I set up a wireguard tunnel to manage my parents' router remotely. On this router I put openwrt and I created a wireguard server. The purpose of the wireguard tunnel is just to have access to the router remotely but I don't need to have access to the LAN. The network I use for wireguard is 192.168.100.0/24. During my tests I realized that by adding another router network (for example the lan one: 192.168.0.0/24) to the allowed ips of the client's peer (the peer which is the server), the client was sending packets through the tunnel but the problem is that openwrt is responding.
Normally I just want my client (192.168.100.2) to be able to communicate only with the router (192.168.100.1). However here as I explained to you, by modifying the allowed ips on the client side it is possible for the client to ping 192.168.0.1 which is also the router but in another zone/network, is this normal?
By default openwrt is supposed to drop packets that change zone, right?
Here is my firewall configuration below and wireguard is exposed on the wan via a traffic rule.
This is expected as it is covered by the “input” rule. The addresses on the router in each network are the equivalent of a nickname for the router. The remote peer should not be able to connect to anything else on the network unless you allow forwarding to the zone/network. But the router itself will be reachable via all of the addresses that it holds, based on the input rule. (Theoretically you could make additional rules to block this behavior, but it doesn’t achieve any practical purpose if the router is supposed to be reachable on at least one of its network addresses anyway).
Please confirm that you cannot reach any other hosts on the 192.168.0.0/24 network.
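For reference, here is an added example (not the poster's actual configuration and not part of the replies above) of what /etc/config/firewall could look like if you did want the tunnel peer to reach the router only on its tunnel address: the zone default for input is REJECT and a single rule accepts traffic to 192.168.100.1, while no forwarding section exists from the tunnel zone to lan. The zone name 'wg', the interface name 'wg0', the 'wan' zone name and the listen port 51820 are assumptions.

```text
# /etc/config/firewall (relevant sections only; names and port are assumed)

# Zone for the WireGuard interface. Input is rejected by default, so the
# router's other addresses (e.g. 192.168.0.1 on lan) no longer answer
# from the tunnel; forward is rejected, so LAN hosts stay unreachable.
config zone
	option name 'wg'
	list network 'wg0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Input rule (src set, no dest): only the tunnel-side address of the
# router accepts packets from the wg zone. proto 'all' keeps ping working.
config rule
	option name 'Allow-WG-to-router-tunnel-addr'
	option src 'wg'
	option dest_ip '192.168.100.1'
	option proto 'all'
	option target 'ACCEPT'

# The traffic rule that exposes the WireGuard listener on the wan side.
# 51820 is the assumed listen port; replace it with the one actually used.
config rule
	option name 'Allow-WireGuard-on-WAN'
	option src 'wan'
	option proto 'udp'
	option dest_port '51820'
	option target 'ACCEPT'

# Deliberately no "config forwarding" with src 'wg' and dest 'lan':
# without it, packets from 192.168.100.2 to any LAN host are rejected.
```

After editing, run `/etc/init.d/firewall restart` (or `fw4 reload`) and verify from the client that 192.168.100.1 still answers while 192.168.0.1 no longer does.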
Hello, thank you for your clarification. Indeed, I don't have access to other things inside the other networks/zones except for the router address of each network.
And do you know why it behaves like that? Indeed it's not a security issue since I have access to the router via 192.168.100.1, but I was wondering why it works on the other router ips since it's not needed and I didn't create any forward rules.
Yes... the input rule defines the action that is taken when packets are destined for the router itself. In the case of the multiple IPs that the router holds, when the firewall evaluates the destination of the packets, it says "oh, that's me" -- just like you would if someone called you by your given name, and then another person called you by your nickname.