how to use ddwrt port forwarding with wireguard?

michael123456 (DD-WRT Novice, joined 03 Feb 2016, 8 posts)
Posted: Tue Nov 30, 2021 18:24    Post subject: how to use ddwrt port forwarding with wireguard?
Hi all Smile

I have already searched a lot but somehow didn't find the right answer. I have the following:

- wireguard server with public IP (using 10.0.5.1)
- DD-WRT on R7000 behind an ISP NAT connected to the wireguard server (using 10.0.5.2)

The connection works fine: I can ping the wireguard server and the wireguard server can ping my ddwrt.

I can also open an ssh connection to 10.0.5.2 if I disable "Firewall inbound" on the R7000, but I can't reach any other device behind the R7000.

What do I need to set up to:

1) access the R7000 ssh port only by the one defined in the remote access management (same for the webui)
2) access all open ports (+ devices) from the port forwarding section from the wireguard server (for example: I have opened port 443 on the R7000). How can I access now 10.0.5.2:443 (which forwards to the internal IP defined on the R7000 (192.168.0.x) instead of returning the ddwrt web ui)?
egc (DD-WRT Guru, joined 18 Mar 2014, 12837 posts, location: Netherlands)
Posted: Tue Nov 30, 2021 18:51
As it can be of interest to all I moved this thread to the Advanced Networking forum.

To give optimal support we do need the router model (you already posted that) but also the build number.

See the forum guidelines with helpful pointers about how to research your router, where and what firmware to download, where and how to post and many other helpful tips:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087

Basically you do not need any port forwarding; you need to set up a site-to-site setup as described in the WireGuard Advanced Setup guide.
You are connecting both networks, that is basically it Smile
Take note individual clients can have their own firewall!

WireGuard docs:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327397

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
michael123456 (DD-WRT Novice, joined 03 Feb 2016, 8 posts)
Posted: Tue Nov 30, 2021 19:12
egc wrote:
To give optimal support we do need the router model (you already posted that) but also the build number.

Basically you do not need any port forwarding; you need to set up a site-to-site setup as described in the WireGuard Advanced Setup guide.
You are connecting both networks, that is basically it Smile
Take note individual clients can have their own firewall!

WireGuard docs:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327397


Sorry Smile my build is "DD-WRT v3.0-r47665 std (11/24/21)"

With this site-to-site approach, I am opening both networks fully to the other side, correct? If I don't want that, is there a possibility to restrict it?

- I don't want to tunnel my own outbound traffic (it should still go over the ISP)
- I want to access some private service behind the R7000 publicly, like:

- access https://publicip:443 (ip of the public endpoint)
- routes internally to https://10.0.5.2:443 (wireguard ip of R7000)
- routes to https://192.168.0.x:443 (client which sits behind the R7000, gets its local IP from R7000 and 443 is opened in the port forwarding)
michael123456 (DD-WRT Novice, joined 03 Feb 2016, 8 posts)
Posted: Tue Nov 30, 2021 20:44
I got it working by:

- disabling the "firewall inbound" on the R7000
- adding the R7000 network "192.168.0.1/24" to the allowedIPs on the wireguard server
- now I can access each device by 192.168.0.x

But this now exposes the whole 192.168.0.x network.

Is there a way to enable the inbound firewall and only allow certain ports to be seen over the R7000 ip?
egc (DD-WRT Guru, joined 18 Mar 2014, 12837 posts, location: Netherlands)
Posted: Tue Nov 30, 2021 20:48
You do not need to have all traffic via the tunnel. I have a site-to-site setup to my VPS server; the VPS server has subnet 192.168.6.0/24.

I am only routing traffic for 192.168.6.0/24 via the tunnel; everything else goes via the ISP.

So from the client side 192.168.6.1 is the server and 192.168.6.X are other clients on the server's subnet.

If I want from my Windows client on the client side to get to a Windows client on the server side in Explorer I just type \\192.168.6.X and I see the drives on that PC

Of course the firewall of that PC has to allow traffic coming from another subnet.

It is really easy to set up with WireGuard Smile

Key points:
Disable NAT
Disable CVE
Disable Inbound Firewall
Allowed IP's: besides the tunnels subnet, on the server side add the clients subnet, on the client side add the servers subnet
Enable Route Allowed IP's

Actually exactly as described in the guide Smile

P.S. Latest builds have a WG update but this concerns Policy Based Routing so does not apply to your situation

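The thread ends with two positions: egc's key points (disable the inbound firewall and exchange subnets in Allowed IPs, which routes the whole 192.168.0.0/24 LAN over the tunnel) and michael123456's question of whether the inbound firewall can stay enabled while only a few ports are reachable over the R7000's tunnel address. The script below is an added example, not code from the thread or from the DD-WRT project, showing how the second, narrower option can be expressed as a DD-WRT firewall script with iptables. It assumes the DD-WRT WireGuard interface is named oet1, the router's tunnel address is 10.0.5.2, the only remote peer is 10.0.5.1, and the LAN host that should answer on 443 is 192.168.0.10 (all of these are placeholders); with this approach the server side keeps only 10.0.5.2/32 in its Allowed IPs, so nothing else on the LAN is routable from the tunnel.

```shell
#!/bin/sh
# Added example (not from the thread): keep DD-WRT's "Firewall inbound" enabled
# and open only specific ports towards the WireGuard side.
# Assumed names (placeholders): oet1 = WireGuard interface, 10.0.5.2 = router
# tunnel address, 10.0.5.1 = remote peer, 192.168.0.10 = LAN host for HTTPS.
WG_IF="${WG_IF:-oet1}"
WG_PEER="${WG_PEER:-10.0.5.1}"
WG_LOCAL="${WG_LOCAL:-10.0.5.2}"
HTTPS_TARGET="${HTTPS_TARGET:-192.168.0.10}"

# With DRY_RUN=1 the rules are printed instead of applied, so the rule set can
# be reviewed (or tested) on a machine that has no iptables.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "iptables $*"
  else
    iptables "$@"
  fi
}

tunnel_rules() {
  # Replies to connections the LAN opened itself are always allowed back in.
  run -I FORWARD 1 -i "$WG_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Router management from the tunnel peer only: SSH (22) and the web UI (80).
  run -I INPUT 1 -i "$WG_IF" -s "$WG_PEER" -p tcp -m multiport --dports 22,80 -j ACCEPT
  # Port forward: tunnel address :443 is rewritten to the LAN host :443 before
  # routing, so it reaches the LAN host instead of the router's own web UI.
  run -t nat -I PREROUTING 1 -i "$WG_IF" -d "$WG_LOCAL" -p tcp --dport 443 -j DNAT --to-destination "$HTTPS_TARGET:443"
  # Allow exactly that forwarded flow (placed after the ESTABLISHED rule).
  run -I FORWARD 2 -i "$WG_IF" -d "$HTTPS_TARGET" -p tcp --dport 443 -m state --state NEW -j ACCEPT
  # Everything else arriving from the tunnel is dropped explicitly, so the
  # LAN stays closed even if an earlier chain entry would have accepted it.
  run -A INPUT -i "$WG_IF" -j DROP
  run -A FORWARD -i "$WG_IF" -j DROP
}

# Apply only when invoked as "firewall.sh apply"; on DD-WRT the body of
# tunnel_rules would be pasted under Administration -> Commands -> Save Firewall.
if [ "${1:-}" = "apply" ]; then
  tunnel_rules
fi
```

Run it with `DRY_RUN=1 sh firewall.sh apply` first to read the generated rules. The order matters: the ESTABLISHED rule sits first, the single allowed new flow second, and the DROP rules last, which is what keeps the tunnel peer from reaching any LAN address other than the one forwarded port. Because 443 is rewritten in PREROUTING, the router's own HTTPS web UI is no longer reachable at 10.0.5.2:443 from the tunnel; management stays on 22 and 80 from the peer address only.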