Wireguard server with GeoIP

Installing and Using OpenWrt Network and Wireless Configuration
1

Hello folks,
I deployed OpenWRT on my new Xiaomi AX3200 wireless router.
I replaced the original firmware with OpenWRT 23.05.05 and I am not facing issues right now.

I decided to enable remote access to my LAN, so I installed Wireguard server.
I would permit wireguard vpn access just from my home country.
How can reach this goal?
I installed banip package, but I am failing concerning configuration.

This is my scenario:

ISP Router {.1} --- ethernet cable [192.168.1.0/24] --- {.2} OpenWRT Router

ISP router forwards UDP 51820 traffic from its wan interface to its lan interface using port-forwarding.
OpenWRT manages LAN network 192.168.99.0/24

I cannot remove ISP router and I currently cannot route a public subnet to OpenWRT WAN interface.

Can I limit wireguard access just from specific country?

Thanks for your help!

2

BanIP supports use of GeoIP ipsets, but they might not be accurate and find yourself locked out.
In any case you can try it buy blocking all other countries.

1 Like
3

Hello,
Can I set geo-ip filtering just for a specific port-forwarding policy?

I need to deploy 2 port-forwarding rules:

  1. wireguard --> just from specific country
  2. web server --> anyone

Some tip for me?
Should I use a different software package than "banIP"?

Alternatively, I will have to apply all public subnets assigned to ISPs in the country of interest to the port-forwarding rule.
For example, these two servicesa may be a source from which to download a list of public IP subnets:

Thanks

4

Hello,
I will quick describe how I solved my request just using nftables firewall installed by default in OpenWRT (I understood OpenWRT is using nftables instead of iptables nowdays).

My goals are:

  • Let's set up two port-forwarding rules so far (Network > Firewall > Port Forwards).

  • Permit WireGuard connections just from remote peers located in my homecountry

  • Permit webserver connections from all over the world

image
image897×486 41.3 KB

I assume I have already deployed port forwards rules.

Let define an IPSet called "IP-My-Country":

  1. Let download ISP subnet list of my homecountry using this web service ipv4.fetus.jp.

  2. Let delete some lines written on the top of this file, in this way I copied just the ISP subnets list

    image
    image750×564 47.2 KB

  3. Let copy this txt file from our PC to our OpenWRT router via SCP.
    I will copy this text file to "/etc" system path.

  4. Let connect to our OpenWRT router via SSH and follow instructions below:

Create a copy of firewall configuration file as backup: cp /etc/config/firewall /etc/config/firewall_old

Then, let create an new "ipset" object within the "firewall" file.
Please you have to employee these lines before the first firewall rules.

config ipset
    option name 'IP-My-Country'
	option match 'src_net'
	option enabled '1'
	option loadfile '/etc/my_txt_file.txt'

Save this the edited /etc/config/firewall file, restart/reload firewall service or reboot the router.

/etc/init.d/firewall restart --> firewall service restart
*/etc/init.d/firewall reload * --> firewall configurations reload

Finally I applied this ipset inside wireguard server port-forwarding rule as shown
(Network > Firewall > Port Forwards > pickup the forwarding rule > Advanced Settings > "Use ipset" > let choose your ipset created before)

image
image897×333 26 KB

Finally I saved all changes using the web interfaces and I rebooted my router.

In this way, port-forwarding for the WG server will work just for the set of IP addresses within the ipset.

OpenWRT IPSET KB: https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_config_ipset

Regards

5

Since the WG server is running on the OpenWrt, you don't need a port forward, rather a traffic rule to allow incoming traffic to port 51820.
Other than that, any change in the IPs not updated in the file or not tracked by the service you are using will keep you out of the VPN.

6

Hello @trendy ,

Since the WG server is running on the OpenWrt, you don't need a port forward, rather a traffic rule to allow incoming traffic to port 51820.

I understood your point of view (and I agree with you).

I found different guides about WG deployment (this is an example: https://www.ivpn.net/setup/router/openwrt-wireguard/).
I understood that it is necessary create/edit zone and port-forwarding.
In any case I am open to change settings, so avoid to set-up port-forwarding concerning Wireguard VPN server :grinning:

Other than that, any change in the IPs not updated in the file or not tracked by the service you are using will keep you out of the VPN.

I will create a script to automate this update process.
I will work on this project soon.

Regards

7

This is a different use case than yours.
Your scenario is described here:
https://openwrt.org/docs/guide-user/services/vpn/wireguard/server

8

Hi,
thanks for your tip!
I will update this configuration.
Unfortunatelly I cannot change my setting soon.

Regards
Federico

1 Like
9

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.