
Changed Postup and Postdown script to drop traffic between the peers. #362

Closed
wants to merge 2 commits into from

Conversation

mzs114

@mzs114 mzs114 commented Sep 4, 2024

Two new iptable rules were added, one to drop the traffic between the peers and another to clean this drop rule when the interface goes down.

Edit: These are required to enhance the security by avoiding the traffic between the peers.

Added drop rules to drop the traffic between the peers, this is required for enhanced security.
Added a corresponding rule to clean up the peer drop traffic rule in the postdown script.
@donaldzou
Owner

Hi @NOXCIS, do you mind looking over this please?

@NOXCIS
Contributor

NOXCIS commented Sep 9, 2024

@donaldzou The iptables scripts are just defaults a user can modify to their needs. No need to implement someone's specific use case.

@DaanSelen
Collaborator

@mzs114 is this not like the rule PostUp = iptables -I FORWARD -i wg0 -o wg0 -j DROP? Which disallows peers from talking to each other?

@mzs114
Author

mzs114 commented Sep 10, 2024

> @mzs114 is this not like the rule PostUp = iptables -I FORWARD -i wg0 -o wg0 -j DROP? Which disallows peers from talking to each other?

Yes these are the same, as these were missing in the scripts.

@NOXCIS There exist some preset rules; this is adding a new rule (and another one to remove it).
A sane default helps the users; advanced users will be customizing anyway.

@DaanSelen
Collaborator

Hi @mzs114 is this not done with the new code?

@mzs114
Author

mzs114 commented Oct 8, 2024

> Hi @mzs114 is this not done with the new code?

Not sure which code or version you are referring to? I mean these changes were not merged, so this is still pending? The reason for this PR is to include such a rule in the given scripts.

@DaanSelen
Collaborator

> Hi @mzs114 is this not done with the new code?
>
> Not sure which code or version you are referring to? I mean these changes were not merged, so this is still pending? The reason for this PR is to include such a rule in the given scripts.

Can't users do it now with the PreUp, PreDown... Etc rules inside WGDashboard itself?

@mzs114
Author

mzs114 commented Nov 8, 2024

> Hi @mzs114 is this not done with the new code?
>
> Not sure which code or version you are referring to? I mean these changes were not merged, so this is still pending? The reason for this PR is to include such a rule in the given scripts.
>
> Can't users do it now with the PreUp, PreDown... Etc rules inside WGDashboard itself?

No, those rules are missing; that is the reason for this PR. Please check the new additions in the diff.

@DaanSelen
Collaborator

Hi @mzs114 I see your branch is still on version 4.0.2. And the main application or the Docker container no longer uses these iptable rules.
How would they be used?

Maybe we can put those rules into the documentation, but having them in Bash scripts is not optimal.

@donaldzou what do you think?

@donaldzou
Owner

> Hi @mzs114 I see your branch is still on version 4.0.2. And the main application or the Docker container no longer uses these iptable rules. How would they be used?
>
> Maybe we can put those rules into the documentation, but having them in Bash scripts is not optimal.
>
> @donaldzou what do you think?

Just wondering... aren't Post/Pre scripts not identical? i.e. different for everybody?

@DaanSelen it seems like a WireGuard related issue lol

@NOXCIS
Contributor

NOXCIS commented Nov 8, 2024

@donaldzou @DaanSelen Wireguard and iptables restrictions for multiple users

For the love of god stop breaking shit. Iptables rules are the only way to apply peer routing to a Wireguard interface.

Wireguard and iptables restrictions for multiple users

If you don't know what Wireguard is, well, you should.
It's fast, easy to setup and highly configurable.
We will configure Wireguard for multiple users with various restrictions using iptables.

Assumptions

This should fit most setups (not mine though 😉)

  • LAN network: 192.168.1.0/24 (192.168.1.1 => 192.168.1.254)
  • LAN DNS server address: 192.168.1.1
  • Wireguard is installed (kernel and tools) on a Linux host (it should also work on other platforms though).
  • The Linux host address: 192.168.1.10
  • The Linux host main interface: enp4s0 (find it with ip a)

Initial server setup

  1. Ensure your iptables firewall has its FORWARD table policy set to DROP:

    iptables -P FORWARD DROP
  2. Generate a Wireguard private key

    echo "Private key: $(wg genkey)"
    Private key: OM5BUrGVAswOm/r8asLtdUgJB8rrXflD6TVFL5aGAHk=
    
  3. Create a file /etc/wireguard/wg0.conf (or any other name than wg0) with content:

    [Interface]
    Address = 10.0.0.1/24
    ListenPort = 51820
    PrivateKey = OM5BUrGVAswOm/r8asLtdUgJB8rrXflD6TVFL5aGAHk=
    PostUp = /etc/wireguard/postup.sh
    PostDown = /etc/wireguard/postdown.sh
    

