Access webgui only from inside wireguard network ? [SOLVED]


joomlafab

Occasional Visitor
Hi !

I've got a remote/independent wireguard VPN server. I can set up a wireguard client in the VPN section of my AX86UPro, and with VPN Director I can add rules so that some machines on the network use it.

Now I wonder if it's possible (and how) to set up a rule so that the webgui would be reachable from machines on the same vpn network.

Let's say my wireguard client conf looks like that

Code:
[Interface]
PrivateKey = ***
Address = 10.0.0.25/32

[Peer]
PreSharedKey = ***
PublicKey = ***
AllowedIPs = 10.0.0.0/24
Endpoint = xx.yy.zz.tt:51820
PersistentKeepalive = 25

For instance, could I set a rule in VPN Director with my wireguard client as interface, and the router IP (192.168.50.1) as Local IP? I'm a little scared to lock myself out of the webgui....
In the client conf, obviously the kill switch would be off because I still want to access the webgui from the local network, but what about the firewall? Should it be off? Is it safe?

The idea would be that my router is not open on WAN, but can be reached from any machine on my VPN network 10.0.0.0/24.

If anyone has already done that, please explain it to me!
 
Now I wonder if it's possible (and how) to set up a rule so that the webgui would be reachable from machines on the same vpn network.
The easiest way would be to set the vpn option "Inbound firewall" to allow. But this would at the same time give access to your lan from vpn, which you perhaps don't want? If not, custom firewall rules may be required.


what about the firewall ? Should it be off ?
No, never turn it off if the router is connected to the internet.
 
For instance, could I set a rule in VPN Director with my wireguard client as interface, and the router IP (192.168.50.1) as Local IP ? I'm a little scared to lock myself out of the webgui....
If you don't plan on using the vpn connection for internet data, the only vpndirector rule you need is whatever you put in AllowedIPs as "remote ip". Like:
Local IP: leave blank
Remote IP: 10.0.0.0/24

This would allow both the lan and the router to find a route to the 10.0.0.0/24 network over vpn.
 
I have a similar use case and have created the following scripts:

/jffs/scripts/nat-start
Bash:
#!/bin/sh

# Example mappings to forward SMB, Web UI, and a LAN device port via WireGuard
# Format: EXTERNAL_PORT:LOCAL_DEVICE_IP:INTERNAL_PORT
# For the Web UI, you only need this line:
# 8080:192.168.50.1:80
PORT_FWD_MAPPINGS='
139:192.168.50.1:139
445:192.168.50.1:445
8080:192.168.50.1:80
10000:192.168.50.2:1000
'

# The client IP of your router
WGC_ROUTER_IP='10.0.0.2'

# wgcX is required for the mappings to be accessible outside your LAN (e.g., when you’re not home);
# the number in the wgcX interface name should correspond to the client configuration number in the Web UI.
# br0 is optional and provides convenience, allowing the custom mappings like 10.0.0.2:8080 to be accessible on your LAN
INTERFACES='wgc1 br0'

# A custom iptables chain for these rules
CHAIN_NAME='WGC1_VSERVER'


# Create the custom chain if it doesn't exist
if ! iptables -t nat -L $CHAIN_NAME -n > /dev/null 2>&1; then
    iptables -t nat -N $CHAIN_NAME
fi

# Ensure there's a jump to the custom chain from PREROUTING for packets destined to WGC_ROUTER_IP
if ! iptables -t nat -C PREROUTING -d $WGC_ROUTER_IP/32 -j $CHAIN_NAME > /dev/null 2>&1; then
    iptables -t nat -I PREROUTING -d $WGC_ROUTER_IP/32 -j $CHAIN_NAME
fi

# Add/Update DNAT rules to the custom chain
for FWD in $PORT_FWD_MAPPINGS; do
    IFS=':'
    set -- $FWD
    EXT_PORT=$1; IP=$2; INT_PORT=$3
    IFS=' '

    for IF in $INTERFACES; do
        # Check if the DNAT rule already exists in the custom chain
        if ! iptables -t nat -C $CHAIN_NAME -p tcp -i $IF --dport $EXT_PORT -j DNAT --to-destination $IP:$INT_PORT > /dev/null 2>&1; then
            iptables -t nat -A $CHAIN_NAME -p tcp -i $IF --dport $EXT_PORT -j DNAT --to-destination $IP:$INT_PORT
        fi
    done
done

/jffs/scripts/wgclient-start
Bash:
#!/bin/sh

WG_CLIENT_NUMBER=1
WG_CLIENT_SUBNET='10.0.0.0/24'

if [ "$1" = "$WG_CLIENT_NUMBER" ]; then
    ip route add "$WG_CLIENT_SUBNET" dev "wgc$WG_CLIENT_NUMBER"
fi

/jffs/scripts/wgclient-stop
Bash:
#!/bin/sh

WG_CLIENT_NUMBER=1
WG_CLIENT_SUBNET='10.0.0.0/24'

if [ "$1" = "$WG_CLIENT_NUMBER" ]; then
    ip route del "$WG_CLIENT_SUBNET" dev "wgc$WG_CLIENT_NUMBER"
fi


Notes:
1. The custom route is necessary to ensure LAN devices can respond correctly. This route eliminates the need for additional VPN Director rules and provides better performance.
2. The "Inbound Firewall" setting for the WG client should be set to "Allow". Otherwise, services running on the router will not be reachable by other WG peers.
3. The "AllowedIPs" in the client configuration should include your WG subnet (e.g., 10.0.0.0/24) and optionally some public subnets. It should not include IPs from the LAN subnet (192.168.0.0/16). You can use this tool to calculate only the IPs you need:
 
I run both a VPN client and VPN server on my AX88Pro router running Merlin. With the VPN director I set up a rule that 10.8.0.0/24 (default IP range for devices connecting on VPN server) connects to the Internet using WG Client 1. I also have rules that devices that I would use to log into the router's GUI locally from the LAN use WG Client 1. With this setup I have no issues logging into my router from either the LAN or the WWW if connecting through the VPN server. Is this what you want to accomplish?
 
Hi guys, thanks a lot to all of you for your explanations and suggestions. I’m a little busy today but I’ll give a try to your ideas soon and will give feedback.

Merlin is such a great project and the community is amazing. I’ve been using it for years and evangelising friends and family about it. Now if I can manage my oldest relative’s router for them safely from home, it will be great.

No, never turn it off if router is connected to internet.

Sure. I expressed myself badly. I didn’t mean to switch off the firewall completely, only to allow the inbound firewall in the vpn client conf.
 
Sure. I expressed myself badly. I didn’t mean to switch off the firewall completely, only to allow the inbound firewall in the vpn client conf.
This all depends on what is on the other side of the VPN, and who is using the vpn. For strictly private use I would think it's fairly safe.

However, since this is a wg client, you may also need to adjust the server settings for this peer.
Normally the server only sends data to the client (10.0.0.25) over the tunnel. But the gui only listens to lan ip (192.168.50.1 - or if you changed it). So you may need to add this to server peer AllowedIPs (server) for this peer to be 10.0.0.25/32, 192.168.50.1/32.
Now, if your server router also has 192.168.50.1 you have an issue.
Then you should preferably change one of the lan IP addresses, or follow @kuchkovsky's advice.

 
Hi guys,

again thanks a lot to all of you for your help and sorry for the late feedback.

Long story short, I ended up using @kuchkovsky's script, which works great. Thanks a lot! I just had to adjust the ports in the mapping to my needs and now from within my VPN, I can reach the webgui or ssh to the connected router, or access other mapped services.

Before that I tried fiddling with VPN director unsuccessfully, I'm not sure what I did wrong, but anyway the iptables mapping is perfect. Thanks anyway to all of you.

Just to be clear, the Wireguard VPN server is not on my asus router. It's on a VPS I own in a different location. I can set up as many VPN networks as I want on this machine, so I've made one specifically for the purpose of remotely managing an Asus router. Hence I'm not worried about safety within the VPN itself.

The WG client conf is unchanged from my first post.

As far as I understood from @kuchkovsky, setting to "Allow" the "Inbound Firewall" in the WG client conf will only allow traffic from the vpn, hopefully, so it should be pretty safe.
 
Before that I tried fiddling with VPN director unsuccessfully, I'm not sure what I did wrong, but anyway the iptables mapping is perfect. Thanks anyway to all of you.
It's all about getting AllowedIPs correct on all ends. You can't "fix" that with vpndirector rules.

As this becomes somewhat of a site-2-site/multisite setup, it is sometimes more convenient to set up a server peer on the router to connect out to your VPS, just as I did since I'm behind CGNAT: https://www.snbforums.com/threads/wireguard-server-tweaks.85758/post-852124

Then you don't need to worry about dnat, vpndirector rules or routes. But you will need to get your AllowedIPs in order on all 3 sides.

Anyhow, if it works, it works. Glad you found your way!
 
As far as I understood from @kuchkovsky, setting to "Allow" the "Inbound Firewall" in the WG client conf will only allow traffic from the vpn, hopefully, so it should be pretty safe.
That’s correct. The allow rule only applies to the WireGuard interface.

Inbound Firewall: Block
Code:
admin@router:/tmp/home/root# iptables-save | grep WGCI
:WGCI - [0:0]
-A INPUT -j WGCI
-A WGCI -i wgc1 -j DROP

Inbound Firewall: Allow
Code:
admin@router:/tmp/home/root# iptables-save | grep WGCI
:WGCI - [0:0]
-A INPUT -j WGCI
-A WGCI -i wgc1 -j ACCEPT
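The two `iptables-save` excerpts above show exactly what the Inbound Firewall toggle changes, and @kuchkovsky's nat-start script adds a DNAT chain on top of it. As an added example (not from this thread and not part of Asuswrt-Merlin), here is a small POSIX sh audit you can run against `iptables-save` output on the router to confirm the WGCI verdict per WireGuard interface and to flag any DNAT rule that is not pinned to the interfaces you expect. The dump below is a constructed sample: the chain names WGCI and WGC1_VSERVER come from the thread, `eth0` as the WAN interface is an assumption, and the `eth0` forward to port 443 is planted on purpose so the check has something to find.

```shell
#!/bin/sh
# Added example, not from the thread or from Asuswrt-Merlin: audit an
# `iptables-save` dump for (1) the WGCI inbound-firewall verdict per WireGuard
# interface and (2) DNAT rules that are not pinned to the interfaces you expect.
# SAMPLE_RULES is a constructed dump that mirrors the "Inbound Firewall: Allow"
# output plus a WGC1_VSERVER chain like the one nat-start builds. The eth0 rule
# is a deliberately planted WAN-facing forward; eth0 as WAN is an assumption.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:WGCI - [0:0]
-A INPUT -j WGCI
-A WGCI -i wgc1 -j ACCEPT
-A WGCI -i wgc2 -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:WGC1_VSERVER - [0:0]
-A PREROUTING -d 10.0.0.2/32 -j WGC1_VSERVER
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 192.168.50.1:443
-A WGC1_VSERVER -i wgc1 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.50.1:80
-A WGC1_VSERVER -i br0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.50.1:80
COMMIT'

# Print the WGCI verdict (ACCEPT/DROP) for interface $2 in dump $1, or "none"
# when no WGCI rule names that interface (traffic then falls through to the
# rest of INPUT).
wgci_verdict() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "-A" && $2 == "WGCI" && $3 == "-i" && $4 == want { verdict = $NF }
        END { print (verdict == "" ? "none" : verdict) }'
}

# Print every DNAT rule in dump $1 whose input interface is not in the
# space-separated allow-list $2 (rules with no -i at all are reported too,
# since they would match on any interface, WAN included).
exposed_dnat() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (k = 1; k <= n; k++) ok[a[k]] = 1 }
        /-j DNAT/ {
            iface = ""
            for (f = 1; f < NF; f++) if ($f == "-i") iface = $(f + 1)
            if (!(iface in ok)) print
        }'
}

# Demo on the constructed dump. On the router, feed the live rule set instead:
#   exposed_dnat "$(iptables-save)" "wgc1 br0"
for ifc in wgc1 wgc2 wgc3; do
    echo "WGCI verdict for $ifc: $(wgci_verdict "$SAMPLE_RULES" "$ifc")"
done
echo "DNAT rules not limited to wgc1/br0:"
exposed_dnat "$SAMPLE_RULES" "wgc1 br0"
```

The point of the second check is the one @kuchkovsky's script relies on: every DNAT rule carries `-i wgc1` or `-i br0`, so a mapped port is only reachable over the tunnel or from the LAN. A rule without that interface match (or with the WAN interface) would expose the same service on the WAN side, which is exactly what this thread is trying to avoid.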
 
Thanks to both of you for the enlightenment.

@ZebMcKayhan you are right, I didn't add 192.168.50.1 to the AllowedIPs on the VPN server when I tried with VPN Director, only on the client, my mistake. Anyway, I'm perfectly happy with the current setup.
 
Just for future reference, say your wg ip range is 10.6.0.0/24. VPS (server) is 10.6.0.1, roaming device is 10.6.0.2 and router is 10.6.0.3 (and 192.168.50.1).

The setup would be
Vps:
Address: 10.6.0.1/24
Roaming device AllowedIPs: 10.6.0.2/32
Router device AllowedIPs: 10.6.0.3/32, 192.168.50.1/32

Router:
Address: 10.6.0.3/24
AllowedIPs: 10.6.0.0/24

Roaming device
Address: 10.6.0.2/24
AllowedIPs: 10.6.0.0/24, 192.168.50.1/32

By using Address/24 the kernel will automatically add wg routes to the main table so you wouldn't need any extra routes or vpndirector rules.

By strictly using 192.168.50.1/32 only this lan ip will be allowed over the wg network, not the rest of your lan. Even though it may be accepted in the router firewall, it will not be accepted by Wireguard. It could be seen as an additional security layer.

I assumed the roaming device only sends data to wg peers and the router lan ip over vpn. All other data goes out the ordinary internet. This could be shifted to 0.0.0.0/0 to send all data over the tunnel, but then the VPS needs somewhere to send this data.

But you will need to access the router gui by ip 192.168.50.1 as this is the only address it listens to, but this is the point and the reason for this being needed.
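The layout above works because WireGuard's cryptokey routing only carries a packet over the tunnel when its destination falls inside a peer's AllowedIPs. As an added example (not from this thread), here is a POSIX sh model of that lookup, run against the three-peer layout in the post: it shows which destinations the roaming device actually sends through the tunnel, and which peer the VPS hands each packet to. The peer names, the extra LAN host 192.168.50.20 and the public address 1.1.1.1 are constructed for the demo; the prefixes are the ones from the post.

```shell
#!/bin/sh
# Added example, not from the thread: a POSIX sh model of WireGuard's
# cryptokey routing (destination -> AllowedIPs match), applied to the layout
# VPS 10.6.0.1, roaming device 10.6.0.2, router 10.6.0.3 / 192.168.50.1.
# Peer names and the hosts 192.168.50.20 and 1.1.1.1 are constructed.

# Dotted quad -> 32-bit integer (sh arithmetic is at least 64-bit wide here).
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if host $2 lies inside prefix $1 (a bare IP is treated as /32).
cidr_contains() {
    case $1 in
        */*) net=${1%/*}; len=${1#*/} ;;
        *)   net=$1; len=32 ;;
    esac
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( $(ip2int "$net") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# Return 0 if any prefix in the comma-separated AllowedIPs list $1 covers $2.
# This is the test a peer applies before encrypting a packet for the tunnel.
allowed_covers() {
    for p in $(printf '%s' "$1" | tr ',' ' '); do
        cidr_contains "$p" "$2" && return 0
    done
    return 1
}

# The VPS side of the layout: one AllowedIPs list per peer (name|AllowedIPs).
VPS_PEERS='roaming|10.6.0.2/32
router|10.6.0.3/32, 192.168.50.1/32'

# Cryptokey routing lookup on the VPS: print the peer that receives a packet
# for destination $1, or "none". First match is enough because these entries
# do not overlap; real WireGuard picks the longest matching prefix.
route_peer() {
    match=$(printf '%s\n' "$VPS_PEERS" | while IFS='|' read -r name ips; do
        if allowed_covers "$ips" "$1"; then echo "$name"; break; fi
    done)
    echo "${match:-none}"
}

# Demo: what the roaming device (AllowedIPs from the post) sends over the tunnel,
# and where the VPS forwards it.
ROAMING_ALLOWED='10.6.0.0/24, 192.168.50.1/32'
for dst in 10.6.0.3 192.168.50.1 192.168.50.20 1.1.1.1; do
    if allowed_covers "$ROAMING_ALLOWED" "$dst"; then
        echo "roaming -> $dst: tunnel, VPS hands it to peer '$(route_peer "$dst")'"
    else
        echo "roaming -> $dst: not in AllowedIPs, leaves via the normal internet path"
    fi
done
```

Run as written it shows the two properties the post describes: 192.168.50.1 reaches the router through the VPS, while 192.168.50.20 never enters the tunnel at all, so the rest of the LAN stays unreachable regardless of what the router's firewall would accept. If the VPS were missing the 192.168.50.1/32 entry for the router peer (the mistake from the earlier VPN Director attempt), `route_peer 192.168.50.1` would return `none` and the VPS would drop the packet.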
 
