WireGuard / wireguard-vyatta-ubnt

WireGuard for Ubiquiti Devices
https://www.wireguard.com/
GNU General Public License v3.0

Can't apply firewall rules to VPN clients #129

Closed adampetrovic closed 1 year ago

adampetrovic commented 1 year ago

Package version

1.0.20220627-1

Firmware version

v1.10.11

Device

UXG Pro

Issue description

I've had my UXG Pro as a Wireguard server running nicely for a while now. My use case is that I have a VPS box that holds open a Wireguard connection to my UXG so it can access some of my internal devices and services.

I don't want my VPS to be able to access all of my network, just a few specific hosts in a particular VLAN. My VPS box has a single /32 IP assigned when it connects to WireGuard, so I figured I could just easily add LAN In rules in my firewall to control what my VPN client can access; however, deny rules don't seem to be taking any effect.

I can ping / interact with any VLAN even if I add a deny all for the client IP address.

Is it possible to set firewall rules for clients that connect to my wireguard server?

Configuration and log output

No response

peacey commented 1 year ago

Hi @adampetrovic, are you using the UXG Pro, or the UniFi Security Gateway XG 8 as your device/wireguard server? You said "UniFi Security Gateway XG 8 - UGWXG" for Device but then said UXG-Pro in description.

adampetrovic commented 1 year ago

UXG Pro (I've updated my description) - it wasn't an option in the template dropdown, so I picked the closest I could :)

peacey commented 1 year ago

Oh sorry, I didn't know it's a dropdown.

Anyhow, for the UniFi routers, the problem is Ubiquiti only forwards interfaces it created to its firewall rules. If you want to also forward the WireGuard interface to the Ubiquiti firewall rules, you can add custom rules to jump to the correct chains like this in SSH:

  iptables -A FORWARD -i wg0 -j UBIOS_LAN_IN_USER
  iptables -A FORWARD -o wg0 -j UBIOS_LAN_OUT_USER
  iptables -A INPUT -i wg0 -j UBIOS_LAN_LOCAL_USER

Make sure to change wg0 to your interface name if different. This will add the jumps for LAN IN, LAN OUT, and LAN LOCAL for the wireguard interface, which will make traffic from/to this interface honour all the rules.

You can also add it to PostUp/PreDown in your wg0.conf like so:

  PostUp = iptables -A FORWARD -i %i -j UBIOS_LAN_IN_USER; iptables -A FORWARD -o %i -j UBIOS_LAN_OUT_USER; iptables -A INPUT -i %i -j UBIOS_LAN_LOCAL_USER
  PreDown = iptables -D FORWARD -i %i -j UBIOS_LAN_IN_USER; iptables -D FORWARD -o %i -j UBIOS_LAN_OUT_USER; iptables -D INPUT -i %i -j UBIOS_LAN_LOCAL_USER

Please see if your firewall rules work with the above addition.

Thanks!
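An added example, not code from this thread or from the wireguard-vyatta-ubnt project: the same three jumps wrapped in a script so PostUp/PreDown can call it without stacking duplicate rules (each `-A` is guarded by `iptables -C`, and `down` deletes every copy). It assumes the UBIOS_LAN_IN_USER, UBIOS_LAN_OUT_USER and UBIOS_LAN_LOCAL_USER chains exist as in the comment above, and the script path /config/scripts/wg-jumps.sh is hypothetical.

```shell
#!/bin/sh
# Idempotent jump rules from a WireGuard interface into the UniFi OS user chains.
# Usage (hypothetical path):  PostUp = /config/scripts/wg-jumps.sh up %i
#                             PreDown = /config/scripts/wg-jumps.sh down %i
# Set DRY_RUN=1 to print the iptables commands instead of running them.

# Wrapper around iptables; in dry-run mode it echoes the command and treats
# -C (check) and -D (delete) as "rule absent" so the add/delete path is shown once.
ipt() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "iptables $*"
    case "$1" in -C|-D) return 1 ;; esac
    return 0
  fi
  iptables "$@"
}

# The three rules from the thread, one per line, for interface $1.
wg_jump_rules() {
  printf '%s\n' \
    "FORWARD -i $1 -j UBIOS_LAN_IN_USER" \
    "FORWARD -o $1 -j UBIOS_LAN_OUT_USER" \
    "INPUT -i $1 -j UBIOS_LAN_LOCAL_USER"
}

# Add each jump only if it is not already present (-C exits non-zero when the
# rule is missing), so a repeated PostUp does not append duplicates.
wg_jumps_up() {
  wg_jump_rules "$1" | while read -r rule; do
    # shellcheck disable=SC2086
    ipt -C $rule 2>/dev/null || ipt -A $rule
  done
}

# Remove every copy of each jump, in case duplicates were added by hand earlier.
wg_jumps_down() {
  wg_jump_rules "$1" | while read -r rule; do
    # shellcheck disable=SC2086
    while ipt -D $rule 2>/dev/null; do :; done
  done
}

case "${1:-}" in
  up)   wg_jumps_up "$2" ;;
  down) wg_jumps_down "$2" ;;
esac
```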

adampetrovic commented 1 year ago

Perfect. That worked like a charm! Thanks @peacey

UnlimitedCookies commented 1 year ago

Hey @peacey, would you mind adding this to the wiki? Seems very useful to me.

peacey commented 1 year ago

Hi @UnlimitedCookies, sorry I meant to add it to the wiki but completely forgot. Will do it soon.

UnlimitedCookies commented 1 year ago

> Hi @UnlimitedCookies, sorry I meant to add it to the wiki but completely forgot. Will do it soon.

Awesome!