Firewall settings for blocking lan with Wireguard (with LUCI)

Hello,
I installed WireGuard on my OpenWrt router and it works fine (I can access my network from the outside).
But I would like my devices connected through WireGuard to only have access to the internet, and not to the devices connected to my LAN (e.g. my NAS).
I tried different firewall settings but couldn't find the right ones; it's either blocking everything or allowing everything.
Does anyone have an idea of how to achieve this?
Stéphane

  • Add the WG interface to its own firewall zone
  • Configure the new Zone to only permit Forwarding to WAN

Hello,
Thank you, I tried that but nothing works, neither local nor internet access.
Here are my firewall settings; I think I set them up according to your advice.


My networking knowledge is very limited.

From the LAN zone remove WireGuard as destination

WireGuard zone enable OUTPUT and enable INPUT

Reboot and test again.

If it does not work, then please connect to your OpenWrt device using ssh, copy the output of the following commands and post it here using the "Preformatted text </>" button:

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
ip route show
wg show

I tried, but it did not work; I'm still blocked.
Here are the configurations:

root@OpenWrt:~# ubus call system board
{
	"kernel": "5.10.138",
	"hostname": "OpenWrt",
	"system": "Qualcomm Atheros QCA9558 ver 1 rev 0",
	"model": "TP-Link Archer C7 v2",
	"board_name": "tplink,archer-c7-v2",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.0",
		"revision": "r19685-512e76967f",
		"target": "ath79/generic",
		"description": "OpenWrt 22.03.0 r19685-512e76967f"
	}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'zzzz:zzzz:zzzz::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'
	option ipv6 '0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ip6assign '60'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 6t'

config wireguard_vpn 'wgclient'
	option public_key 'key1'
	option preshared_key 'key2'
	list allowed_ips '192.168.9.2/32'
	list allowed_ips 'zzz:zzzz:zzzz:zzzz:zzzz:zzzz/128'

config interface 'WifiGuest'
	option proto 'static'
	option type 'bridge'
	option netmask '255.255.255.0'
	option device 'wlan0-1'
	option ipaddr '192.168.20.1'
	list dns '1.1.1.1'
	list dns '9.9.9.9'

config interface 'WireguardVPN'
	option proto 'wireguard'
	option private_key 'key3'
	option listen_port '51820'
	list dns '1.1.1.1'
	list dns '9.9.9.9'
	list addresses '192.168.30.1/24'

config wireguard_WireguardVPN
	option description 'Smartphone'
	option public_key 'key4'
	option private_key 'key5'
	list allowed_ips '192.168.30.2'
	option persistent_keepalive '25'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone 'lan'
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone 'wan'
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding 'lan_wan'
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'zzzz::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Allow-Wireguard'
	list proto 'udp'
	option src 'wan'
	option dest 'Wireguard'
	option dest_port '51820'
	option target 'ACCEPT'

config zone
	option name 'GuestWifi'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	list network 'WifiGuest'

config forwarding
	option src 'GuestWifi'
	option dest 'wan'

config rule
	option name 'GuestWifi-DHCP'
	list proto 'udp'
	option src 'GuestWifi'
	option target 'ACCEPT'
	option dest_port '67-68'

config rule
	option name 'GuestWifi-DNS'
	option src 'GuestWifi'
	option dest_port '53'
	option target 'ACCEPT'

config zone
	option name 'Wireguard'
	option forward 'ACCEPT'
	list network 'WireguardVPN'
	option input 'ACCEPT'
	option output 'ACCEPT'

config forwarding
	option src 'Wireguard'
	option dest 'wan'

root@OpenWrt:~# ip route show
default via 192.168.1.254 dev eth0.2  src 192.168.1.210 
192.168.1.0/24 dev eth0.2 scope link  src 192.168.1.210 
192.168.10.0/24 dev br-lan scope link  src 192.168.10.1 
192.168.30.0/24 dev WireguardVPN scope link  src 192.168.30.1 
root@OpenWrt:~# wg show
interface: WireguardVPN
  public key: key6
  private key: (hidden)
  listening port: 51820

peer: peer1
  allowed ips: 192.168.30.2/32
  persistent keepalive: every 25 seconds

Upgrade to 23.05.4
EDIT: sysupgrade will preserve your settings


I don't see a handshake. The Allow-Wireguard rule is incorrect: it should be an input rule with no Dest (traffic to UDP 51820 is addressed to the router itself, not forwarded into the WireGuard zone).

