I am currently setting up a WireGuard instance on a Raspberry Pi. This is for private use, and has to
Relay my internet traffic through my house's ISP
Give access to my homelab and a bunch of other things
Following WireGuard Access Control With Iptables | Pro Custodibus, I recognized that I have certain gaps in my understanding of how firewalls actually do things.
I was able to give access to my local LAN (see link), but of course the config in there blocks all outgoing internet traffic.
From my understanding the way to go should (?) be
Allow all traffic
Block all local traffic, except for the stuff that should be reachable
Is this the only way? Seems a little too much work for just “free to go to WAN and whatever …”
Extra question:
In this scenario, the traffic is handled on the WireGuard host itself. Should one also implement the same inter-LAN rules on a router level (the WireGuard network is a VLAN, the rest is separated into different VLANs as well)? Or is this just extra work?
What router do you have? I would try installing WireGuard on the router, not the host. I don't know anything about WireGuard; I use Tailscale instead. I think the problem lies in what you block. I hope I have helped a little.
Maybe try swapping to UFW on your client? I feel like it's pretty straightforward compared to other firewall utilities, even though it's command-line only.
Start by blocking everything and only allowing the ports you need.
sudo ufw status shows all your current rules
Think of WireGuard like a secure tunnel to whatever you're doing. Doesn't need internet. You just need IPv4 forwarding on the host (with WireGuard pointing to the outside world) and then clients configured for the WireGuard host.
You can allow/disallow certain clients access to the internet by splitting WireGuard instances under different ports.
You could have wg1 and wg2, wg1 points to the outside world and wg2 is LAN
Like set wifi1 network to be wg1, and wifi2 network to be wg2 LAN
or wg1 could be one large tunnel, and you can disallow specific clients outside world access.
Went through line by line, and it does things like allowing port-by-port for services like IMAP to access certain hosts, or only select endpoints to establish an SSH tunnel.
UFW would be even more to learn, even if fewer rules were to be put in place.
Obviously it is just an easier front-end for nftables, but still, might be better to carry on with iptables.
Or, perhaps, ditch both, and try and learn nftables itself, and config that way?
I personally use iptables as I am a dumb-ass, and it’s a single wall of rules I can grok, step by step, on each client I put it on
Oof. Personally I've always had a hard time understanding iptables. Too many rules, too many easy ways to lock yourself out. At least UFW gives you a simple list. But my brain might work differently.
@Greedence, good luck getting ChatGPT to be much help writing firewall rules for you. The only use ChatGPT is going to be, when it comes to writing firewall rules, is to give some suggestions when things do not work; at least, that has been my experience.
One does not need Tailscale, if one has a working tunnel.
But it can help establish a 2 way tunnel.
Also be aware hosts might need encouragement to send their traffic over the link, instead of over the default route obtained by DHCP/regular internet settings.
I think I didn't phrase my question clearly enough.
I was able to follow the tutorial in the link I provided.
It works as described on my setup. => I can connect, get the correct IP and can only reach the stuff that I allowed (specific other VLANs and some specific IP addresses)
BUT: this implementation blocks all internet traffic (as it should)
Question:
If I wanted to expand the configuration, how would I proceed?
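The layout sketched in the original question (allow everything, then block local traffic except what should be reachable), as an added example that is not from the thread or the linked tutorial; the interface names, the tunnel subnet and the allowed LAN targets are assumed placeholders:

```shell
#!/bin/sh
# Added example, not from the thread. Rules for a WireGuard host whose peers
# may reach the internet but only the LAN destinations listed below.
# Every name and address here is an assumed placeholder.
WG_IF="${WG_IF:-wg0}"              # tunnel interface
OUT_IF="${OUT_IF:-eth0}"           # interface toward the router and ISP
WG_NET="${WG_NET:-10.8.0.0/24}"    # addresses handed out to peers
# Private and link-local ranges are dropped unless listed in ALLOWED_LAN.
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16"
# Constructed examples: one homelab host and one whole VLAN.
ALLOWED_LAN="${ALLOWED_LAN:-192.168.20.10/32 192.168.30.0/24}"

# Print the rules in iptables-restore format; nothing is applied here.
# The order is the whole point: replies first, then the allowed LAN targets,
# then a drop for every other private range, and only then "the rest" (WAN).
build_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':FORWARD DROP [0:0]'   # forward nothing not allowed below
    printf '%s\n' ':WG_OUT - [0:0]'       # chain for traffic arriving from the tunnel
    printf '%s\n' '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' "-A FORWARD -i $WG_IF -s $WG_NET -j WG_OUT"
    for dst in $ALLOWED_LAN; do
        printf '%s\n' "-A WG_OUT -d $dst -j ACCEPT"
    done
    for net in $PRIVATE_NETS; do
        printf '%s\n' "-A WG_OUT -d $net -j DROP"
    done
    # Whatever is left has a public destination: let it out toward the ISP.
    printf '%s\n' "-A WG_OUT -o $OUT_IF -j ACCEPT"
    printf '%s\n' 'COMMIT'
    printf '%s\n' '*nat'
    printf '%s\n' ':POSTROUTING ACCEPT [0:0]'
    # Hide peer addresses behind the host so the router needs no route back.
    printf '%s\n' "-A POSTROUTING -s $WG_NET -o $OUT_IF -j MASQUERADE"
    printf '%s\n' 'COMMIT'
}

# Load the rules as root; --noflush leaves chains not declared above alone.
apply_rules() {
    build_rules | iptables-restore --noflush
}
# Dry-run check: the ACCEPT for destination "$1" must come before the first
# private-range DROP, or it would never be reached. Returns 0 when it does.
allow_precedes_drop() {
    rules=$(build_rules)
    allow=$(printf '%s\n' "$rules" | grep -n -F -- "-d $1 -j ACCEPT" | cut -d: -f1)
    drop=$(printf '%s\n' "$rules" | grep -n -F -- '-j DROP' | head -n 1 | cut -d: -f1)
    [ -n "$allow" ] && [ "$allow" -lt "$drop" ]
}
```

IPv4 forwarding still has to be enabled on the host, as one reply above notes, and peer-to-peer traffic between tunnel clients falls through to the FORWARD drop policy because it never leaves via the outside interface. Apply it from a console session rather than through the tunnel, so a typo in the allowed list cannot lock you out.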