Wireguard on OpenWRT

[rob0809 0]

Hi.  I have Wireguard set up on my OpenWRT router (Raspberry Pi 4) to connect to Torguard.  I'm using Policy Routing to route only selected clients through the VPN.  That works fine.  I have ports forwarded through the firewall and it works when the client goes through the WAN (Xfinity) but when I use Policy Routing to send the traffic through the VPN, the forwarded ports no longer work.  I believe it is because the responses are going to the VPN instead of the LAN. I can use tcpdump to see the requests hit the ports on the Wireguard interface.  So what do I need to do to redirect the responses to the WAN instead of the Wireguard interface (if that is in fact my problem).  Any help would be appreciated.

Thanks,

Rob

[19807409 32]

You say that you use policy routing but do not say how exactly, I assume that you do not use 0.0.0.0/0 but instead as example your local client ip's. To see how your firewall is configured run

uci show firewall

.

Considering you added wg0 interface to wan zone, not sure which firewall you are using, but on using default's openwrt, you could try something like this, lets say it is port 12345:

[email protected][-1].target='DNAT'
[email protected][-1].name='Open-TorGuard-Port-12345'
[email protected][-1].proto='tcp udp'
[email protected][-1].src='wg0'
[email protected][-1].src_dport='12345'
[email protected][-1].dest='lan'
[email protected][-1].dest_port='12345'
uci commit firewall
/etc/init.d/firewall restart

This would route tcp port 12345 from wg0 interface (which is in wan) zone to your router, as example for web server or ssh (whatever you have set) on your router (in this case rpi).

If your wg interface is in lan zone and you use listen port 23456 (non torguard interface, but your private over WAN, which can use your VPN wg interface for outgoing connections if you want), then this would be sufficient:

uci add firewall rule
uci set [email protected][-1].src="*"
uci set [email protected][-1].target="ACCEPT"
uci set [email protected][-1].proto="udp"
uci set [email protected][-1].dest_port="23456"
uci set [email protected][-1].name="Allow-Wireguard-Inbound"
uci commit firewall
/etc/init.d/firewall restart

If you want to redirect it to specific IP in your lan, then specify that ip in your redirect.

[rob0809 0]

Thanks for your response.  You got me thinking and I'm not sure if this is incorrect or unsafe but I added a WG zone and forwarded it to WAN.

 

[email protected][1]=forwarding
[email protected][1].src='WGZone'
[email protected][1].dest='wan'
[email protected][2]=zone
[email protected][2].name='WGZone'
[email protected][2].input='REJECT'
[email protected][2].output='ACCEPT'
[email protected][2].masq='1'
[email protected][2].network='wg0'
[email protected][2].forward='ACCEPT'

It works but if you could confirm I'm not opening up any holes I shouldn't be, I'd appreciate it.  

[19807409 32]

7 hours ago, rob0809 said:

It works but if you could confirm I'm not opening up any holes I shouldn't be, I'd appreciate it.  

In your setup you created new zone, however, you dont need a new zone, you can assign wireguard to wan zone, you had to activate masquerading for ability to communicate between them.

I would assume it is secure, depending on which ports you use, you shuold always make some penetration tests/port scans to verify your setup, beside that I cant see your other settings like full firwall etc.. (which I also do not need). In general, even if you trust torguard that it isolates clients, sometimes it might be the case that it is not due to testing or something else, if you do accept in that moment all ports to be forwarded without to specify them like you did on your torguard portforward page, then in case that isolation is off, everybody in VPN would have full access to your router like if connected in your LAN.