Closed Mariaab1 closed 5 months ago
Without your config and wag version it is very difficult to help. I expect you just haven't added the rule to iptables using the ExposePorts config option.
Hello,
Thanks and sorry, you are right, my configuration file is this one:
```json
{
  "Socket": "/tmp/wag.sock",
  "Proxied": false,
  "MFATemplatesDirectory": "plantillas/resources/templates/",
  "NAT": true,
  "HelpMail": "X",
  "Lockout": 5,
  "ExternalAddress": "X",
  "MaxSessionLifetimeMinutes": 1440,
  "SessionInactivityTimeoutMinutes": 60,
  "DownloadConfigFileName": "wg0.conf",
  "ExposePorts": [ "4433/tcp" ],
  "ManagementUI": {
    "ListenAddress": "192.168.45.73:4433",
    "Enabled": true
  },
  "Webserver": {
    "Public": {
      "ListenAddress": "192.168.45.73:8080"
    },
    "Tunnel": {
      "Port": "445"
    }
  },
  "Authenticators": {
    "DefaultMethod": "totp",
    "Issuer": "Tesi",
    "Methods": [
      "totp"
    ],
    "DomainURL": "",
    "OIDC": {
      "IssuerURL": "",
      "ClientSecret": "",
      "ClientID": ""
    },
    "PAM": {
      "ServiceName": ""
    }
  },
  "Wireguard": {
    "DevName": "wg0",
    "ListenPort": 51821,
    "PrivateKey": "X",
    "Address": "172.16.101.1/24",
    "MTU": 1420
  },
  "DatabaseLocation": "devices.db",
  "Acls": {
    "Policies": {
      "*": {
        "Allow": [
          "192.168.45.73 4433/any"
        ]
      }
    }
  }
}
```
The version is `Version: v7.3.2-2-g8f38706`, but it is still not working.
Yep you're not using the ExposePorts directive to add an iptables rule that exposes the port on the wag host.
Wag inserts a block all iptables rule for its own host to stop you accidentally exposing services to your wireguard peers.
```json
"ExposePorts": [ "4433/tcp" ],
```

But it is there, or do you mean something else? :(
By the way, about the deny policy in the ACLs, I would like to know if there is an estimated date for the release. Thank you in advance.
Hmmm using expose ports should work.
The ACLS already have a default hidden rule that says all traffic is allowed to talk to the wag host. Then we use iptables to limit what traffic actually gets through.
Can you give me your iptables rules once wag is running?
Also deny ACLs are functional in 7.3.2 they just don't have any admin UI attached to them.
So if you're waiting for the admin UI to catch up that'll be done with v8.0.0 which is in beta release right now.
Hello, these are the firewall rules:

```text
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-sshd   tcp  --  anywhere             anywhere             multiport dports ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:4433
ACCEPT     udp  --  anywhere             anywhere             udp dpt:4433
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:4433
ACCEPT     udp  --  anywhere             anywhere             udp dpt:4433
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:4433
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:4433
ACCEPT     udp  --  anywhere             anywhere             udp dpt:4433
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain f2b-sshd (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
```

Finally, regarding the deny ACLs, I have set them up but I do not see them reflected in the firewall either. I think I'm missing something.
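The INPUT chain above is evaluated top to bottom, and the first terminal target wins, so what matters for an exposed port is whether its ACCEPT sits before wag's `DROP all` rule. The following is an added example (not part of this thread or of wag) that parses one chain of `iptables -L` output and walks it the way netfilter would for a new inbound connection. The listing it runs on is constructed from one copy of the posted INPUT rules; names, types and the match heuristics are my own assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// SampleInput is a constructed listing in the default `iptables -L INPUT`
// format, trimmed to one copy of the rule set posted in the thread.
const SampleInput = `Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-sshd   tcp  --  anywhere             anywhere             multiport dports ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:4433
ACCEPT     udp  --  anywhere             anywhere             udp dpt:4433
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere
`

// Rule is one entry of a chain: the target, the protocol column and whatever
// match text follows the destination column (empty means "match everything").
type Rule struct {
	Target string
	Proto  string
	Match  string
}

// ParseChain turns a single chain listing into rules in table order. The
// "Chain ..." header and the column-header line are skipped.
func ParseChain(listing string) []Rule {
	var rules []Rule
	for _, line := range strings.Split(listing, "\n") {
		f := strings.Fields(line)
		if len(f) < 5 || f[0] == "Chain" || f[0] == "target" {
			continue
		}
		// columns: target prot opt source destination [match ...]
		rules = append(rules, Rule{
			Target: f[0],
			Proto:  f[1],
			Match:  strings.Join(f[5:], " "),
		})
	}
	return rules
}

// Verdict walks the chain in order and returns the target of the first rule
// that would match a NEW inbound connection to proto/port. A rule with no
// match text catches everything of its protocol; rules keyed on other
// criteria (connection state, other ports) are skipped. "" means the chain
// fell through to its default policy.
func Verdict(rules []Rule, proto string, port int) string {
	dpt := fmt.Sprintf("dpt:%d", port)
	for _, r := range rules {
		if r.Proto != "all" && r.Proto != proto {
			continue
		}
		if r.Match == "" {
			return r.Target
		}
		if strings.Contains(r.Match, dpt) {
			return r.Target
		}
	}
	return ""
}

func main() {
	rules := ParseChain(SampleInput)
	for _, c := range []struct {
		proto string
		port  int
	}{{"tcp", 4433}, {"udp", 4433}, {"tcp", 8080}} {
		fmt.Printf("%s/%d -> %s\n", c.proto, c.port, Verdict(rules, c.proto, c.port))
	}
}
```

On the constructed sample, tcp/4433 and udp/4433 reach an ACCEPT before the DROP, while tcp/8080 (the Public listener, which is not in ExposePorts) hits the DROP. Feed it the real `iptables -L INPUT` output to check ordering mechanically instead of by eye; the parser only resolves numeric `dpt:` values, so run iptables with `-n` if you need to check ports that the default listing prints by service name.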
Hmmm I don't know why that hasn't shown up there. I've got tests to make sure that it does get inserted, so odd.
Oops, sorry, in the Allow section the IP should be "192.168.45.1/24"; nevertheless the effect is the same.
Hello,
I am sorry to bring this up again.
We are still experiencing problems with Deny ACLs. This is the ACL part of the config.json file, for example:

```json
"group:nerds": {
  "Mfa": [
    "192.168.3.4/32",
    "10.0.0.0/24",
    "10.0.0.0 443/tcp icmp"
  ],
  "Allow": [
    "192.168.3.5/32 22/tcp"
  ],
  "Deny": [
    "192.168.3.5/32 22/tcp"
  ]
}
```

And in the firewall we see all the rules reflected except the deny ones:

This user is part of the group. We tried to copy the ACL part of your example directly, to rule out that, for instance, the order in which they are defined interfered, or that we were defining something that would conflict.

However, we have tried several combinations and none of them seems to work, though if the word "Deny" is misspelled it does display the error:

In any case, thank you for the help!
Huh, I have been able to replicate this in v8.0.0-beta11.

Essentially I wasn't adding the deny rules to the GetEffectiveAcls function, which generates the file ruleset to be compiled into ebpf firewall rules.

I have now resolved this and can see the deny rules in the firewall. I am going to do a small release for version 8.0.0-beta12 to address this.

Thanks for the good spot and bugging me enough to look into it!
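The bug described above is a class of rule silently dropped at the merge step, before anything reaches the firewall: a policy can declare a Deny entry, pass validation (a misspelled key is rejected, as the report notes), and still never be compiled. The following is an added example, not wag's code, of what an "effective ACLs" merge looks like when every class is carried across. It parses the rule strings exactly as they appear in the two configs posted in this thread; the rule grammar, the `Policy`/`Effective` types and `EffectiveACLs` are my own assumptions, and how Deny is ordered against Allow in the compiled ruleset is deliberately not modelled.

```go
package main

import (
	"fmt"
	"net/netip"
	"strconv"
	"strings"
)

// Service is one "port/proto" or bare protocol token of an ACL rule.
type Service struct {
	Port  int    // 0 for a bare protocol token such as "icmp"
	Proto string // "tcp", "udp", "any", "icmp", ...
}

// ACLRule is a parsed policy entry such as "192.168.3.5/32 22/tcp".
type ACLRule struct {
	Dest     netip.Prefix
	Services []Service // empty: every port and protocol
}

// ParseRule parses the "address[/prefix] [port/proto | proto ...]" strings
// used in the thread's configs. A bare address is read as a single host; that
// and the token grammar are assumptions about the format, not wag's parser.
func ParseRule(s string) (ACLRule, error) {
	fields := strings.Fields(s)
	if len(fields) == 0 {
		return ACLRule{}, fmt.Errorf("empty rule")
	}
	var prefix netip.Prefix
	if strings.Contains(fields[0], "/") {
		p, err := netip.ParsePrefix(fields[0])
		if err != nil {
			return ACLRule{}, fmt.Errorf("bad prefix %q: %w", fields[0], err)
		}
		prefix = p.Masked()
	} else {
		addr, err := netip.ParseAddr(fields[0])
		if err != nil {
			return ACLRule{}, fmt.Errorf("bad address %q: %w", fields[0], err)
		}
		prefix = netip.PrefixFrom(addr, addr.BitLen())
	}
	rule := ACLRule{Dest: prefix}
	for _, tok := range fields[1:] {
		portText, proto, hasPort := strings.Cut(tok, "/")
		if !hasPort {
			// bare protocol token, e.g. "icmp"
			rule.Services = append(rule.Services, Service{Proto: strings.ToLower(tok)})
			continue
		}
		port, err := strconv.Atoi(portText)
		if err != nil || port < 1 || port > 65535 {
			return ACLRule{}, fmt.Errorf("bad port in %q", tok)
		}
		rule.Services = append(rule.Services, Service{Port: port, Proto: strings.ToLower(proto)})
	}
	return rule, nil
}

// Policy mirrors one entry of the "Policies" object: the three rule classes.
type Policy struct {
	Mfa, Allow, Deny []string
}

// Effective is the merged ruleset for one device, still split by class.
type Effective struct {
	Mfa, Allow, Deny []ACLRule
}

// EffectiveACLs collects the rules of the wildcard "*" policy plus every
// policy named in groups. All three classes are carried across, including
// Deny, the class the thread reports as missing from the compiled firewall.
func EffectiveACLs(policies map[string]Policy, groups []string) (Effective, error) {
	var eff Effective
	names := append([]string{"*"}, groups...)
	for _, name := range names {
		pol, ok := policies[name]
		if !ok {
			continue
		}
		classes := []struct {
			src []string
			dst *[]ACLRule
		}{{pol.Mfa, &eff.Mfa}, {pol.Allow, &eff.Allow}, {pol.Deny, &eff.Deny}}
		for _, c := range classes {
			for _, s := range c.src {
				r, err := ParseRule(s)
				if err != nil {
					return Effective{}, fmt.Errorf("policy %q: %w", name, err)
				}
				*c.dst = append(*c.dst, r)
			}
		}
	}
	return eff, nil
}

// SamplePolicies is the "Policies" content from the two configs posted in
// the thread: the "*" policy from the first and "group:nerds" from the second.
var SamplePolicies = map[string]Policy{
	"*": {Allow: []string{"192.168.45.73 4433/any"}},
	"group:nerds": {
		Mfa:   []string{"192.168.3.4/32", "10.0.0.0/24", "10.0.0.0 443/tcp icmp"},
		Allow: []string{"192.168.3.5/32 22/tcp"},
		Deny:  []string{"192.168.3.5/32 22/tcp"},
	},
}

func main() {
	eff, err := EffectiveACLs(SamplePolicies, []string{"group:nerds"})
	if err != nil {
		panic(err)
	}
	fmt.Printf("mfa=%d allow=%d deny=%d\n", len(eff.Mfa), len(eff.Allow), len(eff.Deny))
	for _, r := range eff.Deny {
		fmt.Printf("deny %s %+v\n", r.Dest, r.Services)
	}
}
```

The useful check here is the one the reporter did by hand: after the merge, count the rules per class and compare against the config. A merge that returns zero Deny rules for a policy that declares one is exactly the failure the maintainer fixed, and it is cheap to pin down in a unit test rather than by reading the firewall listing.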
Hello,
I am experiencing problems accessing the graphical interface when using the VPN.
Locally I have no problems, and the VPN in general works fine too, except for that IP.

`ss -puntl` shows that the port is listening on that address:

```text
tcp LISTEN 0 4096 192.168.45.73:4433 0.0.0.0:* users:(("wag",pid=85673,fd=21))
```

I've also tried to allow access to it specifically:

```json
"Policies": {
  "*": {
    "Allow": [
      "192.168.45.73 4433/any"
    ]
  },
```
Could you help me? Thank you very much!