Hello guys,
I’ve just set up wireguard and open vpn on my ar750s.
I was trying to setup firewall rules for the vpn connections but every time I disconnect and reconnect the rules are erased and I have to set them back again.
In particular, whenever I reconnect to wireguard or ovpn these are the rules:
Thank you @Happi!! That’s exactly what I was trying to achieve. You spared me some trouble every time I have to connect to my vpn connection.
Anyway, I think that dropping inbound connections and rejecting forwarding is significantly safer than having everything on “accept”.
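To make the difference concrete, here is an added illustration (not from any post in this thread, nor GL.iNet's own script) of how the two choices look as a zone in OpenWrt's /etc/config/firewall; the zone and network name `wgclient` is assumed, as is the `lan` zone name.

```text
# Permissive default being discussed: everything on ACCEPT.
# Any host reachable through the tunnel may connect to the router
# itself (input) and be forwarded into other zones (forward).
config zone
    option name     'wgclient'
    option input    'ACCEPT'
    option output   'ACCEPT'
    option forward  'ACCEPT'
    option masq     '1'
    option mtu_fix  '1'
    list   network  'wgclient'

# Hardened variant suggested above: traffic initiated from the tunnel
# toward the router is dropped, and traffic arriving from the tunnel
# is not forwarded on to other zones. Outbound (output) stays ACCEPT,
# so replies to LAN-initiated connections still flow back normally.
config zone
    option name     'wgclient'
    option input    'DROP'
    option output   'ACCEPT'
    option forward  'REJECT'
    option masq     '1'
    option mtu_fix  '1'
    list   network  'wgclient'

# Explicit one-way forwarding rule: LAN clients may send traffic into
# the tunnel; there is deliberately no matching wgclient -> lan entry.
config forwarding
    option src      'lan'
    option dest     'wgclient'
```

Only one of the two `config zone` stanzas should be present at a time; after editing, `/etc/init.d/firewall restart` reloads the rules, and the result can be checked in LuCI under Network > Firewall.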
Your way is right, it’s a safer way to work. @Nimoc, as @Happi says, you can change the default rule by modifying the /etc/init.d/wireguard file.
We will adjust the default rules in the next version of the firmware.
While you are there, may I ask you to also consider disabling masquerading on the WAN interface (when VPN active).
Also, I think it would be a lot better to change the way you set the firewall rules in your scripts, as this causes a lot of confusion if looking at these in LUCI.
For example, look at the image of my settings -
It shows a guestzone even though I never use the guest network.
It shows forwarding from LAN to WAN, even though I always use VPN AND have the kill-switch enabled.
In my opinion, it would therefore be better to delete and insert firewall rules in their entirety instead of simply changing the setting “enabled=1 to enabled=0” in your scripts.
What’s the reason for that?
If masquerading is disabled, port forwarding and VPN policy may become invalid.
Firewall rules are configured in the script to ensure that even if the firewall is modified by other programs, the firewall configuration can be restored whenever the VPN goes up or down.
Most users don’t know how to configure the firewall.