Secure network against VPN server

On an openwrt, I created a "client" wireguard connection to a wireguard server:

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'XXX'
	list addresses '10.0.0.1/32'
	option defaultroute '1'

config wireguard_wg0
	option public_key 'XXX'
	option preshared_key 'XXX'
	option endpoint_host 'XXX'
	option endpoint_port 'XXX'
	option route_allowed_ips '1'
	option allowed_ips '0.0.0.0/0'

Now, I want to protect the openwrt router against the wireguard server. So assuming the wireguard server is controlled by an adversary, I want to prevent:

  1. the remote wireguard server from accessing the LAN.
  2. the remote wireguard server from accessing the internet via the local openwrt router.

How can I achieve this?

Put the wireguard interface into the wan firewall zone or create a new zone that has the input rule set to REJECT. That's all you need to do.


That's what I did (I created a new zone with input 'REJECT').

That prevents the wireguard server from initiating a connection.

However, the client initiates connections to the server.

Could the server use this initiated connection to access the local network, client side?

No, unless you have other things in the firewall that would permit it.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

Here are the relevant bits:

/etc/config/network
config interface 'wg0'
        option proto 'wireguard'
        option private_key 'XX'
        list addresses '10.0.0.1/32'
        option defaultroute '1'
        option ip4table '100'

config wireguard_wg0
        option public_key 'XX'
        option preshared_key 'XXX'
        option endpoint_host 'XXX'
        option endpoint_port '30001'
        option route_allowed_ips '1'
        option allowed_ips '0.0.0.0/0'

config rule
        option in 'lan'
        option lookup 100

/etc/config/firewall
config zone
        option name 'wireguard_lan'
        list network 'wg0'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wireguard_lan'

config rule 'lan_dhcp'
        option name 'Allow-DHCP-lan'
        option src 'lan'
        option dest_port '67'
        option family 'ipv4'
        option proto 'udp'
        option target 'ACCEPT'

config rule 'lan_dns'
        option name 'Allow-DNS-lan'
        option src 'lan'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'ACCEPT'

I was thinking of modifying allowed_ips to exclude all RFC1918 addresses.

Also, from the config, it's clear that lan cannot access wan. However, out of an abundance of caution, I'd like to test that practically. Is there a way to test it, maybe via traceroute or something like that?
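As an added example that is not part of the thread, a small Python checker for the zone configuration posted above: it parses UCI-style text and reports if the zone holding wg0 accepts inbound connections or is the source of any forwarding section. The sample config is constructed from the posted snippet; the function names are my own.

```python
import re

# Constructed sample, taken from the firewall snippet posted in the thread.
FIREWALL = """\
config zone
        option name 'wireguard_lan'
        list network 'wg0'
        option input 'REJECT'
        option forward 'REJECT'

config forwarding
        option src 'lan'
        option dest 'wireguard_lan'
"""
UCI_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+(?:'([^']*)'|(\S+)))?\s*$")

def parse_uci(text):
    """Parse UCI text into (section_type, options) tuples; 'list' keys collect into lists."""
    sections, cur = [], None
    for line in text.splitlines():
        m = UCI_LINE.match(line)
        if not m:
            continue
        kind, key, quoted, bare = m.groups()
        val = quoted if quoted is not None else bare
        if kind == "config":
            cur = (key, {})
            sections.append(cur)
        elif kind == "option":
            cur[1][key] = val
        else:  # list keys accumulate
            cur[1].setdefault(key, []).append(val)
    return sections

def vpn_zone_issues(text, iface="wg0"):
    """Return findings; an empty list means the zone holding iface can neither start
    connections into the router (input) nor through it to other zones (no 'forwarding'
    section with this zone as src)."""
    secs = parse_uci(text)
    zone = next((o for t, o in secs if t == "zone" and iface in o.get("network", [])), None)
    if zone is None:
        return [f"{iface} is not assigned to any firewall zone"]
    issues = []
    if zone.get("input") not in ("REJECT", "DROP"):
        issues.append(f"zone {zone['name']}: input policy is {zone.get('input')!r}, expected REJECT or DROP")
    # Inter-zone forwarding only exists via explicit 'config forwarding' sections;
    # a zone's own 'forward' option covers traffic between networks inside that zone.
    for t, o in secs:
        if t == "forwarding" and o.get("src") == zone["name"]:
            issues.append(f"forwarding from {zone['name']} to {o.get('dest')} lets the VPN peer reach that zone")
    return issues
```

Run it against the real file with `vpn_zone_issues(open('/etc/config/firewall').read())` on the router; it complements, not replaces, a live test from the VPN side.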

These should not be necessary unless you've changed other things...

Please post the complete files.

Ok, that's what I thought, but it's good to confirm.

(I can't post the whole file, as this is a friend's device, and he is - understandably - not keen on his whole config being on the internet).

I haven't changed anything else in the firewall config related to this network though.

Very little in those files is actually private and uniquely identifying -- WG keys, public IP addresses, passwords need to be redacted. Many people also choose to redact MAC addresses, but that isn't strictly necessary. Of course, we don't want to have you post anything that might be sensitive, so if you are working with an abundance of caution, it is understandable.

That said, if you (or your friend) cannot post the complete files, we can only provide advice based on what we see -- that means that there could be issues that we are unaware of and therefore cannot help solve.


Yes, that's absolutely fair. I'll talk to him and revert back to you if he is more open.
But your answer already helps me confirm the situation. Thanks!

You're welcome.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks!
