NHAS / wag

Simple Wireguard 2FA
BSD 3-Clause "New" or "Revised" License

Access dns-server fully after mfa #90

Closed krambrock closed 7 months ago

krambrock commented 7 months ago

I've got two dns-servers that I would like to access without mfa:

"Wireguard": {
    "DevName": "wg0",
    "ListenPort": 5555,
    "PrivateKey": "*** MYKEY ***",
    "Address": "10.1.2.1/24",
    "MTU": 1420,
    "DNS" : ["192.168.2.1", "192.168.2.254"]
}

And the complete /24 network with mfa:

"Acls": {
    "Policies": {
        "*": {
            "Mfa": [
                "192.168.2.0/24"
            ]
        }
    }
}

I can only access 192.168.2.1 and 192.168.2.254 on port 53 with and without mfa. That makes sense, because the public rule for 192.168.2.1 and 192.168.2.254 generated from my dns-entries is more specific. So I tried this:

"Acls": {
    "Policies": {
        "*": {
            "Mfa": [
                "192.168.2.0/24",
                "192.168.2.1/32",
                "192.168.2.254/32"
            ]
        }
    }
}

Leads to this diagnostics:

"user": {
    "Policies": [
        "10.1.2.1/32 policy [public(20) any/any]",
        "192.168.2.1/32 policy [mfa(16) any/any public(20) 53/any]",
        "192.168.2.254/32 policy [mfa(16) any/any public(20) 53/any]",
        "192.168.2.0/24 policy [mfa(16) any/any]"
    ],
    "Devices": [
        {
            "LastPacketTimestamp": 0,
            "Expiry": 0,
            "IP": "10.1.2.2",
            "Authorized": false
        }
    ],
    "AccountLocked": 0
}

"mfa(16) any/any public(20) 53/any" looks perfect to me but does not work out. I cannot access 192.168.2.1 on port 53 without mfa. After mfa I can access them (but that is not what I want). Probably I am doing something wrong ...
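To make the expected behaviour concrete, here is an added example (not wag's own code, and not how wag itself evaluates ACLs) that parses the four diagnostic policy lines quoted above and evaluates packets against them under the semantics the reporter is describing: the most specific prefix wins, and within that policy a `public` rule applies always while an `mfa` rule applies only once the device is authorized. The line format, the rule-pair layout `kind(n) port/proto`, the meaning of `any`, and the longest-prefix selection are all assumptions made for this model; the number in parentheses is kept but not interpreted.

```go
package main

import (
	"fmt"
	"net/netip"
	"strconv"
	"strings"
)

// Rule is one "<kind>(<n>) <port>/<proto>" pair from a diagnostics line.
// Assumed layout for this model; the "(n)" value is dropped after parsing.
type Rule struct {
	Kind  string // "public" or "mfa"
	Port  string // "any" or a decimal port
	Proto string // "any" or a protocol name
}

// Policy is one "<prefix> policy [<rules>]" line.
type Policy struct {
	Prefix netip.Prefix
	Rules  []Rule
}

// Constructed input: the policy lines from the issue's diagnostics output.
var diagnostics = []string{
	"10.1.2.1/32 policy [public(20) any/any]",
	"192.168.2.1/32 policy [mfa(16) any/any public(20) 53/any]",
	"192.168.2.254/32 policy [mfa(16) any/any public(20) 53/any]",
	"192.168.2.0/24 policy [mfa(16) any/any]",
}

// ParsePolicy turns one diagnostics line into a Policy.
func ParsePolicy(line string) (Policy, error) {
	prefixStr, rest, ok := strings.Cut(line, " policy [")
	if !ok || !strings.HasSuffix(rest, "]") {
		return Policy{}, fmt.Errorf("malformed policy line: %q", line)
	}
	prefix, err := netip.ParsePrefix(prefixStr)
	if err != nil {
		return Policy{}, err
	}
	fields := strings.Fields(strings.TrimSuffix(rest, "]"))
	if len(fields)%2 != 0 {
		return Policy{}, fmt.Errorf("rules do not come in kind/port pairs: %q", line)
	}
	var rules []Rule
	for i := 0; i < len(fields); i += 2 {
		kind, _, ok := strings.Cut(fields[i], "(")
		if !ok {
			return Policy{}, fmt.Errorf("bad rule kind %q", fields[i])
		}
		port, proto, ok := strings.Cut(fields[i+1], "/")
		if !ok {
			return Policy{}, fmt.Errorf("bad port/proto %q", fields[i+1])
		}
		rules = append(rules, Rule{Kind: kind, Port: port, Proto: proto})
	}
	return Policy{Prefix: prefix, Rules: rules}, nil
}

// ParseAll parses every line, failing on the first malformed one.
func ParseAll(lines []string) ([]Policy, error) {
	var out []Policy
	for _, l := range lines {
		p, err := ParsePolicy(l)
		if err != nil {
			return nil, err
		}
		out = append(out, p)
	}
	return out, nil
}

// Allowed picks the longest matching prefix, then accepts the packet if any
// rule in that policy matches its port/proto and is either public or, for an
// mfa rule, the device is authorized. No matching prefix means deny.
func Allowed(policies []Policy, dst netip.Addr, port int, proto string, authorized bool) bool {
	var best *Policy
	for i := range policies {
		p := &policies[i]
		if p.Prefix.Contains(dst) && (best == nil || p.Prefix.Bits() > best.Prefix.Bits()) {
			best = p
		}
	}
	if best == nil {
		return false
	}
	for _, r := range best.Rules {
		if r.Port != "any" && r.Port != strconv.Itoa(port) {
			continue
		}
		if r.Proto != "any" && r.Proto != proto {
			continue
		}
		if r.Kind == "public" || (r.Kind == "mfa" && authorized) {
			return true
		}
	}
	return false
}

func main() {
	ps, err := ParseAll(diagnostics)
	if err != nil {
		panic(err)
	}
	dns := netip.MustParseAddr("192.168.2.1")
	fmt.Println("dns:53 before mfa ", Allowed(ps, dns, 53, "udp", false))
	fmt.Println("dns:22 before mfa ", Allowed(ps, dns, 22, "tcp", false))
	fmt.Println("dns:22 after mfa  ", Allowed(ps, dns, 22, "tcp", true))
}
```

Under this model the reporter's second configuration would give exactly what they asked for (port 53 reachable before MFA, everything else on the DNS hosts only after MFA), so the mismatch with what they observe is a question about wag's actual rule evaluation rather than about the diagnostics output.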

NHAS commented 7 months ago

I don't know what you're trying to accomplish here.

You said your initial configuration worked just fine to allow you non-mfa access to your dns server.

Then you changed it to overwrite the rule for your dns servers from an allow policy to an Mfa policy?

Also 192.168.4.1 isn't in your regular regardless and I'm assuming that's a typo.

Due to limited time on my part, I cannot offer in-depth support without financial support, unless it relates to a bug in the codebase itself.

Thanks!

krambrock commented 7 months ago

It was a typo, sorry, I corrected it. I thought accessing the dns-server on port 53 without mfa and on all ports with mfa might be a regular requirement/bug.