behind a VPN, as the VPN would simply reject any incoming connection, and for safety reasons I would prefer not to expose the LuCI interface to the internet. Here is my question: is there a way to selectively forward incoming traffic (to specific ports) so that it goes through or around the VPN, thus making those services accessible from outside the local network? The config files follow.
root@OpenWrt:~# cat /etc/config/network
# /etc/config/network as pasted by the author. Values such as 'my_ip',
# 'my_key' and 'my_dns' look like redactions rather than literal settings;
# the many '' values on the Surfshark_BE / Surfshark_US sections are
# presumably redacted the same way — verify before treating them as empty.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix ''
# br-lan bridges eth0 only; IPv6 is disabled on the bridge.
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
option ipv6 '0'
# LAN side of the router: 192.168.2.1/24 on br-lan. The two dns entries pin
# Google's resolvers as upstream for this interface.
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.2.1'
list dns '8.8.8.8'
list dns '8.8.4.4'
# Active WireGuard tunnel. metric 10 is lower than the WAN's metric 20
# (further down), so where both interfaces offer a route for the same
# prefix the tunnel's route is preferred. peerdns '0' ignores resolvers
# pushed by the peer; the listed 'my_dns' entries are used instead.
config interface 'Surfshark_Milan'
option proto 'wireguard'
list addresses 'my_ip'
option private_key 'my_key'
option mtu ''
option peerdns '0'
option metric '10'
list dns 'my_dns'
list dns 'my_dns'
# First peer entry: allowed_ips is empty and endpoint_host/endpoint_port are
# blank. NOTE(review): this looks like a stale or placeholder peer section —
# confirm whether it is still needed and remove it if not.
config wireguard_Surfshark_Milan
list allowed_ips ''
option route_allowed_ips '1'
option persistent_keepalive '30'
option endpoint_host ''
option endpoint_port ''
option public_key 'my_key'
# Second peer entry: allowed_ips 0.0.0.0/0 together with route_allowed_ips
# '1' installs a route for 0.0.0.0/0 via the tunnel, i.e. all IPv4 traffic
# the router originates or forwards leaves through the VPN unless a more
# specific route or a policy rule says otherwise. Note that 'option
# public_key' carries no value in this paste.
config wireguard_Surfshark_Milan
option public_key
list allowed_ips '0.0.0.0/0'
option route_allowed_ips '1'
option endpoint_host ''
option persistent_keepalive '25'
option endpoint_port ''
# Upstream toward the ISP modem on eth1 via DHCP. metric 20 ranks below the
# tunnel's 10, so this is the fallback path, not the default one. The same
# Google resolvers are pinned here as on lan.
config interface 'WAN'
option proto 'dhcp'
option peerdns '0'
option metric '20'
option device 'eth1'
list dns '8.8.8.8'
list dns '8.8.4.4'
# IPv6 is disabled on every physical and virtual device below.
config device
option name 'eth0'
option ipv6 '0'
config device
option name 'Surfshark_Milan'
option ipv6 '0'
config device
option name 'wlan0'
option ipv6 '0'
config device
option name 'eth1'
option ipv6 '0'
# Alternate Surfshark endpoints. auto '0' keeps them down at boot; they are
# referenced by the firewall's 'vpn' zone alongside Surfshark_Milan.
config interface 'Surfshark_BE'
option proto 'wireguard'
option auto '0'
option private_key ''
list addresses ''
option mtu ''
option peerdns '0'
list dns ''
list dns ''
config wireguard_Surfshark_BE
option public_key ''
list allowed_ips '0.0.0.0/0'
option route_allowed_ips '1'
option endpoint_host ''
option persistent_keepalive '25'
config interface 'Surfshark_US'
option proto 'wireguard'
option auto '0'
option private_key ''
list addresses ''
option mtu ''
option peerdns '0'
list dns ''
list dns ''
config wireguard_Surfshark_US
option public_key ''
list allowed_ips '0.0.0.0/0'
option route_allowed_ips '1'
option endpoint_host ''
option persistent_keepalive '25'
