Restricting Wireguard server client access to the router

Yes, if it's not too much trouble for you.
Before we create files for persistence, if you log in over ssh and execute this line
Code:
iptables -D WGSI -i wgs1 -j ACCEPT
It should not give any output if it works.
Then test if all that should work over wg is working and you get the effect you want. Just be careful, any config change on the router will undo this so just do this and then test.

If this gets the job done let me know and we make it stick.

Note: this will prevent any access from wg to the router, so even dns will not work anymore.
 
Of course, it's not using the tunnel anymore if AllowedIPs (client) is limited to the wg subnet. All other data would not use the tunnel at all. I'm assuming the OP wants internet via his router as that would be the only reason left.
The Wireguard client installed on the smartphone doesn't have an option for Allowed IPs. I assume this option doesn't change anything on the server itself, and is merely informative for the client. In other words, the client can change this option at its own discretion (without consulting the server). But perhaps I'm mistaken.
 
The Wireguard client installed on the smartphone doesn't have an option for Allowed IPs. I assume this option doesn't change anything on the server itself, and is merely informative for the client. In other words, the client can change this option at its own discretion (without consulting the server). But perhaps I'm mistaken.
Hmm, ok. Using non-official apps? And you are right, it wouldn't be secure from user tampering. The AllowedIPs at the client is meant to tell the client which destination IPs go over the tunnel and which should not. But there is only a set of AllowedIPs, you cannot exclude an IP. So if you want ALL IPs except a specific subnet it would be messy.
 
Using non-official apps?
I'm forced to use the v2rayNG client. It allows me to connect to a proxy VPS server (which allows internet access during cellular operator restrictions—we call them "whitelists"). It's in turn connected to my router, which is in turn connected to another VPS (which has access to the internet). Something like that.
 
A small addition. I currently have domain_vpn_routing installed on my router: https://github.com/Ranger802004/asusmerlin
Will this affect its operation? Is there anything I should check before making changes?
Depends on how it is setup to be used. The only thing that could matter is if you need dns lookup on the router (from wg server connected clients) for it to work.
"Allow DNS" options are disabled.
If this is your intended operation you should be good. We are not affecting any lan operation or any routing stuff.

Try it out with the command. If anything is not working just run the command again but change -D to -A and it will be back to normal
 
The only thing that could matter is if you need dns lookup on the router (from wg server connected clients) for it to work.
There is no need for this yet.
iptables -D WGSI -i wgs1 -j ACCEPT
After running this command, everything worked. Access to the disk was lost, as was access to the Transmission client. How can I make this command run after a reboot? /jffs/scripts/firewall-start ?
 
The Wireguard client installed on the smartphone doesn't have an option for Allowed IPs.
The Android Wireguard has an Allowed IPs section.

[Attachments: Screenshot.png, PeerEdit.jpg]
 
Of course, it's not using the tunnel anymore if AllowedIPs (client) is limited to the wg subnet. All other data would not use the tunnel at all. I'm assuming the OP wants internet via his router as that would be the only reason left.
Yep, not having internet traffic through the VPN tunnel to the router's WAN port would be an issue. 😆

The problem appears to be with the Access Intranet option in WireGuard Server. When disabled while Wireguard clients might not be able to access other intranet clients they can still access the router and any USB device attached to the router. At least that's what happens for me on a RT-!X86U Pro.
 
The Android Wireguard has an Allowed IPs section.
That's correct. And you (as the client) have the right to enter whatever you want there. If your smartphone falls into the wrong hands, it will lead to access to your router and other devices on your network. The only difference for me is that instead of a smartphone, I'm forced to use a VPS, which, by default, is in the wrong hands.
 
A small addition. I currently have domain_vpn_routing installed on my router:
Perhaps step back for a second and list out everything you are running on the router. List out all of your VPN Director settings as well. List the specific WireGuard app (its developer) on your smartphone.
 
How can I make this command run after a reboot? /jffs/scripts/firewall-start ?
No, that would not be reliable as the firewall rebuilds itself every now and then and not when wg-server is started.

We would need to do this in wgserver-start

First you need to turn on userscripts in the gui (Administration -> system)

Then edit the file executed when wg server starts
Code:
nano /jffs/scripts/wgserver-start
This will open the nano text editor with a blank document.

Paste in
Code:
#!/bin/sh

#remove firewall rule to allow wgs1 access to router:
iptables -D WGSI -i wgs1 -j ACCEPT

#prevent this rule from being re-added:
sed -i '/iptables -A WGSI -i wgs1 -j ACCEPT/d' /etc/wg/fw_wgs1.sh
Save and exit (CTRL+x, y [enter])

Make the file executable:
Code:
chmod +x /jffs/scripts/wgserver-start
Do this, then stop and restart your server and verify it is as intended.
Please also go into ssh and run
Code:
cat /etc/wg/fw_wgs1.sh
and make sure the command
Code:
iptables -A WGSI -i wgs1 -j ACCEPT
Is no longer in the list of commands to be reapplied on firewall rebuild.
 
and make sure the command
iptables -A WGSI -i wgs1 -j ACCEPT
Code:
iptables -t nat -A LOCALSRV -p udp --dport 51820 -j ACCEPT
iptables -A WGSI -p udp --dport 51820 -j ACCEPT
ip6tables -A WGSI -p udp --dport 51820 -j ACCEPT
ip6tables -A WGSI -i wgs1 -j ACCEPT
iptables -t mangle -I PREROUTING -i wgs1 -j MARK --or 0x1
iptables -t mangle -I POSTROUTING -o wgs1 -j MARK --or 0x1
ip6tables -t mangle -I PREROUTING -i wgs1 -j MARK --or 0x1
ip6tables -t mangle -I POSTROUTING -o wgs1 -j MARK --or 0x1
My ip6tables entry differs from the expected iptables entry. But access to router resources via the Wireguard server client has been interrupted. Should we leave it as is?
 
My ip6tables entry differs from the expected iptables entry. But access to router resources via the Wireguard server client has been interrupted. Should we leave it as is?
Depends, and up to you. I didn't know you had IPv6 enabled. So, right now the firewall allows IPv6 from Wireguard Server to the router but not IPv4. If you are not using IPv6 over your VPS then it shouldn't matter.

but just for the sake of:
/jffs/scripts/wgserver-start
Code:
#!/bin/sh

#remove firewall rule to allow wgs1 access to router:
iptables -D WGSI -i wgs1 -j ACCEPT
ip6tables -D WGSI -i wgs1 -j ACCEPT

#prevent this rule from being re-added:
sed -i '/iptables -A WGSI -i wgs1 -j ACCEPT/d' /etc/wg/fw_wgs1.sh
sed -i '/ip6tables -A WGSI -i wgs1 -j ACCEPT/d' /etc/wg/fw_wgs1.sh

You can just edit the file with the updates. Save and exit. Restart the WG server and check again.
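An idempotent variant of the wgserver-start script worked out in this post and the earlier one (the single `iptables -D` test, then the IPv4 and IPv6 versions of the script), added here as an example; it is not the thread's own script nor part of Asuswrt-Merlin. It assumes the chain name WGSI, the interface wgs1 and the file /etc/wg/fw_wgs1.sh as shown in the thread, and that the router's iptables supports `-C` (rule existence check). The FW_SCRIPT variable and the WGS_DRY_RUN guard are my additions so the file-editing helpers can be exercised on a copy of the firewall script without touching live rules.

```shell
#!/bin/sh
# Added example: idempotent /jffs/scripts/wgserver-start that removes the
# "allow wgs1 -> router" rule and keeps it from being re-added on firewall
# rebuild. Assumptions: chain WGSI, interface wgs1, script /etc/wg/fw_wgs1.sh
# (all from the thread); FW_SCRIPT / WGS_DRY_RUN are this example's own knobs.

FW_SCRIPT="${FW_SCRIPT:-/etc/wg/fw_wgs1.sh}"
WG_IF="wgs1"
CHAIN="WGSI"

# Delete the ACCEPT line for one binary ($1 = iptables|ip6tables) from the
# firewall script $2. The pattern is anchored to the whole line so the
# "udp --dport 51820" and mangle MARK lines in the same file are left alone.
strip_accept_rule() {
    sed -i "/^$1 -A $CHAIN -i $WG_IF -j ACCEPT\$/d" "$2"
}

# Exit 0 if file $2 still contains the ACCEPT line for binary $1.
file_has_accept_rule() {
    grep -q "^$1 -A $CHAIN -i $WG_IF -j ACCEPT\$" "$2"
}

# Print how many of the two ACCEPT lines (IPv4 + IPv6) remain in file $1.
remaining_accept_rules() {
    n=0
    for bin in iptables ip6tables; do
        file_has_accept_rule "$bin" "$1" && n=$((n + 1))
    done
    echo "$n"
}

# Delete the live rule only when it exists (-C checks without changing
# anything), so rerunning the script never produces "Bad rule" errors.
drop_live_rule() {
    if "$1" -C "$CHAIN" -i "$WG_IF" -j ACCEPT 2>/dev/null; then
        "$1" -D "$CHAIN" -i "$WG_IF" -j ACCEPT
    fi
}

# Full procedure from the thread, for both address families.
apply_all() {
    for bin in iptables ip6tables; do
        drop_live_rule "$bin"
        strip_accept_rule "$bin" "$FW_SCRIPT"
    done
}

# The firmware runs this file with no arguments when the WG server starts.
# Only touch live rules on a box that actually has the firewall script.
if [ "${WGS_DRY_RUN:-0}" != "1" ] && command -v iptables >/dev/null 2>&1 \
   && [ -f "$FW_SCRIPT" ]; then
    apply_all
fi
```

After a server restart, `iptables -nvL WGSI` should list no ACCEPT for wgs1 and `remaining_accept_rules /etc/wg/fw_wgs1.sh` should print 0; the `-C` check is what makes a second run (or a manual rerun after the firewall rebuilds) harmless.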
 
I didn't know you had IPv6 enabled.
It is disabled by default in the router settings.
restart the WG server and check again.
Now everything worked out.
Code:
iptables -t nat -A LOCALSRV -p udp --dport 51820 -j ACCEPT
iptables -A WGSI -p udp --dport 51820 -j ACCEPT
ip6tables -A WGSI -p udp --dport 51820 -j ACCEPT
iptables -t mangle -I PREROUTING -i wgs1 -j MARK --or 0x1
iptables -t mangle -I POSTROUTING -o wgs1 -j MARK --or 0x1
ip6tables -t mangle -I PREROUTING -i wgs1 -j MARK --or 0x1
ip6tables -t mangle -I POSTROUTING -o wgs1 -j MARK --or 0x1

And another question: was it possible to make prohibition commands?

Code:
#!/bin/sh
iptables -I WGSI 1 -i wgs1 -j DROP
ip6tables -I WGSI 1 -i wgs1 -j DROP
 
And another question: was it possible to make prohibition commands?
Sure, but there is really no need. The firewall is built up by dropping everything last, then on top of it allowing whatever should be allowed. Now we removed the firewall rule that would allow wgs1 to access the router, so this means it will be dropped by the firewall.

Any specific reason you would want to add these?

If you want to look at the firewall rules for the INPUT chain, filter table, you can just:
Code:
iptables -nvL FORWARD
and to follow into custom chains, for example:
Code:
iptables -nvL WGSI
 
