Firewall Rules ovpn and wireguard

Nimoc · 2020-05-17T21:48:31.005Z

Hello guys,
I’ve just set up wireguard and open vpn on my ar750s.
I was trying to setup firewall rules for the vpn connections but every time I disconnect and reconnect the rules are erased and I have to set them back again.
In particular, whenever I reconnect to wireguard or ovpn these are the rules:

Annotazione 2020-05-17 2346101416×103 14.4 KB

And I have to change them to these every time:

Annotazione 2020-05-17 2255491432×130 15.4 KB

Now, my question is: is this a bug or it is supposed to work like that?
Thank you in advance!!

Happi · 2020-05-18T07:59:02.264Z

Yes, it is supposed to work like this!

I, like you, think your rules are more correct and secure (maybe GL can comment?)

To make changes and have them hold on reboot, edit the following:

/etc/init.d/wireguard

then make your changes under

wireguard_add_firewall()
{
#zone
uci set firewall.wireguard.input
uci set firewall.wireguard.forward

(Edit: for ovpn it’s this file: /etc/init.d/startvpn)

chromebook · 2020-05-18T09:15:23.572Z

Happi:

I, like you, think your rules are more correct and secure (maybe GL can comment?)

I was wondering the same actually

Nimoc · 2020-05-18T10:27:13.400Z

Thank you @Happi!! That’s exactly what I was trying to achieve. You spared me some trouble every time I have to connect to my vpn connection.
Anyway, I think that dropping inbound connections and rejecting forwarding is significantly safer than having everything on “accept”.

Happi · 2020-05-19T14:40:04.735Z

Nimoc:

Anyway, I think that dropping inbound connections and rejecting forwarding is significantly safer than having everything on “accept”.

Anyone from GL care to comment?

chromebook · 2020-05-20T15:05:33.982Z

Happi:

Anyone from GL care to comment?

Seeing that your online @alzhao perhaps you could chime in?

alzhao · 2020-05-20T15:06:21.767Z

Thanks. I actually waiting @robotluo to have a look.

robotluo · 2020-05-21T01:36:46.361Z

Your way is right, it’s a safer way to work.
@Nimoc ,As @Happi says, you can change the default rule by modifying the /etc/init.d/wireguard file.
We will adjust the default rules in the next version of the firmware.

Happi · 2020-05-21T20:12:34.212Z

Thank you kindly, Sir!

While you are there, may I ask you also consider disabling masquerading on the WAN interface (when VPN active).

Also, I think it would be a lot better to change the way you set the firewall rules in your scripts, as this causes a lot of confusion if looking at these in LUCI.
For example, look at the image of my settings -

Capture1011×372 22.5 KB

It shows a guestzone even though I never use the guest network.
It shows forwarding from LAN to WAN, even though I use always use VPN AND have the kill-switch enabled.

In my opinion, it would therefore be better to delete and insert firewall rules in their entirety instead of simple changing the setting “enabled=1 to enabled=0” in your scripts.

Thanks for you consideration.
Happi

robotluo · 2020-05-22T01:46:20.456Z

Happi:

consider disabling masquerading on the WAN

What’s the reason for that?
If masquerading is disabled, port forwarding and VPN policy may become invalid.

Happi:

I think it would be a lot better to change the way you set the firewall rules in your scripts,

Firewall rules are configured in the script to ensure that even if the firewall is modified by other programs, as long as the VPN up and down, the firewall configuration can be restored.
For most users, they don’t know how to configure the firewall.

Happi · 2020-05-23T08:05:32.947Z

robotluo:

Happi:

consider disabling masquerading on the WAN

What’s the reason for that?
If masquerading is disabled, port forwarding and VPN policy may become invalid.

This is recommended in many VPN provider guides. I always do it manually and have never had a problem with it.

admon · 2024-08-18T05:44:47.085Z