Limit access to LAN IP range over wireguard

Hello,

During the Covid lockdown I want to give a friend access to my LAN to play LAN games.
However, I want to restrict the remote access to certain IP addresses in my LAN.

I am already using a GL-AR750s with a wireguard server to access it with my laptop and mobile from work / while traveling.
Getting access to my LAN works smoothly.

However, I am not able to restrict the access.

If I understood everything right, I have to adapt the allowed IPs in etc/config/wireguard_server.

I tried:

```
config peers 'wg_peer_3447'
    option name 'Guest1'
    option client_key 'XX'
    option private_key 'YY'
    option client_ip '10.0.0.8/32'
    option allowed_ips '192.168.0.120/24'
```

The effect of the last line is that I can't access any LAN IP address, not even for example 192.168.0.18X. However, I can access the WAN / internet.

What shall I do?

Any help welcomed,

regards,

Mario


Add firewall rules to allow or deny traffic forwarding depending on the source and destination IPs.
E.g. allow traffic from 10.0.0.8 only to 192.168.0.1 and deny anything else from that source IP.

I do the same thing but with my Raspberry: I block access to the local network and allow only one IP address.

```
PostUp = iptables -I FORWARD -i wg0 -d 192.168.1.0/24 -j REJECT
PostUp = iptables -I FORWARD -i wg0 -d 192.168.1.120 -j ACCEPT
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
```

This is not the correct way to describe a host: use 192.168.0.120/32, or 192.168.0.0/24 if you want to specify the whole LAN.

@trendy

I want to allow access only to IPs 192.168.0.120 - 192.168.0.255 because 192.168.0.100-119 is used by NAS / Raspberry etc. to which I do not want to grant access.

As 192.168.0.1 is my WAN router, I would have to restrict access to that IP, right?
How and where do I set up the rule for 10.0.0.8 then?

I am not so familiar with iptables ...

Regards and thanx to all for their help,

Mario

```
uci -q delete firewall.wg_allow
uci set firewall.wg_allow="rule"
uci set firewall.wg_allow.name="wg_allow"
uci set firewall.wg_allow.src="lan"
uci set firewall.wg_allow.src_ip="10.0.0.8/32"
uci set firewall.wg_allow.dest="lan"
uci add_list firewall.wg_allow.dest_ip="192.168.0.120/29"
uci add_list firewall.wg_allow.dest_ip="192.168.0.128/25"
uci set firewall.wg_allow.proto="all"
uci set firewall.wg_allow.target="ACCEPT"
uci -q delete firewall.wg_deny
uci set firewall.wg_deny="rule"
uci set firewall.wg_deny.name="wg_deny"
uci set firewall.wg_deny.src="lan"
uci set firewall.wg_deny.src_ip="10.0.0.8/32"
uci set firewall.wg_deny.dest="lan"
uci set firewall.wg_deny.proto="all"
uci set firewall.wg_deny.target="REJECT"
uci commit firewall
/etc/init.d/firewall restart
```

OK, I gave it a try:

```
#!/bin/sh
uci -q delete firewall.wg_allow
uci set firewall.wg_allow="rule"
uci set firewall.wg_allow.name="wg_allow"
uci set firewall.wg_allow.src="lan"
uci set firewall.wg_allow.src_ip="10.0.0.5/32"
uci add_list firewall.wg_allow.src_ip="10.0.0.6/32"
uci add_list firewall.wg_allow.src_ip="10.0.0.7/32"
uci add_list firewall.wg_allow.src_ip="10.0.0.8/32"
uci set firewall.wg_allow.dest="lan"
uci add_list firewall.wg_allow.dest_ip="192.168.0.120/29"
uci add_list firewall.wg_allow.dest_ip="192.168.0.128/26"
uci add_list firewall.wg_allow.dest_ip="192.168.0.192/29"
uci set firewall.wg_allow.proto="all"
uci set firewall.wg_allow.target="ACCEPT"
uci -q delete firewall.wg_deny
uci set firewall.wg_deny="rule"
uci set firewall.wg_deny.name="wg_deny"
uci set firewall.wg_deny.src="lan"
uci set firewall.wg_deny.src_ip="10.0.0.5/32"
uci add_list firewall.wg_deny.src_ip="10.0.0.6/32"
uci add_list firewall.wg_deny.src_ip="10.0.0.7/32"
uci add_list firewall.wg_deny.src_ip="10.0.0.8/32"
uci set firewall.wg_deny.dest="lan"
uci set firewall.wg_deny.proto="all"
uci set firewall.wg_deny.target="REJECT"
uci commit firewall
/etc/init.d/firewall restart
```

And got the following error messages:

```
Warning: Section @zone[1] (wan) cannot resolve device of network 'wan6'
Warning: Option 'sambashare'.dest_proto is unknown
Warning: Section 'sambashare' does not specify a protocol, assuming TCP+UDP
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv6 filter table
 * Flushing IPv6 mangle table
 * Flushing conntrack table ...
 * Populating IPv4 filter table
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule 'guestzone_DHCP'
   * Rule 'guestzone_DNS'
   * Rule 'glservice_https'
   * Rule 'glssh'
   * Rule #13
   * Rule 'Allow-Wireguard'
   * Rule 'wg_allow'
   * Rule 'wg_deny'
   * Forward 'lan' -> 'wan'
   * Forward 'guestzone' -> 'wan'
   * Forward 'wireguard' -> 'wan'
   * Forward 'wireguard' -> 'lan'
   * Forward 'lan' -> 'wireguard'
   * Forward 'guestzone' -> 'wireguard'
   * Forward 'wireguard' -> 'guestzone'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guestzone'
   * Zone 'wireguard'
 * Populating IPv4 nat table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guestzone'
   * Zone 'wireguard'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guestzone'
   * Zone 'wireguard'
 * Populating IPv6 filter table
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule 'guestzone_DHCP'
   * Rule 'guestzone_DNS'
   * Rule 'glservice_https'
   * Rule 'glssh'
   * Rule #13
   * Rule 'wg_allow'
     ! Skipping due to different family of ip address
     ! Skipping due to different family of ip address
     ! Skipping due to different family of ip address
     ! Skipping due to different family of ip address
   * Rule 'wg_deny'
     ! Skipping due to different family of ip address
     ! Skipping due to different family of ip address
     ! Skipping due to different family of ip address
     ! Skipping due to different family of ip address
   * Forward 'lan' -> 'wan'
   * Forward 'guestzone' -> 'wan'
   * Forward 'wireguard' -> 'wan'
   * Forward 'wireguard' -> 'lan'
   * Forward 'lan' -> 'wireguard'
   * Forward 'guestzone' -> 'wireguard'
   * Forward 'wireguard' -> 'guestzone'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guestzone'
   * Zone 'wireguard'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guestzone'
   * Zone 'wireguard'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'
uci: Entry not found
uci: Entry not found
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
ipset v6.34: The set with the given name does not exist
iptables v1.6.2: can't initialize iptables table `raw': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.6.2: can't initialize iptables table `raw': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
   ! Failed with exit code 3
 * Running script '/var/etc/gls2s.include'
   ! Skipping due to path error: No such file or directory
 * Running script '/usr/bin/glfw.sh'
 * Running script '/usr/sbin/glqos.sh'
 * Running script '/var/etc/mwan3.include'
```

OK, I am lost. What do I have to change? Are different rules in conflict?

Regards,

Mario

Please use the "Preformatted text </>" button for logs, scripts, configs and general console output.
Please edit your post accordingly. Thank you! :slight_smile:

You can explicitly specify the protocol family to minimize warnings:

```
uci set firewall.wg_allow.family="ipv4"
uci set firewall.wg_deny.family="ipv4"
uci commit firewall
/etc/init.d/firewall restart
```

But the remaining messages are unrelated to the added rules.

However, it looks like you are using a separate firewall zone for the WG interface.
Make sure it matches the source zone in the added rules.

Is it OK that way?


I use a GL.iNet GL-AR750S that comes with a preconfigured wireguard server.
So how do I find out the firewall zone?

Regards,

Mario

According to your firewall output:

```
uci set firewall.wg_allow.src="wireguard"
uci set firewall.wg_deny.src="wireguard"
uci commit firewall
/etc/init.d/firewall restart
```

You can verify this by adding one of your trusted clients to the list of denied source IPs.


Thanx a lot - that was the solution. As my OpenWrt router is behind my primary router (a native FritzBox), I just had to adapt the destination to "wan" instead of "lan":

```
#!/bin/sh
uci -q delete firewall.wg_allow
uci set firewall.wg_allow="rule"
uci set firewall.wg_allow.name="wg_allow"
uci set firewall.wg_allow.src="wireguard"
uci set firewall.wg_allow.family="ipv4"
# set a range of IPs
uci set firewall.wg_allow.src_ip="10.0.0.16/28"
# because the router is behind the primary router, use wan not lan
uci set firewall.wg_allow.dest="wan"
# allowed range 192.168.0.110-192.168.0.179
uci add_list firewall.wg_allow.dest_ip="192.168.0.110/31"
uci add_list firewall.wg_allow.dest_ip="192.168.0.112/28"
uci add_list firewall.wg_allow.dest_ip="192.168.0.128/27"
uci add_list firewall.wg_allow.dest_ip="192.168.0.160/28"
uci add_list firewall.wg_allow.dest_ip="192.168.0.176/30"
# optional for full access
#uci add_list firewall.wg_allow.dest_ip="192.168.0.0/24"
uci set firewall.wg_allow.proto="all"
uci set firewall.wg_allow.target="ACCEPT"
uci -q delete firewall.wg_deny
uci set firewall.wg_deny="rule"
uci set firewall.wg_deny.name="wg_deny"
uci set firewall.wg_deny.src="wireguard"
uci set firewall.wg_deny.family="ipv4"
uci set firewall.wg_deny.src_ip="10.0.0.16/28"
uci set firewall.wg_deny.dest="wan"
uci set firewall.wg_deny.proto="all"
uci set firewall.wg_deny.target="REJECT"
uci commit firewall
/etc/init.d/firewall restart
```

Thanx to all for the very (incredible) fast support!

Regards,

Mario
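As an added worked example (not code from any post in this thread, nor from OpenWrt or GL.iNet): a small Python helper, run on a workstation rather than on the router, that computes the minimal CIDR list for an address range (the decomposition done by hand in the `dest_ip` lists above, for example 192.168.0.110-179), emits the matching `uci` commands, and simulates first-match evaluation so the allow-before-deny ordering can be checked before touching the router. It also models `iptables -I` prepending, which is why the Raspberry reply's two `-I` lines end up with ACCEPT ahead of REJECT. The addresses are the thread's own; the `ZONE-DEFAULT` result is an assumption that forwarding from the wireguard zone is otherwise permitted, as the firewall output above shows.

```python
import ipaddress


def range_to_cidrs(first, last):
    """Minimal CIDR list covering first..last inclusive (what the dest_ip lists do by hand)."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


def uci_rules(prefix, src_zone, dest_zone, src_ip, dest_cidrs):
    """uci commands for an ACCEPT rule limited to dest_cidrs, followed by a REJECT catch-all
    for the same source. The allow rule must come first: fw3 walks rules in config order."""
    allow, deny = f"firewall.{prefix}_allow", f"firewall.{prefix}_deny"
    lines = [f"uci -q delete {allow}", f'uci set {allow}="rule"',
             f'uci set {allow}.name="{prefix}_allow"', f'uci set {allow}.src="{src_zone}"',
             f'uci set {allow}.family="ipv4"', f'uci set {allow}.src_ip="{src_ip}"',
             f'uci set {allow}.dest="{dest_zone}"']
    lines += [f'uci add_list {allow}.dest_ip="{c}"' for c in dest_cidrs]
    lines += [f'uci set {allow}.proto="all"', f'uci set {allow}.target="ACCEPT"',
              f"uci -q delete {deny}", f'uci set {deny}="rule"',
              f'uci set {deny}.name="{prefix}_deny"', f'uci set {deny}.src="{src_zone}"',
              f'uci set {deny}.family="ipv4"', f'uci set {deny}.src_ip="{src_ip}"',
              f'uci set {deny}.dest="{dest_zone}"', f'uci set {deny}.proto="all"',
              f'uci set {deny}.target="REJECT"',
              "uci commit firewall", "/etc/init.d/firewall restart"]
    return lines


def first_match(rules, src, dst, default="ZONE-DEFAULT"):
    """First-match evaluation of an ordered rule list. A rule is (src_nets, dst_nets, target);
    an empty dst_nets matches any destination, like a rule without dest_ip.
    default models the zone forwarding that applies when no rule matches (assumed ACCEPT here)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_nets, dst_nets, target in rules:
        src_ok = any(s in ipaddress.ip_network(n) for n in src_nets)
        dst_ok = not dst_nets or any(d in ipaddress.ip_network(n) for n in dst_nets)
        if src_ok and dst_ok:
            return target
    return default


def iptables_chain(commands):
    """Chain order produced by a list of ('-I' | '-A', rule) commands: -I prepends, -A appends,
    so of two successive -I commands the second one ends up being evaluated first."""
    chain = []
    for flag, rule in commands:
        if flag == "-I":
            chain.insert(0, rule)
        else:
            chain.append(rule)
    return chain


def thread_rules():
    """The final uci rule pair from this thread as an ordered list for first_match()."""
    allowed = range_to_cidrs("192.168.0.110", "192.168.0.179")
    return [(["10.0.0.16/28"], allowed, "ACCEPT"),
            (["10.0.0.16/28"], [], "REJECT")]


def raspberry_chain():
    """The two PostUp 'iptables -I' lines from the Raspberry reply, in the order they run."""
    return iptables_chain([("-I", (["0.0.0.0/0"], ["192.168.1.0/24"], "REJECT")),
                           ("-I", (["0.0.0.0/0"], ["192.168.1.120/32"], "ACCEPT"))])


if __name__ == "__main__":
    print("\n".join(uci_rules("wg", "wireguard", "wan", "10.0.0.16/28",
                              range_to_cidrs("192.168.0.110", "192.168.0.179"))))
    for dst in ("192.168.0.150", "192.168.0.100", "192.168.0.180"):
        print(dst, first_match(thread_rules(), "10.0.0.20", dst))
```

Running it prints the same `dest_ip` list as the final script above and shows that a peer at 10.0.0.20 reaches 192.168.0.150 but is rejected for .100 and .180, while a source outside 10.0.0.16/28 matches neither rule and falls through to the zone default; that fall-through is exactly why the catch-all REJECT rule is needed.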

