Subject by sebastan, 2023-04-19 14:37:45
sebastan
User
Inactive
Registered: 2012-10-05
Posts: 404
https://eko.one.pl/forum/viewtopic.php?id=22966
30/05/2023, 17:15 Detailed configuration of Wireguard (Page 1) - Software - eko.one.pl

There's one thing I'd like to accomplish, and I can't make sense of what I read here and there. WireGuard has been working reliably for a long time. Depending on the need, clients have either a full tunnel, or only access to LAN resources, or only access to a specific IP in the LAN.
Only these are all things done from the client's side: I change the "allowed addresses" and that's it. But how do I do it on the server side, so that, for example, 199.168.99.3 (this is the wg addressing) connects only to 192.168.1.55? One of the clients is to have access to only one IP and that's it. I honestly don't even know where to start.
From: Warsaw
Registered: 2006-02-25
Posts: 101,705
You have an unnecessary router, broken or not - I will gladly take it.
Cezary's Side
Registered: 2012-10-05
Posts: 404
This seems to be all-to-all by default, so if I were to modify the firewall from your guide accordingly, what would it look like, for example?
From: Warsaw
Registered: 2006-02-25
Posts: 101,705
Something like

config rule
	list src_ip '199.168.99.3'
	option dest '*'
https://eko.one.pl/forum/viewtopic.php?id=22966 2/11
30/05/2023, 17:15 Detailed configuration of Wireguard (Page 1) - Software - eko.one.pl
Registered: 2019-12-31
Posts: 99
config rule
	option name 'wg2lan'
	option family 'ipv4'
	option src 'wg'
	option dest 'lan'
	option target 'ACCEPT'
	list src_ip '11.11.11.11'
	list proto 'all'

and this one: access only to the entire LAN for a given device
Registered: 2012-10-05
Posts: 404
Thank you, gentlemen. I applied your advice and achieved the intended goal in WireGuard, which I have on OpenWrt on an AX3600. It works perfectly.
In addition, I also have a test WireGuard on a Raspberry, and as this is not an RPi forum, I tried to look for similar advice regarding its iptables and couldn't put anything together. Yesterday I came up with the idea of querying ChatGPT 4, and I am in absolute shock: I got an answer with explanations, ready-made solutions, and a practical and theoretical description.
From: Warsaw
Registered: 2006-02-25
Posts: 101,705
Don't trust ChatGPT too much. It lies and fabricates as much as it can on technical matters. You won't get far trusting what it writes blindly. Treat it like Wikipedia: it has knowledge, but verify it.
Registered: 2012-10-05
Posts: 404
How do I optimally restore the full WireGuard configuration when I update a snapshot? Is there any smart way?
From: Warsaw
Registered: 2006-02-25
Posts: 101,705
The WireGuard configuration is only /etc/config/network and /etc/config/firewall, so if you update keeping the configuration, you will have it. Another thing is that you can't always keep the configuration, depending on what they changed in the snapshot; you have to check yourself when you can and when you can't.
Registered: 2012-10-05
Posts: 404
In Network - Interfaces I have "Install protocol extensions" at the wg interface. What should I install?
From: Warsaw
Registered: 2006-02-25
Posts: 101,705
luci-proto-wireguard
Registered: 2012-10-05
Posts: 404
I figured this out myself, but it still says "Install protocol extensions".
sebastan
User
Inactive
Registered: 2012-10-05
Posts: 404
I took care of the firewall settings again, so that one WireGuard client has access to only one device in the LAN and does NOT use the internet through the WireGuard tunnel. I would like to have it secured from the server side, because I know that I can achieve some of these assumptions in the client configuration by replacing 0.0.0.0/0 with what I want. But I don't want the client to decide.
I messed something up in the firewall and now I have access to 192.168.1.1, and I don't want that, and I don't want internet through the tunnel. I also think the order of the rules matters. WireGuard installed according to Cezary's guide.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '55055'
	option name 'wireguard'

config rule
	option name 'Allowed Connections'
	option src 'wg'
	option src_ip '10.9.0.2'
	option dest 'lan'
	option dest_ip '192.168.1.55'
	option target 'ACCEPT'

config rule
	option name 'Restricted Connections'
	option src 'wg'
	option src_ip '10.9.0.2'
	option dest 'lan'
	option target 'REJECT'

config zone
	option name 'wg'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option output 'ACCEPT'
	option masq '1'
	option network 'wg0'

config forwarding
	option src 'wg'
	option dest 'wan'

config forwarding
	option src 'wan'
	option dest 'wg'

config forwarding
	option src 'wg'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'wg'
Cezary
From: Warsaw
Registered: 2006-02-25
Posts: 101,705
If you leave 0.0.0.0/0 on the client, its default route gets switched to the WireGuard tunnel, so if you cut off its access on the server, it will have no internet at all (not just none through the tunnel). So... do it on the client.
sebastan
User
Inactive
Registered: 2012-10-05
Posts: 404
Cezary
From: Warsaw
Registered: 2006-02-25
Posts: 101,705
Disable the wg <> lan forwarding, remove the reject rule, and leave only the rule between the specified address and the specified LAN address.
But change it on the client too, because you will have problems with DNS etc., and you'll write right away that you did it as I wrote and it doesn't work.
sebastan
User
Inactive
Registered: 2012-10-05
Posts: 404
If I delete the wg <> lan rule, do I deprive the other wg clients of LAN access? On the client I changed the allowed addresses to 192.168.1.55/32 and of course it works.
config rule
	option name 'Restricted Connections'
	option src 'wg'
	option src_ip '10.9.0.2'
	option dest 'lan'
	option target 'REJECT'

config forwarding
	option src 'wg'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'wg'
Cezary
From: Warsaw
Registered: 2006-02-25
Posts: 101,705
If you don't have too many of these clients, you can add rules for each client.
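As an added example (not from the thread or from Cezary's guide), here is a POSIX sh script, written so it would also run in OpenWrt's BusyBox shell, that generates the wg-side part of /etc/config/firewall along the lines of the last two replies: no `config forwarding` between wg and lan, a wg zone that forwards nothing by default, and one ACCEPT rule per peer pinning its tunnel address to a single LAN host. The peer list is constructed for illustration; 10.9.0.2 and 192.168.1.55 come from the posted config, 10.9.0.3 and 192.168.1.20 do not, and the rule names are mine. The zone additionally gets `input 'REJECT'`, which goes beyond what the thread states, on the assumption that 192.168.1.1 in sebastan's post is the router's own LAN address: traffic addressed to the router is decided by the zone's input policy, not by forward, so a `dest 'lan'` REJECT rule never matched it, and `option input 'ACCEPT'` on the posted wg zone is what let it through.

```shell
#!/bin/sh
# Generate the wg-side part of /etc/config/firewall (OpenWrt UCI syntax, fw3 and
# fw4 alike): a wg zone that forwards nothing by default plus one ACCEPT rule per
# peer that allows exactly one LAN host. Added example, not code from the thread.

# Constructed allow-list: "<peer tunnel address> <LAN host it may reach>" per line.
# 10.9.0.2 -> 192.168.1.55 is the pair from the thread; the second pair is invented.
PEERS='10.9.0.2 192.168.1.55
10.9.0.3 192.168.1.20'

# The wg zone. No "config forwarding" stanza accompanies it, so with forward
# REJECT a peer reaches another zone only where an explicit rule says so.
# input REJECT keeps peers off the router itself (assumption: 192.168.1.1 in the
# thread is the router's LAN address; that traffic is decided here, not by any
# rule with dest 'lan').
wg_zone() {
	cat <<'EOF'
config zone
	option name 'wg'
	option network 'wg0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

EOF
}

# One ACCEPT rule per peer: src_ip is the peer's tunnel address, dest_ip the
# single LAN host. OpenWrt evaluates "config rule" entries for a source zone
# before its "config forwarding" entries and before the zone policy, so these
# rules form the complete allow-list once the blanket wg->lan forwarding is gone.
wg_peer_rule() {
	peer_ip=$1
	dest_ip=$2
	cat <<EOF
config rule
	option name 'wg_${peer_ip}_to_${dest_ip}'
	option family 'ipv4'
	option src 'wg'
	list src_ip '${peer_ip}'
	option dest 'lan'
	list dest_ip '${dest_ip}'
	option proto 'all'
	option target 'ACCEPT'

EOF
}

# Assemble the fragment: the zone first, then one rule per PEERS line.
# Blank lines in PEERS are skipped so a trailing newline does no harm.
wg_firewall_fragment() {
	wg_zone
	printf '%s\n' "$PEERS" | while read -r peer_ip dest_ip; do
		if [ -n "$peer_ip" ]; then
			wg_peer_rule "$peer_ip" "$dest_ip"
		fi
	done
}

# Self-check helper: number of ACCEPT rules in a generated fragment, which must
# equal the number of peers in the allow-list.
count_rules() {
	printf '%s\n' "$1" | grep -c "option target 'ACCEPT'"
}

wg_firewall_fragment
```

Paste the output into /etc/config/firewall in place of the posted wg zone, the two wg <> lan forwarding stanzas and the "Restricted Connections" rule, keep the "wireguard" rule that opens UDP 55055 on wan, then run `/etc/init.d/firewall restart`. Two things in the posted config this does not touch but that deserve a look: the `config forwarding` from wan to wg lets any WAN host initiate traffic into the tunnel network, and `option masq '1'` on the wg zone only rewrites traffic leaving towards the peers, so it has no bearing on what a peer may reach. As Cezary notes, none of this changes the client's own routing: a peer with AllowedIPs 0.0.0.0/0 still sends everything into the tunnel and simply loses internet, so the client side has to be narrowed as well (192.168.1.55/32 in this thread).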
sebastan
User
Inactive
Registered: 2012-10-05
Posts: 404
One more thing: I have the DNS dns.adguard.com set on my phone (Android). This is enough ad blocking for me. But, as is known, after turning on WireGuard there is no internet with this DNS, and I have to change it to "automatic". Can this be handled somehow?
Cezary
From: Warsaw
Registered: 2006-02-25
Posts: 101,705
sebastan
User
Inactive
Registered: 2012-10-05
Posts: 404
That's what I did, as you know, but inspired by your answer I looked at the site and found the address in a different format, dns.adguard-dns.com. Entering this both in the phone and in WireGuard actually solved the problem. Thank you, as usual.