[SOLVED]WG Setting "Allow Clients Full LAN Access"

Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking
Goto page Previous  1, 2
Author Message
Zyxx
DD-WRT Guru


Joined: 28 Dec 2018
Posts: 729

PostPosted: Thu Jul 28, 2022 13:03    Post subject: Reply with quote
Thank you all for the additional information given =)
Appreciated!

The above posted iptables MASQUERADE rule helped me a lot.
Before this my train of thoughts derailed, because of

"ME SET NAT TO YES; WHY NEW SETTING THERE (UGH)!"

Since I was bored: I tcpdumped the setting.

Disabled.jpg shows the IP of my mobile phone 192.168.92.2 (WG client on LTE --> VPS (192.168.92.1) --> N66U Endpoint in my LAN (192.168.92.5 and 192.168.1.2)" doing a ping towards another LAN device of mine: 192.168.1.3

Enabled.jpg does masquerade the source address to the local one 192.168.1.2.

Neat little setting Smile
(Also thank you for marking this as solved!)
Sponsor
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12795
Location: Netherlands

PostPosted: Thu Jul 28, 2022 13:05    Post subject: Reply with quote
@eibgrad, thanks for your wise words.

I do agree about the formatting, I just finished the parsing of the ipset domains so to allow comma delimited in line with all the other fields (but also space works as delimiter as in most other fields Smile )

About the FULL lan access I agree that making it default is the way to go and yes a better name is welcome.

A bad help file is worse than no help file so maybe we should do without it, saves some space and above all saves a lot of work which can be dedicated to other things

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

PostPosted: Thu Jul 28, 2022 14:22    Post subject: Reply with quote
eibgrad wrote:
gin-n-tonic wrote:
Gently remind me why the Help sidebar or more... button cannot be updated with egc's detailed explanation.


Is that kept updated? I thought most of that stopped being updated years ago. A check of Help "more" link on the Services page provides only information on PPTP!

Frankly, seems like it would better to store most of that information OFF the router, and just provide links. Perhaps even links on the labels themselves. Then updates wouldn't have to depend solely on the developers, but the larger community. Or perhaps small bubble popups with short blurbs for less well understood options.

The whole area of documentation could use some serious updating, both the information itself, and how/where it's presented.


I have added new and fixed many of the built in help topics recently, so no, it didnt stop being worked on really.

Problem is the updates are all English only with exception of the German which has also received and started syncing with the English also recently the other languages are a mess and outdated.

But, lets say I add this new string, whos going to read this crap? 1 out of 20 users? less? 1 a user in 15 even less? The reality likely would show if we could do A-B testing that most like no one clicks the help more button. I can make a guess, because Ive added new strings, both to the right menu and to the more link and only 1 user out of everyone has said something and actually reported a bug which was also fixed.

egc wrote:
About the FULL lan access I agree that making it default is the way to go and yes a better name is welcome.


I would just remove the word full from the label, certain words are moot in labels, if the functionality allows LAN access, it allows lan access, by your own explanation its not Full Lan access either, so, to make it simpler, I would not use the word full at all.

We already discussed this before, when a setting relies on another setting or when setting an incompatible setting the relevant option would become disabled/enabled depending on what user is doing, but in order to make this magic happen the issue is that currently the disabling/enabling is done via ID's and one cannot reuse an ID, else it doesn't work (I tried) and also is not fine grained, its just general.

If we could control all options like that, no one would be able to set incompatible nonsense and it would be clear that if something suddenly becomes available/disabled that its either compatible or incompatible.

But My ideas how to design User interfaces is either too advanced and full of brain farts, just like the universe, its all gas or not advanced enough.
Anyway it wouldn't happen, 2MB flash routers dictate when DD-WRT can have nice things on 32MB flash devices (which is the max amount of flash available on a 128MB flash total device, the rest is for JFFS)

_________________
Saving your retinas from the burn!🔥
DD-WRT Inspired themes for routers
DD-WRT Inspired themes for the phpBB Forum
DD-WRT Inspired themes for the SVN Trac & FTP site
Join in for a chat @ #style_it_themes_public:matrix.org or #style_it_themes:discord

DD-WRT UI Themes Bug Reporting and Discussion thread

Router: ANus RT-AC68U E1 (recognized as C1)
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12795
Location: Netherlands

PostPosted: Thu Jul 28, 2022 15:58    Post subject: Reply with quote
A user wanted to have restricted WG access:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1268358#1268358

Probably on false assumptions but still Very Happy

Will remove the word full and make the Allow LAN access default but as said I am fine with anything

I will do this with the big ipset update and that is just in its infancy so can take a while

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

PostPosted: Thu Jul 28, 2022 17:52    Post subject: Reply with quote
egc wrote:
A user wanted to have restricted WG access:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1268358#1268358

Probably on false assumptions but still Very Happy

Will remove the word full and make the Allow LAN access default but as said I am fine with anything

I will do this with the big ipset update and that is just in its infancy so can take a while


Thumbs up to sanity, no matter how long that takes.

