Posted: Sat Feb 04, 2023 16:07 Post subject: Connection to WG Peers from LAN with CVE-2019-14899 enabled
Hi,
I have set up WireGuard on a TP-Link ARCHER-C7 v5 on build 49838 following "DDWRT Wireguard Server Setup guide v47.pdf".
The Router is connected to another (outer) LAN which then connects to the internet.
The DDWRT router is in normal gateway mode with subnet 192.168.1.1/24.
I have enabled the CVE-2019-14899 patch with the workaround iptables -t nat -I POSTROUTING -o br0 -s $(nvram get oet1_ipaddr)/$(nvram get oet1_netmask) -j MASQUERADE.
Clients from subnet 192.168.1.1/24 could not connect to the peers from inside the subnet 192.168.1.1/24. Is this due to the enabled patch, or do I have another wrong routing configuration?
Is my understanding right that "echo 1 > /proc/sys/net/ipv4/conf/<interface>/rp_filter" only slows down the connection during an attack?
If so, it could be used as a security backup for the rare scenario of an attack. If, where and how should "echo 1 > /proc/sys/net/ipv4/conf/<interface>/rp_filter" be deployed to be safe?
Joined: 18 Mar 2014 Posts: 12834 Location: Netherlands
Posted: Sat Feb 04, 2023 16:47 Post subject:
An attack can only come from something directly connected, so from your LAN or from the LAN on the WAN side which is also controlled by you.
If your LAN is compromised you have bigger problems, so you can safely disable CVE.
LAN on the WAN side under your control means a phone or your own MiFi router to the LTE network, but not the WLAN in a hotel, right? Sometimes I am in hotels where no LTE is available and I have to use the hotel WLAN. There an attack is a rare condition, but possible. Therefore I ask about "echo 1 > /proc/sys/net/ipv4/conf/<interface>/rp_filter" to secure this rare but possible condition.
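As an added illustration (not from this thread, DD-WRT or the setup guide): a small Python model of what the three rp_filter modes do to an incoming packet, using the thread's 192.168.1.0/24 LAN on br0 and an assumed WireGuard tunnel subnet on oet1 with the default route via the tunnel. Strict mode (1) drops a packet whose source address would be reached through a different interface than the one it arrived on; loose mode (2) only requires that some route to the source exists, and the kernel applies the higher of conf/all and conf/<interface>.

```python
import ipaddress

# Constructed routing table (assumed, not from the thread): LAN on br0,
# WireGuard tunnel subnet on oet1, default route through the tunnel.
ROUTES = [
    ("192.168.1.0/24", "br0"),
    ("10.8.0.0/24", "oet1"),   # assumed tunnel address range
    ("0.0.0.0/0", "oet1"),     # default route via the tunnel
]


def best_route(src, routes=ROUTES):
    """Longest-prefix match: interface the kernel would use to reach src, or None."""
    addr = ipaddress.ip_address(src)
    matches = [(ipaddress.ip_network(net), dev) for net, dev in routes
               if addr in ipaddress.ip_network(net)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def effective_mode(all_mode, iface_mode):
    """Linux uses the higher of conf/all/rp_filter and conf/<iface>/rp_filter."""
    return max(all_mode, iface_mode)


def rp_filter(mode, in_dev, src, routes=ROUTES):
    """Verdict ('accept'/'drop') for a packet from src arriving on in_dev.

    mode 0: no source validation.
    mode 2 (loose): drop only if no route to src exists at all.
    mode 1 (strict): drop unless the route back to src leaves on in_dev.
    """
    out_dev = best_route(src, routes)
    if mode == 0:
        return "accept"
    if mode == 2:
        return "accept" if out_dev is not None else "drop"
    return "accept" if out_dev == in_dev else "drop"


if __name__ == "__main__":
    # A packet on the LAN side claiming an internet source (203.0.113.10 is a
    # documentation address): strict drops it, loose lets it through.
    for mode in (0, 1, 2):
        print(mode, "br0 <- 203.0.113.10:", rp_filter(mode, "br0", "203.0.113.10"))
        print(mode, "br0 <- 192.168.1.50:", rp_filter(mode, "br0", "192.168.1.50"))
```

Because the default route points into the tunnel, strict mode on br0 rejects any LAN-side packet whose source claims to be beyond the tunnel, while loose mode accepts everything as long as a default route exists.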