WireGuard VPN and Uncomplicated Firewall
I achieved my aims via this thread that I initiated - https://www.reddit.com/r/WireGuard/comments/ik6w4h/etcdefaultufw_default_forward_policyaccept/
Author: norfolk_uk
Updated on September 18, 2022

Comments
-
norfolk_uk over 1 year
I have WireGuard running on a Raspberry Pi Zero W; I use it as a dedicated VPN server. I want UFW on the server too, but despite having added the following two rules it does not work.
sudo ufw allow ssh
sudo ufw allow 51820/udp
Once UFW is enabled it does not work; disable UFW and it works again. All the guides online simply show that all that is needed for it to work is to allow 51820 through.
However, some suggest it is to do with forwarding, but there seems to be no agreed-upon answer that I can find. Using WireGuard with a firewall must be common practice, surely?
-
Frank Thomas over 3 years
Do you have any WireGuard PostUp/PostDown configuration? If so, what is it? For your configuration, you did specify 51820 as the WireGuard listen port, right? Have you enabled
net.ipv4.ip_forward=1
in /etc/sysctl?
-
norfolk_uk over 3 years
In /etc/wireguard/wg0.conf I have placed the following that I found online:
    PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
-
norfolk_uk over 3 years
I've also seen it said to change the DEFAULT_FORWARD_POLICY in /etc/default/ufw to "ACCEPT", but doesn't that open up the firewall to all and sundry?
-
norfolk_uk over 3 years
In the default policies routing is denied. What does this do specifically? What is the rule syntax to allow routing? I'm sorry, but I'm new to firewalls.
-
Frank Thomas over 3 years
Does this help at all: askubuntu.com/a/1130516
-
norfolk_uk over 3 years
I had seen that, but the solution seemed to be to change the DEFAULT_FORWARD_POLICY to "ACCEPT", and then someone questioned it, and I am unsure whether I am creating a security risk by doing that, i.e. accepting everything.
-
Frank Thomas over 3 years
No, I'm speaking of the more precise rule like
    ufw route allow in on eth0 out on eth1 to 12.34.45.67 port 80 proto tcp
as an alternative to setting the default policy.
-
norfolk_uk over 3 years
I'm all ready to try this, except I'm not sure of the syntax of such a rule. I believe that the interface for WireGuard is wg0. Changing the DEFAULT_FORWARD_POLICY to "ACCEPT" does work, but I've changed it back again to try your suggestion.
-
Frank Thomas over 3 years
Note that you need to change your PostUp rather than create a rule in UFW. The command in your PostUp is basically setting the default forward policy of Accept that you are worried about. The PostUp event will automatically allow forwarding for your wg0 interface when connected (and then revoke it when disconnecting). Since UFW just configures Netfilter the same way iptables does, UFW doesn't really enter into the equation. Sorry, should have detected that sooner.
-
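Added example, not from the thread and not norfolk_uk's final configuration: a shell script that prints the [Interface] section Frank Thomas's suggestion leads to. Rather than "iptables -A FORWARD -i wg0 -j ACCEPT" (which forwards anything arriving on wg0 to any interface) or DEFAULT_FORWARD_POLICY=ACCEPT (which forwards between all interfaces), PostUp adds a single "ufw route allow" rule limited to traffic entering on wg0, leaving on eth0 and sourced from the tunnel subnet, and PostDown is derived from PostUp so the two cannot drift apart. The interface names wg0 and eth0, port 51820 and the 10.8.0.0/24 tunnel subnet are assumptions; the script only prints the config and commands and does not apply them.

```shell
#!/bin/sh
# Added example, not from the thread. Prints a wg0.conf [Interface] section
# whose PostUp/PostDown hooks scope forwarding to wg0 -> eth0 instead of
# setting DEFAULT_FORWARD_POLICY=ACCEPT in /etc/default/ufw.
# Assumptions: WireGuard interface wg0, WAN interface eth0, listen port 51820,
# tunnel subnet 10.8.0.0/24 with the server at 10.8.0.1. Nothing is applied;
# run "sh this.sh print" and paste the output yourself as root.
WG_IF="${WG_IF:-wg0}"
WAN_IF="${WAN_IF:-eth0}"
WG_PORT="${WG_PORT:-51820}"
WG_NET="${WG_NET:-10.8.0.0/24}"
WG_ADDR="${WG_ADDR:-10.8.0.1/24}"

# Rules run at PostUp. "ufw route allow" is ufw's own syntax for a FORWARD
# rule, so it appears in "ufw status" and is narrowed to one direction and
# one source subnet. ufw has no command for NAT, so MASQUERADE stays raw
# iptables, also limited to the tunnel subnet.
forward_rules() {
  printf '%s\n' \
    "ufw route allow in on $WG_IF out on $WAN_IF from $WG_NET" \
    "iptables -t nat -A POSTROUTING -s $WG_NET -o $WAN_IF -j MASQUERADE"
}

# PostDown must mirror PostUp exactly, otherwise every wg-quick down/up
# cycle leaves a stale rule behind. Derive it from forward_rules so the two
# cannot drift apart.
undo_rules() {
  forward_rules | sed -e 's/^ufw route allow /ufw route delete allow /' \
                      -e 's/ -A POSTROUTING / -D POSTROUTING /'
}

# wg-quick hands PostUp/PostDown to sh as one command line; join with "; ".
join_rules() {
  sep=""
  while IFS= read -r rule; do
    printf '%s%s' "$sep" "$rule"
    sep="; "
  done
  printf '\n'
}

wg_interface_section() {
  cat <<EOF
[Interface]
Address = $WG_ADDR
ListenPort = $WG_PORT
PrivateKey = REPLACE_WITH_SERVER_PRIVATE_KEY
PostUp = $(forward_rules | join_rules)
PostDown = $(undo_rules | join_rules)
EOF
}

# Host-side prerequisites: the two INPUT rules from the question plus kernel
# forwarding, without which no FORWARD rule matters. Persist the sysctl in
# /etc/sysctl.conf (or /etc/ufw/sysctl.conf) so it survives a reboot.
host_commands() {
  printf '%s\n' \
    "sysctl -w net.ipv4.ip_forward=1" \
    "ufw allow ssh" \
    "ufw allow $WG_PORT/udp"
}

if [ "${1:-}" = "print" ]; then
  host_commands
  echo
  wg_interface_section
fi
```

Two practical notes. ufw writes route rules to /etc/ufw/user.rules, so if the rule is already present when PostUp runs, ufw just reports that it is skipping an existing rule; if you would rather not have the hook touch ufw at all, run the "ufw route allow" line once by hand and keep only the MASQUERADE rule in PostUp/PostDown. And because the rule is keyed on "in on wg0", a peer can only reach the internet through the server, not other machines on the server's LAN side, unless you add a further route rule for that.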
norfolk_uk over 3 years
Thanks Frank, in the end I achieved my aims, best summed up in this thread - reddit.com/r/WireGuard/comments/ik6w4h/…
-
slhck about 3 years
It would be more helpful if you added the complete steps here, with an explanation.