Can you verify that you're testing Wireguard from WAN?

Is this an old config?

Upgrading looks like a good idea.

The following looks like a remnant from earlier attempts?
Better remove it:

To make it more readable, add a netmask to the AllowedIPs, i.e. use `list allowed_ips '192.168.30.2/32'`.

Option persistent_keepalive can be removed; that should be set on the "client" side.

However, the above are not show stoppers.

This router is not directly connected to the internet but to another router.
Can you connect your phone to this upstream network (192.168.1.X) and then test whether you can connect from that upstream network to your WG server on this router?


Hi,
I made a full install of my router with the latest OpenWrt release.
Unfortunately, it's still not working.
I tried to adjust my settings according to the previous comments, but it did not help.

root@OpenWrt:~# ubus call system board
{
	"kernel": "5.15.162",
	"hostname": "OpenWrt",
	"system": "Qualcomm Atheros QCA9558 ver 1 rev 0",
	"model": "TP-Link Archer C7 v2",
	"board_name": "tplink,archer-c7-v2",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.4",
		"revision": "r24012-d8dd03c46f",
		"target": "ath79/generic",
		"description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
	}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'zzzz:zzzz:zzzz::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 6t'

config interface 'WifiGuest'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'
	list dns '1.1.1.1'
	list dns '9.9.9.9'
	option device 'phy0-ap1'

config interface 'Wireguard'
	option proto 'wireguard'
	option private_key 'key1'
	option listen_port '51820'
	list addresses '192.168.30.1/24'
	list dns '1.1.1.1'
	list dns '9.9.9.9'

config wireguard_Wireguard
	option description 'Smartphone'
	option public_key 'key2'
	option private_key 'key3'
	option persistent_keepalive '25'
	list allowed_ips '192.168.30.2'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'WifiGuest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'WifiGuest'

config forwarding
	option src 'WifiGuest'
	option dest 'wan'

config rule
	option name 'GuestWifi-DHCP'
	list proto 'udp'
	option src 'WifiGuest'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'GuestWifi-DNS'
	option src 'WifiGuest'
	option dest_port '53'
	option target 'ACCEPT'

config zone
	option name 'Wireguard'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'Wireguard'

config forwarding
	option src 'Wireguard'
	option dest 'wan'

config rule
	option name 'Allow-WireGuard'
	list proto 'udp'
	option src 'wan'
	option target 'ACCEPT'
	option src_port '51820'

root@OpenWrt:~# ip route show
default via 192.168.1.254 dev eth0.2  src 192.168.1.210 
192.168.1.0/24 dev eth0.2 scope link  src 192.168.1.210 
192.168.10.0/24 dev br-lan scope link  src 192.168.10.1 
192.168.20.0/24 dev phy0-ap1 scope link  src 192.168.20.1 
192.168.30.0/24 dev Wireguard scope link  src 192.168.30.1 
root@OpenWrt:~# wg show
interface: Wireguard
  public key: key4
  private key: (hidden)
  listening port: 51820

peer: key2
  allowed ips: 192.168.30.2/32
  persistent keepalive: every 25 seconds

It needs to be `option dest_port '51820'`. As written, `src_port '51820'` matches inbound packets by their *source* port, so it does not open the WireGuard listen port and instead admits unrelated WAN traffic that happens to originate from port 51820.

Otherwise it looks good.

Remember my second remark: this router looks like it sits behind another router.
That upstream router also needs to port-forward UDP 51820 to this router and must have a publicly reachable IPv4 address; otherwise you cannot connect from outside.

To test with e.g. your phone, connect it to the upstream network and use this router's WAN address (192.168.0.X) as the endpoint in your phone's WG config.

Hi,
I added 51820 as the destination port, but still nothing.
You're right, my router is behind an ISP box which is set up to forward port 51820 to this router.

Did you remove 51820 as SRC also?

It wasn't removed, and since I removed it, it's working. Thank you.

One last question: is there a way to block access to the LuCI web interface from WireGuard? All the other devices are unreachable except this one.

  • Make a rule blocking inbound DST 80/tcp from the WG Zone; or
  • Edit this:

This will block [all] inbound traffic to the router from the WG zone, which includes any service on the router itself (not only LuCI) that the WG clients might rely on.

Blocking all is too strong, and the first one still allows access to LuCI.
But anyway, I have what I wanted: blocking access to the other machines on my network.
Thank you all for your replies.