Closed bluecraank closed 1 year ago
Whilst not strictly what you want, we use it to ssh onto clients using ProxyJump in the ssh config.
Host remoteSystem
    ProxyJump witegaurdServer
As long as we can ssh, we can tunnel pretty much anything else.
So. If I'm understanding you correctly, you have your wag server acting as a gateway to an internal network.
In that internal network you want hosts to be able to route through the wag server and talk to the wireguard peers?
As for your issue about allowing everything from the internal network, as long as you're not NATing it should retain its src and dst IP headers, and so wag rules will still govern what can talk to what.
I do see what you mean and I'll have a think about how best to implement that.
Honestly, I was doing a think, and I believe this was just an oversight on my behalf as I don't use wag like this. I'm more than happy to just add a blank forward from all interfaces to your wireguard peer interfaces.
Obviously this will still be governed by the wag rules.
E.g. something like
iptables -A FORWARD -o wg0 -j ACCEPT
I've put this in the unstable branch just for fun. Please give it a go; I'm trying to think if this adds any risk or not.
Also @paulb-opusvl, I don't suppose you've had time to do anything with the docs page? Do you need a run through or something? Could always grab your <social media here> and have a chat if you need!
This works as expected!
Awesome. I'll be doing a roll up release soonish to have that as a main branch feature.
Problem
So far everything is running. I only have the problem that, apart from the server, no other devices can ping WireGuard peers, and generally no communication can be established.
My solution
So I added this code in iptables.go before line 29 to allow incoming traffic from the interface where everything else is connected to the wg0 interface.
General solution
There should be a way to allow this, but I do not really know how. The way I solved it allows EVERYTHING from internal; that may not be the best way.
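The FORWARD rule proposed in the thread (`iptables -A FORWARD -o wg0 -j ACCEPT`) and the reporter's concern that it admits everything from the internal side both come down to which ingress interfaces the rule matches. The script below is an added example, not code from wag or from anyone in this thread: it emits the blanket rule beside a narrowed variant that only lets flows originating on the internal interface reach `wg0` and lets replies back out only for connections conntrack already knows. `wg0` is the interface named in the thread; the internal interface name `eth1` is an assumption. With the blanket rule, only wag's own policy limits what reaches the peers; the narrowed variant adds an interface-level layer underneath it, so a packet routed toward `wg0` from any other interface falls through to the chain's default policy.

```shell
#!/bin/sh
# Added example, not wag project code. Interface names are assumptions
# (wg0 comes from the thread; eth1 is a placeholder for the LAN side).
WG_IF="${WG_IF:-wg0}"     # WireGuard peer interface
LAN_IF="${LAN_IF:-eth1}"  # internal-network interface (assumed name)

# Variant 1: the blanket rule from the thread. Any ingress interface may
# forward into wg0; only wag's own rules then limit what reaches peers.
blanket_forward_rules() {
    printf '%s\n' "iptables -A FORWARD -o $WG_IF -j ACCEPT"
}

# Variant 2: narrowed. Only the internal interface may open new flows
# toward wg0, and wg0 may send back to the LAN only for flows conntrack
# has already seen. Anything else in FORWARD hits the default policy.
narrowed_forward_rules() {
    printf '%s\n' \
      "iptables -A FORWARD -i $LAN_IF -o $WG_IF -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT" \
      "iptables -A FORWARD -i $WG_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Report which ingress interface a rule set admits toward wg0:
# "any" if some rule toward wg0 carries no -i match, else the LAN name.
ingress_scope() {
    if "$1" | grep -- "-o $WG_IF" | grep -qv -- "-i "; then
        echo any
    else
        echo "$LAN_IF"
    fi
}

# Apply a variant for real only when explicitly asked (needs root).
apply_rules() { "$1" | sh; }

if [ "${1:-}" = "--apply" ]; then
    apply_rules narrowed_forward_rules
else
    echo "# blanket:";  blanket_forward_rules
    echo "# narrowed:"; narrowed_forward_rules
fi
```

Run it without arguments to print both variants for review; `--apply` pipes the narrowed variant into `sh` and so needs root. The rules append to FORWARD, so if the chain already has an earlier blanket ACCEPT toward `wg0`, that rule wins and the narrowed ones never match.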