30/05/2023, 17:15 Detailed configuration of Wireguard (Page 1) - Software - eko.one.pl


Detailed configuration of Wireguard



Posts: 21
1 Subject by sebastan 2023-04-19 14:37:45
sebastan
User
Inactive

Registered: 2012-10-05
Posts: 404

Subject: Detailed Wireguard configuration

There's one thing I'd like to accomplish, and I can't make sense of what I read here and there. Wireguard has been working reliably for a long time. I have clients that, depending on the need, get either a full tunnel, or only access to LAN resources, or only access to a specific IP in the LAN.
Only these are all things achieved from the client's side: I change the "allowed addresses" and that's it. And how do I do it on the server side so that, for example, 199.168.99.3 (this is the wg addressing) connects only with 192.168.1.55? One of the clients is to have access to only one IP and that's it. I honestly don't even know how to start.
https://eko.one.pl/forum/viewtopic.php?id=22966 1/11

2 Reply by Caesars 2023-04-19 14:41:19


Caesars
...
Inactive

From: Warsaw
Registered: 2006-02-25
Posts: 101,705

A: Detailed Wireguard configuration

Cut traffic from this IP to the other hosts on this subnet in the firewall?

You have an unnecessary router, broken or not - I will gladly take it.

Cezary's Side

3 Reply by sebastan 2023-04-19 14:44:55


sebastan
User
Inactive

Registered: 2012-10-05
Posts: 404

A: Detailed Wireguard configuration

This seems to be all-in-all by default, so if I were to modify the firewall from your guide accordingly, what
would it look like for example?

4 Reply by Caesars 2023-04-19 15:11:43


Caesars
...
Inactive

From: Warsaw
Registered: 2006-02-25
Posts: 101,705

A: Detailed Wireguard configuration

Something like

config rule
list src_ip '199.168.99.3'
option dest '*'
list dest_ip '!192.168.1.55'
option target 'REJECT'

It will reject anything that is not going to 192.168.1.55

You have an unnecessary router, broken or not - I will gladly take it.

Cezary's Side

5 Reply by kebap 2023-04-20 12:14:57 (edited by Kebap 2023-04-20 12:17:26)


kebap
User
Inactive

Registered: 2019-12-31
Posts: 99

A: Detailed Wireguard configuration

I have something like that

config rule
option name 'wg2lanport'
option family 'ipv4'
option src 'wg'
option dest 'lan'
list dest_ip '123.123.123.123'
option dest_port '12345'
option target 'ACCEPT'
list src_ip '11.11.11.11'

11.11.11.11 is the IP of the device in the wireguard network that is allowed to connect

config rule
option name 'wg2lan'
option family 'ipv4'
option src 'wg'
option dest 'lan'
option target 'ACCEPT'
list src_ip '11.11.11.11'
list proto 'all'

and here, access to the entire lan for a given device only

6 Reply by sebastan 2023-04-21 07:56:17


sebastan
User
Inactive

Registered: 2012-10-05
Posts: 404

A: Detailed Wireguard configuration

Thank you, gentlemen. I applied your advice and achieved the intended goal in wireguard, which I have on
openwrt on AX3600. It works perfectly.

In addition, I also have a test wireguard on a raspberry and, as this is not an RPi forum, I tried to look for similar advice regarding their iptables and couldn't put anything together. Yesterday I came up with the idea of a ChatGPT 4 query and I am in absolute shock: I got an answer with explanations, ready-made solutions and a practical and theoretical description.

7 Reply by Caesars 2023-04-21 08:40:59


Caesars
...
Inactive

From: Warsaw
Registered: 2006-02-25
Posts: 101,705

A: Detailed Wireguard configuration

Don't trust ChatGPT too much. It lies and fabricates as much as it can on technical matters. You'll get farther if you trust what it writes implicitly. Treat it like Wikipedia: it has knowledge, but verify it.

You have an unnecessary router, broken or not - I will gladly take it.

Cezary's Side

8 Reply by sebastan 2023-04-26 11:31:57


sebastan
User
Inactive

Registered: 2012-10-05
Posts: 404

A: Detailed Wireguard configuration

How do I optimally restore the full wireguard configuration when I update a snapshot? Is there any smart way?

9 Reply by Caesars 2023-04-26 11:35:46


Caesars
...
Inactive

From: Warsaw
Registered: 2006-02-25
Posts: 101,705

A: Detailed Wireguard configuration

The wireguard configuration is only /etc/config/network and /etc/config/firewall, so if you update keeping the configuration, you will have it. Another thing is that you can't always keep the configuration, depending on what they changed in the snapshot; you have to check yourself when you can and when you can't.

You have an unnecessary router, broken or not - I will gladly take it.

Cezary's Side

10 Reply by sebastan 2023-04-26 11:38:39


sebastan
User
Inactive

Registered: 2012-10-05
Posts: 404

A: Detailed Wireguard configuration

In network - interfaces I have "install protocol extensions" at the wg interface. What should I install?

11 Reply by Caesars 2023-04-26 11:39:45


Caesars
...
Inactive

From: Warsaw
Registered: 2006-02-25
Posts: 101,705

A: Detailed Wireguard configuration

luci-proto-wireguard

You have an unnecessary router, broken or not - I will gladly take it.

Cezary's Side

12 Reply by sebastan 2023-04-26 11:46:34 (edited by sebastan 2023-04-26 11:57:54)


sebastan
User
Inactive

Registered: 2012-10-05
Posts: 404

A: Detailed Wireguard configuration

I figured this out myself, but it's still install protocol extensions

PS Started after another reboot, thanks


13 Reply by sebastan 2023-05-19 09:17:03

sebastan
User
Inactive

Registered: 2012-10-05
Posts: 404

A: Detailed Wireguard configuration

I took care of the firewall settings again, so that one client in wireguard would have access to only one device in the lan network and would NOT use the internet through the wireguard tunnel. I would like to have it secured from the server side, because I know that I can achieve some of these assumptions in the client configuration by replacing 0.0.0.0/0 with what I want. But I don't want the client to decide.

I messed something up in the firewall and now I have access to 192.168.1.1, and I don't want that, and I don't want internet through the tunnel. I also think the order of the rules matters. Wireguard installed according to Cezary's guide.

config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option flow_offloading '1'

config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'

config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'

config forwarding
option src 'lan'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config rule
option src 'wan'
option target 'ACCEPT'
option proto 'udp'
option dest_port '55055'
option name 'wireguard'

config rule
option name 'Allowed Connections'
option src 'wg'
option src_ip '10.9.0.2'
option dest 'lan'
option dest_ip '192.168.1.55'
option target 'ACCEPT'

config rule
option name 'Restricted Connections'
option src 'wg'
option src_ip '10.9.0.2'
option dest 'lan'
option target 'REJECT'

config zone
option name 'wg'
option input 'ACCEPT'
option forward 'ACCEPT'
option output 'ACCEPT'
option masq '1'
option network 'wg0'

config forwarding
option src 'wg'
option dest 'wan'

config forwarding
option src 'wan'
option dest 'wg'

config forwarding
option src 'wg'
option dest 'lan'

config forwarding
option src 'lan'
option dest 'wg'

14 Reply by Caesars 2023-05-19 09:24:26

Caesars
...
Inactive

From: Warsaw
Registered: 2006-02-25
Posts: 101,705

A: Detailed Wireguard configuration

If you leave 0.0.0.0 on the client, its default route gets switched to the wireguard tunnel, so if you cut off its
access on the server, it will not have internet (not at all, not through the tunnel). So... do it on the client.

You have an unnecessary router, broken or not - I will gladly take it.

Cezary's Side
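
The point about 0.0.0.0/0 comes from WireGuard's cryptokey routing on the client, where AllowedIPs decides which destinations enter the tunnel at all. The following added example (written for this page, not WireGuard's code; the keys and the endpoint are constructed placeholders) models that table in both directions: outbound longest-prefix routing for the two client configurations discussed in the thread, and the inbound check on the server side, where a decrypted packet is accepted only if its inner source address lies within the sending peer's AllowedIPs. The inbound side is what makes a server-side src_ip rule such as the 10.9.0.2 entries in this thread bind to one specific peer key rather than to an address a client could pick for itself.

```python
"""Toy model of WireGuard's cryptokey routing table (added example, not
WireGuard's code). AllowedIPs lines from [Peer] sections form the table:
outbound packets go to the peer with the longest matching prefix, and an
inbound decrypted packet is accepted only if its inner source address is
inside the sending peer's AllowedIPs. Keys and endpoints are placeholders."""
import ipaddress

# Constructed client configs in wg-quick [Peer] syntax: the full tunnel the
# thread starts from, and the one-host variant the poster switched to.
FULL_TUNNEL = """[Peer]
PublicKey = SERVER_KEY_PLACEHOLDER
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.invalid:55055
"""
ONE_HOST = FULL_TUNNEL.replace("0.0.0.0/0", "192.168.1.55/32")
# Constructed server-side view: two peers, each allowed exactly one tunnel address.
SERVER_VIEW = """[Peer]
PublicKey = PEER_A_KEY_PLACEHOLDER
AllowedIPs = 10.9.0.2/32

[Peer]
PublicKey = PEER_B_KEY_PLACEHOLDER
AllowedIPs = 10.9.0.3/32
"""

def parse_peers(text):
    """Return [(public_key, [ip_network, ...]), ...] from the [Peer] sections."""
    peers, key, nets = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[Peer]":
            if key is not None:
                peers.append((key, nets))
            key, nets = None, []
        elif "=" in line:
            k, v = (p.strip() for p in line.split("=", 1))
            if k == "PublicKey":
                key = v
            elif k == "AllowedIPs":
                nets += [ipaddress.ip_network(n.strip(), strict=False) for n in v.split(",")]
    if key is not None:
        peers.append((key, nets))
    return peers

def route(peers, dst):
    """Peer a packet to dst is encrypted for (longest prefix wins), or None when
    no AllowedIPs entry covers it and the packet leaves by the normal route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for key, nets in peers:
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (key, net)
    return best[0] if best else None

def accept_inbound(peers, key, inner_src):
    """Cryptokey routing check on receipt: a packet authenticated to `key` is
    accepted only if its inner source address is within that peer's AllowedIPs."""
    addr = ipaddress.ip_address(inner_src)
    return any(k == key and addr in n for k, nets in peers for n in nets)

if __name__ == "__main__":
    for name, cfg in (("full tunnel", FULL_TUNNEL), ("one host", ONE_HOST)):
        for dst in ("192.168.1.55", "192.168.1.1", "8.8.8.8"):
            print(f"{name:12} {dst:13} -> {route(parse_peers(cfg), dst) or 'outside the tunnel'}")
    server = parse_peers(SERVER_VIEW)
    print("peer A sending as 10.9.0.3 accepted:", accept_inbound(server, "PEER_A_KEY_PLACEHOLDER", "10.9.0.3"))
```

With 0.0.0.0/0 every destination, including 8.8.8.8 and the router's DNS, is handed to the tunnel, which is why cutting the peer off on the server leaves it with no internet at all; with 192.168.1.55/32 only that one host is routed through the peer and everything else keeps using the phone's own network.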

15 Reply by sebastan 2023-05-19 09:29:06

sebastan
User
Inactive

Registered: 2012-10-05
Posts: 404

A: Detailed Wireguard configuration

And what is to be changed in this firewall of mine?

16 Reply by Caesars 2023-05-19 09:32:15

Caesars
...
Inactive

From: Warsaw
Registered: 2006-02-25
Posts: 101,705

A: Detailed Wireguard configuration

Disable the wg <> lan forwarding, disable the reject rule, leave only forwarding between the specified address and the specified lan address.

But change it on the client, because you will have a problem with DNS, etc. You will write right away that you did it as I wrote and it doesn't work.

You have an unnecessary router, broken or not - I will gladly take it.

Cezary's Side

17 Reply by sebastan 2023-05-19 09:40:19



sebastan
User
Inactive

Registered: 2012-10-05
Posts: 404

A: Detailed Wireguard configuration

If I delete the wg <> lan rule, do I deprive the other wg clients of lan access? On the client, I changed the allowed addresses to 192.168.1.55/32 and of course it works.

Are you suggesting throwing these away?

config rule
option name 'Restricted Connections'
option src 'wg'
option src_ip '10.9.0.2'
option dest 'lan'
option target 'REJECT'

config forwarding
option src 'wg'
option dest 'lan'

config forwarding
option src 'lan'
option dest 'wg'

18 Reply by Caesars 2023-05-19 09:53:27

Caesars
...
Inactive

From: Warsaw
Registered: 2006-02-25
Posts: 101,705

A: Detailed Wireguard configuration

If you don't have too many of these clients, you can add rules for each client.

You have an unnecessary router, broken or not - I will gladly take it.

Cezary's Side

19 Reply by sebastan 2023-05-21 20:13:17

sebastan
User
Inactive

Registered: 2012-10-05
Posts: 404

A: Detailed Wireguard configuration

One more thing: I have the DNS dns.adguard.com added on my phone (Android). This is enough ad restriction for me. Well, but as is known, after turning on wireguard there is no internet with this DNS; I have to change it to "automatic". Is it manageable somehow?

20 Reply by Caesars 2023-05-21 20:16:48

Caesars
...
Inactive

From: Warsaw
Registered: 2006-02-25
Posts: 101,705

A: Detailed Wireguard configuration

In the wireguard configuration on Android you can specify a DNS server...

You have an unnecessary router, broken or not - I will gladly take it.

Cezary's Side

21 Reply by sebastan 2023-05-21 20:26:01

sebastan
User
Inactive

Registered: 2012-10-05
Posts: 404

A: Detailed Wireguard configuration

That's what I did, you know, but inspired by your answer, I looked at the site and found an address in a different
format dns.adguard-dns.com. Typing this both in the phone and in wireguard actually solved the problem, thank
you as usual.

PunBB based forum, powered by Informer Technologies, Inc