WireGuard firewall rules and dynamic DNS problem

OK, first off, I set up my WireGuard and it works with my public IP, but whenever I try to connect with my DDNS (DuckDNS) I get access only to my LAN, nothing else. I don't know what to change here to get full access...

Second question: if I wanted to set up more restricted users, like one with access just to the LAN and one just to a certain port, could anyone give me an example of how I should do it?
So I could have, for example, 3 users connected:

  • one with full access
  • one with access only to the LAN
  • one with access only to a port inside my LAN

  • You don't provide enough information (i.e. your config)
  • Are we to assume "full access" means Internet?
  • My guess would be you didn't allow traffic to/from the Internet
  • Wireguard is not user based, I'm sure you noticed that
  • Configure each IP/key-pair in that manner, you seem to have LAN-only access currently

As I said, when I connect through my public IP I have full access (yes, internet and LAN); when I connect using DDNS I have only LAN access. I would like to have full access on both (because my IP changes sometimes). The DDNS is a default OpenWrt setup:

config service "duckdns"
        option enabled          "1"
        option domain           "exampledomain.duckdns.org"
        option username         "exampledomain"
        option password         "a7c4d0ad-114e-40ef-ba1d-d217904a50f2"
        option ip_source        "network"
        option ip_network       "wan"
        option force_interval   "72"
        option force_unit       "hours"
        option check_interval   "10"
        option check_unit       "minutes"
        #option ip_source       "interface"
        #option ip_interface    "eth0.1"
        #option ip_source       "web"
        #option ip_url          "http://ipv4.wtfismyip.com/text"
        option update_url       "http://www.duckdns.org/update?domains=[USERNAME]&token=[PASSWORD]&ip=[IP]"
        option use_https        "1"
        option cacert           "/etc/ssl/certs/ca-bundle.pem"

No, I don't. As said above, for now it depends on whether I use my IP (full access) or DDNS (only LAN), not to mention the third peer (that's what I meant by saying "user", btw) that I'd like to set up so it has access only to one port. I saw a config with iptables for this purpose here: https://gist.github.com/qdm12/4e0e4f9d1a34db9cf63ebb0997827d0d
but I also read that it is not recommended for OpenWrt and that it is better to use the firewall, but since I'm a noob it's hard for me to start without an example of such a firewall rule (the WireGuard setup is basically the same as in that GitHub link).

???

Perhaps you should clarify what you wish then.

  • Is this OpenWrt related?
  • OpenWrt adds firewall rules to /etc/config/firewall - do you have those rules?

I explained that. Simply set your firewall only to allow that IP to your desired DST IP/port.

You noted this is working, correct?

I'm not sure why you showed it.

???

Isn't it the same Public IP???

What's different (You should know)???

I don't understand what you don't understand. I said I have full access when I use my public IP directly, and don't have full access when I use the DDNS domain, and I'd like to have full access on both. What is there so hard to understand?
I can see that you're very hostile towards me. I said I'm new with this stuff, I don't understand everything, I'm trying to learn, so all you're going to do is just be so cynical? Please stop responding here, thanks.

:point_up: I asked

And what do you want me to tell you? I just tried using both, one has full access, one doesn't. What else is there to say? I can't explain it because I have no idea why that is; that's why I asked for help...

Ummm...I want you to tell us if/why it doesn't match. That should be clear.

nslookup your_domain

Does it match?

(We need you to actually troubleshoot, as we're not at your machine...and there's not enough details. We need to actually get enough details to help you.)

You're saying you use a Public IP...then you use DDNS...but the behavior is different...DDNS should just give you the Public IP.

Are you testing remotely or locally?

Server:         127.0.0.1
Address:        127.0.0.1#53

Name:      domain.duckdns.org
Address 1: <my public ip>
*** Can't find domain.duckdns.org: No answer

Remotely, on a phone from the mobile network.


If the ddns is pointing to the correct wan IP of the router, then there is no difference.

Create a separate wg zone in firewall, which includes the wg interface where these 3 peers connect.
Allow with a firewall rule traffic from IP of user1 to 0.0.0.0/0 in wan zone.
Allow with a firewall rule traffic from IP of user2 to subnet in lan zone.
Allow with a firewall rule traffic from IP of user3 to the IP:port in lan zone.

If you still have questions there needs to be some troubleshooting.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; uci export ddns; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
  • And...Did you run this nslookup from the phone/network having the issue?
  • And this IP matches the one on the OpenWrt's WAN port (not from an IP website)?

(It appears to be a PC/laptop)

(Also @trendy provided some good information and how to get configs if you weren't sure and afraid to ask. You're in good hands with him. I hope you get it worked out!)

config include
	option path '/etc/firewall.user'

config rule
	option src 'wan'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '12345'
	option name 'wireguard'

config zone
	option name 'wg'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option masq '1'
	list network 'wg0'

config forwarding
	option src 'wg'
	option dest 'wan'

config forwarding
	option src 'wan'
	option dest 'wg'

config forwarding
	option src 'wg'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'wg'

That's the rule I have with my WireGuard. I could really use an example of how to set it up, because the firewall in OpenWrt is very overwhelming.

masq is not needed.

All the forwardings are not needed.
You can create the rules in LuCI, it is the easiest. Otherwise an example would be:

uci add firewall rule
uci set firewall.@rule[-1].name='internet'
uci set firewall.@rule[-1].family='ipv4'
uci add_list firewall.@rule[-1].proto='all'
uci set firewall.@rule[-1].src='wg'
uci add_list firewall.@rule[-1].src_ip='192.168.8.2'
uci set firewall.@rule[-1].dest='wan'
uci add_list firewall.@rule[-1].dest_ip='0.0.0.0/0'
uci set firewall.@rule[-1].target='ACCEPT' 

uci add firewall rule
uci set firewall.@rule[-1].name='wg2lan'
uci set firewall.@rule[-1].family='ipv4'
uci add_list firewall.@rule[-1].proto='all'
uci set firewall.@rule[-1].src='wg'
uci add_list firewall.@rule[-1].src_ip='192.168.8.3'
uci set firewall.@rule[-1].dest='lan'
uci set firewall.@rule[-1].target='ACCEPT'

uci add firewall rule
uci set firewall.@rule[-1].name='wg2lanport'
uci set firewall.@rule[-1].family='ipv4'
uci set firewall.@rule[-1].src='wg'
uci add_list firewall.@rule[-1].src_ip='192.168.8.4'
uci set firewall.@rule[-1].dest='lan'
uci add_list firewall.@rule[-1].dest_ip='192.168.1.100'
uci set firewall.@rule[-1].dest_port='8080'
uci set firewall.@rule[-1].target='ACCEPT'

uci commit firewall
service firewall restart

192.168.8.X are the wg clients.
192.168.1.100 is a host in the lan. If no protocol is selected, then tcp+udp is assumed and I randomly selected port 8080.


Thank you very much, this is just ready to go, working perfectly. Thank you very much again, man. I spent so much time trying to google a solution when I should have just asked right away. This is just perfect.

I'd have one last question, because I finally set up everything like I wanted and everything works, just one thing: the 'wg2lanport' setting, only for ports, still gives access to the router GUI "192.168.1.1". Is there a way to block this off too? If not, that's not the biggest deal, but it would be nice, just in case.

Also, if it's not a problem, could you maybe give me one more example of how to reach peer2's network (also on OpenWrt, not yet set up) from peer1? I'm assuming the rule 'internet' would work on peer2, but what rule would I have to make on the server to pass through, and would the server have access to peer2's network too?

Because you have input accept. If you change it to reject, you might need to specifically allow DNS and DHCP.


Yeah, I don't think I should mess with this. I just changed accept to reject, and then changed it back, and I can't connect with stuff again lol.

Look at the example of the guest interface. Same principle: the zone is reject and allows the essentials only.

This shouldn't need any rule and can work straight.

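Putting the per-peer rules from the example above together with the "input reject, allow only the essentials" advice, here is an added script (not from this thread or from OpenWrt) that prints `uci batch` input for a locked-down wg zone and the three peer classes. It assumes the thread's placeholders (zone `wg` on interface `wg0`, peers 192.168.8.2/.3/.4, LAN host 192.168.1.100 port 8080) and that the original anonymous `wg` zone and its four forwardings have been removed first.

```shell
#!/bin/sh
# Added example, not from the thread: print "uci batch" input that builds a
# locked-down wg zone plus one ACCEPT rule per peer, in the three access
# classes discussed above. Placeholders follow the thread: zone "wg" on
# interface wg0, peers 192.168.8.2/.3/.4, LAN host 192.168.1.100 port 8080.

# Zone with input and forward set to REJECT: peers can no longer reach the
# router itself (LuCI on 192.168.1.1) or forward anywhere unless a rule
# below says so. Only DNS to the router is opened, as in the guest-network
# example; WireGuard peers have static addresses, so no DHCP rule is needed.
wg_zone() {
  cat <<'EOF'
set firewall.wg=zone
set firewall.wg.name='wg'
set firewall.wg.input='REJECT'
set firewall.wg.forward='REJECT'
set firewall.wg.output='ACCEPT'
add_list firewall.wg.network='wg0'
set firewall.wg_dns=rule
set firewall.wg_dns.name='wg-allow-dns'
set firewall.wg_dns.src='wg'
set firewall.wg_dns.proto='tcp udp'
set firewall.wg_dns.dest_port='53'
set firewall.wg_dns.target='ACCEPT'
EOF
}

# One forward rule: section name, peer address, destination zone,
# optional destination host and optional port (empty string = any).
peer_rule() {
  printf "set firewall.%s=rule\n" "$1"
  printf "set firewall.%s.name='%s'\n" "$1" "$1"
  printf "set firewall.%s.family='ipv4'\n" "$1"
  printf "set firewall.%s.src='wg'\n" "$1"
  printf "add_list firewall.%s.src_ip='%s'\n" "$1" "$2"
  printf "set firewall.%s.dest='%s'\n" "$1" "$3"
  [ -n "$4" ] && printf "add_list firewall.%s.dest_ip='%s'\n" "$1" "$4"
  [ -n "$5" ] && printf "set firewall.%s.dest_port='%s'\n" "$1" "$5"
  printf "set firewall.%s.target='ACCEPT'\n" "$1"
}

# Whole batch. On the router, run:
#   wg_firewall_batch | uci batch && uci commit firewall && service firewall restart
wg_firewall_batch() {
  wg_zone
  peer_rule wg_full 192.168.8.2 wan 0.0.0.0/0 ''        # internet only (NAT is on the wan zone)
  peer_rule wg_lan  192.168.8.3 lan '' ''               # whole LAN subnet
  peer_rule wg_port 192.168.8.4 lan 192.168.1.100 8080  # one host:port
}
```

Because the zone's input policy is REJECT, the `wg_port` peer can still reach 192.168.1.100:8080 (a forward rule) but no longer the router GUI (an input packet), which is exactly the difference the question above is asking about.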
