Firewall setting for wireguard VPN

Hello everyone,

the wireguard tunnels (there are two of them) are setting up reliably. However, I have an open problem where I just can't get any further:

I need the following firewall rule on the server side so that I can access the server via RDP:
part of /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network ''
list network 'vpn'
config zone 'wan'
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
config rule
option name 'RDP allow'
option target 'ACCEPT'
list dest_ip '[IP-RDP-Server]'
option src ''
option dest '
'

part of /etc/config/network
config wireguard_vpn 'wgclient3'
option public_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=‘
option preshared_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=‘
list allowed_ips '[VPN-IP-Client]/32'
list allowed_ips '[VPN-IP-Client]::4/128'

On the client side, the VPN interface is in the WAN zone, on the server in the LAN zone. I expected that I don't need any firewall rule at all. and above all it only works if source and destination are set as 'any'. What is wrong there?

Thanks for your help in advance

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall

You normally do not need any firewall rule BUT you have to open up the firewall of the LAN clients (e.g. the computer you want RDP to) for the WG subnet!

Note your redacted your WG subnet form your first post, there is no need to redact private RFC1918 addresses

1 Like
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxx:xxxx:xxxx::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.40.1'
	list dns '8.8.8.8'

config interface 'wan'
	option device 'eth0.2'
	option proto 'static'
	option ipaddr '192.168.20.20'
	option netmask '255.255.255.0'
	option gateway '192.168.20.254'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0 6t'

config interface 'vpn'
	option proto 'wireguard'
	option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx='
	option listen_port '51820'
	list addresses '192.168.9.1/24'
	list addresses 'fd00:9::1/64'

config wireguard_vpn 'wgclient1'
	option public_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx='
	option preshared_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx='
	list allowed_ips '192.168.9.2/32'
	list allowed_ips 'fd00:9::2/128'

config wireguard_vpn 'wgclient2'
	option public_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx='
	option preshared_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx='
	list allowed_ips '192.168.9.3/32'
	list allowed_ips 'fd00:9::2/128'

config wireguard_vpn 'wgclient3'
        option public_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx='
        option preshared_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx='
        list allowed_ips '192.168.9.4/32'
        list allowed_ips 'fd00:9::4/128'
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network ''
	list network 'vpn'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'RDP allow'
	option target 'ACCEPT'
	list dest_ip '192.168.40.22'
	option src '*'
	option dest '*'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config rule
	option dest 'lan'
	option src 'wan'
	option name 'LAN-Reject'
	option target 'REJECT'

config rule
	option dest_port '53'
	option src 'lan'
	option name 'DNS-to-WAN-Allow'
	option dest 'wan'
	option target 'ACCEPT'

config rule
	option dest_port '80'
	option name 'HTTP-to-WAN-Allow'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'tcp'
	option src 'lan'

config rule
	option dest_port '443'
	option name 'HTTPS-to-WAN-Allow'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'tcp'
	option src 'lan'

config rule
	option dest_port '993'
	option src 'lan'
	option name 'imap-ssl-tls-to-WAN'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'tcp'

config rule
	option dest_port '465'
	option src 'lan'
	option name 'mail-ssl/tls-to-WAN'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'tcp'

config rule
	option src 'lan'
	option dest 'wan'
	option target 'ACCEPT'
	option dest_port '22'
	option name 'ssh-(sftp)-to-WAN'

config rule
	option name 'LAN-to-WAN-reject'
	option dest 'wan'
	option target 'REJECT'
	option src 'lan'
	list proto 'all'

config rule 'wg'
	option name 'Allow-WireGuard'
	option src 'wan'
	option dest_port '51820'
	option proto 'udp'
	option target 'ACCEPT'

If this is a holdover from your previous configuration and you're actually using fw4, remove the wrong (empty) list network '' option from the lan firewall zone. Restarting the firewall service will return an error, the zone and corresponding rules will not be created and the default policies will be used.

Since the default FORWARD policy is REJECT, this would explain the need for an explicit traffic rule.

2 Likes

Since vpn and lan are both in lan firewall zone, then traffic is allowed between them. Fix the mistakes noted by @pavelgl and also remove the RDP allow rule

Rule LAN-Reject is not needed.
Also rule LAN-to-WAN-reject is not necessary, if you remove the lan->wan forwarding.

2 Likes

Thank you for the information. I think that is the problem. I have no idea what
option path '/etc/firewall.user' should be. There is no file '/etc/firewall.user'. Even fw4 doesn't tell me anything. It was probably not a good idea to use the configuration file /etc/config/firewall from an older openwrt version.

How do I get rid of this stuff? I commented out the two lines in the /etc/config/firewall file. Then I did the following:

uci commit firewall
/etc/init.d/firewall restart
uci commit network
/etc/init.d/network restart
reboot

The "lines config include" and "option path '/etc/firewall.user'" have disappeared from /etc/config/firewall. But I still need the rule "RDP allow".

What for? You have only lan and wan zones. Wan is masqueraded which means that hosts in 192.168.20.0/24 don't know where is 192.168.40.0/24. If you only want to access the RDP server from the wireguard, then you don't need the rule.

I think so too, but I can't access RDP without the "RDP allow" rule, but I can with the rule. Something must still be wrong.
Is the procedure I described above (commenting out) correct?

Can you post again the following in preformatted text?

uci export network; uci export firewall

Have you removed/commented out :point_down:

that is actually the problem?

Run fw4 restart and look for lines like these:

Section @zone[0] (lan) option 'network' specifies invalid value ''
Section @zone[0] (lan) skipped due to invalid options

first I have commented out. After
uci commit firewall /etc/init.d/firewall restart uci commit network /etc/init.d/network restart reboot
the lines was automatic removed.

Please post the output of

uci show firewall.@zone[0]; nft list chain inet fw4 forward; nft list chain inet fw4 forward_lan

Are the IPv6 for wgclient1 and wglcient2 intentionally same? You'd probably want to change that and reload network.

1 Like

that was the solution: I deleted the line "list network ''". Now everything seems to work. Thank you very much for your help.

My mistake was to use configuration files from older openwrt versions.

How to do a version update correctly?

By not preserving the old configuration files. You should only use them as guides to configure the new version from scratch.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.