_________________
Saving your retinas from the burn!🔥
DD-WRT Inspired themes for routers
DD-WRT Inspired themes for the phpBB Forum
DD-WRT Inspired themes for the SVN Trac & FTP site
Join in for a chat @ #style_it_themes_public:matrix.org or #style_it_themes:discord

DD-WRT UI Themes Bug Reporting and Discussion thread

Router: ANus RT-AC68U E1 (recognized as C1)
prt
DD-WRT Novice


Joined: 04 Jun 2021
Posts: 5

PostPosted: Wed Aug 17, 2022 19:11    Post subject: Reply with quote
Thanks for this excellent discussion.

Just for my clarity, if I am running a WG server but I only want connected clients to be able to access the internet / utilize the router IP, I can uncheck "Allow clients full LAN access," correct?

I've also enabled net isolation for the WG interface in the networking settings.

All is working as expected with those two tweaks to the server setup, but just wanted to make sure I'm not making some giant error. Thanks!
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Thu Aug 18, 2022 9:28    Post subject: Reply with quote
prt wrote:
Thanks for this excellent discussion.

Just for my clarity, if I am running a WG server but I only want connected clients to be able to access the internet / utilize the router IP, I can uncheck "Allow clients full LAN access," correct?

I've also enabled net isolation for the WG interface in the networking settings.

All is working as expected with those two tweaks to the server setup, but just wanted to make sure I'm not making some giant error. Thanks!


This feature was added to DD-WRT at my suggestion, specifically wrt the OpenVPN client, and so I know exactly how it's implemented and for what purpose. I assume the same is true for WG.

This feature has the problem of being poorly named. No one's fault, it's just hard to sum up what it's about in a 2-3 word label. All it does is NAT the inbound traffic from the VPN as it's dropped on the local network (br0) so it *appears* to have originated from the router's LAN ip, rather than the tunnel's IP network. The purpose is to "trick" the target device into believing the client is on its own local IP network (e.g., 192.168.1.1), when in fact it is remote (e.g., 10.8.0.2). This allows the client to get around personal firewalls on target devices that have a same-origin policy (i.e., they insist on NOT allowing access by devices unless they are on the same *private* IP network). Personally, I find this to be a rather silly security measure, introduced by Microsoft years ago, and which others have followed suit. Esp. when it's considered acceptable to entertain public IPs over the internet w/o such concerns!

That's what the "Full" in Full LAN Access means. It's FULL in the sense that OpenVPN/WG clients are NOT denied access due to this silly same-origin policy Microsoft and other have introduced. Again, we get around the issue by this little bit of trickery.

So no one should be under the illusion that this is the same thing as intentionally firewall'ing target devices from VPN clients. By default, we assume such clients are to be trusted just as if they had local access on the private network itself (e.g., 192.168.1.0/24). The fact they have a different IP network (e.g., 10.8.0.0/24) is just incidental; a product of the implementation, NOT as a means of formal isolation. Granted, you *could* create such isolation if you needed it, but that needs to be done irrespective of this GUI setting. IOW, you need to add firewall rules, either on the router, or target devices, to truly manage the access.

I just don't want ppl to misunderstand the intent of this option. It is NOT about firewall'ing target devices from clients! It's about this narrow issue of same-origin. Something I believe @egc eventually plans to remove from the GUI and just implement in the firmware 24/7. IOW, you'll never even be aware it's happening unless you have a situation where you need to filter VPN clients and target devices. And if you do, most likely you'll do that from the router anyway, before that traffic is ever NAT'd, or ever reaches the target.

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

PostPosted: Thu Aug 18, 2022 12:28    Post subject: Reply with quote
The technicalities of XYZ feature when labeling must be transparent to user, and such technical explanations must be condensed and refined into a jargon free version that can be added to the DD-WRT sidebar help or more... help page.

On that note this seems enough for the help pages at first glance, feel free to refine it further, I can make the patch when ready ASAP.

Quote:
This allows the client to get around personal firewalls on target devices that have a same-origin policy. The inbound traffic is NATed from the VPN as it flows through the local network interface e.g. br0 to make it appear to have originated from the router's LAN IP, rather than the tunnel's IP network.


Hows that for a start?

_________________
Saving your retinas from the burn!🔥
DD-WRT Inspired themes for routers
DD-WRT Inspired themes for the phpBB Forum
DD-WRT Inspired themes for the SVN Trac & FTP site
Join in for a chat @ #style_it_themes_public:matrix.org or #style_it_themes:discord

DD-WRT UI Themes Bug Reporting and Discussion thread

Router: ANus RT-AC68U E1 (recognized as C1)
prt
DD-WRT Novice


Joined: 04 Jun 2021
Posts: 5

PostPosted: Fri Aug 19, 2022 4:05    Post subject: Reply with quote
eibgrad wrote:


So no one should be under the illusion that this is the same thing as intentionally firewall'ing target devices from VPN clients.


