Setting up Wireguard Peers with personalized access to LAN

So, I've just set up a wireguard server in OpenWrt following this procedure: https://openwrt.org/docs/guide-user/services/vpn/wireguard/server. With such settings, all peers have full access to the LAN Zone (OpenWrt included!).

I'm wondering how I can personalize the access to the LAN zone for each peer. For instance:

  • Peer A: full access (a kind of LAN admin)
  • Peer B, Peer C: only 192.168.1.100/32
  • etc...

I've already configured Allowed IPs for each peer, but that is just a routing policy for clients, not a security restriction. I'd need something at the firewall level. I'm looking for a way to do it in the right (i.e., OpenWrt-onic) way.

Put the VPN interface into its own firewall zone. Add appropriate firewall rules to allow forwarding between the VPN zone and LAN zone.

To summarize, I'd need to:

  • Add a My_VPN zone
  • Attach that zone to the Wireguard interface
  • Do not forward anything from My_VPN to LAN
  • Set My_VPN input to reject to avoid to reach the local router interface
  • Add specific traffic rules for peers using their VPN IPs as Source address

Something like that?

Pretty much. Make sure you remove the WG interface from the LAN firewall zone.

1 Like

Here's the whole picture, I'd be glad to hear your feedback:

network (interface + 2 peers):

config interface 'My_VPN'
	option proto 'wireguard'
	option private_key '...'
	option listen_port '...'
	list addresses '10.0.0.1/24'

config wireguard_My_VPN
	option description 'All_LAN_Peer'
	option preshared_key '...'
	option public_key '...'
	list allowed_ips '10.0.0.2/32'
	option private_key '...'

config wireguard_My_VPN
	option description 'Restricted_Peer'
	option preshared_key '...'
	option public_key '...'
	list allowed_ips '10.0.0.3/32'
	option private_key '...'

Firewall (custom zone + WAN port + 2 traffic rules for peers):

config zone
	option name 'My_VPN'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'My_VPN'

config rule 'wg'
	option name 'Allow-WireGuard-WAN'
	option src 'wan'
	option dest_port '...'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Allow-All-LAN'
	option src 'My_VPN'
	# All access for the All_LAN_Peer
	list src_ip '10.0.0.2'
	option target 'ACCEPT'
	option dest 'lan'

config rule
	option name 'Allow-Restricted-Access'
	option src 'My_VPN'
	list src_ip '10.0.0.3'
	option target 'ACCEPT'
	option dest 'lan'
	list dest_ip '192.168.1.100'

Working this way I have:

  • An open port on the WAN to accept incoming Wireguard connections
  • A dedicated VPN Zone
  • All_LAN_Peer who can access all the LAN
  • Restricted_Peer who can access just the host 192.168.1.100 (since I specified both `dest 'lan'` and `dest_ip '192.168.1.100'`)

I'm still trying to allow All_LAN_Peer to reach OpenWrt via 192.168.1.1. Since I have the following settings:

config zone
	option name 'My_VPN'
	option input 'REJECT'

It looks like the Allow-All-LAN rule is not enough. Even explicit traffic rules (e.g., Allow 192.168.1.1) do not kick in. How do those things interact with each other? Please, pardon my poor knowledge of firewalls :)

Add this line:

	list dest_ip '192.168.1.0/24'

Shouldn't they delete option dest 'lan' if they're wanting to access the router? Rather than add a dest_ip.

3 Likes

I thought the all-lan wasn't able to reach the lan... my bad.

Yes, removing the lan zone will effectively make the rule "allow input" to the router.

2 Likes

Thank you both!

If I do that, I can access the router, but I can't reach the other LAN hosts anymore. I could probably add two separate rules.

Would you mind explaining to me the reason why it happens?

A rule that doesn't specify a destination zone will be interpreted as "the router itself is the destination" -- that is to say that it is treating the rule as governing input to the router itself (for admin and/or other services on the router itself).

Yes... because one is accessing the router itself while the other is accessing the lan zone.

2 Likes
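To make the rule semantics discussed above concrete, here is an added example (not code from this thread or from OpenWrt itself): a POSIX sh script that prints `uci batch` commands for the dedicated VPN zone, the WAN port opening, and one rule per peer/destination pair. A destination of `lan` gives forwarding to the whole LAN zone, a host or CIDR narrows that with `dest_ip`, and the keyword `router` omits `dest` entirely so the rule governs input to OpenWrt itself. The zone name `My_VPN`, the listen port 51820, and the three-line policy table are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: emit "uci batch" commands for a per-peer WireGuard firewall policy.
# Nothing here talks to uci directly, so it can be reviewed offline first.

ZONE=My_VPN            # assumed: also the name of the wireguard interface
WG_PORT=51820          # assumed: listen_port of the WireGuard interface

# Which chain a rule with the given destination keyword ends up governing:
# no dest (keyword "router") -> INPUT to OpenWrt itself, anything else -> FORWARD.
rule_chain() {
    case $1 in
        router) echo INPUT ;;
        *)      echo FORWARD ;;
    esac
}

# Zone with input/forward REJECT, plus the UDP hole on WAN for WireGuard.
emit_zone() {
    cat <<EOF
add firewall zone
set firewall.@zone[-1].name='$ZONE'
set firewall.@zone[-1].input='REJECT'
set firewall.@zone[-1].output='ACCEPT'
set firewall.@zone[-1].forward='REJECT'
add_list firewall.@zone[-1].network='$ZONE'
add firewall rule
set firewall.@rule[-1].name='Allow-WireGuard-WAN'
set firewall.@rule[-1].src='wan'
set firewall.@rule[-1].dest_port='$WG_PORT'
set firewall.@rule[-1].proto='udp'
set firewall.@rule[-1].target='ACCEPT'
EOF
}

# emit_peer_rule NAME PEER_IP DEST
#   DEST is "lan" (whole LAN zone), "router" (OpenWrt itself),
#   or a host/CIDR inside the LAN (forward narrowed with dest_ip).
emit_peer_rule() {
    name=$1; peer=$2; dest=$3
    echo "add firewall rule"
    echo "set firewall.@rule[-1].name='$name'"
    echo "set firewall.@rule[-1].src='$ZONE'"
    echo "add_list firewall.@rule[-1].src_ip='$peer'"
    echo "set firewall.@rule[-1].target='ACCEPT'"
    case $dest in
        router) ;;   # deliberately no dest: this is an INPUT rule
        lan)    echo "set firewall.@rule[-1].dest='lan'" ;;
        *)      echo "set firewall.@rule[-1].dest='lan'"
                echo "add_list firewall.@rule[-1].dest_ip='$dest'" ;;
    esac
}

# Constructed policy table: "name peer_ip dest", one triple per line.
POLICY='Allow-All-LAN     10.0.0.2 lan
Allow-OpenWRT     10.0.0.2 router
Allow-Restricted  10.0.0.3 192.168.1.100'

# Render the complete batch: zone, WAN rule, then every policy line.
emit_batch() {
    emit_zone
    echo "$POLICY" | while read -r name peer dest; do
        [ -n "$name" ] || continue
        emit_peer_rule "$name" "$peer" "$dest"
    done
}

emit_batch
```

On the router the output would be applied with `./gen.sh | uci batch && uci commit firewall && /etc/init.d/firewall reload`; the zone input policy stays REJECT, and the `router` keyword is the only thing that produces a rule without `dest`, which is exactly the input exception the thread arrived at.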

Thank you!

And here it is:

config rule
	option name 'Allow-All-LAN'
	option src 'My_VPN'
	list src_ip '10.0.0.2' 
	option target 'ACCEPT'
	option dest 'lan'

config rule
	option name 'Allow-OpenWRT'
	option src 'My_VPN'
	list src_ip '10.0.0.2'
	option target 'ACCEPT'
	list dest_ip '192.168.1.0/24'

I guess that such rules take the precedence over the default 'My_VPN' Zone option input 'REJECT'.

Side question: is there a good reference about the OpenWrt firewall?

That doesn't need to be in the second rule.

I would start at [OpenWrt Wiki] Firewall documentation

2 Likes

Thank you again. I leave the correct rules here for reference:

config rule
        option name 'Allow-All-LAN'
        option src 'Home_VPN'
        list src_ip '10.0.0.2'
        option target 'ACCEPT'
        option dest 'lan'

config rule
        option name 'Allow-OpenWRT'
        option src 'Home_VPN'
        list src_ip '10.0.0.2'
        option target 'ACCEPT'

1 Like
