Hello all. I have my proxy (Nginx Proxy Manager) opened to the internet. I have fail2ban reading the logs. I want to add a GeoIP block to only let IPs in my country to access it. This should give another layer of security.
I started taking a look at OPNsense (maybe a forbidden router?) but I also saw that OpenWRT has some packages available to that end. I want to do DNS and NTP also in the router, but both should be capable of that. So:
Does OpenWRT have support for GeoIP blocking, and is it good enough?
Good idea.
My logs tell me that a good chunk of attacks on my server originate from IPs registered overseas.
However, another chunk (about the same size) originate from cloud services (really any cloud service you know and some you don’t - yet).
I would buy a router for that with good support. My main motivation to use OpenWRT is to use a low power device to do it all: router, firewall and Wi-Fi.
I would block all that.
If you are advising me to use it, I already use Wireguard. If you are telling me that an attacker in another country can use it to pretend to be in mine, I know it is not bulletproof, but I would be making things more difficult for them.
In my experience geo blocking brought malicious traffic down by a lot, and I mean a lot. For a motivated attacker it’s a speed bump, but casual wannabe hackers, bots - waaay down. I still get some from local cloud providers and infected WordPress instances but nowhere near what was coming from China, US and Russia - my top 3 sources of malicious traffic.
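To put numbers on the effect described above, here is an added example (not code from anyone in this thread) that scores an "allow only my country" policy against a few constructed reverse-proxy access-log lines. The country-to-CIDR table and the log lines are made up stand-ins; a real setup would load per-country prefixes from a GeoIP feed into the router's firewall set.

```python
import ipaddress
import re
from collections import Counter

# Constructed stand-in for a GeoIP country database (RFC 5737 test ranges).
# "HOME" is the country the proxy owner wants to allow.
COUNTRY_NETS = {
    "HOME": [ipaddress.ip_network("203.0.113.0/24")],
    "OTHER": [ipaddress.ip_network("198.51.100.0/24")],
    "CLOUD": [ipaddress.ip_network("192.0.2.0/24")],
}

# Constructed nginx-style combined log lines (client ip ... "request" status size).
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 153',
    '192.0.2.33 - - [01/Jan/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 404 153',
    '198.51.100.8 - - [01/Jan/2024:10:00:03 +0000] "GET /.env HTTP/1.1" 404 153',
    '203.0.113.11 - - [01/Jan/2024:10:00:04 +0000] "GET /admin HTTP/1.1" 401 0',
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def country_of(ip: str) -> str:
    """Longest-match lookup of an address in the constructed country table."""
    addr = ipaddress.ip_address(ip)
    for country, nets in COUNTRY_NETS.items():
        if any(addr in net for net in nets):
            return country
    return "UNKNOWN"


def evaluate(lines, allowed=("HOME",)):
    """Return (admitted, blocked) Counters keyed by source country,
    i.e. what a geo allowlist would let through vs. drop."""
    admitted, blocked = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        c = country_of(m.group("ip"))
        (admitted if c in allowed else blocked)[c] += 1
    return admitted, blocked


def remaining_probes(lines, allowed=("HOME",)):
    """Admitted requests that still look like probes (4xx/5xx): the traffic
    geo blocking cannot remove, which fail2ban on the proxy still has to handle."""
    probes = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and country_of(m.group("ip")) in allowed and int(m.group("status")) >= 400:
            probes.append((m.group("ip"), m.group("req")))
    return probes
```

The split between `evaluate` and `remaining_probes` is the practical point: the allowlist removes the foreign and cloud noise wholesale, while in-country probes still reach the proxy and need the existing fail2ban layer.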
There is nothing wrong with using either router OS solution.
For OpenWRT there is a plug-in that has a luci component that allows for country blocking (among others).
If you have the resources I would suggest you spin up a forbidden router of each OS and play around with both. I love pfsense (with pfblockerNG) but flipped back to OpenWRT about 4 months ago and it's been rock solid for all of my needs, and I run both as VMs on proxmox with zero issues like this.
We all have preferred OSes but it's not often a common feature such as geoblock is unavailable on a popular platform. I respect TryTwice's opinion, but the comment that OpenWRT is meant to repurpose consumer-grade hardware and is not good for what the OP asked is a point I would disagree with.
Whichever way you choose, share your results and good luck!