TorGuard

Wireguard on OpenWRT

Question

rob0809

Hi. I have WireGuard set up on my OpenWrt router (Raspberry Pi 4) to connect to TorGuard. I'm using policy routing to route only selected clients through the VPN. That works fine. I have ports forwarded through the firewall, and it works when the client goes through the WAN (Xfinity), but when I use policy routing to send the traffic through the VPN, the forwarded ports no longer work. I believe it is because the responses are going to the VPN instead of the LAN. I can use tcpdump to see the requests hit the ports on the WireGuard interface. So what do I need to do to redirect the responses to the WAN instead of the WireGuard interface (if that is in fact my problem)? Any help would be appreciated.

Thanks,

Rob


3 answers to this question

19807409

You say that you use policy routing but do not say how exactly; I assume that you do not use 0.0.0.0/0 but instead, for example, your local client IPs. To see how your firewall is configured, run:

uci show firewall

Considering you added the wg0 interface to the wan zone (not sure which firewall you are using, but if you are using OpenWrt's defaults), you could try something like this, let's say it is port 12345:

uci add firewall redirect
uci set firewall.@redirect[-1].target='DNAT'
uci set firewall.@redirect[-1].name='Open-TorGuard-Port-12345'
uci set firewall.@redirect[-1].proto='tcp udp'
# src is the firewall zone that wg0 belongs to (wan here), not the interface name
uci set firewall.@redirect[-1].src='wan'
uci set firewall.@redirect[-1].src_dport='12345'
uci set firewall.@redirect[-1].dest='lan'
uci set firewall.@redirect[-1].dest_port='12345'
uci commit firewall
/etc/init.d/firewall restart

This would route TCP port 12345 from the wg0 interface (which is in the wan zone) to your router, for example for a web server or ssh (whatever you have set) on your router (in this case the RPi).

If your wg interface is in the lan zone and you use listen port 23456 (not the TorGuard interface, but your private one over WAN, which can use your VPN wg interface for outgoing connections if you want), then this would be sufficient:

uci add firewall rule
uci set firewall.@rule[-1].src="*"
uci set firewall.@rule[-1].target="ACCEPT"
uci set firewall.@rule[-1].proto="udp"
uci set firewall.@rule[-1].dest_port="23456"
uci set firewall.@rule[-1].name="Allow-Wireguard-Inbound"
uci commit firewall
/etc/init.d/firewall restart

If you want to redirect it to a specific IP in your LAN, then specify that IP in your redirect.

rob0809

Thanks for your response. You got me thinking, and I'm not sure if this is incorrect or unsafe, but I added a WG zone and forwarded it to WAN.

firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='WGZone'
firewall.@forwarding[1].dest='wan'
firewall.@zone[2]=zone
firewall.@zone[2].name='WGZone'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].masq='1'
firewall.@zone[2].network='wg0'
firewall.@zone[2].forward='ACCEPT'

It works, but if you could confirm I'm not opening up any holes I shouldn't be, I'd appreciate it.

19807409
7 hours ago, rob0809 said:

It works, but if you could confirm I'm not opening up any holes I shouldn't be, I'd appreciate it.

In your setup you created a new zone; however, you don't need a new zone, you can assign WireGuard to the wan zone. You had to activate masquerading to be able to communicate between them.

I would assume it is secure, depending on which ports you use; you should always run some penetration tests/port scans to verify your setup. Besides that, I can't see your other settings like the full firewall etc. (which I also do not need). In general, even if you trust TorGuard to isolate clients, sometimes it might be the case that it does not, due to testing or something else. If at that moment you accept all ports to be forwarded without specifying them, like you did on your TorGuard port-forward page, then in case that isolation is off, everybody on the VPN would have full access to your router as if connected to your LAN.

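The two replies above both come down to one question: what can a peer on the WireGuard side of the tunnel reach on this router if the provider's client isolation is ever off? The script below is an added example (not code from anyone in this thread) that parses uci show firewall output, finds the zone that holds the VPN interface, and reports which rules, redirects and forwardings face that zone. It flags a zone with input=ACCEPT, a forwarding from the VPN zone into lan, and an ACCEPT rule that names no port (the "all ports" case the last reply warns about), and lists named ports as informational. The sample output is constructed to resemble rob0809's configuration plus two hypothetical entries (a redirect and an allow-all rule); the interface name wg0 and zone name WGZone are taken from the thread, everything else is assumed. It generalizes to any list of VPN interfaces, not only wg0.

```python
import re
from collections import defaultdict

# Constructed sample of `uci show firewall` output: the WGZone/wg0 setup from
# this thread plus a hypothetical DNAT redirect and a hypothetical allow-all
# rule. This is not real output from anyone's router.
SAMPLE_UCI_SHOW = """\
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].network='wan'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].src='WGZone'
firewall.@forwarding[1].dest='wan'
firewall.@zone[2]=zone
firewall.@zone[2].name='WGZone'
firewall.@zone[2].input='REJECT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].masq='1'
firewall.@zone[2].network='wg0'
firewall.@zone[2].forward='ACCEPT'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].name='Open-TorGuard-Port-12345'
firewall.@redirect[0].proto='tcp udp'
firewall.@redirect[0].src='WGZone'
firewall.@redirect[0].src_dport='12345'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].dest_ip='192.168.1.50'
firewall.@redirect[0].dest_port='12345'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-All-From-VPN'
firewall.@rule[0].src='WGZone'
firewall.@rule[0].target='ACCEPT'
"""

# firewall.@<type>[<index>]=<type>  or  firewall.@<type>[<index>].<option>='<value>'
LINE_RE = re.compile(r"^firewall\.@(\w+)\[(\d+)\](?:\.(\w+))?=(.*)$")


def parse_uci_show(text):
    """Turn `uci show firewall` output into a list of section dicts.

    Each dict has a '.type' key (zone, forwarding, redirect, rule) plus the
    section's options with the surrounding quotes removed.
    """
    sections = defaultdict(dict)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line or not a firewall entry
        stype, idx, option, value = m.groups()
        key = (stype, int(idx))
        sections[key][".type"] = stype
        if option is not None:
            sections[key][option] = value.strip().strip("'\"")
    return [sections[k] for k in sorted(sections)]


def vpn_zones(sections, vpn_ifaces=("wg0",)):
    """Names of the zones whose network list contains a VPN interface."""
    names = set()
    for s in sections:
        if s[".type"] == "zone" and set(s.get("network", "").split()) & set(vpn_ifaces):
            names.add(s.get("name", ""))
    return names


def audit(sections, vpn_ifaces=("wg0",)):
    """Return (severity, message) findings describing what VPN peers can reach."""
    findings = []
    zones = vpn_zones(sections, vpn_ifaces)
    for s in sections:
        stype, src, name = s[".type"], s.get("src"), s.get("name", "?")
        proto = s.get("proto", "tcp udp")
        if stype == "zone" and s.get("name") in zones:
            # Zone-wide INPUT policy: ACCEPT means every router service is reachable.
            if s.get("input", "REJECT").upper() == "ACCEPT":
                findings.append(("HIGH", f"zone {name}: input=ACCEPT lets VPN peers reach every router service"))
        elif src in zones:
            if stype == "forwarding":
                dest = s.get("dest", "?")
                sev = "HIGH" if dest == "lan" else "INFO"
                findings.append((sev, f"forwarding {src} -> {dest}: traffic from the VPN can be forwarded into zone {dest}"))
            elif stype == "rule" and s.get("target", "").upper() == "ACCEPT":
                # A rule with neither dest_port nor dest accepts every port on the router.
                if not s.get("dest_port") and not s.get("dest"):
                    findings.append(("HIGH", f"rule {name}: accepts all ports from {src} without naming them"))
                else:
                    findings.append(("INFO", f"rule {name}: opens {proto} port {s.get('dest_port', '*')} from {src}"))
            elif stype == "redirect" and s.get("target", "DNAT").upper() == "DNAT":
                # Without dest_ip the DNAT lands on the router itself, as the first reply explains.
                target = s.get("dest_ip") or "the router itself (no dest_ip)"
                port = s.get("dest_port", s.get("src_dport", "*"))
                findings.append(("INFO", f"redirect {name}: {proto} port {s.get('src_dport', '*')} from {src} to {target}:{port}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(parse_uci_show(SAMPLE_UCI_SHOW)):
        print(f"[{severity}] {message}")
```

On a real router, pipe the live output in instead of the sample (for example run uci show firewall over ssh and feed the text to parse_uci_show); the HIGH findings are the ones to fix before relying on the provider's isolation, and the INFO lines are the ports you have chosen to expose and should recognise.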
