Wireguard server behind ufw firewall

tjamaa
Posts: 16
Joined: Sat Sep 14, 2019 10:17 pm

Wireguard server behind ufw firewall

Post by tjamaa »

My network devices:
router <-> gateway <-> local devices/servers

The gateway is running dietpi on a windows 10/hyper-v virtual machine.
Behind the ufw firewall on the gateway I run a reverse proxy, PiVPN, a wireguard server, and a pihole/unbound DNS server.
The ufw allowed (local) ports are: 22, 137, 138, 139, 445, 53 from 192.168.1.0/24

My problem: I can only access the local devices/servers either with the kill-switch off in wireguard and default ufw input "DENY", or - when the kill switch is activated - by setting default ufw input to "ACCEPT" in /etc/default/ufw. Then everything runs fine, but I would prefer "DENY" as default ufw input rule with the kill-switch activated.

Following the approach in:
https://github.com/MichaIng/DietPi/comm ... ee92988080
would these additions to /dietpi/dietpi-vpn solve this problem?:
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p udp --dport 137 -j ACCEPT
-A INPUT -p udp --dport 138 -j ACCEPT
-A INPUT -p tcp --dport 139 -j ACCEPT
-A INPUT -p tcp --dport 445 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT

Or is there a better way to achieve my preferred configuration?
Thanks in advance,
tjamaa
Posts: 16
Joined: Sat Sep 14, 2019 10:17 pm

Re: Wireguard server behind ufw firewall

Post by tjamaa »

In following up on my previous message and the discussion in
viewtopic.php?f=11&t=9082&start=10
I added the following rule to the killswitch.rules in /boot/dietpi/dietpi-vpn

-A INPUT -s 192.168.1.0/24 -j ACCEPT
and set DEFAULT_INPUT_POLICY="DROP" in /etc/default/ufw

ufw status is now: Default: deny (incoming), allow (outgoing), deny (routed)
kill-switch in wireguard: activated

It indeed seems to allow all local traffic to the gateway, which is fine with me.
This thus solves my problem, but is this the best solution?
trendy
Posts: 360
Joined: Tue Feb 25, 2020 2:54 pm

Re: Wireguard server behind ufw firewall

Post by trendy »

Accepting input only from the local subnet is enough.
tjamaa
Posts: 16
Joined: Sat Sep 14, 2019 10:17 pm

Re: Wireguard server behind ufw firewall

Post by tjamaa »

Thanks, good to know.
However, my local devices lost access to the pihole-DNS server behind the firewall of the gateway. I have not been able to figure out how that can be resolved. Any suggestions?
trendy
Posts: 360
Joined: Tue Feb 25, 2020 2:54 pm

Re: Wireguard server behind ufw firewall

Post by trendy »

Allow also for forward, not only input.
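The two points made above (a single "-s 192.168.1.0/24" rule in INPUT covers every local port, and traffic that passes through the gateway is judged by FORWARD, not INPUT) can be checked without touching a live box. The following is an added example, not code from the thread or from DietPi: a small first-match evaluator for the subset of iptables syntax used in the posts (-A, -s, -p, --dport, -j). The rule lists and the packets are constructed for illustration; the 10.8.0.2 source is an assumed tunnel-side address.

```python
import ipaddress
import shlex

# Constructed rule sets: the per-port list from the first post, and the
# subnet rule from the follow-up plus the FORWARD rule suggested above.
RULES_PER_PORT = [
    "-A INPUT -p tcp --dport 22 -j ACCEPT",
    "-A INPUT -p udp --dport 53 -j ACCEPT",
]
RULES_SUBNET = [
    "-A INPUT -s 192.168.1.0/24 -j ACCEPT",
    "-A FORWARD -s 192.168.1.0/24 -j ACCEPT",
]


def parse_rule(line):
    """Parse one iptables '-A' line; options outside the supported subset raise."""
    toks = shlex.split(line)
    if len(toks) % 2:
        raise ValueError(f"odd token count in {line!r}")
    rule = {"chain": None, "src": None, "proto": None, "dport": None, "target": None}
    for opt, val in zip(toks[0::2], toks[1::2]):
        if opt == "-A":
            rule["chain"] = val
        elif opt == "-s":
            rule["src"] = ipaddress.ip_network(val, strict=False)
        elif opt == "-p":
            rule["proto"] = val
        elif opt == "--dport":
            rule["dport"] = int(val)
        elif opt == "-j":
            rule["target"] = val
        else:
            raise ValueError(f"unsupported option {opt!r} in {line!r}")
    if rule["chain"] is None or rule["target"] is None:
        raise ValueError(f"rule needs both -A and -j: {line!r}")
    return rule


def matches(rule, pkt):
    """A rule matches only if every match option it carries agrees with the packet."""
    if rule["src"] is not None and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["proto"] is not None and rule["proto"] != pkt["proto"]:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt["dport"]:
        return False
    return True


def verdict(rules, chain, pkt, policy="DROP"):
    """First matching rule in `chain` wins; otherwise the chain's default policy.

    ufw's "Default: deny (incoming)" corresponds to policy="DROP" on INPUT.
    """
    for rule in (parse_rule(line) for line in rules):
        if rule["chain"] == chain and matches(rule, pkt):
            return rule["target"]
    return policy


# Constructed packets: a LAN client querying DNS over UDP and over TCP,
# and a query arriving from an assumed tunnel-side address.
DNS_UDP_LAN = {"src": "192.168.1.10", "proto": "udp", "dport": 53}
DNS_TCP_LAN = {"src": "192.168.1.10", "proto": "tcp", "dport": 53}
DNS_UDP_TUNNEL = {"src": "10.8.0.2", "proto": "udp", "dport": 53}


if __name__ == "__main__":
    for name, rules in (("per-port", RULES_PER_PORT), ("subnet", RULES_SUBNET)):
        for chain in ("INPUT", "FORWARD"):
            for label, pkt in (("udp/53 LAN", DNS_UDP_LAN),
                               ("tcp/53 LAN", DNS_TCP_LAN),
                               ("udp/53 tunnel", DNS_UDP_TUNNEL)):
                print(f"{name:9} {chain:8} {label:14} -> {verdict(rules, chain, pkt)}")
```

Running it shows the difference the thread turns on: with the per-port list, DNS over TCP and anything in FORWARD still hit the DROP policy, while the subnet rules accept both chains for 192.168.1.0/24 and still drop the tunnel-side source.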
tjamaa
Posts: 16
Joined: Sat Sep 14, 2019 10:17 pm

Re: Wireguard server behind ufw firewall

Post by tjamaa »

Solved: I educated myself a bit, and started the gateway from scratch, also because I wanted to run bullseye. I dropped the ufw, since the gateway is behind the router-firewall anyway. It now works without problems with wireguard, pihole, and nginx for reverse proxy access. Thanks for the excellent dietpi documentation and support!