Isolate one WireGuard profile from LAN

Hi mates

I have a great friend who needs a VPN connection, so I’ve created a WG profile for him.

I really trust him, but for security reasons I would like to prevent this profile from accessing my LAN.

I’ve tried using the LuCI firewall and even iptables rules directly, with no success.

The WG IP is 10.0.0.5, but we have been doing some tests and he can always ping my LAN or directly open the Flint GUI.

I’ve tried:
iptables -I FORWARD -i wgserver -o br-lan -s 10.0.0.5 -d 192.168.8.0/24 -j DROP

It works for some devices, but 192.168.8.1 (Flint IP) remains reachable.

Can someone help me?

Thanks in advance

Hi,
Please try with the command iptables -I INPUT -i wgserver -s 10.0.0.2 -d 192.168.28.0/24 -j REJECT

Thanks for the reply.

I will try ASAP :grinning:

Just to understand.

Why have you changed the source from 10.0.0.3 to 10.0.0.2?

Why have you changed the destination from 192.168.8.0 to 192.168.28.0?

Thanks in advance

Sorry for that. That is my subnet, please replace it with yours. iptables -I INPUT -i wgserver -s 10.0.0.5 -d 192.168.8.0/24 -j REJECT

I’ve added a modification of your rule and my rule, and it works!!

iptables -I FORWARD -i wgserver -s 10.0.0.5 -d 192.168.8.0/24 -j DROP

iptables -I INPUT -i wgserver -s 10.0.0.5 -d 192.168.8.0/24 -j DROP

Now Flint (INPUT) and the LAN (FORWARD) are unreachable :grinning:

Thanks!!!

P.S: Why do you use REJECT instead of DROP?

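Why the FORWARD rule alone left 192.168.8.1 reachable, and why the FORWARD + INPUT pair above closes the gap, comes down to which netfilter chain a packet traverses: traffic addressed to the router itself goes through INPUT, traffic the router merely routes onward goes through FORWARD. The toy model below is an added example, not code from the thread or from GL.iNet; it uses the thread's addresses (client 10.0.0.5, LAN 192.168.8.0/24, router 192.168.8.1), assumes 10.0.0.1 as the router's WireGuard-side address, and uses 192.168.8.50 and a second peer 10.0.0.6 as constructed samples. It also renders each rule in an idempotent `-C || -I` form, because LuCI Custom Rules are re-run on every firewall reload and a bare `-I` would stack duplicate rules.

```python
import ipaddress

# Addresses from the thread: the friend's WireGuard client, the LAN, and the
# router's LAN address. 10.0.0.1 as the router's WireGuard-side address is an
# assumption (the thread never states it).
WG_IFACE = "wgserver"
WG_CLIENT = "10.0.0.5"
LAN = ipaddress.ip_network("192.168.8.0/24")
ROUTER_ADDRS = {ipaddress.ip_address("192.168.8.1"),
                ipaddress.ip_address("10.0.0.1")}


def chain_for(dst):
    """Netfilter hands a packet to INPUT when it is addressed to the router
    itself, and to FORWARD when the router only routes it onward."""
    return "INPUT" if ipaddress.ip_address(dst) in ROUTER_ADDRS else "FORWARD"


def rule(chain, src, dst_net, target="DROP", in_iface=WG_IFACE):
    """One filter rule as a plain dict (a toy model, not libiptc)."""
    return {"chain": chain, "in": in_iface, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_network(dst_net), "target": target}


# The OP's first attempt (FORWARD only) and the final working pair.
FORWARD_ONLY = [rule("FORWARD", WG_CLIENT, str(LAN))]
BOTH_CHAINS = [rule("FORWARD", WG_CLIENT, str(LAN)),
               rule("INPUT", WG_CLIENT, str(LAN))]


def verdict(rules, in_iface, src, dst):
    """First matching rule in the chain the packet traverses wins. With no
    match we assume the router's existing zone rules accept the packet, which
    is what the OP observed before adding any DROP."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    chain = chain_for(dst_ip)
    for r in rules:
        if (r["chain"] == chain and r["in"] == in_iface
                and r["src"] == src_ip and dst_ip in r["dst"]):
            return r["target"]
    return "ACCEPT"


def as_iptables(r):
    """Render a rule for LuCI Custom Rules: check with -C first and insert
    only if absent, so a firewall reload does not add a duplicate copy.
    -I (insert at top) keeps the DROP ahead of the zone ACCEPT rules."""
    spec = (f"{r['chain']} -i {r['in']} -s {r['src']} "
            f"-d {r['dst']} -j {r['target']}")
    return f"iptables -C {spec} 2>/dev/null || iptables -I {spec}"


if __name__ == "__main__":
    for rules, label in ((FORWARD_ONLY, "FORWARD only"),
                         (BOTH_CHAINS, "FORWARD + INPUT")):
        print(label)
        for dst in ("192.168.8.50", "192.168.8.1", "1.1.1.1"):
            print(f"  {WG_CLIENT} -> {dst:13} via {chain_for(dst):7} "
                  f"=> {verdict(rules, WG_IFACE, WG_CLIENT, dst)}")
    for r in BOTH_CHAINS:
        print(as_iptables(r))
```

Two things the model makes visible: the INPUT rule only covers the router's LAN address, so the router stays reachable at its WireGuard-side address (useful if that is where the profile's DNS points; if the profile's DNS is 192.168.8.1 instead, name resolution for that peer breaks once the INPUT rule is in), and other peers such as 10.0.0.6 are untouched because the rules match on a single source. The model ignores conntrack and the other chains, and newer OpenWrt builds using fw4/nftables need the equivalent nft rules rather than iptables.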
Both “REJECT” and “DROP” are OK.
“REJECT”: responds with an ICMP packet saying “destination unreachable”.
“DROP”: drops the request without any response.

I know. I would prefer DROP because there is no answer, but if someone who knows a lot uses REJECT, I wonder why :grinning:

DROP is typically used when you don’t want to notify script kiddies that there’s an endpoint/server listening on the other end. It also saves a touch of CPU and bandwidth, as it doesn’t send back the REJECT response.

Hello,
Where exactly do you put these commands?
Is it in LuCI - Firewall - Custom rules …/cgi-bin/luci/admin/network/firewall/custom ?

Is 10.0.0.5 the client IP, which is visible only inside the VPN tunnel?

Thanks

It looks like 10.0.0.5 is the source IP for the WG client connected to the upstream WG server, but my general iptables/firewall writing skills aren’t exactly good.

LuCI → Network → Firewall → Custom Rules is the optimal/proper place to put them, but see this seemingly unrelated HOW-TO. There’s a rather important note about custom firewall rules:

Do you refer to this remark?
“If you have custom firewall rules be sure to add /etc/firewall.user too.”

Is this something that has to be done if I want to back up my custom rules, or is it something that must be done for my custom rules to work at all?

I suppose it depends on whether you want your custom firewall to work after restoring a backup, but I also keep a log of changes to my devices, so whatever works best for you.

Hi

Sorry for the delay in the response, I hadn’t seen it.

I’ve put the rules in LuCI → Network → Firewall → Custom Rules as bring.fringe18 said.

Thanks, he answered you in time. Sorry again :frowning: