IPTables & WireGuard connection to Internet, restricted local LAN

Hi!

I am currently setting up a WireGuard instance on a Raspberry Pi. This is for private use, and it has to

  • Relay my internet traffic through my house's ISP
  • Give access to my homelab and a bunch of other things

Following WireGuard Access Control With Iptables | Pro Custodibus, I recognized that I have certain gaps in my understanding of how firewalls actually do things.
I was able to give access to my local LAN (see link), but of course the config in there blocks all outgoing internet traffic.

From my understanding the way to go should (?) be

  • Allow all traffic
  • Block all local traffic, except for the stuff that should be reachable

Is this the only way? Seems a little too much work for just “free to go to WAN and whatever …”

Extra question:

  • In this scenario, the traffic is handled on the WireGuard host itself. Should one also implement the same inter-LAN rules at the router level (the WireGuard network is a VLAN, and the rest is separated into different VLANs as well)? Or is this just extra work?

Thx.

@Greedence, Have you heard of a project called Tailscale? It will make what I think you are trying to do a lot easier.

I am aware of Tailscale, but I want to learn things.
(Besides: not sure how Tailscale would make things easier in terms of network segmentation …)

What router do you have? I would try installing WireGuard on the router, not the host. I don’t know anything about WireGuard; I use Tailscale instead. I think the problem lies in what you block. I hope I have helped a little.


Maybe try swapping to UFW on your client? I feel like it’s pretty straightforward compared to other firewall utilities, even though it’s command-line only.

Start by blocking everything and only allowing the ports you need.

sudo ufw status shows all your current rules.

Think of WireGuard like a secure tunnel to whatever you’re doing. It doesn’t need internet. You just need IPv4 forwarding on the host (with WireGuard pointing to the outside world) and then clients configured for the WireGuard host.

You can allow/disallow certain clients access to the internet by splitting WireGuard instances under different ports.

You could have wg1 and wg2, where wg1 points to the outside world and wg2 is LAN.

Like set the wifi1 network to be wg1, and the wifi2 network to be wg2 LAN.

Or wg1 could be one large tunnel, and you can disallow specific clients outside-world access.

Music to my ears.


The tutorial OP was following was pretty intense.

I went through it line by line, and it does things like allowing port-by-port for services like IMAP to access certain hosts, or only select endpoints to establish an SSH tunnel.

UFW would be even more to learn, even if fewer rules were to be put in place.

Obviously it is just an easier front-end for nftables, but still, it might be better to carry on with iptables.

Or, perhaps, ditch both, and try to learn nftables itself, and config that way?

I personally use iptables as I am a dumb-ass, and it’s a single wall of rules I can grok, step by step, on each client I put it on.


Oof. Personally I’ve always had a hard time understanding iptables. Too many rules, too many easy ways to lock yourself out. At least UFW gives you a simple list. But my brain might work differently.


Deffo this, like, the same the other way round. The verbosity was more useful for me, so it could be MY broken brain.

When I’ve used UFW, it has been a case of SSH on or off.

Not: laptop at work can SSH, but fridge at home cannot.

I did not dig too deep into the system afterwards.


On your point, I think Amnezia would be the most simple config for OP if this is all overwhelming.

A.I. can help simplify much of this as well.


I’mma just quietly back away now, and leave the room before I get all silly and tin-foil…

I hear lots of good things about Copilot, the Visual Studio suite place thing…

But I learned the basics from Mike Murphy on YT, before he moved it to archive.org,

and I can’t view them anyway, as archive.org blocks my VPN.


iptables: A Basic Router : Dr. Mike Murphy : Free Download, Borrow, and Streaming : Internet Archive

Introduction to iptables : Dr. Mike Murphy : Free Download, Borrow, and Streaming : Internet Archive

And sorry to OP for derailing the thread.


:joy:

There are more A.I. tools than you could imagine if you know how to word things correctly. You use them every day without realizing it.


@Greedence, good luck getting ChatGPT to be much help writing firewall rules for you. The only use ChatGPT is going to be, when it comes to writing firewall rules, is to give some suggestions when things do not work; at least, that has been my experience.

I really think Tailscale can help you with this, but you’d need to play with the firewall at either end anyway.

Except for outbound traffic to another wireguard instance on another device.

Do you have a mock network setup with dummy IP addresses?

Can wireguard establish a tunnel to begin with?
If no tunnel, then perhaps firewall misconfig.
If tunnel established, then routing issues.

Also be aware that you might not be sending ICMP/ping traffic, so that might not be a valid network test for this.


One does not need Tailscale if one has a working tunnel.

But it can help establish a two-way tunnel.

Also be aware that hosts might need encouragement to send their traffic over the link, instead of over the default route obtained by DHCP/regular internet settings.


Hi, thx for the eager discussion!

I think I didn’t phrase my question clearly enough.

  • I was able to follow the tutorial in the link I provided.
  • It works as described on my setup. => I can connect, get the correct IP and can only reach the stuff that I allowed (specific other VLANs and some specific IP addresses).
  • BUT: this implementation blocks all internet traffic (as it should).

Question:
If I would like to expand the configuration, how would I proceed?


For the sake of completeness: I also found this: linux - Block traffic to LAN but allow traffic to Internet (iptables) - Super User,
which got me wondering if this is the only way to do it …
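The approach OP sketches earlier (allow everything, then carve out the local ranges) and the Super User answer are the same idea; what makes it work is rule order in the FORWARD chain: specific LAN allowances first, then a blanket reject of all private ranges, then a final accept for whatever is left (public address space), with conntrack letting the replies back in. The script below is an added example written for this thread, not code from the thread, the Pro Custodibus guide or the Super User answer. Every interface name and address in it is an assumption (wg0 as the WireGuard interface, 10.8.0.0/24 as the client subnet, eth0 as the Pi's uplink, 192.168.20.0/24 and 192.168.10.5 as the only LAN destinations clients may reach); override them via environment variables. By default it only prints the iptables commands so the order can be reviewed; APPLY=1 runs them for real.

```shell
#!/bin/sh
# Added example: FORWARD-chain policy for a WireGuard host that relays clients
# to the Internet but lets them reach only chosen LAN destinations.
# All names and addresses below are assumptions, not taken from the thread.
WG_IF="${WG_IF:-wg0}"                  # WireGuard interface on the Pi
WG_NET="${WG_NET:-10.8.0.0/24}"        # WireGuard client subnet
LAN_IF="${LAN_IF:-eth0}"               # uplink towards the home router / ISP
ALLOWED_LAN="${ALLOWED_LAN:-192.168.20.0/24 192.168.10.5}"   # reachable LAN targets
# Private and link-local ranges clients must NOT reach unless listed above.
BLOCKED_LOCAL="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16"

# Dry-run by default: print each command. APPLY=1 executes it (needs root).
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$@"; fi
}

wg_forward_rules() {
  # The kernel must route between interfaces at all ("ipv4 forwarding").
  run sysctl -w net.ipv4.ip_forward=1

  # Own chain, so it can be flushed and rebuilt without touching other rules.
  run iptables -N WG_FWD 2>/dev/null || true
  run iptables -F WG_FWD

  # 1. Replies to connections the clients opened (from WAN or allowed hosts).
  run iptables -A WG_FWD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  # 2. Specific LAN allowances. These MUST precede the blanket rejects below:
  #    iptables stops at the first matching terminating target.
  for dst in $ALLOWED_LAN; do
    run iptables -A WG_FWD -i "$WG_IF" -d "$dst" -j ACCEPT
  done

  # 3. Everything else private (other VLANs, the router's admin interface, and
  #    other WireGuard peers, since 10.8.0.0/24 sits inside 10.0.0.0/8) is
  #    rejected. REJECT rather than DROP so clients fail fast instead of hanging.
  #    Add "-d $WG_NET -j ACCEPT" above this loop if peers should see each other.
  for dst in $BLOCKED_LOCAL; do
    run iptables -A WG_FWD -i "$WG_IF" -d "$dst" -j REJECT --reject-with icmp-admin-prohibited
  done

  # 4. Whatever survived is public address space: let it out to the ISP.
  run iptables -A WG_FWD -i "$WG_IF" -o "$LAN_IF" -j ACCEPT

  # Hook the chain into FORWARD. Default policy DROP catches anything the chain
  # did not decide, including LAN hosts trying to open connections to clients.
  run iptables -P FORWARD DROP
  run iptables -D FORWARD -j WG_FWD 2>/dev/null || true   # idempotent reload
  run iptables -I FORWARD 1 -j WG_FWD

  # Source NAT so Internet replies return to the Pi and back into the tunnel.
  run iptables -t nat -D POSTROUTING -s "$WG_NET" -o "$LAN_IF" -j MASQUERADE 2>/dev/null || true
  run iptables -t nat -A POSTROUTING -s "$WG_NET" -o "$LAN_IF" -j MASQUERADE
}

wg_forward_rules
```

Check it with iptables -L WG_FWD -v -n after applying: the counters on the REJECT lines show which clients are probing VLANs they are not meant to see. On the router-level question, the Pi's rules only govern traffic that passes through the Pi; a client that reaches a LAN host directly through another path is not covered, so the router's inter-VLAN rules are a second, independent layer rather than duplicated work.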