# docker0 is declared as an interface so the firewall's 'docker' zone can
# reference it (see /etc/config/firewall); proto 'none' and auto '0' mean
# netifd does not configure or bring it up itself.
config interface 'docker'
option device 'docker0'
option proto 'none'
option auto '0'
config device
option type 'bridge'
option name 'docker0'
root@OpenWrt:~# cat /etc/config/firewall
# /etc/config/firewall as pasted. Global defaults: input/output ACCEPT,
# forward REJECT, SYN-flood protection on. Each zone below sets its own
# input/output/forward policy, which takes precedence for that zone.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option synflood_protect '1'
option forward 'REJECT'
# lan zone: fully open in all three directions.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
# wan zone (interface WAN / eth1): NAT-masqueraded, input and forward
# REJECT. Anything arriving from the ISP side is dropped unless one of the
# rules or redirects below explicitly allows it.
config zone
option name 'wan'
list network 'WAN'
option masq '1'
option mtu_fix '1'
option output 'ACCEPT'
option input 'REJECT'
option forward 'REJECT'
# The Allow-* rules below appear to be the stock OpenWrt defaults.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
# The router answers ICMP echo from the WAN side, i.e. it is pingable from
# the internet side of the modem.
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
# IPv6 housekeeping rules; note IPv6 is disabled on every device in
# /etc/config/network, so these are currently inert.
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Stock rules that forward unsolicited ESP and UDP/500 from wan into the lan
# zone. NOTE(review): harmless if nothing on the LAN terminates IPsec, but
# if IPsec is not used they can be disabled to narrow the wan->lan surface.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled '0'
# Custom rules file; its contents are not part of this paste, so any
# raw rules it adds are not reviewed here.
config include
option path '/etc/firewall.user'
# vpn zone: all three Surfshark tunnels, masqueraded, input/forward REJECT.
# Nothing arriving from the tunnel is accepted or forwarded.
config zone
option name 'vpn'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
list network 'Surfshark_Milan'
list network 'Surfshark_BE'
list network 'Surfshark_US'
option input 'REJECT'
option forward 'REJECT'
# Accepts traffic from wan to the router itself on port 51820. No proto is
# given, so the firewall's default (tcp and udp) applies. NOTE(review):
# nothing in /etc/config/network sets listen_port 51820 on any WireGuard
# interface, so confirm what is meant to listen here before leaving this
# port open toward the ISP side.
config rule
option name 'wan-local-wg'
option src 'wan'
option dest_port '51820'
option target 'ACCEPT'
# Only lan->wan and lan->vpn forwarding exist; there is no wan->lan
# forwarding, so inbound access from the ISP side relies entirely on
# explicit rules/redirects.
config forwarding
option src 'lan'
option dest 'wan'
config forwarding
option src 'lan'
option dest 'vpn'
# NOTE(review): all three DNAT redirects (Netdata, RPi, HA) are disabled
# (enabled '0') and carry src 'lan' / dest 'wan'. A port forward that is
# meant to accept connections arriving from the ISP side needs src 'wan'
# and dest set to the zone holding dest_ip (here 'lan', since 192.168.2.1
# is the lan address); as written they would apply to LAN-originated
# traffic instead. Separately, with the tunnel holding the 0.0.0.0/0 route
# (see network config), replies to WAN-side connections presumably follow
# that default route rather than eth1 unless policy routing pins them —
# confirm with a traffic capture before relying on these forwards.
config redirect
option target 'DNAT'
option dest_port '19999'
option name 'Netdata'
option src_dport '19999'
option dest_ip '192.168.2.1'
option enabled '0'
option src 'lan'
option dest 'wan'
# NOTE(review): this redirect targets port 443 on the router itself. If
# uhttpd/LuCI is what listens on 443 there, enabling it would expose the
# admin UI that the author wants to keep off the internet — confirm what
# actually listens on 443 before enabling.
config redirect
option dest 'wan'
option target 'DNAT'
option name 'RPi'
option src 'lan'
option src_dport '443'
option dest_ip '192.168.2.1'
option dest_port '443'
option enabled '0'
# Named section 'docker' covering the docker0 interface; fully open in all
# three directions, like lan.
config zone 'docker'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option name 'docker'
list network 'docker'
# Same direction issue as the Netdata redirect above; also disabled.
config redirect
option target 'DNAT'
option name 'HA'
option src_dport '8123'
option src 'lan'
option dest 'wan'
option dest_ip '192.168.2.1'
option dest_port '8123'
option enabled '0'
I do hope this info can be of some help!
Thanks in advance
Matteo