Connection to WG Peers from LAN with CVE-2019-14899 enabled

DD-WRT Forum Index -> Advanced Networking
tm2023
DD-WRT Novice


Joined: 29 Jan 2023
Posts: 12

Posted: Sat Feb 04, 2023 16:07    Post subject: Connection to WG Peers from LAN with CVE-2019-14899 enabled
Hi,

I have set up WireGuard on a TP-Link ARCHER-C7 v5 on build 49838 following "DDWRT Wireguard Server Setup guide v47.pdf".
The router is connected to another (outer) LAN which then connects to the internet.

The DDWRT router is in normal gateway mode with subnet 192.168.1.1/24.

I have enabled the CVE-2019-14899 patch with the workaround "iptables -t nat -I POSTROUTING -o br0 -s $(nvram get oet1_ipaddr)/$(nvram get oet1_netmask) -j MASQUERADE".

Clients from subnet 192.168.1.1/24 could not connect to the peers from inside the subnet 192.168.1.1/24. Is this due to the enabled patch, or do I have another wrong routing configuration?

Is my understanding right that "echo 1 > /proc/sys/net/ipv4/conf/<interface>/rp_filter" only slows down the connection during an attack?

If so, it could be used as a security backup for the rare scenario of an attack. If so, where and how should "echo 1 > /proc/sys/net/ipv4/conf/<interface>/rp_filter" be deployed to be safe?

Regards
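As an added illustration (not from this thread and not DD-WRT's own code), the following Python models the per-interface rp_filter check the question asks about, using a constructed routing table with the thread's LAN prefix on br0; the tunnel prefix (standing in for oet1_ipaddr/oet1_netmask), the WAN-side prefix and the device name vlan2 are assumptions. It shows that only strict mode (1) on br0 drops a packet that claims a tunnel-side source address, while loose mode (2) accepts it as long as a default route exists.

```python
import ipaddress

# Constructed routing table modelled on the setup described in the thread.
# 192.168.1.0/24 on br0 is the LAN from the thread; the tunnel prefix, the
# outer-LAN prefix and the WAN device name are assumptions, not router values.
ROUTES = [
    ("192.168.1.0/24", "br0"),    # LAN bridge
    ("10.10.10.0/24", "oet1"),    # WireGuard tunnel (assumed prefix)
    ("192.168.0.0/24", "vlan2"),  # outer LAN on the WAN port (assumed)
    ("0.0.0.0/0", "vlan2"),       # default route towards the internet
]


def fib_lookup(addr):
    """Longest-prefix match: return the interface that would reach `addr`."""
    best = None
    for prefix, dev in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(addr) in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, dev)
    return best[1] if best else None


def rp_filter_accepts(src, in_dev, mode):
    """Emulate the kernel's reverse-path check for one inbound packet.

    mode follows net.ipv4.conf.<dev>.rp_filter: 0 = no check,
    1 = strict (the route back to src must leave via in_dev),
    2 = loose (src only has to be routable via some interface).
    """
    if mode == 0:
        return True
    reverse_dev = fib_lookup(src)
    if mode == 2:
        return reverse_dev is not None
    return reverse_dev == in_dev


def evaluate(mode):
    """Decide three constructed packets under `mode`; True means accepted.

    Order: a normal LAN host on br0, a packet on br0 claiming a tunnel-side
    source (the case rp_filter is meant to catch), and the same source
    arriving where the routing table expects it, on oet1.
    """
    return (
        rp_filter_accepts("192.168.1.50", "br0", mode),
        rp_filter_accepts("10.10.10.7", "br0", mode),
        rp_filter_accepts("10.10.10.7", "oet1", mode),
    )
```

On a real router the effective value is the numerically larger of conf/all/rp_filter and conf/<interface>/rp_filter, so with all set to 2 a per-interface 1 still yields loose mode.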
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

Posted: Sat Feb 04, 2023 16:47    Post subject:
An attack can only come from something directly connected, so from your LAN or from the LAN on the WAN side, which is also controlled by you.
If your LAN is compromised you have bigger problems, so you can safely disable CVE.

Furthermore, an attacker can only see where the traffic is going to; an attacker cannot decrypt the traffic, so the risk is minimal and in your case non-existent, as you control the LAN and WAN side.

_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
tm2023
DD-WRT Novice


Joined: 29 Jan 2023
Posts: 12

Posted: Sat Feb 04, 2023 17:25    Post subject:
LAN on the WAN side under control means a phone or my own MiFi router to the LTE network, but not the WLAN in a hotel, right? Sometimes I am in hotels where no LTE is available and I have to use the hotel WLAN. There an attack is a rare condition, but possible. Therefore I ask about "echo 1 > /proc/sys/net/ipv4/conf/<interface>/rp_filter" to secure this rare but possible condition.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

Posted: Sat Feb 04, 2023 17:33    Post subject:
But you do not have the server in the hotel; the server is at your home, which cannot be attacked.

There are links in the guide, so perhaps read up on it and do some research if you do want to know everything about this :)
