WireGuard firewall issues

DD-WRT Forum Index -> Advanced Networking
rebeto13 (DD-WRT Novice, Joined: 10 Sep 2019, Posts: 15)
PostPosted: Wed May 27, 2020 12:50    Post subject: WireGuard firewall issues
Hi everyone
I set up my router (Netgear R6700 v3, build 43217) with several firewall rules I dug out of searches in this forum. I've also included a couple of scripts which were given by the WG service provider. Something is causing a conflict, as I cannot surf the web when the firewall commands are executed. The WireGuard tunnel works fine without the firewall. However, when I try to route IP ranges through the tunnel and not through the tunnel, something stops me from navigating. I've also set up a bunch of devices with static IP addresses to achieve this, plus a guest network without security but with some restrictions.
I'd appreciate any help on the matter.

Startup (From the WG SP)
Code:

sleep 30
# Only act once the tunnel has completed a handshake
if wg show | grep -q handshake; then
DEF_GW=$(nvram get wan_gateway)
DEF_IF=$(nvram get wan_iface)
WG_HOSTNAME=$(nvram get oet1_rem0)
# Keep the WireGuard endpoint reachable via the WAN, then send everything else into the tunnel
route add -host $WG_HOSTNAME gw $DEF_GW dev $DEF_IF
route del default
route add default dev oet1
ip route flush cache
iptables -t nat -I POSTROUTING -o oet1 -j MASQUERADE
# Kill switch: reject any new LAN connection that would leave via the WAN instead of the tunnel
iptables -I FORWARD -i br0 -o $DEF_IF -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -p tcp -o $DEF_IF -m state --state NEW -j REJECT --reject-with tcp-reset
# Re-run the route fix (custom.sh) every time the WAN comes up
mkdir -p /tmp/etc/config
ln -s /tmp/custom.sh /tmp/etc/config/wg-route-fix.wanup
fi


Custom (From the WG SP)
Code:


#!/bin/sh
sleep 5
DEF_GW=$(/usr/sbin/nvram get wan_gateway)
DEF_IF=$(/usr/sbin/nvram get wan_iface)
WG_HOSTNAME=$(/usr/sbin/nvram get oet1_rem0)
# Keep the WireGuard endpoint reachable via the WAN, then make the tunnel the default route again
route add -host $WG_HOSTNAME gw $DEF_GW dev $DEF_IF
route del default
route add default dev oet1
ip route flush cache


Firewall (from searching the forum)
Code:

ip route flush cache
iptables -t mangle -F PREROUTING
# Table 200 sends marked traffic straight out of the WAN, bypassing the tunnel
ip route add default table 200 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 200
# Mark the LAN (br0) and guest (wl0.1) source ranges that should bypass the tunnel
iptables -t mangle -I PREROUTING -i br0 -s 192.xxx.xxx.130/25 -j MARK --set-mark 1
iptables -t mangle -I PREROUTING -i wl0.1 -s 10.x.x.150/25 -j MARK --set-mark 1
# Redirect port xx traffic from those ranges to a fixed external host
iptables -t nat -I PREROUTING -i br0 -s 192.xxx.x.128/25 -p udp --dport xx -j DNAT --to 208.xxx.xxx.xxx
iptables -t nat -I PREROUTING -i br0 -s 192.xxx.x.128/25 -p tcp --dport xx -j DNAT --to 208.xxx.xxx.xxx
iptables -t nat -I PREROUTING -i wl0.1 -s 10.x.x.150/25 -p udp --dport xx -j DNAT --to 208.xxx.xxx.xxx
iptables -t nat -I PREROUTING -i wl0.1 -s 10.x.x.1/25 -p tcp --dport xx -j DNAT --to 208.xxx.xxx.xxx
sleep 5
# NAT everything that leaves through the tunnel
iptables -t nat -I POSTROUTING -o oet1 -j MASQUERADE
# Block guest clients from reaching the router's web interface
iptables -I INPUT -i wl0.1 -p tcp --dport www -j REJECT --reject-with tcp-reset
egc (DD-WRT Guru, Joined: 18 Mar 2014, Posts: 12834, Location: Netherlands)
PostPosted: Wed May 27, 2020 13:04
Ditch everything!

You do not need any scripting; that can be done by enabling Route Allowed IP's.

But you have to use a recent build; 43217 should work.

You want policy based routing; there is a script for that in the WireGuard Server setup guide, in the third post.

But I uploaded the patches today to get PBR in the GUI, also with Kill Switch, Inbound firewall, Naming of Peers and Status window.

If I do not find any show stoppers it will be in the next beta (after build 43273), and then you do not need any scripting and can set PBR from the GUI.

Have a look in the WireGuard Advanced setup guide; the last paragraph was made with that and explains PBR etc.

For all WireGuard guides, see my signature at the bottom of this post.

_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
rebeto13 (DD-WRT Novice, Joined: 10 Sep 2019, Posts: 15)
PostPosted: Wed May 27, 2020 22:49
Thanks. Will give it a shot tonight.
I'd tried to use PBR from the GUI in the past, but it was buggy.

Thanks again!
egc (DD-WRT Guru, Joined: 18 Mar 2014, Posts: 12834, Location: Netherlands)
PostPosted: Thu May 28, 2020 5:40
rebeto13 wrote:
Thanks. Will give it a shot tonight.
I’d tried to use pbr from the GUI in the past but it was buggy.

Thanks again!


Well, there is no PBR in the GUI; that is why I have made it, and it will probably be in the next public beta.
See the WireGuard client setup guide for an example; there it is also explained how to set up without scripts.

For PBR you can use the script from the third post of the WireGuard server setup guide until the next public beta comes out.

rebeto13 (DD-WRT Novice, Joined: 10 Sep 2019, Posts: 15)
PostPosted: Mon Jun 01, 2020 5:20
True! I was using OpenVPN previously... so I adapted the OpenVPN scripts for PBR to WG... and something got messed up.
I downloaded and installed the 43306 build. I'm about to set up PBR... will let you know how it goes.
Thanks again @egc
rebeto13 (DD-WRT Novice, Joined: 10 Sep 2019, Posts: 15)
PostPosted: Mon Jun 01, 2020 5:39
Gave it a shot with 43306... I set up 192.168.X.80/26 and assigned a static IP to my computer (192.168.X.131)... I'm still being routed through the tunnel...
Any suggestions?
Thanks
egc (DD-WRT Guru, Joined: 18 Mar 2014, Posts: 12834, Location: Netherlands)
PostPosted: Mon Jun 01, 2020 9:49
Are you using any scripts?
If so, you probably should remove them.

In the PBR field enter 192.168.X.64/26
That routes all clients from .64 - .127 via the tunnel.
so .131 should use the WAN.

Reboot the router, wait at least two minutes after the router has come up, and then send the output of (from the CLI, i.e. telnet/putty):
Code:
ip route show
ip rule show
ip route show table 21

rebeto13 (DD-WRT Novice, Joined: 10 Sep 2019, Posts: 15)
PostPosted: Mon Jun 01, 2020 13:07
Hi... yes, I'm running scripts which were provided by my VPN service provider. Should I remove them?

Startup (From the WG SP)

Code:

sleep 30
# Only act once the tunnel has completed a handshake
if wg show | grep -q handshake; then
DEF_GW=$(nvram get wan_gateway)
DEF_IF=$(nvram get wan_iface)
WG_HOSTNAME=$(nvram get oet1_rem0)
# Keep the WireGuard endpoint reachable via the WAN, then send everything else into the tunnel
route add -host $WG_HOSTNAME gw $DEF_GW dev $DEF_IF
route del default
route add default dev oet1
ip route flush cache
iptables -t nat -I POSTROUTING -o oet1 -j MASQUERADE
# Kill switch: reject any new LAN connection that would leave via the WAN instead of the tunnel
iptables -I FORWARD -i br0 -o $DEF_IF -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
iptables -I FORWARD -i br0 -p tcp -o $DEF_IF -m state --state NEW -j REJECT --reject-with tcp-reset
# Re-run the route fix (custom.sh) every time the WAN comes up
mkdir -p /tmp/etc/config
ln -s /tmp/custom.sh /tmp/etc/config/wg-route-fix.wanup
fi


Custom (From the WG SP)
Code:

#!/bin/sh
sleep 5
DEF_GW=$(/usr/sbin/nvram get wan_gateway)
DEF_IF=$(/usr/sbin/nvram get wan_iface)
WG_HOSTNAME=$(/usr/sbin/nvram get oet1_rem0)
# Keep the WireGuard endpoint reachable via the WAN, then make the tunnel the default route again
route add -host $WG_HOSTNAME gw $DEF_GW dev $DEF_IF
route del default
route add default dev oet1
ip route flush cache



egc (DD-WRT Guru, Joined: 18 Mar 2014, Posts: 12834, Location: Netherlands)
PostPosted: Mon Jun 01, 2020 13:34
Yes, you should remove them all.

My esteemed colleague @kp69 reminded me to update the guides, specifically stating that scripts are no longer necessary (read: wreak havoc), and he appears to be right.

Have a look at the WireGuard client setup guide (see my signature) for how to set up a client.

Basically:
NAT via Tunnel: Enable
Allowed IP's: 0.0.0.0/1,128.0.0.0/1
Route Allowed IP's: Enabled.

BTW, you are also using a kill switch.

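To make concrete what egc's two replies above describe, here is an added example in plain POSIX shell (not code from the thread, from DD-WRT, or from the VPN provider). It models two things offline: which clients fall inside a PBR range such as 192.168.X.64/26 (so .64 to .127 leave through the tunnel and .131 leaves through the WAN), and what the two FORWARD REJECT rules from the poster's startup script do to a client that is routed out of the WAN. The WAN interface name eth0, the LAN addresses and the PBR range are constructed for the example; on the router the real WAN interface is whatever nvram get wan_iface returns.

```shell
#!/bin/sh
# Added example, not from the thread or from DD-WRT: models the PBR range
# decision and the startup script's kill-switch FORWARD rules offline.

WAN_IF=eth0   # assumed WAN interface name; on the router it is $(nvram get wan_iface)

# ip_to_int A.B.C.D -> the address as a single integer
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/BITS -> success when IP lies inside NET/BITS
in_cidr() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    case $2 in
        */*) bits=${2#*/} ;;
        *)   bits=32 ;;          # a bare address means a single host
    esac
    # 32-bit netmask; the shift happens on a 64-bit value so bits=0 is well defined
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# egress_iface CLIENT_IP PBR_CIDR -> oet1 for clients inside the PBR range
# (sent through the tunnel), otherwise the WAN interface
egress_iface() {
    if in_cidr "$1" "$2"; then
        echo oet1
    else
        echo "$WAN_IF"
    fi
}

# kill_switch_verdict IN_IF OUT_IF -> what the startup script's two rules do to a
# NEW forwarded connection:
#   iptables -I FORWARD -i br0 -o $DEF_IF -m state --state NEW -j REJECT ...
kill_switch_verdict() {
    if [ "$1" = br0 ] && [ "$2" = "$WAN_IF" ]; then
        echo REJECT
    else
        echo ACCEPT
    fi
}

# client_outcome CLIENT_IP PBR_CIDR -> "<egress interface>:<firewall verdict>"
client_outcome() {
    out=$(egress_iface "$1" "$2")
    echo "$out:$(kill_switch_verdict br0 "$out")"
}

# Constructed sample: the range egc suggested and two LAN clients
pbr=192.168.1.64/26
for client in 192.168.1.100 192.168.1.131; do
    echo "$client -> $(client_outcome "$client" "$pbr")"
done
# 192.168.1.100 -> oet1:ACCEPT   (inside .64-.127, goes through the tunnel)
# 192.168.1.131 -> eth0:REJECT   (outside the range, routed to the WAN, then rejected)
```

The second line of output is the interaction worth noticing: a client deliberately placed outside the PBR range is steered to the WAN by policy routing and then hits the kill switch that the provider's startup script installs, so it has no Internet at all. That is why the GUI-based setup and the kill switch belong together, and why leftover scripts from a different setup are better removed than layered on top.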
rebeto13 (DD-WRT Novice, Joined: 10 Sep 2019, Posts: 15)
PostPosted: Tue Jun 02, 2020 4:58
Thanks @egc... I couldn't get the PBR to work.
The tunnel works, but those IPs outside the range I defined to be routed through the tunnel don't connect to the internet.
Any ideas?
I'm attaching the output and settings again.
egc (DD-WRT Guru, Joined: 18 Mar 2014, Posts: 12834, Location: Netherlands)
PostPosted: Tue Jun 02, 2020 11:38
Well, let's check your firewall rules:

iptables -vnL FORWARD
iptables -vnL INPUT

Make sure you use an IP address outside .64 - .127; those are the addresses which should use the tunnel.

From the client, if it is Windows, run from cmd:
ipconfig/all
tracert 8.8.8.8

egc (DD-WRT Guru, Joined: 18 Mar 2014, Posts: 12834, Location: Netherlands)
PostPosted: Tue Jun 02, 2020 11:42
Also from the router, from the CLI run:
traceroute 8.8.8.8

rebeto13 (DD-WRT Novice, Joined: 10 Sep 2019, Posts: 15)
PostPosted: Sat Jun 06, 2020 15:09
Hi... I've been battling with this but haven't been able to get it to work.
I'm guessing that some of the commands maybe got stuck in the nvram despite not being in the commands.
Is there a way to clear these commands from the nvram without a hard reset?
Attached are some outputs of some commands.

Thanks again @egc


Last edited by rebeto13 on Sat Jun 06, 2020 19:49; edited 1 time in total
kernel-panic69 (DD-WRT Guru, Joined: 08 May 2018, Posts: 14125, Location: Texas, USA)
PostPosted: Sat Jun 06, 2020 15:23
Since you can't follow simple rules about image sizes, I am locking this thread for now until I un-muck YOUR stupidly huge image. While you are waiting, please read through ALL the forum rules and guidelines and study them for a few hours.

EDIT: Here is your output from Terminal. Next time, if it's going to be more than 3 screenshots, either do the second post or use an image hosting site. Thank you.

_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
egc (DD-WRT Guru, Joined: 18 Mar 2014, Posts: 12834, Location: Netherlands)
PostPosted: Sat Jun 06, 2020 16:44
At first glance I do not see anything out of the ordinary.

Never use the command shell for anything.
Just use the Command Line interface (telnet/putty), so you can also easily copy and paste.

Strange that your provider uses a CGNAT address (starting with 100).

The router shows it goes out of the WAN like it should.

Let's see the output of a client in the PBR range and a client outside the PBR range.

For Windows, open a command prompt (cmd) and do:
ipconfig/all
tracert 8.8.8.8
