OpenWrt Wireguard Client's Firewall configuration

I want to use a WireGuard client on my x86 OpenWrt [LuCI openwrt-19.07 branch (git-20.136.49537-fb2f363) / OpenWrt 19.07.3 r11063-85e04e9f46].

I have finished configuring the WireGuard connection on OpenWrt, and it shows that the handshake succeeds. The picture shows the successful handshake.

Then I started configuring the firewall settings. What I have done is assign the LAN zone to the WG interface. I did not make any other changes in the firewall section.
However, this firewall setting does not work.

I can connect to the Internet through my real IP address instead of WireGuard's IP address. The WireGuard settings should be right, since they work well in my phone app and in the Windows software.
Even though I have tried many methods from the Internet for the firewall settings, I could not make it work. I have also put my /etc/config/network and /etc/config/firewall below.

I think there are some problems with my firewall settings. Can you help me figure it out?
Really appreciate it! :grinning:

/etc/config/network:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd9f:166d:f613::/48'

config interface 'lan'
	option ifname 'eth0'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option type 'bridge'

config interface 'wan'
	option proto 'dhcp'
	option ifname 'eth1'

config interface 'wg'
	option proto 'wireguard'
	list addresses '10.66.66.3/24'
	option private_key 'kCmDYVcgFM6L+RyKB3666dGLoQA4tGLAo39bAGb6666=' #fake

config wireguard_wg
	option public_key 'SGTCu8PhtgyDBWr0pI6GlV666/NEDIBw4btXGra6666=' #fake
	option endpoint_port '58806'
	list allowed_ips '0.0.0.0/0'
	option preshared_key '7NlhDyJ065tHxXLUDGjLuP8wLZ4VRtRUjlFG/BO6666=' #fake
	option endpoint_host '167.999.226.131' #fake
	option persistent_keepalive '25'

/etc/config/firewall:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan wg'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule
	option src '*'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '58806'
	option name 'Allow-Wireguard-Inbound' # this rule appeared twice in the posted file; one copy is kept

config forwarding
	option dest 'wan'
	option src 'lan'

It's not particularly a firewall setting that makes this work. Where are the routes to send traffic over your WG interface?

Example:

# Two /1 routes (0.0.0.0/1 and 128.0.0.0/1) together cover the whole IPv4 space and,
# being more specific than the default route, win over it without replacing it.
# A /1 has the netmask 128.0.0.0, not '0.0.0.0/1'.
config route
	option interface 'wg'
	option target '0.0.0.0'
	option netmask '128.0.0.0'

config route
	option interface 'wg'
	option target '128.0.0.0'
	option netmask '128.0.0.0'

Also:

  • You need to masquerade traffic going out this interface unless the far end has routes added too
  • If this WG interface is a 3rd Party VPN, I advise adding it to the WAN Firewall Zone

Hi lleachii,

Thank you for your help. I have put the routing table below.

root@OpenWrt:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.10.1.1       0.0.0.0         UG    0      0        0 eth1
10.10.1.0       *               255.255.255.0   U     0      0        0 eth1
10.66.66.0      *               255.255.255.0   U     0      0        0 wg
167.999.226.131 10.10.1.1       255.255.255.255 UGH   0      0        0 eth1
192.168.3.0     *               255.255.255.0   U     0      0        0 br-lan

I also checked the Network >> Static Routes page, which is empty.

I do not know whether or not the WG interface belongs to a 3rd-party VPN. I installed the WG interface through the packages wireguard and luci-app-wireguard. I built a WG server on my VPS.

Now I have changed "Interface >> WG >> Firewall Settings" to the wan zone.

I am not a tech person, and I do not know how to add specific routing tables.
Can you provide detailed steps I can follow?
Really appreciate it!

Go into the config for the peer in Luci and tick the box for 'Route allowed IPs'


Hi krazeh,

Thank you for your help. I have followed your instructions and checked "Route Allowed IPs". However, it seems not to work.
I still use my real IP to connect to the Internet, instead of WG's IP. Thank you!

Restart the interface. If it's still not working then post your routing table again.


Thank you very much. I just rebooted my router. It works!
Really appreciate it! :grinning:

I want to make sure everything is correct and secured.

When we configure the WireGuard client on OpenWrt, we input the correct values into the related boxes and make sure the handshake succeeds.

For the firewall settings, just change "Interface >> WG >> Firewall Settings" to the WAN zone, as shown in the previous picture.

For the routing table problem, just tick "Interface >> WG >> Peers >> Route Allowed IPs", as shown in the picture above.
Then we can use WireGuard's IP to connect to the Internet.

So, are this kind of firewall and routing table settings secure?

Thank you very much!

Yes, if you're using it to connect to the internet through another endpoint then you should put it in the WAN zone.

If you also use wireguard to connect to your LAN remotely then you might want to think about setting up a separate interface for that. You can then put that one in the LAN zone.


Did you add them yet?

So you're connecting to a VPN server you don't know?

:+1:

Got it, thank you very much!

I am not connecting to my LAN remotely. But thank you for your instructions.
Really appreciate your help!
Have a great day!

Hi lleachii,

I have followed your instructions to change "Interface >> WG >> Firewall Settings" to the WAN zone.
Then I followed krazeh's instructions to tick "Interface >> WG >> Peers >> Route Allowed IPs".

After doing the two steps, I can connect to the Internet through my WireGuard IP.

Thank you for your help. Have a great day! :grinning:

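The two changes this thread converges on (move the wg interface from the lan zone to the wan zone, and tick "Route Allowed IPs" on the peer), written up as a small checker and fixer. This is an added example and not code from the thread or from OpenWrt; the function names are mine. It parses the /etc/config/network and /etc/config/firewall format shown above, reports the problems visible in the posted files (no route_allowed_ips on the peer, wg in the lan zone, no masq on that zone, a rule defined twice) and prints the uci commands that do the same as the two LuCI checkboxes. The sample configs are constructed from the posted files and trimmed down to what the checks need; the keys are the post's fake ones.

```python
"""Audit and fix an OpenWrt 19.07 WireGuard client config for the mistakes in this thread.
Added example, not code from the thread or OpenWrt: run on a workstation (OpenWrt has no
Python) against /etc/config/network and /etc/config/firewall copied off the router."""
import re

def parse_uci(text):
    """Minimal /etc/config parser -> [(type, name_or_None, {option: str | [str, ...]})].
    A '#comment' outside quotes (the post's '#fake' markers) is ignored."""
    sections = []
    for raw in text.splitlines():
        toks = []
        for t in re.findall(r"'[^']*'|\"[^\"]*\"|\S+", raw):
            if t.startswith('#'):
                break
            toks.append(t.strip('\'"'))
        if len(toks) < 2:
            continue
        kw, key, val = toks[0], toks[1], toks[2] if len(toks) > 2 else ''
        if kw == 'config':
            sections.append((key, val or None, {}))
        elif kw == 'option' and sections:
            sections[-1][2][key] = val
        elif kw == 'list' and sections:
            sections[-1][2].setdefault(key, []).append(val)
    return sections

def as_list(v):
    """19.07 writes "option network 'lan wg'" (one string); newer releases use 'list'."""
    return v.split() if isinstance(v, str) else list(v)

def audit_wg_client(network_text, firewall_text, wg='wg'):
    """Findings for a client meant to carry all Internet traffic; [] means it matches the fix."""
    net, fw = parse_uci(network_text), parse_uci(firewall_text)
    iface = next((o for t, n, o in net if t == 'interface' and n == wg), None)
    if iface is None or iface.get('proto') != 'wireguard':
        return ["network: no 'config interface %s' with proto wireguard" % wg]
    out = []
    for p in [o for t, _, o in net if t == 'wireguard_' + wg] or [{}]:  # no peer -> both findings
        if p.get('route_allowed_ips') != '1':  # the LuCI "Route Allowed IPs" checkbox
            out.append('peer: route_allowed_ips is not 1, so nothing is routed via %s and traffic keeps leaving over wan' % wg)
        if not {'0.0.0.0/0', '::/0'} & set(as_list(p.get('allowed_ips', []))):
            out.append('peer: allowed_ips lacks 0.0.0.0/0 or ::/0, so Internet traffic cannot use the tunnel')
    holders = [z for t, _, z in fw if t == 'zone' and wg in as_list(z.get('network', []))]
    if not holders:
        out.append('firewall: %s is in no zone; its traffic falls to the default policies' % wg)
    for z in holders:
        if z.get('name') == 'lan':
            out.append('firewall: %s is in zone lan, so the remote peer is trusted like a LAN host (use wan)' % wg)
        if z.get('masq') != '1':
            out.append('firewall: zone %s has no masq; the far end sees LAN source addresses it cannot route back' % z.get('name'))
    names = [r.get('name') for t, _, r in fw if t == 'rule']
    out += ['firewall: rule %r is defined twice; keep one copy' % n for n in sorted(set(names)) if n and names.count(n) > 1]
    return out

def uci_fix_commands(network_text, firewall_text, wg='wg'):
    """uci shell lines equivalent to the two LuCI changes in the thread."""
    net, fw = parse_uci(network_text), parse_uci(firewall_text)
    cmds = []
    for i, p in enumerate(o for t, _, o in net if t == 'wireguard_' + wg):
        if p.get('route_allowed_ips') != '1':
            cmds.append("uci set network.@wireguard_%s[%d].route_allowed_ips='1'" % (wg, i))
    for i, z in enumerate(o for t, _, o in fw if t == 'zone'):
        nets = as_list(z.get('network', []))
        if z.get('name') == 'lan' and wg in nets:
            cmds.append("uci set firewall.@zone[%d].network='%s'" % (i, ' '.join(n for n in nets if n != wg)))
        elif z.get('name') == 'wan' and wg not in nets:
            cmds.append("uci set firewall.@zone[%d].network='%s'" % (i, ' '.join(nets + [wg])))
    return cmds + ['uci commit network', 'uci commit firewall',
                   '/etc/init.d/firewall restart', 'ifdown %s; ifup %s' % (wg, wg)]

# Constructed from the thread's posted files, trimmed; the keys are the post's fake ones.
ORIGINAL_NETWORK = """
config interface 'wg'
	option proto 'wireguard'
	list addresses '10.66.66.3/24'
config wireguard_wg
	option public_key 'SGTCu8PhtgyDBWr0pI6GlV666/NEDIBw4btXGra6666=' #fake
	option endpoint_host '167.999.226.131' #fake
	list allowed_ips '0.0.0.0/0'
	option persistent_keepalive '25'
"""
WG_RULE = ("config rule\n\toption name 'Allow-Wireguard-Inbound'\n\toption src '*'\n"
           "\toption proto 'udp'\n\toption dest_port '58806'\n\toption target 'ACCEPT'\n")
ORIGINAL_FIREWALL = """
config zone
	option name 'lan'
	option network 'lan wg'
config zone
	option name 'wan'
	option masq '1'
	option network 'wan wan6'
""" + WG_RULE + WG_RULE  # the post lists this rule twice
# The thread's fix: route the peer's allowed IPs, move wg from lan to wan, drop the duplicate rule.
FIXED_NETWORK = ORIGINAL_NETWORK.replace("option persistent_keepalive '25'",
                                         "option persistent_keepalive '25'\n\toption route_allowed_ips '1'")
FIXED_FIREWALL = (ORIGINAL_FIREWALL.replace("option network 'lan wg'", "option network 'lan'")
                  .replace("option network 'wan wan6'", "option network 'wan wan6 wg'")
                  .replace(WG_RULE, '', 1))

if __name__ == '__main__':
    print('\n'.join(audit_wg_client(ORIGINAL_NETWORK, ORIGINAL_FIREWALL)))
    print('\n'.join(uci_fix_commands(ORIGINAL_NETWORK, ORIGINAL_FIREWALL)))
```

Run on the posted configs it reports the four findings and prints `uci set network.@wireguard_wg[0].route_allowed_ips='1'`, `uci set firewall.@zone[0].network='lan'` and `uci set firewall.@zone[1].network='wan wan6 wg'`, followed by the commits; on the fixed configs it reports nothing. The `ifdown wg; ifup wg` at the end is the "restart the interface" step krazeh mentions, which is what installs the route, so a full reboot is not needed. One further point the thread does not raise: on a client whose peer has an endpoint configured, the Allow-Wireguard-Inbound rule is not needed (58806 is the server's listen port, and replies to the client's own outbound UDP are handled by connection tracking); as posted, with `src '*'` and no `dest`, it opens udp/58806 on the router itself from every zone, wan included.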
