Posted: Tue Nov 30, 2021 18:24 Post subject: how to use ddwrt port forwarding with wireguard?
Hi all
I have already searched a lot but somehow didn't find the right answer. I have the following:
- wireguard server with public IP (using 10.0.5.1)
- DD-WRT on R7000 behind an ISP NAT connected to the wireguard server (using 10.0.5.2)
The connection works fine: I can ping the WireGuard server and the WireGuard server can ping my DD-WRT.
I can also open an SSH connection to 10.0.5.2 if I disable "Firewall inbound" on the R7000, but I can't reach any other device behind the R7000.
What do I need to setup to:
1) access the R7000 ssh port only by the one defined in the remote access management (same for the webui)
2) access all open ports (+ devices) from the port forwarding section from the WireGuard server (for example: I have opened port 443 on the R7000). How can I now access 10.0.5.2:443 (which forwards to the internal IP defined on the R7000 (192.168.0.x)) instead of getting the DD-WRT web UI?
Joined: 18 Mar 2014 Posts: 11495 Location: Netherlands
Posted: Tue Nov 30, 2021 18:51 Post subject:
As it can be of interest to all I moved this thread to the Advanced Networking forum.
To give optimal support we do need the router model (you already posted that) but also the build number
See the forum guidelines with helpful pointers about how to research your router, where and what firmware to download, where and how to post and many other helpful tips:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Basically you do not need any port forwarding, you need to set up a site-to-site setup as described in the WireGuard Advanced Setup guide.
You are connecting both networks, that is basically it.
Take note individual clients can have their own firewall!
Sorry my build is "DD-WRT v3.0-r47665 std (11/24/21)"
With this site-to-site approach I am opening both networks fully to the other side, correct? If I don't want to have that, is there a possibility to restrict it?
- I don't want to tunnel my own outbound traffic (it should still go over the ISP)
- I want to access some private service behind the R7000 public like:
- access https://publicip:443 (ip of the public endpoint)
- routes internally to https://10.0.5.2:443 (wireguard ip of R7000)
- routes to https://192.168.0.x:443 (client which sits behind the R7000, gets its local IP from R7000 and 443 is opened in the port forwarding)
- disabling the "firewall inbound" on the R7000
- adding the R7000 network "192.168.0.1/24" to the allowedIPs on the wireguard server
- now I can access each device by 192.168.0.x
But this now exposes the whole 192.168.0.x network.
Is there a way to enable the inbound firewall and only allow certain ports to be reachable over the R7000 IP?
Joined: 18 Mar 2014 Posts: 11495 Location: Netherlands
Posted: Tue Nov 30, 2021 20:48 Post subject:
You do not need to have all traffic via the tunnel. I have a site-to-site setup to my VPS server, the VPS server has subnet 192.168.6.0/24.
I am only routing traffic for 192.168.6.0/24 via the tunnel, everything else goes via the ISP.
So from the client side 192.168.6.1 is the server and 192.168.6.X are other clients on the servers subnet.
If I want from my Windows client on the client side to get to a Windows client on the server side in Explorer I just type \\192.168.6.X and I see the drives on that PC
Of course the firewall of that PC has to allow traffic coming from another subnet.
It is really easy to setup with WireGuard
Key points:
Disable NAT
Disable CVE
Disable Inbound Firewall
Allowed IPs: besides the tunnel's subnet, on the server side add the client's subnet, on the client side add the server's subnet
Enable Route Allowed IPs
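For the narrower case asked about earlier in the thread (reach 10.0.5.2:443 from the WireGuard server and land on one LAN device, without exposing the rest of 192.168.0.0/24), here is an added example of a DD-WRT firewall script; it is not from this thread or from the DD-WRT project. It assumes the tunnel interface is named oet1, the R7000's tunnel address is 10.0.5.2, and the LAN host 192.168.0.10 is a constructed placeholder.

```shell
#!/bin/sh
# Added example: restrict what the WireGuard peer may reach once
# "Firewall inbound" is disabled on the R7000. Assumptions: DD-WRT names
# the WireGuard interface oet1, the tunnel subnet is 10.0.5.0/24, the
# router's tunnel IP is 10.0.5.2, and the only exposed services are router
# SSH and TCP 443 on one LAN host (192.168.0.10 is a constructed value).
WG_IF="${WG_IF:-oet1}"
WG_NET="10.0.5.0/24"
ROUTER_WG_IP="10.0.5.2"
LAN_HOST="192.168.0.10"

# Emit the rules instead of applying them, so they can be reviewed first.
# Each output line is the argument list of one iptables invocation.
tunnel_rules() {
    cat <<EOF
-t nat -A PREROUTING -i $WG_IF -p tcp --dport 443 -j DNAT --to-destination $LAN_HOST:443
-N WG_IN
-F WG_IN
-I INPUT   -i $WG_IF -j WG_IN
-I FORWARD -i $WG_IF -j WG_IN
-A WG_IN -m state --state ESTABLISHED,RELATED -j ACCEPT
-A WG_IN -p icmp -j ACCEPT
-A WG_IN -s $WG_NET -d $ROUTER_WG_IP -p tcp --dport 22 -j ACCEPT
-A WG_IN -s $WG_NET -d $LAN_HOST -p tcp --dport 443 -j ACCEPT
-A WG_IN -j DROP
EOF
}

# Apply every emitted rule; "-N" prints an error on a re-run (chain exists)
# but the following "-F" then resets it, so the script is safe to re-run.
apply_rules() {
    tunnel_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # intentional word splitting
        iptables $rule
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

With these rules the WireGuard server only needs 10.0.5.2/32 in its AllowedIPs: hitting 10.0.5.2:443 is DNATed to the LAN host, while every other port on 192.168.0.0/24 stays unreachable through the tunnel.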