Firewall Rules ovpn and wireguard

Hello guys,
I’ve just set up wireguard and open vpn on my ar750s.
I was trying to setup firewall rules for the vpn connections but every time I disconnect and reconnect the rules are erased and I have to set them back again.
In particular, whenever I reconnect to wireguard or ovpn these are the rules:


And I have to change them to these every time:

Now, my question is: is this a bug or is it supposed to work like that?
Thank you in advance!!

Yes, it is supposed to work like this!

I, like you, think your rules are more correct and secure (maybe GL can comment?)

To make changes and have them hold on reboot, edit the following:

/etc/init.d/wireguard

then make your changes under

wireguard_add_firewall()
{
#zone
uci set firewall.wireguard.input
uci set firewall.wireguard.forward

(Edit: for ovpn it’s this file: /etc/init.d/startvpn)

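One way to script the zone change Happi describes, as an added example that is not code from this thread or from the GL.iNet firmware: it sets the input and forward policy of the VPN zone to the values the rest of the thread recommends (inbound dropped, forwarding rejected) and commits them. The zone name 'wireguard' is the one the quoted firmware script uses; the function names, the DRY_RUN switch and the default policies are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the GL.iNet firmware: set the firewall
# policy of a VPN zone the way the thread recommends (inbound dropped,
# forwarding rejected) instead of leaving everything on ACCEPT.
# Assumptions: the zone is named 'wireguard' as in the firmware script quoted
# above; the function names, the DRY_RUN switch and the default policies are
# this example's own choices.

# The OpenWrt firewall only accepts these three zone policies.
valid_policy() {
    case "$1" in
        ACCEPT|REJECT|DROP) return 0 ;;
        *) return 1 ;;
    esac
}

# Print, one per line, the uci commands that would be run for one zone.
# Usage: vpn_zone_policy ZONE INPUT_POLICY FORWARD_POLICY
vpn_zone_policy() {
    zone="$1"; input="$2"; forward="$3"
    valid_policy "$input"   || { echo "invalid input policy: $input" >&2; return 1; }
    valid_policy "$forward" || { echo "invalid forward policy: $forward" >&2; return 1; }
    printf "uci set firewall.%s.input='%s'\n" "$zone" "$input"
    printf "uci set firewall.%s.forward='%s'\n" "$zone" "$forward"
}

# Apply the policy, then commit and reload the firewall. With DRY_RUN=1 the
# commands are only printed, so the function also runs on a host without uci.
apply_vpn_zone_policy() {
    zone="${1:-wireguard}"; input="${2:-DROP}"; forward="${3:-REJECT}"
    # Validate first so a typo never reaches uci.
    vpn_zone_policy "$zone" "$input" "$forward" >/dev/null || return 1
    if [ "${DRY_RUN:-0}" = "1" ]; then
        vpn_zone_policy "$zone" "$input" "$forward"
        return 0
    fi
    uci set "firewall.$zone.input=$input" &&
    uci set "firewall.$zone.forward=$forward" &&
    uci commit firewall &&
    /etc/init.d/firewall reload
}
```

Calling `apply_vpn_zone_policy` from inside `wireguard_add_firewall()` in /etc/init.d/wireguard (or the OpenVPN equivalent in /etc/init.d/startvpn) has the same effect as editing the `uci set` lines there by hand, and the policy is then re-applied on every connect rather than reverting to ACCEPT. Try `DRY_RUN=1 sh -c '. ./vpnzone.sh; apply_vpn_zone_policy'` first to see the exact commands before touching the router.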

I was wondering the same actually

Thank you @Happi!! That’s exactly what I was trying to achieve. You spared me some trouble every time I have to connect to my vpn connection.
Anyway, I think that dropping inbound connections and rejecting forwarding is significantly safer than having everything on “accept”.


Anyone from GL care to comment?

Seeing that you're online @alzhao, perhaps you could chime in?

Thanks. I'm actually waiting for @luochongjun to have a look.


Your way is right, it’s a safer way to work.
@Nimoc, as @Happi says, you can change the default rule by modifying the /etc/init.d/wireguard file.
We will adjust the default rules in the next version of the firmware.

Thank you kindly, Sir!

While you are there, may I ask you also consider disabling masquerading on the WAN interface (when VPN active).

Also, I think it would be a lot better to change the way you set the firewall rules in your scripts, as this causes a lot of confusion if looking at these in LUCI.
For example, look at the image of my settings -

It shows a guestzone even though I never use the guest network.
It shows forwarding from LAN to WAN, even though I always use VPN AND have the kill-switch enabled.

In my opinion, it would therefore be better to delete and insert firewall rules in their entirety instead of simply changing the setting "enabled=1 to enabled=0" in your scripts.

Thanks for your consideration.
Happi

What’s the reason for that?
If masquerading is disabled, port forwarding and VPN policy may become invalid.

Firewall rules are configured in the script to ensure that even if the firewall is modified by other programs, as long as the VPN goes up and down, the firewall configuration can be restored.
For most users, they don’t know how to configure the firewall.

This is recommended in many VPN provider guides. I always do it manually and have never had a problem with it.
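A way to see the state Happi describes (sections that are present in the config but switched off with enabled='0', and which zones masquerade) without reading through LuCI, as an added example rather than anything from the thread or the firmware: it summarises the zone and forwarding sections of `uci show firewall` output. The sample config embedded below is constructed for this example and only loosely mirrors the screenshots discussed above; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread or the GL.iNet firmware: summarise the
# zones and forwardings of an OpenWrt firewall config so that sections that are
# present but disabled (enabled='0') and masquerading zones stand out.
# Input format is that of `uci show firewall`; the sample below is constructed
# for this example and is not a dump from a real router.

FIREWALL_SAMPLE="firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[2]=zone
firewall.@zone[2].name='guestzone'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].forward='REJECT'
firewall.@zone[2].enabled='0'
firewall.wireguard=zone
firewall.wireguard.name='wireguard'
firewall.wireguard.input='DROP'
firewall.wireguard.forward='REJECT'
firewall.wireguard.masq='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[0].enabled='0'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='lan'
firewall.@forwarding[1].dest='wireguard'"

# Read `uci show firewall` lines on stdin; print one line per zone/forwarding.
# Absent options print as 'unset', except masq (defaults to 0) and enabled
# (defaults to 1: a section without an enabled option is active).
summarize_firewall() {
    awk '
    {
        line = $0; sub(/^firewall\./, "", line)
        eq = index(line, "="); if (eq == 0) next
        key = substr(line, 1, eq - 1); val = substr(line, eq + 1)
        gsub("\047", "", val)                  # strip the quotes uci adds
        dot = index(key, ".")
        if (dot == 0) { type[key] = val; order[++n] = key; next }   # section line
        sec = substr(key, 1, dot - 1); opt = substr(key, dot + 1)
        v[sec, opt] = val
    }
    function get(s, o, d) { return ((s, o) in v) ? v[s, o] : d }
    END {
        for (i = 1; i <= n; i++) {
            s = order[i]
            if (type[s] == "zone")
                printf "zone %s: input=%s forward=%s masq=%s enabled=%s\n",
                    get(s, "name", "unset"), get(s, "input", "unset"),
                    get(s, "forward", "unset"), get(s, "masq", "0"), get(s, "enabled", "1")
            else if (type[s] == "forwarding")
                printf "forwarding %s->%s: enabled=%s\n",
                    get(s, "src", "unset"), get(s, "dest", "unset"), get(s, "enabled", "1")
        }
    }'
}

# Only the sections that exist in the config but are switched off.
disabled_sections() {
    summarize_firewall | grep 'enabled=0' || true
}

# Zones that NAT their outbound traffic.
masquerading_zones() {
    summarize_firewall | grep '^zone .* masq=1' || true
}
```

On the router, `uci show firewall | summarize_firewall` gives the live picture; `printf '%s\n' "$FIREWALL_SAMPLE" | disabled_sections` on the constructed sample lists the guest zone and the LAN-to-WAN forwarding, which is exactly the "present but disabled" state that makes the LuCI view confusing.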