Posted: Wed May 27, 2020 12:50 Post subject: WireGuard firewall issues
Hi everyone
I set up my router (Netgear R6700 v3 build 43217) with several firewall rules I dug out of searches in this forum. I've also included a couple of scripts which were given by the WG service provider. Something is causing a conflict as I cannot surf the web when the firewall commands are executed. The WireGuard tunnel works fine without the firewall. However when I try to route IP ranges through the tunnel and not through the tunnel something stops me from navigating. I've also set up a bunch of devices with static IP addresses to achieve this. Plus a guest network without security but with some restrictions.
I'd appreciate any help on the matter.
Startup (From the WG SP)
Code:
sleep 30
# Only re-route once the tunnel has completed a handshake. grep's exit status is
# the test itself; wrapping it in $(...) only worked by accident.
if wg show | grep -q handshake; then
    DEF_GW=$(nvram get wan_gateway)      # WAN default gateway
    DEF_IF=$(nvram get wan_iface)        # WAN interface
    WG_HOSTNAME=$(nvram get oet1_rem0)   # WireGuard endpoint of oet1
    # Pin the endpoint to the WAN so the tunnel's own packets never loop into the tunnel
    route add -host "$WG_HOSTNAME" gw "$DEF_GW" dev "$DEF_IF"
    # Send ALL other traffic through oet1 (this overrides any per-range routing)
    route del default
    route add default dev oet1
    ip route flush cache
    iptables -t nat -I POSTROUTING -o oet1 -j MASQUERADE
    # Kill switch: reject every new LAN -> WAN connection that would bypass the tunnel
    iptables -I FORWARD -i br0 -o "$DEF_IF" -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
    iptables -I FORWARD -i br0 -p tcp -o "$DEF_IF" -m state --state NEW -j REJECT --reject-with tcp-reset
    # Re-run the route fix whenever the WAN comes back up (-f so a re-run does not fail)
    mkdir -p /tmp/etc/config
    ln -sf /tmp/custom.sh /tmp/etc/config/wg-route-fix.wanup
fi
Custom (From the WG SP)
Code:
#!/bin/sh
# Runs on every WAN-up event: restore the endpoint host route and the tunnel default route
sleep 5
DEF_GW=$(/usr/sbin/nvram get wan_gateway)      # WAN default gateway
DEF_IF=$(/usr/sbin/nvram get wan_iface)        # WAN interface
WG_HOSTNAME=$(/usr/sbin/nvram get oet1_rem0)   # WireGuard endpoint of oet1
route add -host "$WG_HOSTNAME" gw "$DEF_GW" dev "$DEF_IF"
route del default
route add default dev oet1
ip route flush cache
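Added example, not part of the thread or of the provider's scripts: a stricter "is the tunnel really up" check than `wg show | grep -q handshake`, which only proves a handshake happened at some point. It parses the `latest-handshakes` output for the oet1 interface named in the thread; the 180 s threshold, the placeholder peer key and the sample timestamps are assumptions constructed for the example.

```shell
#!/bin/sh
# `wg show oet1 latest-handshakes` prints one "<peer-key>\t<unix-time>" line per
# peer; 0 means no handshake has ever completed. WireGuard re-handshakes roughly
# every 2 minutes while traffic flows, so a handshake older than MAX_AGE means the
# peer is unreachable and the default route should NOT be moved onto oet1.
MAX_AGE=180   # seconds; assumed threshold, not from the thread

# tunnel_is_up "<latest-handshakes output>" <now-as-unix-time>
# Exit status 0 if at least one peer completed a handshake within MAX_AGE seconds.
tunnel_is_up() {
    printf '%s\n' "$1" | awk -v now="$2" -v max="$MAX_AGE" '
        NF >= 2 && $2 + 0 > 0 && (now - $2) <= max { ok = 1 }
        END { exit(ok ? 0 : 1) }'
}

# Live form for the router (not invoked here; only works where wg is installed).
wg_oet1_is_up() {
    command -v wg >/dev/null 2>&1 || return 1
    tunnel_is_up "$(wg show oet1 latest-handshakes 2>/dev/null)" "$(date +%s)"
}

# Constructed sample outputs: placeholder peer key, made-up timestamps.
NOW=1590000045
SAMPLE_FRESH="$(printf 'PEER_PUBKEY_PLACEHOLDER=\t%s' 1590000000)"   # 45 s old
SAMPLE_STALE="$(printf 'PEER_PUBKEY_PLACEHOLDER=\t%s' 1589990000)"   # ~2.8 h old
SAMPLE_NEVER="$(printf 'PEER_PUBKEY_PLACEHOLDER=\t%s' 0)"            # never handshook

if tunnel_is_up "$SAMPLE_FRESH" "$NOW"; then echo "fresh sample: up"; fi
if tunnel_is_up "$SAMPLE_STALE" "$NOW"; then :; else echo "stale sample: down"; fi

# In the startup script, `if wg_oet1_is_up; then ... fi` would replace the
# `if $(wg show | grep -q handshake)` line.
```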
Joined: 18 Mar 2014 Posts: 12878 Location: Netherlands
Posted: Thu May 28, 2020 5:40 Post subject:
rebeto13 wrote:
Thanks. Will give it a shot tonight.
I’d tried to use pbr from the GUI in the past but it was buggy.
Thanks again!
Well there is no PBR in the GUI that is why I have made it and probably will be in the next public beta.
See the WireGuard client setup guide for an example there is also explained how you set up without scripts
True! I was using the OpenVPN previously... so I adapted the OpenVPN scripts for PBR to WG... and something got messed up.
I downloaded and installed the 43306 build. I'm about to set up PBR... will let you know how it goes.
Thanks again @egc
Gave it a shot with the 43306... I set up 192.168.X.80/26, and assigned a static IP to my computer (192.168.X.131)... I'm still being routed through the tunnel...
Any suggestions?
Thanks
Hi... yes, I'm running scripts which were provided by my VPN service provider. Should I remove them?
Startup (From the WG SP)
Code:
sleep 30
# Only re-route once the tunnel has completed a handshake. grep's exit status is
# the test itself; wrapping it in $(...) only worked by accident.
if wg show | grep -q handshake; then
    DEF_GW=$(nvram get wan_gateway)      # WAN default gateway
    DEF_IF=$(nvram get wan_iface)        # WAN interface
    WG_HOSTNAME=$(nvram get oet1_rem0)   # WireGuard endpoint of oet1
    # Pin the endpoint to the WAN so the tunnel's own packets never loop into the tunnel
    route add -host "$WG_HOSTNAME" gw "$DEF_GW" dev "$DEF_IF"
    # Send ALL other traffic through oet1 (this overrides any per-range routing)
    route del default
    route add default dev oet1
    ip route flush cache
    iptables -t nat -I POSTROUTING -o oet1 -j MASQUERADE
    # Kill switch: reject every new LAN -> WAN connection that would bypass the tunnel
    iptables -I FORWARD -i br0 -o "$DEF_IF" -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
    iptables -I FORWARD -i br0 -p tcp -o "$DEF_IF" -m state --state NEW -j REJECT --reject-with tcp-reset
    # Re-run the route fix whenever the WAN comes back up (-f so a re-run does not fail)
    mkdir -p /tmp/etc/config
    ln -sf /tmp/custom.sh /tmp/etc/config/wg-route-fix.wanup
fi
Custom (From the WG SP)
Code:
#!/bin/sh
# Runs on every WAN-up event: restore the endpoint host route and the tunnel default route
sleep 5
DEF_GW=$(/usr/sbin/nvram get wan_gateway)      # WAN default gateway
DEF_IF=$(/usr/sbin/nvram get wan_iface)        # WAN interface
WG_HOSTNAME=$(/usr/sbin/nvram get oet1_rem0)   # WireGuard endpoint of oet1
route add -host "$WG_HOSTNAME" gw "$DEF_GW" dev "$DEF_IF"
route del default
route add default dev oet1
ip route flush cache
Joined: 18 Mar 2014 Posts: 12878 Location: Netherlands
Posted: Mon Jun 01, 2020 13:34 Post subject:
Yes you should remove them all
My esteemed colleague @kp69 reminded me to update the guides specifically stating that scripts are no longer necessary (read: wreak havoc) and he appears to be right
Have a look at the WireGuard client setup guide, see my signature, how to setup up a client
Thanks @egc... I couldn't get the PBR to work.
The tunnel works, but those IPs outside the range I defined to be routed through the tunnel don't connect to the internet.
Any ideas?
I'm attaching the output and settings again.
Hi... I've been battling with this but haven't been able to get it to work.
I'm guessing that some of the commands maybe got stuck in the nvram despite not being in the commands.
Is there a way to clear these commands from the nvram without a hard reset?
Attached are some outputs of some commands.
Thanks again @egc
Last edited by rebeto13 on Sat Jun 06, 2020 19:49; edited 1 time in total
Joined: 08 May 2018 Posts: 14210 Location: Texas, USA
Posted: Sat Jun 06, 2020 15:23 Post subject:
Since you can't follow simple rules about image sizes, I am locking this thread for now until I un-muck YOUR stupidly huge image. While you are waiting, please read through ALL the forum rules and guidelines and study them for a few hours.
EDIT: Here is your output from Terminal. Next time, if it's going to be more than 3 screenshots, either do the second post or use an image hosting site. Thank you.
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"