[Solved] Help/Clarifications with WireGuard firewall rules

Sorry for yet another thread, but I don't fully understand why the setup based on those guides is not working (can't ping endpoints, traffic does not reach the LAN):


and

Both guides just "open" the WG port and, in the WG peer interface settings, assign it to the LAN, yet this is not working for me. I want to connect from external Android/Windows clients to the WG host on the router and access the LAN services. The router is just behind a fully-bridged DSL modem and WAN uses VLAN 7.

The only way I got the setup from the guides working is to actually create a port forward rule from WAN to LAN on the router IP (192.168.1.1), yet this should not be needed if the router is also the first device?

So what's the actual real-world (security/speed) difference between my working port forward rule and the rule from the guides, and what step is missing from the guides? I noticed some other guides add an extra zone for WG and then set up forward rules from this zone to LAN/WAN. So again, what's the advantage of setting up an extra zone if we then forward anyway, compared to a normal forward rule?

Post the content of your /etc/config/network and /etc/config/firewall files. Redact any sensitive info like public IPs and WireGuard keys.

Can you access the WG server initially?

Why not follow the guide from the documentation?


Not a LuCI setup, and the following lines looked "strange", i.e. I did not fully understand what happens there and how to replicate this via LuCI.

# Configure firewall
uci rename firewall.@zone[0]="lan"             # give the anonymous zone sections stable names ...
uci rename firewall.@zone[1]="wan"             # ... so they can be addressed as firewall.lan / firewall.wan
uci rename firewall.@forwarding[0]="lan_wan"   # same for the lan->wan forwarding section
uci del_list firewall.lan.network="${WG_IF}"   # remove any earlier entry first ...
uci add_list firewall.lan.network="${WG_IF}"   # ... so the WG interface is in the lan zone exactly once
uci -q delete firewall.wg                      # drop a stale 'wg' rule section before it is recreated

These are the same "open" rules the guides listed, yet they omitted the above steps, so what's supposed to happen here and why wasn't this needed in the guides?

uci set firewall.wg="rule"                     # named section 'wg' of type rule (see the delete above)
uci set firewall.wg.name="Allow-WireGuard"
uci set firewall.wg.src="wan"                  # src set and no dest: an input rule for the router itself
uci set firewall.wg.dest_port="${WG_PORT}"
uci set firewall.wg.proto="udp"
uci set firewall.wg.target="ACCEPT"

No, I cannot ping remote LAN addresses (192.168.1.1) or the VPN OpenWrt endpoint via its own subnet (10.0.11.1).

/etc/config/network

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option _orig_ifname 'eth1 radio0.network1 wlan1'
	option _orig_bridge 'true'
	option ifname 'eth1'

config interface 'wan'
	option ifname 'eth0'
	option proto 'pppoe'
	option password ''
	option ipv6 '0'
	list dns '8.8.8.8'
	list dns '8.8.4.4'
	option delegate '0'
	option peerdns '0'
	option username ''
	option keepalive '10 20'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '6 3 2 1 0'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '7'
	option ports '5 4t'

config interface 'wg0'
	option proto 'wireguard'
	option delegate '0'
	option listen_port '56111'
	option private_key '********'
	list addresses '10.0.11.1/24'

config wireguard_wg0
	option description 'handy_andy'
	list allowed_ips '10.0.11.201/32'
	option route_allowed_ips '1'
	option public_key '********'

/etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option syn_flood '1'
	option drop_invalid '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan wg0'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option forward 'REJECT'
	option input 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option dest_port '56111'
	option src '*'
	option name 'Allow-Wireguard-Inbound'
	option dest '*'
	option target 'ACCEPT'
	list proto 'udp'
	option family 'ipv4'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

If I switch to this forward rule, everything works?

config redirect
	option src 'wan'
	option name 'wireguard'
	option src_dport '56111'
	option target 'DNAT'
	option dest 'lan'
	list proto 'udp'
	option dest_ip '192.168.1.1'
	option dest_port '56111'
	option enabled '0'

OK, sorry, I'm stupid... this actually works after a reboot if I also add "Persistent Keep Alive = 25".

config rule
	option dest_port '56111'
	option name 'Allow-Wireguard-Inbound'
	option target 'ACCEPT'
	list proto 'udp'
	option family 'ipv4'
	option src 'wan'

So it seems to be a NAT issue, with Persistent Keep Alive at the default of 0.


Firewall zones in LuCI already appear as LAN and WAN. The only thing you should do is assign the WG interface to the LAN zone.

These rules open the WG port on the WAN so the router can accept incoming connections.


OK, just to clarify: it was a client NAT problem, since the Windows 10 client software actually has no UI option for the keepalive value yet.
You have to manually add PersistentKeepalive = 60 to the [Peer] section of the client config, and then you can leave the server (OpenWrt) keepalive value at 0.

