but in the QR this will be translated to an IP; this is not usable for me as I have a dynamic IP and use a DynDNS to update my IP.
2. I only want to VPN my DNS, not all my traffic, but I can't find how to configure this.
3. I would like to restrict access to my internal network to only some devices. Now all are exposed.
Is this possible in the OpenWrt WireGuard implementation?
The endpoint shows as myhost.duckds.org but it is resolved on your client.
But you can always check on your client what is in the client's config.
See my notes on how to set up a WireGuard server:
Your WireGuard clients have a different IP address (e.g. 172.16.1.2) than your LAN subnet, so usually your LAN clients will not allow that unless specifically allowed.
But if you want to be sure, add the WG interface to its own firewall zone and do not make a forward rule from the WG firewall zone to LAN, but make traffic rules to allow the WG clients you want to the LAN IP addresses you want.
Yes, I can modify the endpoint in the iOS WireGuard client.
However, I need to think about this when rescanning the QR.
Using the host directly would be easier.
Either you add the WG interface/network to the LAN zone, or, as you want fine-grained control, you make a separate zone for the WG interface like you are doing, but this zone has to have the same settings as the LAN zone.
Note that a network/interface can only be added to one firewall zone. It looks like you also have the LAN zone added, but I assume there is a separate LAN zone which covers the LAN interface?
Masquerading should not be enabled, just like it is not enabled for the LAN zone.
The client decides what traffic to route where, so if you do not want all traffic of your clients to be routed via your router, then do not use 0.0.0.0/0 but e.g. the IP address of your AGH server; that way the client only routes that specific traffic through the tunnel.
Remove the lan from the covered networks in that screenshot. You can only have a network in a single zone, and lan is already in the lan firewall zone.
Is this the 'server' side of the equation? If so, disable masquerading.
It's easy enough to set up a firewall rule to allow only access to the desired resources. Please describe your goal when you are remotely connected - is it for tunneling all traffic (including internet traffic), too?
EDIT: looks like @egc beat me by a few seconds!! lol
I have to enter them again every time,
but when I do it like this, I can access my DNS server,
but not my server on 192.168.180.13 (which is in zone lan).
If it is your phone/tablet/laptop connecting as the remote peer, the only allowed IP that should exist (in the peer config section on the 'server') is the one that is in the same subnet as the WG main interface.
Moving forward, let's see your configs in text form rather than screenshots. This makes it far easier to read and also much easier to recommend specific changes.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
wg > wan will allow you to reach the internet from your remote peer via your ISP where the 'server' is located... so in other words, tunnel all traffic through home. Applies if you have allowed_ips on your remote peers set to 0.0.0.0/0 and/or if you have other public IPs in that section.
lan > wg will allow you to reach your remote client from your home lan. This is probably not really necessary in your case, but is useful in a site-to-site configuration.
wg > lan allows you to access your lan from your remote peer.
Thanks, I was indeed wondering about lan > wg,
and wg > wan I probably do not need, as I do not want to forward any public addresses,
but now I know what they are for.
/etc/config/firewall:
config zone
	option name 'wgserver'
	# use REJECT if you do not want access to the router
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'wgserver'

# to give WG clients access to your LAN clients
# if you want more fine-grained control remove this and make a traffic rule, see below
config forwarding
	option dest 'lan'
	option src 'wgserver'

config forwarding
	option dest 'wgserver'
	option src 'lan'

# to give your WG client access to the internet via the router
config forwarding
	option src 'wgserver'
	option dest 'wan'

# Extra traffic rule for access to individual LAN clients if there is no general forwarding:
config rule
	option name 'access-from-wg'
	option src 'wgserver'
	list dest_ip '192.168.5.199'
	option target 'ACCEPT'
	list proto 'all'
	option dest '*'
Also this
4. Allow seamless access to LAN clients
Your LAN clients might not accept traffic from your WG clients because traffic comes from another subnet and LAN clients might have their own firewall which blocks non local traffic.
The best way to solve this is to tweak the firewall of local clients to accept traffic from the WG subnet.
For Windows:
How to Add IP Address in Windows Firewall
Step 1) On the Start menu, Click ‘Windows Firewall with Advanced Security’.
Step 2) Click the ‘Advanced settings’ option in the sidebar.
Step 3) On the left side, click the option ‘Inbound Rules’.
Step 4) On the right, under the section ‘Actions’, click on the option ‘New Rule’. Windows Firewall shows you the New Inbound Rule Wizard.
Step 5) A new window will open; select the ‘Custom’ option and click Next.
Step 6) In the left-hand side again, go to the option ‘Scope’.
Step 7) Add the IP address and click on the ‘Ok’ button.
But if that is not feasible, you can masquerade the WireGuard traffic which comes out of the router.
The simplest method is to use option 2b for setting up the firewall and enable Masquerading on the LAN interface.
However, this masquerades all traffic, so it is better to only masquerade WG traffic with the following firewall NAT rule:
Network > Firewall > NAT rules:
/etc/config/firewall:
config nat
	option name 'SNAT-WGserver'
	option src 'lan'
	# the WG subnet, note the .0 at the end
	option src_ip '172.22.22.0/24'
	option target 'MASQUERADE'
	list proto 'all'
	option enabled '1'
With masquerading WG traffic you lose logging and access control, but in a typical SoHo setup, where you trust your users, that is not a big deal.
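As an added check, and my own example rather than code from this thread or from OpenWrt, the script below parses UCI firewall text and flags the pitfalls raised across the replies and in both config snippets above: a network covered by more than one zone, masquerading on the WG zone, the wg > wan forwarding that sends all peer internet traffic out through the router, a general wg > lan forwarding that makes a per-host `dest_ip` traffic rule meaningless as a restriction, and an SNAT `src_ip` that is not the network address (the ".0"). The sample config, the finding codes and the zone name `wgserver` are constructed for the example; a real check runs it over the output of `cat /etc/config/firewall`.

```python
"""Audit an OpenWrt UCI firewall config for the WireGuard pitfalls above.
Added example, not part of the thread or of OpenWrt."""
import ipaddress
import shlex
from collections import defaultdict

# Constructed sample modelled on the snippets in the thread, with the mistakes
# the replies warn about deliberately left in (hypothetical, not a real config).
SAMPLE_FIREWALL = """\
config zone
	option name 'lan'
	list network 'lan'

config zone
	option name 'wgserver'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list network 'wgserver'
	list network 'lan'

config forwarding
	option src 'wgserver'
	option dest 'lan'

config forwarding
	option src 'wgserver'
	option dest 'wan'

config rule
	option name 'access-from-wg'
	option src 'wgserver'
	list dest_ip '192.168.5.199'
	option target 'ACCEPT'

config nat
	option name 'SNAT-WGserver'
	option src 'lan'
	option src_ip '172.22.22.1/24'   # host bits set; should be 172.22.22.0/24
	option target 'MASQUERADE'
"""


def parse_uci(text):
    """Parse UCI text into (section_type, {key: value | [values]}) pairs.
    shlex handles the quoting and drops '#' comments."""
    sections = []
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)
        if not tokens:
            continue
        kind, args = tokens[0], tokens[1:]
        if kind == "config" and args:
            sections.append((args[0], {}))
        elif kind == "option" and len(args) == 2 and sections:
            sections[-1][1][args[0]] = args[1]
        elif kind == "list" and len(args) == 2 and sections:
            sections[-1][1].setdefault(args[0], []).append(args[1])
    return sections


def audit_firewall(text, wg_zone="wgserver"):
    """Return (code, message) findings for the WireGuard zone named wg_zone."""
    sections = parse_uci(text)
    zones = [s for t, s in sections if t == "zone"]
    forwards = [s for t, s in sections if t == "forwarding"]
    rules = [s for t, s in sections if t == "rule"]
    nats = [s for t, s in sections if t == "nat"]
    findings = []

    # A network may be covered by exactly one zone.
    owners = defaultdict(list)
    for z in zones:
        for net in z.get("network", []):
            owners[net].append(z.get("name", "?"))
    for net, names in owners.items():
        if len(names) > 1:
            findings.append(("multi-zone", f"network '{net}' is in zones {names}"))

    # The WG zone should not masquerade, just like the LAN zone does not.
    if any(z.get("name") == wg_zone and z.get("masq") == "1" for z in zones):
        findings.append(("masq", f"zone '{wg_zone}' has masquerading enabled"))

    def has_forward(src, dest):
        return any(f.get("src") == src and f.get("dest") == dest for f in forwards)

    # wg -> wan: remote peers reach the internet via this router's uplink.
    if has_forward(wg_zone, "wan"):
        findings.append(("wg-wan", f"{wg_zone} -> wan: peer internet traffic exits here"))

    # An open wg -> lan forwarding makes per-host dest_ip rules no restriction at all.
    host_rules = [r for r in rules if r.get("src") == wg_zone and r.get("dest_ip")]
    if has_forward(wg_zone, "lan") and host_rules:
        findings.append(("redundant-rule", f"{wg_zone} -> lan is open; "
                         f"{len(host_rules)} dest_ip rule(s) restrict nothing"))

    # SNAT src_ip must be the network address (the '.0'), not a host inside it.
    for n in nats:
        src_ip = n.get("src_ip", "")
        if "/" in src_ip:
            try:
                ipaddress.ip_network(src_ip)  # strict by default: host bits raise
            except ValueError:
                findings.append(("bad-src-ip", f"nat '{n.get('name')}': {src_ip} has host bits set"))
    return findings


if __name__ == "__main__":
    for code, msg in audit_firewall(SAMPLE_FIREWALL):
        print(f"{code:15s} {msg}")
```

Against the sample it reports all five findings; with the masquerade line removed, the `lan` network taken out of the `wgserver` zone, the wg > lan forwarding replaced by the traffic rule alone and `src_ip` set to `172.22.22.0/24`, it reports nothing, which is the configuration the replies recommend.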
The video works, but does not cover specific use cases;
if you do that and then compare it to the manual, you probably have a hard time figuring out what the differences are.
I think if I had known about this manual before starting, that would have been helpful.
However, the video covers QR; the manual does not.