How to prevent WireGuard VPN server clients from accessing the local network (allow only Internet access)?

[postoronnim-v]

I have set up a WireGuard VPN server. Now the client has access to the LAN when connected to the server. How can I block access to the LAN, leaving only Internet access? Access Intranet is disabled in the server settings.

 

[eibgrad]

iptables -I FORWARD -i <wg-network-interface> -o br+ -j REJECT

I don't have access to Wireguard on my router, or else I would have specified it. You just need to check w/ ifconfig what that is and replace it in the rule.

Test it first by copying/pasting from ssh, and if it works, make it persistent w/ a firewall-start script.

The following link explains how to create and install a firewall-start script.

Routing guest 1 clients thru vpn client tunnel while access intranet set to disable

Trying to route some devices on guest 1 thru vpn client, seems to work ok if i enable the acess intranet option, but obviously that defeats the purpose of trying to isolate guest 1 from lan. When i disable intranet acess, guest 1 drops the vpn tunnel. I tried adding 192.168.101.0/24 which is my...

www.snbforums.com

 

[postoronnim-v]

Test it first by copying/pasting from ssh

nothing changed after running this command iptables -I FORWARD -i wgs1 -o br+ -j REJECT
The client still has access to the local network

 

[eibgrad]

Then you'll have to dump some of the internals so I can see exactly what's happening.

ifconfig
brctl show
ip route
ip rule
iptables -vnL
iptables -t nat -vnL

Feel free to mask your public IP. Just make it obvious and consistent.

 

[eibgrad]

Well I don't see that rule in the dump of the FORWARD chain.

When you add it, make sure it appears in the table.

iptables -vnL FORWARD

For example...

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  wgs1   br+     0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
...

 

[postoronnim-v]

Well I don't see that rule in the dump of the FORWARD chain.

I rebooted the router. Now I will repeat the report with the command

 

[eibgrad]

Well at least the rule is there now. But no indication of it being hit (based on packet counts) from any attempted access from the WG server and into the local network (br0).

 

[eibgrad]

Again, I don't have access to WG on my own router, but doesn't it allow you to configure LAN only, internet only, or Both, much like the OpenVPN server?

(I've never seen the GUI in this regard, I'm flying blind)

 

[eibgrad]

You gave me the nat table, I need the FORWARD chain of the filter table.

iptables -vnL FORWARD

 

[postoronnim-v]

(I've never seen the GUI in this regard, I'm flying blind)

 

[eibgrad]

Thanks for the GUI images.

As before, the rule is there, but there's still no indication of any attempt to route traffic through the WG tunnel and into the local network. You are trying before posting these dumps, correct?

 

[postoronnim-v]

You are trying before posting these dumps, correct?

I connected the client before dumping. Should I have connected the client while dumping?

 

[eibgrad]

I connected the client before dumping. Should I have connected the client while dumping?

What I want you to do is attempt access of the LAN from the WG client so we can see if it enters the router via the wgs1 network interface and gets blocked from accessing the LAN (br0) by that rule. If that happens, the pkts count field on the rule should be > 0. But as it stands, I can't tell if it's 0 because you never attempted the access, or you did and it's bypassing the rule for some unknown reason. Normally blocking inbound access from VPN servers in this way is pretty straight-forward. We do it all the time. So it *should* work.

 

[eibgrad]

I just noticed the following.

Chain WGSF (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth0   wgs1    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  wgs1   eth0    0.0.0.0/0            0.0.0.0/0

Chain WGSI (1 references)
 pkts bytes target     prot opt in     out     source               destination
    2   352 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:51820
  307 18420 ACCEPT     all  --  wgs1   *       0.0.0.0/0            0.0.0.0/0

What this tells me is that you are only attempting access of the router itself (WGSI), NOT other LAN devices (WGSF), hence why the rule isn't being hit.

Do you want to prevent access of the LAN *and* router, or just the former? If it should include the router, it could deny access to things like the DNS server.

 

[postoronnim-v]

Do you want to prevent access of the LAN *and* router, or just the former?

I want to disable access to the local network and router. Just for security purposes. How safe is it to leave access to the router?

 

[eibgrad]

I want to disable access to the local network and router. Just for security purposes. How safe is it to leave access to the router?

What you consider safe is up to you. Who's accessing the router? Just you? Anyone else you might not fully trust? My primary concern is if we limit access to the router, and you've configured those WG clients to access the router's DNS server (which is common w/ VPN configurations), then that will be a problem (although we could refine the rules to limit access to that one service). But if that isn't the case (and it might not be if you're denying access to the LAN anyway, so presumably you don't need local name resolution), then blocking access to the router as a whole would probably be fine. You can always add the additional rule and just see what if anything becomes a problem.

iptables -I INPUT -i wgs1 -j REJECT

 

[postoronnim-v]

What you consider safe is up to you. Who's accessing the router? Just you? Anyone else you might not fully trust?

This rule worked. Thank you very much for helping me. It seems to me that by setting up a WireGuard server I can compromise the router and devices in the local network, as if I opened access to the WAN. I am not an expert. Tell me, is this measure unnecessary? There is no point in restricting access to the router in my case?

 

[eibgrad]

This rule worked. Thank you very much for helping me. It seems to me that by setting up a WireGuard server I can compromise the router and devices in the local network, as if I opened access to the WAN. I am not an expert. Tell me, is this measure unnecessary? There is no point in restricting access to the router in my case?

You're opening access to the LAN and router, but it's in a secure fashion, unlike simple port forwarding directly over the WAN. If it's only for YOUR use, and you protect any private keys, it's reasonably safe. Many ppl want access to the LAN and/or router, and NOT just for the purposes of routing through your home router and out to the internet. But if your requirements are only internet access, then adding these rules does serve as additional protection. Again, YOU have to determine the purpose of using the VPN and what makes sense to do.

 

[postoronnim-v]

If it's only for YOUR use, and you protect any private keys, it's reasonably safe

Yes, I am the only one with access to the keys. Apparently, I was unjustifiably worried about security.