the wireguard tunnels (there are two of them) are setting up reliably. However, I have an open problem where I just can't get any further:
I need the following firewall rule on the server side so that I can access the server via RDP:
part of /etc/config/firewall
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network ''
	list network 'vpn'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config rule
	option name 'RDP allow'
	option target 'ACCEPT'
	list dest_ip '[IP-RDP-Server]'
	option src ''
	option dest ''
part of /etc/config/network
config wireguard_vpn 'wgclient3'
	option public_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx='
	option preshared_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx='
	list allowed_ips '[VPN-IP-Client]/32'
	list allowed_ips '[VPN-IP-Client]::4/128'
On the client side, the VPN interface is in the WAN zone; on the server it is in the LAN zone. I expected that I wouldn't need any firewall rule at all. And above all, it only works if source and destination are set to 'any'. What is wrong there?
Please copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
You normally do not need any firewall rule BUT you have to open up the firewall of the LAN clients (e.g. the computer you want RDP to) for the WG subnet!
Note you redacted your WG subnet from your first post; there is no need to redact private RFC1918 addresses.
If this is a holdover from your previous configuration and you're actually using fw4, remove the wrong (empty) list network '' option from the lan firewall zone. Restarting the firewall service will return an error, the zone and corresponding rules will not be created and the default policies will be used.
Since the default FORWARD policy is REJECT, this would explain the need for an explicit traffic rule.
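A quick check for the two legacy leftovers described above, as an added example that is not from this thread: it scans a UCI-style firewall config for an empty `list network ''` inside a `config zone` section and for a `config include` pointing at /etc/firewall.user. It assumes a POSIX sh with awk; the sample config is constructed to resemble the poster's, not copied from it.

```sh
#!/bin/sh
# Added example (not from the thread): flag fw4-incompatible leftovers in a
# UCI firewall config. Assumes POSIX sh + awk.
#   1. an empty `list network ''` in a `config zone` section makes the
#      firewall restart error out and skip the zone, so default policies apply
#   2. a `config include` with `option path '/etc/firewall.user'` is a
#      pre-fw4 leftover; fw4 does not use that file

# check_fw_config FILE: prints one line per finding, nothing when clean.
check_fw_config() {
    awk -v q="'" '
        /^config[ \t]/ {                          # start of a UCI section
            type = $2; name = $3; gsub(q, "", name)
        }
        type == "zone" && /^[ \t]*list[ \t]+network[ \t]/ {
            val = $0
            sub(/^[ \t]*list[ \t]+network[ \t]*/, "", val)
            gsub(q, "", val); gsub(/[ \t]+$/, "", val)
            if (val == "")
                print "zone " name ": empty list network entry (fw4 errors and skips the zone)"
        }
        type == "include" && /^[ \t]*option[ \t]+path[ \t]/ && /\/etc\/firewall\.user/ {
            label = (name == "" ? "include" : "include " name)
            print label ": legacy /etc/firewall.user include (not used by fw4)"
        }
    ' "$1"
}

# count_findings FILE: number of finding lines, handy for scripting.
count_findings() {
    check_fw_config "$1" | wc -l | tr -d ' '
}

# Constructed sample modelled on the poster's zones; not their real file.
SAMPLE_FW=$(mktemp)
cat > "$SAMPLE_FW" <<'EOF'
config zone 'lan'
	option name 'lan'
	list network 'lan'
	list network ''
	list network 'vpn'

config zone 'wan'
	option name 'wan'
	list network 'wan'

config include
	option path '/etc/firewall.user'
EOF

check_fw_config "$SAMPLE_FW"    # two findings for the sample above
```

Run it against a copy of /etc/config/firewall; an empty result means neither leftover is present.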
Since vpn and lan are both in the lan firewall zone, traffic is allowed between them. Fix the mistakes noted by @pavelgl and also remove the RDP allow rule.
Rule LAN-Reject is not needed.
Also rule LAN-to-WAN-reject is not necessary, if you remove the lan->wan forwarding.
Thank you for the information. I think that is the problem. I have no idea what option path '/etc/firewall.user' should be. There is no file '/etc/firewall.user'. Even fw4 doesn't tell me anything. It was probably not a good idea to use the configuration file /etc/config/firewall from an older OpenWrt version.
How do I get rid of this stuff? I commented out the two lines in the /etc/config/firewall file. Then I did the following:
What for? You have only lan and wan zones. Wan is masqueraded, which means that hosts in 192.168.20.0/24 don't know where 192.168.40.0/24 is. If you only want to access the RDP server from the wireguard, then you don't need the rule.
I think so too, but I can't access RDP without the "RDP allow" rule, but I can with the rule. Something must still be wrong.
Is the procedure I described above (commenting out) correct?
First I commented them out. After
uci commit firewall
/etc/init.d/firewall restart
uci commit network
/etc/init.d/network restart
reboot
the lines were automatically removed.