How to secure (Firewall), with geo-blocking with whitelist, the router and the service for which I opened a port?

Hello,
I'm looking for a solution to get geo-blocking for IP addresses with a whitelist.

I'll try to explain what I want.

I want to authorize only FR IP addresses to access the WireGuard server, and the several ports I opened to get some services working on my NAS/NUC.
Some services work through a reverse proxy where I have geo-blocking working. But some other services don't have such a possibility, like the port I use for another WireGuard server I have as a backup on Home Assistant.
I don't open many ports, to minimize my (I don't know the word in English...) accessibility on the internet.

But I really want to have Geo-Blocking on the router.

Do you think it's possible?

I'm a real beginner with this router, and my old Synology came with this feature by default...
And the default web interface doesn't provide a true firewall... I see that with the LuCI interface there is something, but it is really not for newcomers, and even less for beginners, as it is very unfriendly.

I'm capable of learning, but I don't have much time now, with a two-year-old kid (in the "terrible twos" :sweat_smile: as you say).
I can do some things in a Linux environment, but managing iptables rules or other things like that isn't for me.

Can someone help me?
Thanks, in advance.

Geo-blocking isn't real security, tbh. And it does not work very well because it relies on databases, which are often not accurate.

You can try to add it to your router by reading this

But all in all, from my point of view, this is pretty useless. Just make sure your overall security (no exposing of dangerous ports like HTTP, maybe using a custom port for WireGuard) is good and you don't need something like this.

1 Like

Hello, I see, and I agree with the fact that relying on a database isn't a great thing...
But for me, it's more to limit the IPs of potential attackers.
Limiting to only FR IPs drastically limits the potential attacks from China or Russia.
This is not real security, I know, and I agree with you.
But it secures me :blush:

I'll try the geo-blocking link you gave me.
But I have a question about those customizations... like CrowdSec or fail2ban. Are any of those settings persistent after a firmware update?

I already expose the strict minimum:

  • port 443 for my reverse proxy (Docker container SWAG (with Nginx, fail2ban, CrowdSec) on a mini PC in a Debian VM on a Proxmox host);
  • port 6690 (can't be changed) for my Synology Drive synchronization;
  • a custom port for a WireGuard server (old version of Firezone, not maintained now) on my mini PC;
  • another custom port for another WireGuard server with a Home Assistant add-on.

And that’s all.

For all incoming traffic to the reverse proxy, I set up geo-blocking, plus a restriction for some domain names to only be accessible from my LAN and the VPN.

I intend to set up another VPN server in order to have a backup plan. But I'm not sure the GL-MT6000 can be an L2TP VPN server...

I use the VPN to get access to all my LAN resources which aren't accessible from the internet.

With the Synology router I've got a real firewall to configure, and it can do geo-blocking.

As information, in France the ISP provides a router called a "box", which provides internet, phone (like a landline) and TV.
I've got one of those, and the GL.iNet router is behind it, but it's in the DMZ of the "box", so everything is routed to the MT6000.
The box doesn't offer any firewall... just port forwarding.

So, to come back to what you said, @admon, is the fact that I use a non-standard port for the WireGuard server sufficient? Are the public key and the private key, with a preshared key, sufficient to protect from an intrusion, or at least an attempt?

Thanks for your answer by the way, and sorry for the delay in my answer.

1 Like

Put everything behind a VPN and update regularly. Geoblocking will not help.

2 Likes

What do you mean by « put everything behind a VPN »?
Have you read all I wrote?

It adds some layer of safety against automated scans. But since WireGuard uses UDP and does not answer wrong data... you can't really detect it anyway.

2 Likes

You already use WireGuard. Just put all services behind the VPN and you are done.

You have to remember that WireGuard is amazing.

WireGuard does not respond to unsolicited requests unless the keys match. So even if someone tries to connect to it, they don't know what's behind the port. Which is really nice.

You're pretty safe with WireGuard. Somebody would have to assume that it's WireGuard. So change the default standard port to something common.

1 Like
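Added example, not code from the thread, from GL.iNet or from the WireGuard project: a minimal Python model of the first check a WireGuard responder applies to an incoming handshake initiation, which is the mechanism behind "does not respond unless the keys match". The first message carries mac1, a keyed BLAKE2s tag whose key is derived from the responder's public key and which covers everything before it; a packet whose mac1 does not verify is dropped with no reply. The 32-byte key values are random placeholders and the message body has only the correct framing, not a real Noise handshake, so this shows the silent-drop gate and nothing past it.

```python
"""Why an unauthenticated probe to a WireGuard UDP port gets no answer.

mac1 = keyed-BLAKE2s-128(key = BLAKE2s-256("mac1----" || responder_public),
                         data = message bytes before mac1)
The responder verifies mac1 before doing any expensive work; on mismatch it
sends nothing. Computing a valid mac1 requires the responder's public key,
which a port scanner does not have.
"""
import hashlib
import hmac
import os
from typing import Optional

MSG_HANDSHAKE_INITIATION = 1
INITIATION_LEN = 148   # type/reserved 4 + sender 4 + ephemeral 32 + enc static 48
                       # + enc timestamp 28 + mac1 16 + mac2 16
MAC1_OFFSET = 116      # every byte before mac1 is covered by mac1
LABEL_MAC1 = b"mac1----"


def mac1_key(responder_public: bytes) -> bytes:
    """Key for mac1: BLAKE2s-256 over the label and the responder's public key."""
    return hashlib.blake2s(LABEL_MAC1 + responder_public, digest_size=32).digest()


def compute_mac1(responder_public: bytes, msg_prefix: bytes) -> bytes:
    """16-byte keyed BLAKE2s over the message bytes that precede mac1."""
    return hashlib.blake2s(msg_prefix, key=mac1_key(responder_public),
                           digest_size=16).digest()


def build_initiation(responder_public: bytes, body: Optional[bytes] = None) -> bytes:
    """Frame an initiation message with a valid mac1 for the given responder key.

    The 112-byte body (sender index, ephemeral key, encrypted static key,
    encrypted timestamp) is a placeholder here: random bytes unless supplied.
    """
    if body is None:
        body = os.urandom(MAC1_OFFSET - 4)
    header = bytes([MSG_HANDSHAKE_INITIATION, 0, 0, 0])
    prefix = header + body
    if len(prefix) != MAC1_OFFSET:
        raise ValueError("body must be %d bytes" % (MAC1_OFFSET - 4))
    mac1 = compute_mac1(responder_public, prefix)
    mac2 = bytes(16)   # zero unless the responder is under load and issued a cookie
    return prefix + mac1 + mac2


def passes_mac1_gate(packet: bytes, responder_public: bytes) -> bool:
    """First gate a responder applies. False means: drop it, send nothing."""
    if len(packet) != INITIATION_LEN:
        return False
    if packet[0] != MSG_HANDSHAKE_INITIATION or packet[1:4] != b"\x00\x00\x00":
        return False
    expected = compute_mac1(responder_public, packet[:MAC1_OFFSET])
    return hmac.compare_digest(expected, packet[MAC1_OFFSET:MAC1_OFFSET + 16])


if __name__ == "__main__":
    server_pub = os.urandom(32)   # placeholder for the server's Curve25519 public key
    probe = os.urandom(INITIATION_LEN)   # what a scanner or fuzzer sends
    print("random probe gets past mac1?", passes_mac1_gate(probe, server_pub))
    forged = build_initiation(server_pub)   # sender knows the public key
    print("message built with the public key gets past mac1?",
          passes_mac1_gate(forged, server_pub))
    print("same message sent to a different server?",
          passes_mac1_gate(forged, os.urandom(32)))
```

Passing mac1 only opens the next gate: the responder then tries to decrypt the initiator's static key and checks it against its configured peers, and a sender without a matching peer private key fails there and again gets no reply. The preshared key is an extra secret mixed into that handshake; it is not what makes the port silent, the mac1 check and the peer key check are.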

Ok great :+1:t2:

I assume you're talking about VPNs like Mullvad/CyberGhost etc...
Right?
If so, I don't know which benefit I could get by using such a service.
I don't want to be "anonymous", which is not really the case with such VPNs, and I don't want my sensitive data to transit through another entity I don't really trust.
I trust my ISP to do what is necessary, and if you tell me about DNS blocking, I already use alternate DNS servers I trust (limited trust, of course).

My understanding of using such a DNS server is to be identified as being in another country to bypass geo-blocked content like Netflix and co.
I don't need this.

My usage of VPN is only to be able to connect my laptop or smartphone to my LAN in order to access resources not directly accessible from the internet.
And the reason I don't always use my WireGuard server is the battery drain it causes on my smartphone. Even if it's less than OpenVPN or other protocols...

Thank you for confirming what @admon said earlier.
I'll leave this as it is then; I'm not looking to do anything more here, as long as I have done the restriction on my reverse proxy and on the Synology firewall.

I may have to do some configuration of the Proxmox firewall.

As long as a strict firewall is included in your setup you are good to go.

1 Like

By setup you mean my Proxmox and my 2 NAS (Synology & Asustor)?
Currently, only the NAS have a firewall set up.
The Proxmox does not.
My reverse proxy is on a Proxmox VM (Docker SWAG), so with no firewall, but there is geo-blocking, and only port 443 is forwarded.
But I'll look into setting up the firewall, though in my opinion it'll not add much security.

Blocking countries is meh. Just to add why many also don't recommend this: IPs cannot be tracked, you will have no clue who the owner is, and besides that a lot of these geo lists sometimes also end up adding wrong IPs or even RFC 1918 (local network blocks). If you really want, you can use banIP, but with GL.iNet software this can be tricky, especially on the VPN side, where it may not work.

However, if you make use of a WireGuard server, this is a really powerful tool. Like others said, this is the best way, because you can also reduce the number of open ports and even prevent visibility to port scanners because it is UDP. Currently I'm using the same approach to reach various self-hosted services and even VLANs :+1:. It's also much, much better than port knocking in that regard.
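Added example, not code from the thread, from banIP or from GL.iNet: if you do go the geo-allowlist route from the earlier reply, this Python checker strips the kind of junk this post warns about (RFC 1918 and other non-public blocks, unparseable lines) from a downloaded country list, merges overlapping blocks, and emits nftables set elements plus an allow rule for a WireGuard UDP port. The sample list, the set name, the WAN interface name and the port number are constructed placeholders; which nftables table and chain the output belongs in depends on the firewall in use (OpenWrt's fw4 keeps its rules in table `inet fw4`), so treat the rule lines as input for your own include, not as a drop-in file.

```python
"""Sanity-check a country CIDR allowlist before a firewall loads it.

Constructed sample input (not a real vendor list): it imitates a "FR" list and
deliberately contains private, loopback, overlapping and unparseable entries.
"""
import ipaddress
from ipaddress import ip_network
from typing import List, Tuple

SAMPLE_FR_LIST = """\
# country: FR (constructed sample, not real GeoIP data)
2.0.0.0/12
5.39.0.0/17
5.39.0.0/18        # overlaps the previous block; merged below
192.168.1.0/24     # RFC 1918; must never appear in a WAN allowlist
10.0.0.0/8         # RFC 1918
127.0.0.0/8        # loopback
not-an-ip
2a01:e00::/26
"""


def is_public(net) -> bool:
    """Reject anything a WAN-side allowlist must never contain."""
    return not (net.is_private or net.is_loopback or net.is_link_local
                or net.is_multicast or net.is_reserved or net.is_unspecified)


def parse_country_list(text: str) -> Tuple[List, List[Tuple[str, str]]]:
    """Return (accepted networks, merged per family) and (rejected line, reason)."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        try:
            net = ip_network(line, strict=False)
        except ValueError:
            rejected.append((line, "unparseable"))
            continue
        if not is_public(net):
            rejected.append((line, "non-public range"))
            continue
        accepted.append(net)
    # collapse_addresses merges overlaps and adjacent blocks, one family at a time
    v4 = list(ipaddress.collapse_addresses([n for n in accepted if n.version == 4]))
    v6 = list(ipaddress.collapse_addresses([n for n in accepted if n.version == 6]))
    return v4 + v6, rejected


def is_allowed(ip: str, nets) -> bool:
    """Would a source address pass the allowlist? (what the firewall decides)"""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in nets)


def render_nft(nets, wg_port: int, name: str = "fr", wan_if: str = "wan") -> str:
    """nftables set definitions and rules: listed sources reach the WireGuard
    port, everything else to that port is dropped. Names are placeholders."""
    lines = []
    for family, ver in (("ip", 4), ("ip6", 6)):
        elems = ", ".join(str(n) for n in nets if n.version == ver)
        if not elems:
            continue   # an empty elements list is invalid nft syntax
        set_name = "%s%d" % (name, ver)
        lines.append("set %s { type %s_addr; flags interval; elements = { %s } }"
                     % (set_name, "ipv4" if ver == 4 else "ipv6", elems))
        lines.append('iifname "%s" udp dport %d %s saddr @%s accept'
                     % (wan_if, wg_port, family, set_name))
    lines.append('iifname "%s" udp dport %d drop' % (wan_if, wg_port))
    return "\n".join(lines)


if __name__ == "__main__":
    nets, rejected = parse_country_list(SAMPLE_FR_LIST)
    for line, reason in rejected:
        print("rejected %-18s %s" % (line, reason))
    print(render_nft(nets, wg_port=51820))
```

The rejected list is the part worth reading before every reload: a vendor list that suddenly contains 10.0.0.0/8 or 0.0.0.0/0 would otherwise silently turn your allowlist into "allow everyone", and a list with a typo would lock you out.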

I have some friends who access my media server through port 443 (reverse proxy). I don't want to force them to use a WireGuard client. Some aren't as technical as me :sweat_smile:
All my services behind the reverse proxy are accessible with credentials and, except one, all with 2FA.

Hmm, are they familiar with QR codes, like how they work with Wi-Fi?

Then you can reduce the technical step: have them install the WireGuard app and scan the QR code, then you can for example make them use a local DNS from WireGuard so the domains get resolved to the media server.

One reason why I'd still come up with WireGuard is that OpenWrt is not safe at all for a service exposed to WAN (i.e. a reverse proxy), but this probably also counts for the underlying devices if they are set for DMZ or port forwarding.

OpenWrt runs everything as the root user; this is by design and fine for a router, but not for servers. You should actually see it as a server at this point, and then it is not recommended to use the root user; you actually want to isolate the process as much as possible, and it also gives you a strong layer against exploits, which often require root.

And you need to think about authentication: a password is not so good, a longer one is better (preferably from a password manager), but even better is key authentication. You can generate a key with PuTTY via PuTTYgen. You want an option against brute-forcing SSH; fail2ban can help, but you can also just not expose authentication to the outside.

For ease of use, the QR code thingy is much better imho :wink:

Or you could spin up ZeroTier for connecting your friends to your media server.