How to restrict WAN access for VPN Client (Mango)

ngtimofeev · 2022-12-29T15:38:56.911Z

I have the following setup at home:

Brume2 as the main router (192.168.1.1) which distributes IP address (DHCP);
After Brume2 I have unmanageable switch with all home devices connected to it;
Mango router (WAN 192.168.1.5) is also connected to this switch and I use it to run the WireGuard VPN Server (corresponding port forwarding rule is set in Brume2).

VPN Server works fine, however, my intension is to use Mango router ONLY as a VPN Server and RESTRICT access to my home network devices for the connected VPN Clients (via WAN).

When the “Allow Access Local Network” option is disabled, there’s no access to the devises connected to the Mango network (LAN), but it doesn’t affect Mango’s WAN subnet.

Is there any way to setup the firewall rule in order to restrict the access to the upper level devices? Probably to everything except the main Brume2 (192.168.1.1)?

I appreciate any help in this matter.

agent_smith · 2022-12-29T18:04:51.635Z

Hi,

I’m currently actively studying the Wireguard documentation, but I can’t say that I’m good at it
But, if you use a mobile device as a WG client, in my case it is an iPhone, in the WG APP client settings when editing allowed IPs, it is possible to activate the button “exclude private IPs”.
Then you can simply add to the list of allowed ip wich you need to access your local network. For example, your Brume2, as address 192.168.1.1/32 and you will have an access to your Brume from your mobile phone, while other IP addresses on the same subnet will not be available. For me it works. But I find it useless as an elevated user can always edit the profile and override excluded private addresses and access them.

ngtimofeev · 2022-12-30T07:53:29.748Z

Hi Agent_smith, thanks for the advice. But as you said, this setting is on the Client side, not the Server, so indeed anyone can change.
I’m trying to play with the firewall rules in Luci, but no success so far.

Leo · 2022-12-30T14:19:50.721Z

I don’t quite understand your question.
What other devices do you have in your home network? It would be nice if you could draw a network topology diagram.

alzhao · 2022-12-30T17:55:52.664Z

ngtimofeev:

When the “Allow Access Local Network” option is disabled, there’s no access to the devises connected to the Mango network (LAN), but it doesn’t affect Mango’s WAN subnet.

Yes. But if you use wireguard server on your Brume2 directly, this could be resolved, right?

ngtimofeev · 2022-12-30T20:36:11.526Z

Hi Alzhao,
For the personal use I run another VPN server on Brume2 with the full access to the LAN.
The purpose of Mango router is to provide the VPN access to friends, colleagues, etc. who are abroad and need to be ‘in the home country’, but I wanted to forbid the access to my home LAN for them.

ngtimofeev · 2022-12-30T20:38:30.179Z

The solution was to change the ‘WireGuard’ Zone Firewall settings and to add the ‘WireGuard to WAN’ restriction in the Traffic Rules.
Now the VPN Clients can only access the Mango router via 10.0.0.1 (wg) and 192.168.1.5 (wan) IPs, but the route to the main LAN (via WAN port) is restricted.

1865×926 111 KB

4801×443 32.6 KB

agent_smith · 2022-12-31T01:53:24.619Z

@ngtimofeev
In your case, I would add some details, would close access to VPN clients to the internal network for ZONE wareguard> WAN Input > Drop, so they can’t reach the web interface of the mango router at IP 10.0.0.1 and I would create another traffic rules that allow only IP address of your personal VPN client for Mango(e.g. with an IP 10.0.0.2/32, see my e.g below), to access to the mango shell, brume shell and other ip addresses from internal network, if required. Very important ! It must be dragged and droped above the deny rule in your case “forbid-wg-to-lan” then saved and applied.

31759×1067 95.9 KB

11434×1290 96.7 KB

21541×1291 96.5 KB

ngtimofeev · 2023-01-01T14:24:45.912Z

Hi agent_smith, thanks for your input!
Actually my intension was to allow the VPN Clients to access the Mango, as I have an external drive connected to the router and can share the files with my colleagues in that way. '\\10.0.0.1\GL-Samba'
Since the Mango’s WEB interface is password protected I’m not worried that anyone can actually login into it.