Hello,
I installed WireGuard on my OpenWrt router and it works fine (I can access my network from the outside).
But I would like my devices connected through WireGuard to only have access to the internet and not to the devices connected to my LAN (i.e. NAS).
I tried different firewall settings but I couldn't find the right ones; it's either blocking everything or allowing everything.
Does anyone have an idea on how to achieve it?
Stéphane
- Add the WG interface to its own firewall zone
- Configure the new Zone to only permit Forwarding to WAN
Hello,
Thank you, I tried that but nothing works, neither local nor internet.
Here are my firewall settings, I think I set it up according to your advice.
My networking knowledge is very limited.
From the LAN zone remove WireGuard as destination
WireGuard zone enable OUTPUT and enable INPUT
Reboot and test again.
If it does not work then please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
ip route show
wg show
I tried but it did not work, I'm still blocked.
Here are the configurations:
root@OpenWrt:~# ubus call system board
{
"kernel": "5.10.138",
"hostname": "OpenWrt",
"system": "Qualcomm Atheros QCA9558 ver 1 rev 0",
"model": "TP-Link Archer C7 v2",
"board_name": "tplink,archer-c7-v2",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "22.03.0",
"revision": "r19685-512e76967f",
"target": "ath79/generic",
"description": "OpenWrt 22.03.0 r19685-512e76967f"
}
}
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'zzzz:zzzz:zzzz::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1.1'
option ipv6 '0'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ip6assign '60'
option ipaddr '192.168.10.1'
option netmask '255.255.255.0'
config interface 'wan'
option device 'eth0.2'
option proto 'dhcp'
config interface 'wan6'
option device 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '2 3 4 5 0t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 6t'
config wireguard_vpn 'wgclient'
option public_key 'key1'
option preshared_key 'key2'
list allowed_ips '192.168.9.2/32'
list allowed_ips 'zzz:zzzz:zzzz:zzzz:zzzz:zzzz/128'
config interface 'WifiGuest'
option proto 'static'
option type 'bridge'
option netmask '255.255.255.0'
option device 'wlan0-1'
option ipaddr '192.168.20.1'
list dns '1.1.1.1'
list dns '9.9.9.9'
config interface 'WireguardVPN'
option proto 'wireguard'
option private_key 'key3'
option listen_port '51820'
list dns '1.1.1.1'
list dns '9.9.9.9'
list addresses '192.168.30.1/24'
config wireguard_WireguardVPN
option description 'Smartphone'
option public_key 'key4'
option private_key 'key5'
list allowed_ips '192.168.30.2'
option persistent_keepalive '25'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone 'wan'
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding 'lan_wan'
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'zzzz::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Allow-Wireguard'
list proto 'udp'
option src 'wan'
option dest 'Wireguard'
option dest_port '51820'
option target 'ACCEPT'
config zone
option name 'GuestWifi'
option output 'ACCEPT'
option forward 'REJECT'
option input 'REJECT'
list network 'WifiGuest'
config forwarding
option src 'GuestWifi'
option dest 'wan'
config rule
option name 'GuestWifi-DHCP'
list proto 'udp'
option src 'GuestWifi'
option target 'ACCEPT'
option dest_port '67-68'
config rule
option name 'GuestWifi-DNS'
option src 'GuestWifi'
option dest_port '53'
option target 'ACCEPT'
config zone
option name 'Wireguard'
option forward 'ACCEPT'
list network 'WireguardVPN'
option input 'ACCEPT'
option output 'ACCEPT'
config forwarding
option src 'Wireguard'
option dest 'wan'
root@OpenWrt:~# ip route show
default via 192.168.1.254 dev eth0.2 src 192.168.1.210
192.168.1.0/24 dev eth0.2 scope link src 192.168.1.210
192.168.10.0/24 dev br-lan scope link src 192.168.10.1
192.168.30.0/24 dev WireguardVPN scope link src 192.168.30.1
root@OpenWrt:~# wg show
interface: WireguardVPN
public key: key6
private key: (hidden)
listening port: 51820
peer: peer1
allowed ips: 192.168.30.2/32
persistent keepalive: every 25 seconds
Upgrade to 23.05.4
EDIT: sysupgrade will preserve your settings
I don't see a handshake. This rule is incorrect. It should be an Input rule with no Dest.
Can you verify that you're testing Wireguard from WAN?
Is this an old config?
Upgrading looks like a good idea.
The following looks like a remnant from earlier attempts?
Better remove it:
To make it more readable add a netmask to the AllowedIPs, so use list allowed_ips '192.168.30.2/32'
Option persistent_keepalive can be removed; that should be set on the "client" side.
However the above are not show stoppers.
This router is not directly connected to the internet but to another router.
Can you connect with your phone to this upstream network (192.168.1.X) and then test if you can connect from that upstream network to your WG server on this router?
Hi,
I made a full install of my router with the latest OpenWrt release.
Unfortunately it's still not working.
I tried to adjust my settings according to the previous comments but it did not pay off.
root@OpenWrt:~# ubus call system board
{
"kernel": "5.15.162",
"hostname": "OpenWrt",
"system": "Qualcomm Atheros QCA9558 ver 1 rev 0",
"model": "TP-Link Archer C7 v2",
"board_name": "tplink,archer-c7-v2",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.4",
"revision": "r24012-d8dd03c46f",
"target": "ath79/generic",
"description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
}
}
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'zzzz:zzzz:zzzz::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1.1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.10.1'
option netmask '255.255.255.0'
config interface 'wan'
option device 'eth0.2'
option proto 'dhcp'
config interface 'wan6'
option device 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '2 3 4 5 0t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '1 6t'
config interface 'WifiGuest'
option proto 'static'
option ipaddr '192.168.20.1'
option netmask '255.255.255.0'
list dns '1.1.1.1'
list dns '9.9.9.9'
option device 'phy0-ap1'
config interface 'Wireguard'
option proto 'wireguard'
option private_key 'key1'
option listen_port '51820'
list addresses '192.168.30.1/24'
list dns '1.1.1.1'
list dns '9.9.9.9'
config wireguard_Wireguard
option description 'Smartphone'
option public_key 'key2'
option private_key 'key3'
option persistent_keepalive '25'
list allowed_ips '192.168.30.2'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'WifiGuest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'WifiGuest'
config forwarding
option src 'WifiGuest'
option dest 'wan'
config rule
option name 'GuestWifi-DHCP'
list proto 'udp'
option src 'WifiGuest'
option dest_port '67-68'
option target 'ACCEPT'
config rule
option name 'GuestWifi-DNS'
option src 'WifiGuest'
option dest_port '53'
option target 'ACCEPT'
config zone
option name 'Wireguard'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'Wireguard'
config forwarding
option src 'Wireguard'
option dest 'wan'
config rule
option name 'Allow-WireGuard'
list proto 'udp'
option src 'wan'
option target 'ACCEPT'
option src_port '51820'
root@OpenWrt:~# ip route show
default via 192.168.1.254 dev eth0.2 src 192.168.1.210
192.168.1.0/24 dev eth0.2 scope link src 192.168.1.210
192.168.10.0/24 dev br-lan scope link src 192.168.10.1
192.168.20.0/24 dev phy0-ap1 scope link src 192.168.20.1
192.168.30.0/24 dev Wireguard scope link src 192.168.30.1
root@OpenWrt:~# wg show
interface: Wireguard
public key: key4
private key: (hidden)
listening port: 51820
peer: key2
allowed ips: 192.168.30.2/32
persistent keepalive: every 25 seconds
It needs to be option dest_port '51820'
Otherwise it looks good.
Remember my second remark, this router looks like it sits behind another router.
This upstream router also needs to port forward and have a publicly available IPv4 address otherwise you cannot connect from outside.
To test with e.g. your phone, connect to the upstream network and use this router's WAN address (192.168.0.X) as endpoint in your phone's WG config.
Hi,
I added 51820 as destination port but still nothing.
You're right, my router is behind a box which is set up to forward port 51820 to my box.
Did you remove 51820 as SRC also?
It wasn't removed, and since I removed it, it's working. Thank you.
One last question: is there a way to block access to the LuCI web interface from WireGuard? All the other devices are not available except this one.
- Make a rule blocking inbound DST 80/tcp from the WG Zone; or
- Edit this:
This will block [all] inbound traffic to the router from the WG zone.
Blocking all is too strong and the first one still allows access to LuCI.
But anyway I have what I wanted blocking the access to other machines on my network.
Thank you all for your replies
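As an added example (not posted in this thread), the following is the UCI batch that builds the zone layout the replies above describe: a WireGuard zone that can only forward to wan, an input rule on wan for the UDP 51820 handshake (dest_port, no dest), and, for the last question, zone input set to REJECT with only DNS allowed so peers cannot reach LuCI on any router address but can still use the router as resolver. It assumes the interface is named 'Wireguard' and listens on 51820 as in the poster's config; the section names wg_zone, wg_fwd, wg_in and wg_dns are my own.

```shell
# Prints the uci batch for the Wireguard zone. Section names are assumed,
# the interface name and port come from the thread's config.
wg_zone_batch() {
  cat <<'EOF'
set firewall.wg_zone=zone
set firewall.wg_zone.name='Wireguard'
add_list firewall.wg_zone.network='Wireguard'
set firewall.wg_zone.input='REJECT'
set firewall.wg_zone.output='ACCEPT'
set firewall.wg_zone.forward='REJECT'
set firewall.wg_fwd=forwarding
set firewall.wg_fwd.src='Wireguard'
set firewall.wg_fwd.dest='wan'
set firewall.wg_in=rule
set firewall.wg_in.name='Allow-WireGuard'
set firewall.wg_in.src='wan'
set firewall.wg_in.proto='udp'
set firewall.wg_in.dest_port='51820'
set firewall.wg_in.target='ACCEPT'
set firewall.wg_dns=rule
set firewall.wg_dns.name='Allow-Wireguard-DNS'
set firewall.wg_dns.src='Wireguard'
add_list firewall.wg_dns.proto='udp'
add_list firewall.wg_dns.proto='tcp'
set firewall.wg_dns.dest_port='53'
set firewall.wg_dns.target='ACCEPT'
EOF
}

# Returns 0 when nothing in the batch forwards or accepts traffic into lan,
# i.e. VPN peers cannot reach the NAS or other LAN hosts.
wg_zone_isolated() {
  ! wg_zone_batch | grep -q "dest='lan'"
}

# Apply only on a real OpenWrt host; elsewhere the batch is just printed.
if command -v uci >/dev/null 2>&1; then
  wg_zone_batch | uci batch && uci commit firewall && /etc/init.d/firewall restart
else
  wg_zone_batch
fi
```

With input REJECT on the zone, LuCI is unreachable from a peer on both 192.168.30.1 and 192.168.10.1, since the input policy is chosen by the zone the packet arrives from, not by the destination address.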