NHAS / wag

Simple Wireguard 2FA
BSD 3-Clause "New" or "Revised" License

DNS IP issue #67

Closed vnovichek closed 10 months ago

vnovichek commented 11 months ago

Hi, thanks a lot for the project. Here is the issue that bothers me.

...
    "Wireguard": {
        ...
        "PersistentKeepAlive": 25,
        "DNS": [
            "192.168.5.5/32"
        ]
    },
    "Acls": {
        "Policies": {
            "*": {
                "Mfa": [
                    "192.168.5.0/24"
                ],
                "Allow": [
                ]
            }
        }
    }
...
    "test": {
        "Policies": [
            "10.1.2.1/32 policy [public(20) any/any]",
            "192.168.5.5/32 policy [public(20) 53/any]",
            "192.168.5.0/24 policy [mfa(16) any/any]"
        ],
...

After authorization, all 192.168.5.0/24 hosts are perfectly accessible, except for 192.168.5.5/32, which only allows access to port 53. Adding 192.168.5.5/32 to the MFA block resolves the issue but renders DNS (192.168.5.5/32, port 53/any) inaccessible in non-authorized mode.

Please advise, thanks.

vnovichek commented 11 months ago

Adding 192.168.5.5/32 with the list of services resolves the issue.

    "Acls": {
        "Policies": {
            "*": {
                "Mfa": [
                    "192.168.5.5/32 icmp 22/tcp",
                    "192.168.5.0/24"
                ],
                "Allow": [
                ]
            }
        }
    }

However, to be frank, I'd prefer to have access to all ports without enumerating them. Is that possible?

NHAS commented 10 months ago

Hi there.

This happens because a rule for 192.168.5.5/32 is inserted into the ebpf firewall.

Due to the kernel data structure I have to use to match up addresses (longest prefix trie) the most specific route is what ends up controlling data flow.

I.e. the rules defined in a /32 override rules defined in a /24.

Unfortunately it's a bit of a limitation given the data structures we've got to use.

In your case, a DNS entry is added to the /32 that is your DNS IP address.

You should be able to just add 192.168.5.5 instead of having to define a port, and that will append an allow any/any rule to the /32 for your DNS server, allowing all ports.

Wyk72 commented 10 months ago

I am having a lot of trouble making a local/internal DNS work in WAG.

Can you please give some advice on how to do it?

I just need a simple dnsmasq for the internal wireguard network, that reads IPs from hosts file.

If I just build a "simple/classic" wireguard "star" network it works fine, but in WAG it always gets blocked by its internal firewall.

The DNS IP that you put into the "general" setting always gets blocked on port 53 even if its rules in WAG say otherwise.

Very confused about the issue, tried everything, but I am unable to make it work.

Maybe I'm missing something about the logic of it?

NHAS commented 10 months ago

I think this is a separate issue to the original; please open your own issue to discuss that there.

vnovichek commented 10 months ago

You should be able to just add 192.168.5.5 instead of having to define a port, and that will append an allow any/any rule to the /32 for your DNS server, allowing all ports.

Adding 192.168.5.5/32 to the MFA block makes DNS (192.168.5.5/32, port 53) inaccessible in non-authorized mode.

NHAS commented 10 months ago

Have you tried adding it to the public block instead?

vnovichek commented 10 months ago

I did, it didn't help (both too), and to boot I need it only in the Mfa block.

NHAS commented 10 months ago

Yeah, so Mfa rules take precedence over public rules, so you can't accidentally set something public when you have a conflicting Mfa rule.

What's happening here is that the any/any Mfa rule matches the 53/udp of DNS and thus blocks it.

So you need to have the Mfa directive be specific to a port/port range instead of any/any.
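The two behaviours NHAS describes in this thread (longest-prefix match, so a /32 entry hides the covering /24; and Mfa rules taking precedence over public rules on the same prefix) can be modelled in a few lines. The following is an added example, not part of the original thread and not wag's own code: the `Rule`/`Verdict` types, `Evaluate`, and the three rule sets (`OriginalRules`, `BrokenRules`, `FixedRules`, reproducing the configurations discussed above) are constructed for illustration, and the model ignores protocol (tcp/udp/icmp), matching on port only.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Constructed model of the ACL behaviour described in this thread; illustrative
// types only, not wag's own code. Protocol (tcp/udp/icmp) is ignored here.
type Kind int
const (
	Public Kind = iota // reachable before MFA
	Mfa                // reachable only after MFA
)

// PortRange covers Lo..Hi inclusive; AnyPort stands for "any".
type PortRange struct{ Lo, Hi uint16 }
var AnyPort = PortRange{0, 65535}

type Rule struct {
	Prefix netip.Prefix
	Kind   Kind
	Ports  []PortRange
}

type Verdict int
const (
	Drop Verdict = iota
	AllowPublic
	AllowAfterMfa
)

func (v Verdict) String() string {
	return [...]string{"drop", "allow (public)", "allow (after MFA)"}[v]
}

func rule(cidr string, k Kind, ports ...PortRange) Rule {
	return Rule{Prefix: netip.MustParsePrefix(cidr), Kind: k, Ports: ports}
}

func portMatches(ports []PortRange, port uint16) bool {
	for _, p := range ports {
		if port >= p.Lo && port <= p.Hi {
			return true
		}
	}
	return false
}

// Evaluate applies the two behaviours NHAS describes: (1) only the rules on the
// most specific prefix containing dst are consulted, so a /32 hides the covering
// /24; (2) within that prefix an Mfa rule matching the port wins over a Public
// rule, so the port stays blocked until the peer has authenticated.
func Evaluate(rules []Rule, dst netip.Addr, port uint16, authenticated bool) Verdict {
	best := -1
	for _, r := range rules {
		if r.Prefix.Contains(dst) && r.Prefix.Bits() > best {
			best = r.Prefix.Bits()
		}
	}
	mfaHit, publicHit := false, false
	for _, r := range rules {
		if r.Prefix.Bits() != best || !r.Prefix.Contains(dst) || !portMatches(r.Ports, port) {
			continue
		}
		if r.Kind == Mfa {
			mfaHit = true
		} else {
			publicHit = true
		}
	}
	switch {
	case mfaHit && authenticated:
		return AllowAfterMfa
	case mfaHit:
		return Drop // Mfa rule shadows the Public one until authentication
	case publicHit:
		return AllowPublic
	}
	return Drop
}

// Lookup is a string-based wrapper around Evaluate.
func Lookup(rules []Rule, dstIP string, port uint16, authenticated bool) Verdict {
	return Evaluate(rules, netip.MustParseAddr(dstIP), port, authenticated)
}

// OriginalRules mirrors the first post: the DNS setting yields a Public 53/any
// rule on the /32, and the Mfa block covers the /24 with any/any.
func OriginalRules() []Rule {
	return []Rule{rule("192.168.5.5/32", Public, PortRange{53, 53}), rule("192.168.5.0/24", Mfa, AnyPort)}
}

// BrokenRules adds the bare /32 to the Mfa block (any/any): DNS now needs MFA.
func BrokenRules() []Rule { return append(OriginalRules(), rule("192.168.5.5/32", Mfa, AnyPort)) }

// FixedRules follows the closing advice: a port-specific Mfa entry (22, as in the second post).
func FixedRules() []Rule { return append(OriginalRules(), rule("192.168.5.5/32", Mfa, PortRange{22, 22})) }

func main() {
	for name, r := range map[string][]Rule{"original": OriginalRules(), "broken": BrokenRules(), "fixed": FixedRules()} {
		fmt.Printf("%-8s dns:53 pre-MFA=%v  dns:22 post-MFA=%v\n", name, Lookup(r, "192.168.5.5", 53, false), Lookup(r, "192.168.5.5", 22, true))
	}
}
```

Running it shows the three states from the thread: with the original config DNS is reachable before MFA but port 22 on the DNS host is dropped even after MFA (the /32 hides the /24's any/any); with the bare /32 added to the Mfa block, port 22 opens after MFA but port 53 is now dropped before it; with a port-specific Mfa entry, both work as intended.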

vnovichek commented 10 months ago

Right, thanks for the explanation, closing.