Firewall rules - allow VPN to access LAN

Hi all!

Please, I need your help!

I have "messed up" the firewall rules in order to allow:

- from VPN to access my LAN
- from my LAN to access VPN

At the moment I have everything working as I want, but in firewall terms, I am afraid that it's vulnerable.

Can you please point me to something that's not good, so I can change it?

:pray:

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option mtu_fix '1'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'wghome'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'vpn'

config forwarding
	option src 'wan'
	option dest 'vpn'

config redirect
	option dest 'vpn'
	option target 'DNAT'
	option name 'WG'
	list proto 'udp'
	option src 'wan'
	option src_dport '31231'
	option dest_ip '10.91.23.6/32'
	option dest_port '31231'

config forwarding
	option src 'vpn'
	option dest 'lan'

It looks like you use WireGuard as a "server" to access your home.

There is room for improvement indeed: masquerading of the VPN zone is not required, and masquerading of the LAN firewall zone is also not customary, but it might be useful in some scenarios.
The rule to allow port 31231 is also not "optimal".

For some more information see my notes:

You need the Server setup guide; make sure to download the guide, as GitHub only shows the first 5 pages.

1 Like

Many thanks!

Because I have messed up, ticking and unticking some masquerade and MSS clamping options :frowning:
In fact, this router will be behind NAT and only act as a VPN bridge to access a printer.

But, for sure, these firewall rules and firewall zones are really messy.

From other WireGuard peers, I can send jobs to be printed by this printer... So, to me, my goal is achieved! But I know that I have messed up.

If your router is set up as a bridged AP, so without a WAN, then you need different settings and probably masquerading on the LAN zone.

My mistake... it's not a bridged AP.

It's in fact acting as a router, but it will be behind the ISP router...

ISP router subnet - 192.168.150.0.0/24
OpenWrt router - 192.168.150.15/32
OpenWrt router subnet - 10.50.50.0/24

That is fine, my notes apply in that situation.

You can disable masquerading on the VPN zone and on the LAN zone, and use a more appropriate ACCEPT rule for the WireGuard listen port, as described in my notes.

Sometimes masquerading on the LAN zone can be helpful; there is a paragraph in my notes covering that: "Allow seamless access to LAN clients".

Firewall rules are also covered.

1 Like
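The two fixes suggested in this reply (and in the first one above) can be checked mechanically. The following Python script is an added example, not code from the thread, from OpenWrt or from the replier's notes: it parses the UCI firewall syntax shown in the question, flags masquerading on any zone other than the upstream `wan` zone and a DNAT redirect into the `vpn` zone for the WireGuard listen port, and rewrites the config so that the redirect becomes a plain ACCEPT input rule. The zone names `wan`/`vpn` and port `31231` come from the thread; the rule name `Allow-WireGuard` and the assumption that WireGuard terminates on the router itself (so its listen port needs an input rule, not a DNAT) are mine.

```python
"""Added example: lint an OpenWrt UCI firewall config for masquerading on
non-upstream zones and for a DNAT redirect used to expose the WireGuard
listen port, then emit a corrected config. Hypothetical helper, not
OpenWrt's own tooling."""

import re

# Constructed sample: the zone and redirect sections from the question, trimmed.
SAMPLE_CONFIG = """
config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option masq '1'

config zone
    option name 'wan'
    list network 'wan'
    option input 'REJECT'
    option forward 'REJECT'
    option masq '1'

config zone
    option name 'vpn'
    list network 'wghome'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    option masq '1'

config redirect
    option dest 'vpn'
    option target 'DNAT'
    option name 'WG'
    list proto 'udp'
    option src 'wan'
    option src_dport '31231'
    option dest_ip '10.91.23.6/32'
    option dest_port '31231'
"""

# One UCI line: "config <type> [name]", "option <key> <value>" or "list <key> <value>".
UCI_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+(?:'([^']*)'|(\S+)))?\s*$")


def parse_uci(text):
    """Parse UCI text into a list of sections: type, optional name, options, lists."""
    sections = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = UCI_LINE.match(line)
        if not m:
            raise ValueError(f"unparsable UCI line: {line!r}")
        kind, key, quoted, bare = m.groups()
        value = quoted if quoted is not None else bare
        if kind == "config":
            sections.append({"type": key, "name": value, "options": {}, "lists": {}})
        elif kind == "option":
            sections[-1]["options"][key] = value
        else:
            sections[-1]["lists"].setdefault(key, []).append(value)
    return sections


def lint(sections, upstream_zone="wan", vpn_zone="vpn"):
    """Return human-readable findings; an empty list means nothing to report."""
    findings = []
    for s in sections:
        o = s["options"]
        if s["type"] == "zone" and o.get("masq") == "1" and o.get("name") != upstream_zone:
            findings.append(f"zone '{o.get('name')}': masquerading enabled, but only the "
                            f"upstream '{upstream_zone}' zone normally needs it")
        # Assumption: WireGuard terminates on the router, so its listen port is opened
        # with an input-chain ACCEPT rule, not by DNAT-ing the port into the vpn zone.
        if s["type"] == "redirect" and o.get("target") == "DNAT" and o.get("dest") == vpn_zone:
            findings.append(f"redirect '{o.get('name')}': DNAT of port {o.get('src_dport')} into "
                            f"zone '{vpn_zone}'; use an ACCEPT rule with src '{o.get('src')}' instead")
    return findings


def harden(sections, upstream_zone="wan", vpn_zone="vpn"):
    """Drop masq from non-upstream zones and turn the WireGuard DNAT into an ACCEPT rule."""
    fixed = []
    for s in sections:
        o = s["options"]
        if s["type"] == "zone" and o.get("name") != upstream_zone and "masq" in o:
            s = {**s, "options": {k: v for k, v in o.items() if k != "masq"}}
        elif s["type"] == "redirect" and o.get("target") == "DNAT" and o.get("dest") == vpn_zone:
            proto = s["lists"].get("proto", [o.get("proto", "udp")])[0]
            s = {"type": "rule", "name": None, "lists": {},
                 "options": {"name": "Allow-WireGuard", "src": o["src"], "proto": proto,
                             "dest_port": o["src_dport"], "target": "ACCEPT"}}
        fixed.append(s)
    return fixed


def render_uci(sections):
    """Serialise sections back into tab-indented UCI text."""
    blocks = []
    for s in sections:
        lines = [f"config {s['type']}" + (f" '{s['name']}'" if s["name"] else "")]
        lines += [f"\toption {k} '{v}'" for k, v in s["options"].items()]
        lines += [f"\tlist {k} '{v}'" for k, vals in s["lists"].items() for v in vals]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    parsed = parse_uci(SAMPLE_CONFIG)
    for finding in lint(parsed):
        print("FINDING:", finding)
    print(render_uci(harden(parsed)))
```

Run it against the output of `uci export firewall` to get the findings and a corrected config; on the sample it reports the `lan` and `vpn` masquerading and the `WG` redirect, and the hardened output keeps masquerading only on `wan` and replaces the redirect with an input ACCEPT rule for UDP 31231 from `wan`.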

Have you looked at Tailscale?

If you install Tailscale on OpenWrt you can get direct access to your LAN and access the printer without having to touch the ISP router.

You could even do this with Tailscale on an Apple TV sitting on the ISP LAN.

With WireGuard I got all this as well!

And I don't use any third party hardware that does not belong to me :wink:

Tailscale and ZeroTier are great in some scenarios / for some users!

But for me, for my use case, I prefer WireGuard, and with that I have set up a site-to-site VPN between my home and my office with very low latency and great throughput.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.