Preventing router access to a WireGuard client

Yes, if it's not too much trouble for you.
Before we create files for persistence, if you log in over ssh and execute this line
Code:
iptables -D WGSI -i wgs1 -j ACCEPT
It should not give any output if it works.
Then test if all that should work over wg is working and you get the effect you want. Just be careful, any config change on the router will undo this so just do this and then test.

If this gets the job done let me know and we make it stick.

Note: this will prevent any access from wg to the router, so even dns will not work anymore.
 
Of course, it's not using the tunnel anymore if AllowedIPs (client) is limited to the wg subnet. All other data would not use the tunnel at all. I'm assuming the OP wants internet via his router as that would be the only reason left.
The Wireguard client installed on the smartphone doesn't have an option for Allowed IPs. I assume this option doesn't change anything on the server itself, and is merely informative for the client. In other words, the client can change this option at its own discretion (without consulting the server). But perhaps I'm mistaken.
 
The Wireguard client installed on the smartphone doesn't have an option for Allowed IPs. I assume this option doesn't change anything on the server itself, and is merely informative for the client. In other words, the client can change this option at its own discretion (without consulting the server). But perhaps I'm mistaken.
Hmm, ok. Using non-official apps? And you are right, it wouldn't be secure from user tampering. The AllowedIP at the client is meant to tell the client which destination IPs go over the tunnel and which should not. But there is only a set of AllowedIPs, you cannot exclude an IP. So if you want ALL IPs except a specific subnet it would be messy.
 
Using non-official apps?
I'm forced to use the v2rayNG client. It allows me to connect to a proxy VPS server (which allows internet access during cellular operator restrictions—we call them "whitelists"). It's in turn connected to my router, which is in turn connected to another VPS (which has access to the internet). Something like that.
 
A small addition. I currently have domain_vpn_routing installed on my router: https://github.com/Ranger802004/asusmerlin
Will this affect its operation? Is there anything I should check before making changes?
Depends on how it is setup to be used. The only thing that could matter is if you need dns lookup on the router (from wg server connected clients) for it to work.
"Allow DNS" options are disabled.
If this is your intended operation you should be good. We are not affecting any lan operation or any routing stuff.

Try it out with the command. If anything is not working just run the command again but change -D to -A and it will be back to normal
 
The only thing that could matter is if you need dns lookup on the router (from wg server connected clients) for it to work.
There is no need for this yet.
iptables -D WGSI -i wgs1 -j ACCEPT
After running this command, everything worked. Access to the disk was lost, as was access to the Transmission client. How can I make this command run after a reboot? /jffs/scripts/firewall-start ?
 
The Wireguard client installed on the smartphone doesn't have an option for Allowed IPs.
The Android Wireguard has an Allowed IP's section.

 
Of course, it's not using the tunnel anymore if AllowedIPs (client) is limited to the wg subnet. All other data would not use the tunnel at all. I'm assuming the OP wants internet via his router as that would be the only reason left.
Yep, not having internet traffic through the VPN tunnel to the router's WAN port would be an issue. 😆

The problem appears to be with the Access Intranet option in WireGuard Server. When it is disabled, WireGuard clients might not be able to access other intranet clients, but they can still access the router and any USB device attached to the router. At least that's what happens for me on an RT-AX86U Pro.
 
The Android Wireguard has an Allowed IP's section.
That's correct. And you (as the client) have the right to enter whatever you want there. If your smartphone falls into the wrong hands, it will lead to access to your router and other devices on your network. The only difference for me is that instead of a smartphone, I'm forced to use a VPS, which, by default, is in the wrong hands.
 
A small addition. I currently have domain_vpn_routing installed on my router:
Perhaps step back for a second and list out everything you are running on the router. List out all of your VPN Director settings as well. List the specific WireGuard app (its developer) on your smartphone.
 
How can I make this command run after a reboot? /jffs/scripts/firewall-start ?
No, that would not be reliable as the firewall rebuilds itself every now and then and not when wg-server is started.

We would need to do this in wgserver-start

First you need to turn on userscripts in the gui (Administration -> system)

Then edit the file executed when wg server starts
Code:
nano /jffs/scripts/wgserver-start
This will open the nano text editor with a blank document.

Paste in
Code:
#!/bin/sh

#remove firewall rule to allow wgs1 access to router:
iptables -D WGSI -i wgs1 -j ACCEPT

#prevent this rule from being re-added:
sed -i '/iptables -A WGSI -i wgs1 -j ACCEPT/d' /etc/wg/fw_wgs1.sh
Save and exit (CTRL+x, y [enter])

Make the file executable:
Code:
chmod +x /jffs/scripts/wgserver-start
Do this, then stop and restart your server and verify it is as intended.
Please also go into ssh and run
Code:
cat /etc/wg/fw_wgs1.sh
and make sure the command
Code:
iptables -A WGSI -i wgs1 -j ACCEPT
is no longer in the list of commands to be reapplied on firewall rebuild.
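An idempotent variant of that hook, added here as an example and not the poster's script: it assumes the names from the thread (chain WGSI, interface wgs1, the regeneration script /etc/wg/fw_wgs1.sh), that the router's iptables supports the -C rule check, and it only acts when that script file exists. Unlike the short version it removes duplicate copies of the rule, verifies the result and logs it to syslog.

```shell
#!/bin/sh
# Added example, not the forum poster's script: an idempotent wgserver-start hook.
# Assumes the names from the thread (chain WGSI, interface wgs1, regeneration
# script /etc/wg/fw_wgs1.sh) and that iptables supports -C (rule check).
IPT="${IPT:-iptables}"
FW_SCRIPT="${FW_SCRIPT:-/etc/wg/fw_wgs1.sh}"
RULE_RE='iptables -A WGSI -i wgs1 -j ACCEPT'

# Delete every copy of the ACCEPT rule; a single "iptables -D" removes only one,
# so a duplicate left by an earlier run would otherwise keep the access open.
drop_wgs1_accept() {
    WGSI_REMOVED=0
    while "$IPT" -C WGSI -i wgs1 -j ACCEPT 2>/dev/null; do
        "$IPT" -D WGSI -i wgs1 -j ACCEPT || break
        WGSI_REMOVED=$((WGSI_REMOVED + 1))
    done
}

# Strip the rule from the regeneration script so a firewall rebuild cannot restore it.
strip_from_fw_script() {
    [ -f "$FW_SCRIPT" ] || return 0
    sed -i "/$RULE_RE/d" "$FW_SCRIPT"
}

# Succeeds only when neither the live chain nor the regeneration script still
# lets wgs1 traffic reach the router itself.
verify_blocked() {
    "$IPT" -C WGSI -i wgs1 -j ACCEPT 2>/dev/null && return 1
    [ -f "$FW_SCRIPT" ] && grep -q "$RULE_RE" "$FW_SCRIPT" && return 1
    return 0
}

# Only act on a router where the WireGuard server firewall script exists.
if [ -f "$FW_SCRIPT" ]; then
    drop_wgs1_accept
    strip_from_fw_script
    if verify_blocked; then
        logger -t wgserver-start "removed $WGSI_REMOVED wgs1->router ACCEPT rule(s); rule absent from $FW_SCRIPT"
    else
        logger -t wgserver-start "WARNING: wgs1->router ACCEPT rule still present"
    fi
fi
```

Install it as /jffs/scripts/wgserver-start in place of the shorter version, restart the server and check `iptables -S WGSI` and `cat /etc/wg/fw_wgs1.sh` as described above.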
 