Wireguard- How to restrict LAN resource access by WAN clients?

0vrthnk

New Around Here
Asus RG-58AXU
Merlin FW v3004.388.8_4

Hi, first post after much lurking/searching. I have to believe that this is not an uncommon use case, but no joy so far for Asus Merlin/wireguard.

I have a functional wireguard(server) vpn running in my RG-58AXU w/ one WAN Android client accessing my NVR over cellular data.
Works great. Orders of magnitude (subjectively) faster for this purpose than OpenVPN, which I tested first before trying wireguard. I'd like wireguard a WHOLE lot more with authentication, but that's a different challenge.

I am not using the VPN for any other LAN to WAN traffic.

Is there any way within the Merlin UI to limit incoming/outgoing WAN vpn access to specific LAN resources?

Example (not my actual numbers):

RG-58AXU LAN IP: 192.168.1.1
wireguard port: 56354
NVR on LAN, IP 192.168.1.101:14777
Android wireguard client 10.6.0.10

I need to restrict the wireguard client LAN access to the NVR _only_.
I'm not averse to blocking ALL wireguard traffic except port 14777, if that's doable, but it seems heavy-handed.
I do NOT want to resort to local firewall rules on the other devices on my LAN, etc

If not through the UI, if this can be accomplished with a script, etc. through SSH, can anyone point me in the direction of some code that could be adapted to my use case?

My iptable kung-fu blows, but I'm very willing to try/learn.

Thanks so much for any help/thoughts.
 
Is there any way within the Merlin UI to limit incoming/outgoing WAN vpn access to specific LAN resources?
Well, yes... it is perhaps possible to set up something using the Network Services Filter. However, I would use firewall-start to add my custom firewall rules:
https://github.com/RMerl/asuswrt-merlin.ng/wiki/User-scripts

If you want to block all but one ip it could be done in one command:
Code:
iptables -I FORWARD -i wgs1 -o br0 ! -d 192.168.1.101 -j REJECT
-I = insert on top
-i = input interface (wgs1 - wg server)
-o = output interface (br0 - LAN)
-d = destination IP (all but 192.168.1.101)
! = not (inverted truth)
REJECT = a reply is sent that this destination is not reachable. Could be DROP instead for silent dropping but it's usually causing issues with long timeouts.

So a typical firewall-start script could be:
Code:
#!/bin/sh
# Remove any earlier copy of the rule (no-op if it is not there yet)
iptables -D FORWARD -i wgs1 -o br0 ! -d 192.168.1.101 -j REJECT
# Insert it at the top of FORWARD: wgs1 -> LAN, anything but the NVR is rejected
iptables -I FORWARD -i wgs1 -o br0 ! -d 192.168.1.101 -j REJECT
-D = delete

The rule is deleted before it is added again to prevent duplication.
 
Zeb, EXACTLY what I'm looking for. Will report back when I've had a chance to test it. Thanks!
Don't forget to set "Enable JFFS custom scripts and configs" to Yes in the router GUI (Administration -> System) if you have not already done so, otherwise firewall-start will never be executed.

Don't forget to make firewall-start executable with chmod +x /jffs/scripts/firewall-start

Finally, just adding the rules in the file will not add them to the firewall until the firewall restarts, so you either need to reboot, restart the firewall manually, or execute the file or commands manually. The delete rule may generate an error the first time as the rule does not exist to delete, but no worries, the next command will be executed anyway to insert the rule. This was a little quick and dirty as the delete command should be piped so the error message does not show, but I'm lazy. Add a 2>/dev/null at the end of the delete command to skip seeing the error message.

You can list your rules by
Code:
iptables -nvL FORWARD
Your added rule should be right on top if all is well.
 
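Putting the two replies above together, here is an added example of a complete firewall-start script. It is not code from the thread or from Asus-Merlin; it goes one step further than the single REJECT rule by also limiting the client to the NVR's port (the "block everything except 14777" variant the original post asked about), and it uses `iptables -C` to test whether a rule already exists instead of delete-then-insert, so re-running on every firewall restart never duplicates rules or prints an error. The interface names wgs1 and br0, the NVR address 192.168.1.101 and port 14777 are the thread's example values; the assumption that the NVR speaks TCP, the function names, and the IPT override variable (for dry runs) are my own.

```shell
#!/bin/sh
# /jffs/scripts/firewall-start (added example, not from the forum thread)
# Confines the WireGuard server interface to one LAN host and one TCP port.
# Values below are the thread's example numbers; adjust to your own network.
WG_IF="wgs1"              # WireGuard server interface on Asus-Merlin
LAN_IF="br0"              # LAN bridge
NVR_IP="192.168.1.101"    # the only LAN host the VPN client may reach
NVR_PORT="14777"          # assumption: NVR listens on TCP (add -p udp if not)
IPT="${IPT:-iptables}"    # override with IPT=echo for a dry run

# Print the rule specification (everything after the chain name) for the
# FORWARD chain. "allow" passes wgs1 -> NVR:port, "deny" rejects the rest.
wg_rule_spec() {
    case "$1" in
        allow) printf '%s' "-i $WG_IF -o $LAN_IF -d $NVR_IP -p tcp --dport $NVR_PORT -j ACCEPT" ;;
        deny)  printf '%s' "-i $WG_IF -o $LAN_IF -j REJECT --reject-with icmp-port-unreachable" ;;
        *)     return 1 ;;
    esac
}

# Insert a rule at position $2 of chain $1 only if an identical rule is not
# already present. iptables -C exits 0 when the rule exists, so a firewall
# restart (which re-runs firewall-start) never creates duplicates.
ensure_rule() {
    chain="$1"; pos="$2"; shift 2
    if "$IPT" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    "$IPT" -I "$chain" "$pos" "$@"
}

# Install the deny rule at the top first, then the allow rule at the top,
# so the final order is: ACCEPT NVR:14777, REJECT everything else from wgs1.
apply_wg_restrictions() {
    ensure_rule FORWARD 1 $(wg_rule_spec deny)  || return 1
    ensure_rule FORWARD 1 $(wg_rule_spec allow) || return 1
}

# Only apply when Merlin runs this file as firewall-start; sourcing it from an
# SSH session leaves the functions available without touching the firewall.
case "$0" in
    */firewall-start|firewall-start) apply_wg_restrictions ;;
esac
```

Save it as /jffs/scripts/firewall-start, chmod +x it, and enable JFFS custom scripts as described above; `iptables -nvL FORWARD` should then show the ACCEPT line followed by the REJECT line at the top. Two caveats: these are FORWARD rules, so they govern what the router forwards from wgs1 into the LAN, not what the client can reach on the router itself (that is the INPUT chain); and the allow rule matches TCP only, so an NVR that streams over UDP needs a second allow rule with -p udp. Running the functions with IPT=echo prints the iptables invocations instead of executing them.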
