Ok first off, I set up my WireGuard and it works with my public IP, but whenever I try to connect with my DDNS (DuckDNS) I get only access to my LAN, nothing else. I don't know what to change here to get full access...
Second question: if I wanted to set up more restricted users, like one with access just to the LAN, and one just to a certain port, could anyone give me an example of how I should do it?
So I could have, for example, 3 users connected:
As I said, when I connect through my public IP, I have full access (yes, internet and LAN); when I connect using DDNS I have only LAN access. I would like to have full access on both (because my IP changes sometimes). The DDNS is a default OpenWrt setup.
No I don't, as said above; for now it depends on whether I use my IP (full access) or DDNS (only LAN), not to mention the third peer (that's what I meant by saying user, btw), which I'd like to set up so it has access only to one port. I saw a config with iptables for this purpose here: https://gist.github.com/qdm12/4e0e4f9d1a34db9cf63ebb0997827d0d
but I also read it is not recommended for OpenWrt, and it is better to use the firewall, but since I'm a noob, it's hard for me to start without an example of such a firewall rule (the WireGuard setup is basically the same as in that GitHub link).
I don't understand what you don't understand. I said I have full access when I use my public IP directly, and don't have full access when I use the DDNS domain, and I'd like to have full access on both. What is there so hard to understand?
I can see that you're very hostile towards me. I said I'm new with this stuff, I don't understand everything, I'm trying to learn, and all you're gonna do is just be so cynical. Please stop responding here, thanks.
And what do you want me to tell you? I just tried using both, one has full access, one doesn't. What else is there to say? I can't explain it because I have no idea why that is; that's why I asked for help...
Ummm...I want you to tell us if/why it doesn't match. That should be clear.
nslookup your_domain
Does it match?
(We need you to actually troubleshoot, as we're not at your machine...and there's not enough details. We need to actually get enough details to help you.)
You're saying you use a Public IP...then you use DDNS...but the behavior is different...DDNS should just give you the Public IP.
If the DDNS is pointing to the correct WAN IP of the router, then there is no difference.
Create a separate wg zone in the firewall, which includes the wg interface where these 3 peers connect.
Allow with a firewall rule traffic from IP of user1 to 0.0.0.0/0 in wan zone.
Allow with a firewall rule traffic from IP of user2 to subnet in lan zone.
Allow with a firewall rule traffic from IP of user3 to the IP:port in lan zone.
If you still have questions there needs to be some troubleshooting.
Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have
ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; uci export ddns; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
And...Did you run this nslookup from the phone/network having the issue?
And this IP matches the one on the OpenWrt's WAN port (not from an IP website)?
(It appears to be a PC/laptop)
(Also @trendy provided some good information and how to get configs if you weren't sure and afraid to ask. You're in good hands with him. I hope you get it worked out!)
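The nslookup-versus-WAN comparison asked for above, as an added example that is not part of the thread: it parses BusyBox nslookup and `ip -4 addr` output and reports whether the DDNS record, the WAN address, or an upstream NAT is the problem. "example.duckdns.org" and "eth0" are placeholders for your own values.

```shell
#!/bin/sh
# Added example (not from the thread): check that the DDNS name resolves to the address that is
# actually configured on the router's WAN device, the mismatch suspected above. Meant to run on
# the OpenWrt router; "example.duckdns.org" and "eth0" are placeholders for your own values.

# First IPv4 answer in nslookup output; the resolver's own "Address" line before "Name:" is skipped.
nslookup_answer() {
    printf '%s\n' "$1" | awk '
        /^Name:/ { seen_name = 1; next }
        seen_name && /^Address/ {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print $i; exit }
        }'
}

# IPv4 address, without prefix length, from "ip -4 addr show dev <dev>" output.
wan_addr() {
    printf '%s\n' "$1" | awk '$1 == "inet" { sub(/\/.*/, "", $2); print $2; exit }'
}

# 0 = match, 1 = mismatch, 2 = the WAN address is private, so another NAT sits upstream and the
# DDNS record points at that device rather than at this router (CGNAT 100.64/10 not covered).
ddns_matches_wan() {
    ddns_ip=$1; wan_ip=$2
    case $wan_ip in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*)
            echo "WAN $wan_ip is a private address: router sits behind another NAT"; return 2 ;;
    esac
    if [ "$ddns_ip" = "$wan_ip" ]; then
        echo "OK: $ddns_ip matches the WAN address"; return 0
    fi
    echo "MISMATCH: DDNS=$ddns_ip WAN=$wan_ip (check the ddns update log)"; return 1
}

# Live check on the router (needs network access):
#   ddns_matches_wan "$(nslookup_answer "$(nslookup example.duckdns.org)")" \
#                    "$(wan_addr "$(ip -4 addr show dev eth0)")"

# Constructed sample outputs, used here so the script also runs offline.
SAMPLE_NSLOOKUP='Server:    127.0.0.1
Address 1: 127.0.0.1 localhost

Name:      example.duckdns.org
Address 1: 203.0.113.10'
SAMPLE_IP_ADDR='3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    inet 203.0.113.10/24 brd 203.0.113.255 scope global eth0
       valid_lft forever preferred_lft forever'
ddns_matches_wan "$(nslookup_answer "$SAMPLE_NSLOOKUP")" "$(wan_addr "$SAMPLE_IP_ADDR")"
```

Run the live check from the router itself, not from a client, so the WAN address comes from the interface and not from an IP-lookup website.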
All the forwardings are not needed.
You can create the rules in LuCI, it is the easiest. Otherwise an example would be:
uci add firewall rule
uci set firewall.@rule[-1].name='internet'
uci set firewall.@rule[-1].family='ipv4'
uci add_list firewall.@rule[-1].proto='all'
uci set firewall.@rule[-1].src='wg'
uci add_list firewall.@rule[-1].src_ip='192.168.8.2'
uci set firewall.@rule[-1].dest='wan'
uci add_list firewall.@rule[-1].dest_ip='0.0.0.0/0'
uci set firewall.@rule[-1].target='ACCEPT'
uci add firewall rule
uci set firewall.@rule[-1].name='wg2lan'
uci set firewall.@rule[-1].family='ipv4'
uci add_list firewall.@rule[-1].proto='all'
uci set firewall.@rule[-1].src='wg'
uci add_list firewall.@rule[-1].src_ip='192.168.8.3'
uci set firewall.@rule[-1].dest='lan'
uci set firewall.@rule[-1].target='ACCEPT'
uci add firewall rule
uci set firewall.@rule[-1].name='wg2lanport'
uci set firewall.@rule[-1].family='ipv4'
uci set firewall.@rule[-1].src='wg'
uci add_list firewall.@rule[-1].src_ip='192.168.8.4'
uci set firewall.@rule[-1].dest='lan'
uci add_list firewall.@rule[-1].dest_ip='192.168.1.100'
uci set firewall.@rule[-1].dest_port='8080'
uci set firewall.@rule[-1].target='ACCEPT'
uci commit firewall
service firewall restart
192.168.8.X are the wg clients.
192.168.1.100 is a host in the lan. If no protocol is selected, then tcp+udp is assumed and I randomly selected port 8080.
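An added example, not from the thread, for auditing the per-peer rules above after a change: it parses `uci export firewall` text and prints one line per rule that lets the wg zone (the name assumed from the post) reach another zone. Only rules with a `dest` zone are forwarding rules; rules without `dest` govern traffic addressed to the router itself.

```shell
#!/bin/sh
# Added example, not from the thread: list what each WireGuard peer may reach by parsing the
# text of `uci export firewall`, so the per-peer policy above can be audited after every change.
# Assumes the zone is named 'wg' as in the post. Only rules carrying a 'dest' zone are listed
# (forwarding rules); rules without 'dest' govern traffic addressed to the router itself.
wg_peer_policy() {
    # $1: uci export text, $2: source zone (default wg)
    printf '%s\n' "$1" | awk -v zone="${2:-wg}" -v q="'" '
        function flush(   k) {
            if (type == "rule" && r["src"] == zone && r["dest"] != "")
                printf "%s: %s -> zone %s ip %s port %s proto %s (%s)\n", r["name"], r["src_ip"],
                    r["dest"], (r["dest_ip"] == "" ? "any" : r["dest_ip"]),
                    (r["dest_port"] == "" ? "any" : r["dest_port"]),
                    (r["proto"] == "" ? "tcpudp" : r["proto"]), r["target"]
            for (k in r) delete r[k]
            type = ""
        }
        $1 == "config" { flush(); type = $2; next }
        $1 == "option" || $1 == "list" {
            key = $2; val = $0
            sub(/^[ \t]*(option|list)[ \t]+[^ \t]+[ \t]+/, "", val)   # keep only the value
            if (substr(val, 1, 1) == q) val = substr(val, 2, length(val) - 2)
            r[key] = (r[key] == "" ? val : r[key] " " val)            # list entries accumulate
        }
        END { flush() }'
}

# Constructed sample in the format uci export produces (two of the three rules from the post).
SAMPLE_FIREWALL="package firewall

config rule
    option name 'internet'
    list proto 'all'
    option src 'wg'
    list src_ip '192.168.8.2'
    option dest 'wan'
    list dest_ip '0.0.0.0/0'
    option target 'ACCEPT'

config rule
    option name 'wg2lanport'
    option src 'wg'
    list src_ip '192.168.8.4'
    option dest 'lan'
    list dest_ip '192.168.1.100'
    option dest_port '8080'
    option target 'ACCEPT'"
# On the router: wg_peer_policy "$(uci export firewall)"
wg_peer_policy "$SAMPLE_FIREWALL"
```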
Thank you very much, this is just ready to go, working perfectly. Thank you very much again man, I spent so much time trying to Google a solution, when I should have just asked right away. This is just perfect.
I'd have one last question, because I finally set up everything like I wanted and everything works, just one thing: the 'wg2lanport' setting, only for ports, still gives access to the router GUI "192.168.1.1". Is there a way to block this off too? If not, that's not the biggest deal, but it would be nice, just in case.
Also, if it's not a problem, could you maybe give me one more example of how to reach peer2's network (also on OpenWrt, not yet set up) from peer1? I'm assuming the rule 'internet' would work on peer2, but what rule would I have to make on the server to pass through, and would the server have access to peer2's network too?