Thanks! Doesn't sound like it's relevant for my system so leaving it unchecked. I've taken care of the firewalling through other settings and iptables. Have a good one
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

PostPosted: Sat Aug 20, 2022 11:33    Post subject: Reply with quote
the-joker wrote:
Quote:
This allows the client to get around personal firewalls on target devices that have a same-origin policy. The inbound traffic is NATed from the VPN as it flows through the local network interface e.g. br0 to make it appear to have originated from the router's LAN IP, rather than the tunnel's IP network.


Hows that for a start?


Also since this is the explanation, the Label should be something like Same-Origin Policy Override or something to that effect. That's something that explain the option better IMO.

Ive added the above help string now to both PPTP.asp and eop-tunnel.asp more or less, can be refined later.

_________________
Saving your retinas from the burn!🔥
DD-WRT Inspired themes for routers
DD-WRT Inspired themes for the phpBB Forum
DD-WRT Inspired themes for the SVN Trac & FTP site
Join in for a chat @ #style_it_themes_public:matrix.org or #style_it_themes:discord

DD-WRT UI Themes Bug Reporting and Discussion thread

Router: ANus RT-AC68U E1 (recognized as C1)
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Sat Aug 20, 2022 11:41    Post subject: Reply with quote
the-joker wrote:
the-joker wrote:
Quote:
This allows the client to get around personal firewalls on target devices that have a same-origin policy. The inbound traffic is NATed from the VPN as it flows through the local network interface e.g. br0 to make it appear to have originated from the router's LAN IP, rather than the tunnel's IP network.


Hows that for a start?


Also since this is the explanation, the Label should be something like Same-Origin Policy Override or something to that effect. That's something that explain the option better IMO.

Ive added the above help string now to both PPTP.asp and eop-tunnel.asp more or less, can be refined later.


I had suggested "Bypass LAN Same-Origin Policy" (or Policies) previously, which didn't elicit any responses, either positive or negative.

As far as the documentation, as I've said before, it's so out of date already, I'm just not sure how many ppl even bother anymore. Seems to me updating it now only emphasizes the point. But that's your call.

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

PostPosted: Sat Aug 20, 2022 12:25    Post subject: Reply with quote
"Bypass LAN Same-Origin Policy" is a sound label name, I must have missed your original mention.

I can change it on my next PR

Re: documentation (I mean DD-WRT built in help pages/texts). If no one ever does it, will be out-of-date permanently, Ive updated quite a great deal and added new stuff, why bother you say? Because for that reason precisely, it needs doing and because not many volunteers queuing up I do it. Like anything it takes time before its better.

It beats the wiki (now that is really absurdly out of date) the DD-WRT built in help pages at least must be accurate to whats added no matter new or old.
Problem is like everything else, it takes time and most developers are not fans of writing documentation for what they add.

And volunteers, did I mention these illusive creatures? most fearful of terminals and svn/git, and they are hunted to near extinction in their natural habitats Wink

_________________
Saving your retinas from the burn!🔥
DD-WRT Inspired themes for routers
DD-WRT Inspired themes for the phpBB Forum
DD-WRT Inspired themes for the SVN Trac & FTP site
Join in for a chat @ #style_it_themes_public:matrix.org or #style_it_themes:discord

DD-WRT UI Themes Bug Reporting and Discussion thread

Router: ANus RT-AC68U E1 (recognized as C1)
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Thu Aug 25, 2022 3:51    Post subject: Reply with quote
the-joker wrote:
"Bypass LAN Same-Origin Policy" is a sound label name, I must have missed your original mention.

I can change it on my next PR

Re: documentation (I mean DD-WRT built in help pages/texts). If no one ever does it, will be out-of-date permanently, Ive updated quite a great deal and added new stuff, why bother you say? Because for that reason precisely, it needs doing and because not many volunteers queuing up I do it. Like anything it takes time before its better.

It beats the wiki (now that is really absurdly out of date) the DD-WRT built in help pages at least must be accurate to whats added no matter new or old.
Problem is like everything else, it takes time and most developers are not fans of writing documentation for what they add.

And volunteers, did I mention these illusive creatures? most fearful of terminals and svn/git, and they are hunted to near extinction in their natural habitats Wink


Just noticed it today in the most recent build. Does look kind of nice. And I do think it makes things much clearer. Whether that's clear enough to continue supporting the option in the GUI is yet to be determined. But at least it seems possible now.

Thanks.

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
Goto page Previous  1, 2 Display posts from previous:    Page 2 of 2
Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum