So just wondering if Wireguard through Luci can be set up with access limited within a specific VLAN or subdomain? What kind of configuration do I need? And how does Tailscale compare with its ACL?
More context could be useful, as it's not totally clear what you're asking.
Wireguard is a VPN protocol... there is a LuCI interface to administer the service, but it's not really "through LuCI" in any way.
Can you be more specific here:
- Is the VPN an inbound one (i.e. allowing remote access to your network while off premises), or an outbound one (such as connecting to a commercial VPN provider)?
- Likewise, is the goal to prevent remote peers (in the inbound case) from reaching certain VLANs behind your router, or (in the outbound case) do you want to selectively route such that some networks use (or have access to) the tunnel while others egress via the standard wan?
When I said through Luci, I just meant setting these specific things with wireguard through Luci (GUI), not through config files.
I would like to connect to my home router when I'm elsewhere, and I would like to specifically (for the time being) connect to my NAS, which is on a separate VLAN and separate SSID at home. I would also allow a few members to do the same, so they use some of the NAS features when we are not at home.
This is really a function of the firewall configuration... just allow forwarding from the VPN zone to the zone with the VLAN in question.
This isn't a Wireguard question; this would be done by the firewall. As traffic enters the router on any network interface, the firewall decides whether it will be allowed to forward to another network.
So first get Wireguard remote connections working generally. Make sure that the Wireguard interface and the VLAN connected to the NAS are in different firewall zones. Then you can write specific rules to allow only certain traffic. This can all be done in LuCI.
@psherman @mk24 Thanks guys. This would work in the case where I only allow the NAS to be accessed remotely. What happens if I want to access other VLANs on my network, do I need to (can I even do that) create multiple Wireguard interfaces and assign them to the appropriate VLANs through the firewall?
Again, I would like to share this to family members and I would be the only one with access to all the VLANs.
All of this can be handled by the firewall and/or the allowed IPs on the remote peer's configuration (the allowed IPs can be easily modified, so you probably want to do this with the firewall).
You could even set up 2 different wireguard interfaces -- one that is more restrictive and one that is more permissive (they also need to be on different ports).
There are lots of ways to approach it. You need to define the specific access you want to allow/prevent and then you can go from there.
Ok, so you are saying that the peer's config is where you select the exact IP/subnet to join and not in the wireguard interface config (though I believe I saw an IP address field in luci's wireguard interface settings), therefore I need to firewall it?
Every peer has an allowed IPs field.
On your OpenWrt 'server' side peer, that field serves as the address that the remote peer will use for the purpose of establishing the tunnel. It will allow the router to know to send data that is bound for a given peer over the tunnel to said peer.
On the remote ('client') peer, there is, of course, a wg configuration that allows it to establish the tunnel back to your OpenWrt based peer at home. In this case, the allowed IPs defines what traffic should be sent via the tunnel. If you use 0.0.0.0/0 that means send all traffic through the tunnel. If you were to say 192.168.1.0/24 it would specify only that subnet should go through the tunnel to the 'server' side, and if you were to specify 192.168.1.42/32 that would mean only traffic destined for that specific host should go through the tunnel. (Any traffic that doesn't go through the tunnel would normally egress via the normal network/wan that the remote peer would use if it wasn't connected to the tunnel in the first place.)
The problem with this approach is that it doesn't prevent access to other hosts/networks insofar as someone could just modify the allowed IPs on their ('client') peer configuration (i.e. on their phone/computer, etc.).
The firewall is the way you actually allow/deny specific traffic by crafting rules with appropriate granularity.
Ok, nice. I believe what you are saying is basically in line what I was thinking. Thanks for the info.
In theory, if I were to have 3 users, all with different permissions, say one full access to all vlans/subnets, one NAS access only, one IoT + NAS, I can accomplish this only by having three different WG interfaces (with different ports and the three different firewall configs)?
Can I define any port with Wireguard? I know that the default port is 51820, but I can just use anything right?
How's tailscale on openwrt and can the ACL part of tailscale help in my situation?
You could do 3 different wireguard interfaces, or you could do 1 interface with firewall rules based on the IP addresses.
Yes, as long as it is UDP.
I don't use tailscale, so that's not my area of expertise.
Based on the IP addresses the peers are trying to connect to, or what? Because then it still means that they can choose what subnet they want to connect to? It's not that I don't trust my family members, it's more that I don't trust their device hygiene.
Based on the IP addresses of the peers themselves (their WG address, specifically).
I see, didn't know that you can do that and also firewall based on the peer.
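A concrete form of the single-interface approach described above (one WireGuard zone, forward and input rules keyed on each peer's tunnel address), as an added example and not a config posted in this thread; the interface name, zone names, subnets and peer addresses are all assumed:

```uci
# /etc/config/firewall (fragment). Constructed example; names and addresses are assumed:
# WG interface 'HOME_VPN' on 10.10.10.0/24; zones 'nas' and 'iot' already hold those VLANs.
# Peer tunnel addresses: 10.10.10.2 admin, 10.10.10.3 NAS-only, 10.10.10.4 IoT+NAS.
# Each peer's allowed_ips on the router is its own /32, so WireGuard drops packets a
# peer sends from any other source address; the src_ip matches below rely on that.

config zone
	option name 'vpn'
	list network 'HOME_VPN'
	option input 'REJECT'     # no ssh/LuCI from peers unless a rule below allows it
	option output 'ACCEPT'
	option forward 'REJECT'   # no VLAN reachable unless a rule below allows it

# Admin peer: the router itself (input) plus every zone (forward, dest '*' = any zone).
config rule
	option name 'vpn-admin-input'
	option src 'vpn'
	option src_ip '10.10.10.2'
	option target 'ACCEPT'

config rule
	option name 'vpn-admin-forward'
	option src 'vpn'
	option src_ip '10.10.10.2'
	option dest '*'
	option target 'ACCEPT'

# Family peers: only the NAS host (assumed 192.168.50.10), nothing else on that VLAN.
config rule
	option name 'vpn-family-nas'
	option src 'vpn'
	list src_ip '10.10.10.3'
	list src_ip '10.10.10.4'
	option dest 'nas'
	option dest_ip '192.168.50.10'
	option target 'ACCEPT'

# The IoT+NAS peer additionally reaches the IoT VLAN.
config rule
	option name 'vpn-iot'
	option src 'vpn'
	option src_ip '10.10.10.4'
	option dest 'iot'
	option target 'ACCEPT'
```

A family peer that edits its own AllowedIPs to 0.0.0.0/0 still gets its packets to anything other than 192.168.50.10 rejected in the forward chain, which is the point of doing this on the router rather than in the client config.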
Which pages from the wiki are the most important to setup WG? https://openwrt.org/docs/guide-user/services/vpn/wireguard/start
And lastly for the DDNS, what do you recommend using? There is a simpler way to implement DuckDNS, but I thought of going with Cloudflare and I believe the packages would be ddns-scripts and ddns-scripts-cloudflare for it. Let me know if you have any suggestions on that when using it with WG.
Look at the road warrior type config -- that's the most relevant to your situation.
I personally use changeip, but there are tons of options. Just look at the supported options within ddns scripts. The service you use has nothing to do with WireGuard or anything else. IMO, the choice really boils down to a matter of the right option for you when it comes to cost, features, domain name options and other features.
This seems very simple, aside from setting up the DDNS and the config in the scripts, it's pretty straightforward. Thanks for the suggestion on the road-warrior setup.
I wanted to ask though, can you ELI5 to me the road-warrior part, like what does it do differently than doing it yourself, aside from automating the process through a script?
Also I see that an IP address for the WG interface is needed, actually a separate subnet, is this how WG works, it has its own subnet and this is why you can then firewall specific peers off the other subnets?
In its current form, it's really just a script to automate the process. It can reduce the number of errors that users will encounter. IIRC, there was a previous version that explained the general principle and process of setting up the road warrior config (you'd be amazed how often people don't quite understand the goals).
Yes, it is a routed protocol, so it requires a unique subnet.
Precisely.
So my current config (can't send the files atm) is the following:
1 wg interface named HOME_VPN
2 firewall rules, general and admin:
- one that covers the whole interface HOME_VPN for general users, input: reject (uci add_list firewall.XXX.network='HOME_VPN')
- another that covers the whole interface HOME_VPN, but also the IP (Wireguard IP) for the admin device, this rule also has input: accept. (uci add_list firewall.XXX.network='HOME_VPN' and uci add_list firewall.XXX.device='192.168.50.5')
Get connection both ways, but I don't get access to the router. If I remove the general rule, I get router access, but then I get internet access to all other WG devices.
@psherman I apologize for being a bit persistent, but I wanted to bump this up again (crazy, I know it hasn't been even a full day), but since I'm leaving home in about 12 hours for a 2 week trip and I would need to connect home while out, I have to try in case you missed it. Thank you!
I'll be out for a bit today, but post the configs and I'll review. I need both sides/peers.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall