I use GL-MT300N (Mango) inside my home network to run the VPN WireGuard Server. Everything works fine, but the VPN Clients have access to my home network devices through the WAN port, which I want to restrict.
The Allowed IPs option in the VPN Clients' Peer section does the job, but it's an insecure option, as the Clients can always change it. I'm now trying to find a way to apply a similar rule in the Router itself - either in the WireGuard Server settings or the router Firewall, in order to protect my home network from the VPN Clients.
I'd appreciate it if someone can advise on it.
Yes, I was playing with the Firewall settings in LuCI, but no success so far. I either can ping all the home network devices or completely block the VPN. I'd appreciate any practical advice.
Try this generic rule.
Set the correct IP addresses.
uci add firewall rule
uci set firewall.@rule[-1].name='Forbid-wg-to-lan'
uci set firewall.@rule[-1].target='REJECT'
uci set firewall.@rule[-1].src='*'
uci set firewall.@rule[-1].dest='lan'
uci set firewall.@rule[-1].proto='all'
uci set firewall.@rule[-1].src_ip='192.168.9.0/24' # wg subnet
uci set firewall.@rule[-1].dest_ip='192.168.1.0/24' # lan subnet
uci commit firewall
/etc/init.d/firewall restart
If it doesn't work, you will need to provide additional information.
It is what the firewall functionality of your router is for. The AllowedIPs option you set on the peer restricts the IP header of egress packets going from your home router to it. It is supposed to protect the peer's network from your home network, not vice versa.
On your home network, put that WireGuard interface into a separate zone, and restrict what that zone can access.
Hi Pavel, cheers for your response.
My setup is the following:
• Brume2 as the main router (192.168.1.1) which distributes IP address (DHCP);
• After Brume2 I have an unmanaged switch with all home devices connected to it;
• Mango router connected via its WAN port (192.168.1.5) to this switch; I use it to run the WireGuard VPN Server (the corresponding port-forwarding rule is set in Brume2).
Nothing is connected to the Mango (no LAN, no Wi-Fi); I want to use it purely as a VPN server, without access to my LAN (or only with access to the main router, 192.168.1.1, but not to other devices). But at the moment the VPN Clients can access my whole LAN, 192.168.1.xxx.
Hi trendy,
I have the LAN zone removed from the wireguard zone, but since the Mango router is in my LAN network and connected via the WAN port, the VPN Clients still have access to the LAN.
uci add firewall rule
uci set firewall.@rule[-1].name='Forbid-wg-to-lan'
uci set firewall.@rule[-1].target='REJECT'
uci set firewall.@rule[-1].src='wireguard'
uci set firewall.@rule[-1].dest='wan'
uci set firewall.@rule[-1].proto='all'
uci set firewall.@rule[-1].dest_ip='192.168.1.0/24'
uci commit firewall
/etc/init.d/firewall restart
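The rule above, as an added example that is not from the thread, written as a uci batch and extended with the one exception the OP said would be acceptable: an ACCEPT for the main router (192.168.1.1) placed before the REJECT for the rest of 192.168.1.0/24. Zone names and subnets are the ones used in the thread; the rule names and function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the WireGuard interface is in a
# firewall zone named 'wireguard' and the Mango's upstream port is in 'wan',
# as in the solution posted above.
WG_ZONE="wireguard"
WAN_ZONE="wan"
LAN_SUBNET="192.168.1.0/24"
MAIN_ROUTER="192.168.1.1"

# Emit the uci batch. fw3/fw4 evaluate rules in config order, so the narrow
# ACCEPT for the main router has to be added before the broad REJECT.
wg_lan_rules() {
    cat <<EOF
add firewall rule
set firewall.@rule[-1].name='Allow-wg-to-main-router'
set firewall.@rule[-1].src='$WG_ZONE'
set firewall.@rule[-1].dest='$WAN_ZONE'
set firewall.@rule[-1].proto='all'
set firewall.@rule[-1].dest_ip='$MAIN_ROUTER'
set firewall.@rule[-1].target='ACCEPT'
add firewall rule
set firewall.@rule[-1].name='Forbid-wg-to-lan'
set firewall.@rule[-1].src='$WG_ZONE'
set firewall.@rule[-1].dest='$WAN_ZONE'
set firewall.@rule[-1].proto='all'
set firewall.@rule[-1].dest_ip='$LAN_SUBNET'
set firewall.@rule[-1].target='REJECT'
commit firewall
EOF
}

# Sanity check before applying: number of rules the batch adds.
rule_count() {
    wg_lan_rules | grep -c '^add firewall rule'
}

# Target of the first rule in the batch; must be ACCEPT for the exception to win.
first_target() {
    wg_lan_rules | grep "target=" | head -n 1 | sed "s/.*target='\(.*\)'/\1/"
}

# On the router: feed the batch to uci and reload the firewall.
apply_rules() {
    wg_lan_rules | uci batch && /etc/init.d/firewall restart
}
```

After `apply_rules`, `uci show firewall | grep -n name=` lists the rules in the order they will be evaluated, so you can confirm the ACCEPT sits above the REJECT. Drop the first `add firewall rule` group if you do not want the VPN Clients to reach the main router either.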
Hi Pavel,
Thanks for your solution! It works perfectly for me.
With the following Firewall settings the VPN Clients are able to ping only these two addresses: 192.168.1.5 (WAN) & 10.0.0.1 (WG).
The route to my LAN via the WAN port is now restricted and the LAN devices are inaccessible - that's what I required.