    Don't forget to replace the PrivateKey value with the one you generated

  4. Create a file /etc/wireguard/postup.sh with content:

    #!/bin/bash
    WIREGUARD_INTERFACE=wg0
    WIREGUARD_LAN=10.0.0.0/24
    MASQUERADE_INTERFACE=enp4s0
    
    iptables -t nat -I POSTROUTING -o $MASQUERADE_INTERFACE -j MASQUERADE -s $WIREGUARD_LAN
    
    # Add a WIREGUARD_wg0 chain to the FORWARD chain
    CHAIN_NAME="WIREGUARD_$WIREGUARD_INTERFACE"
    iptables -N $CHAIN_NAME
    iptables -A FORWARD -j $CHAIN_NAME
    
    # Accept related or established traffic
    iptables -A $CHAIN_NAME -o $WIREGUARD_INTERFACE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    
    # Accept traffic from any Wireguard IP address connected to the Wireguard server
    iptables -A $CHAIN_NAME -s $WIREGUARD_LAN -i $WIREGUARD_INTERFACE -j ACCEPT
    
    # Drop everything else coming through the Wireguard interface
    iptables -A $CHAIN_NAME -i $WIREGUARD_INTERFACE -j DROP
    
    # Return to FORWARD chain
    iptables -A $CHAIN_NAME -j RETURN
  5. Create a file /etc/wireguard/postdown.sh with content:

    #!/bin/bash
    WIREGUARD_INTERFACE=wg0
    WIREGUARD_LAN=10.0.0.0/24
    MASQUERADE_INTERFACE=enp4s0
    CHAIN_NAME="WIREGUARD_$WIREGUARD_INTERFACE"
    
    iptables -t nat -D POSTROUTING -o $MASQUERADE_INTERFACE -j MASQUERADE -s $WIREGUARD_LAN
    
    # Remove and delete the WIREGUARD_wg0 chain
    iptables -D FORWARD -j $CHAIN_NAME
    iptables -F $CHAIN_NAME
    iptables -X $CHAIN_NAME
  6. Start the Wireguard server (without any client configured yet):

    wg-quick up wg0

First admin client

Let's setup a client with full access to Internet and your LAN through Wireguard.

  1. Install Wireguard on your client device

  2. On your client device, create a configuration file client.conf with content:

    [Interface]
    Address = 10.0.0.2/32
    DNS = 192.168.1.1
    PrivateKey = YOUR_CLIENT_PRIVATE_KEY
    
    [Peer]
    AllowedIPs = 0.0.0.0/0, ::/0
    Endpoint = 192.168.1.10:51820
    PersistentKeepalive = 25
    PublicKey = YOUR_SERVER_PUBLIC_KEY
    
  3. Replace in the configuration above YOUR_SERVER_PUBLIC_KEY with the key shown using wg show wg0 public-key on your server. For example: p6aGalk69yCM8vNhbvC5mEH/HhJr1c8f55UaeJSChX0=.

  4. Generate keys for your client:

    priv=`wg genkey` && printf "Private key: $priv\nPublic key: `echo "$priv" | wg pubkey`\n" && unset -v priv
    Private key: 2L4L8YwusK4Ot4jVoo/1wwQfLAeRM6kJ/WWxzfnWKm4=
    Public key: GmVyaj+K36xEk7ko/8jijMB9XX9dFgi4mJxsAEFMHmA=
    
  5. Replace in client.conf YOUR_CLIENT_PRIVATE_KEY with the private key just generated above.

  6. Use the public key shown above to add the following block to /etc/wireguard/wg0.conf on your server:

    [Peer]
    # Your first admin client
    PublicKey = GmVyaj+K36xEk7ko/8jijMB9XX9dFgi4mJxsAEFMHmA=
    AllowedIPs = 10.0.0.2/32
    
  7. On your server, restart Wireguard: wg-quick down wg0 && wg-quick up wg0.

  8. You should now be able to connect to the Wireguard server from your client. You can check on the server with wg and it should show a latest handshake line.

LAN only user

Let's add a user who should only have access to the LAN.

  1. Repeat steps 1 to 5 from the First admin client section above.

  2. Use the public key shown in step 4 to add the following block to /etc/wireguard/wg0.conf on your server:

    [Peer]
    # LAN only user
    PublicKey = 7GneIV/Od7WEKfTpIXr+rTzPf3okaQTBwsfBs5Eqiyw=
    AllowedIPs = 10.0.0.3/32
    
  3. Shutdown Wireguard: wg-quick down wg0

  4. Modify /etc/wireguard/postup.sh:

    • Limit full access to our first admin client 10.0.0.2 only by changing:

      iptables -A $CHAIN_NAME -s 10.0.0.0/24 -i $WIREGUARD_INTERFACE -j ACCEPT

      to

      iptables -A $CHAIN_NAME -s 10.0.0.2 -i $WIREGUARD_INTERFACE -j ACCEPT
    • Add a new line to allow our new user to LAN access only

      iptables -A $CHAIN_NAME -s 10.0.0.3 -i $WIREGUARD_INTERFACE -d 192.168.1.0/24 -j ACCEPT
  5. Start Wireguard: wg-quick up wg0

  6. Note that the client should change its AllowedIPs = 0.0.0.0/0, ::/0 to AllowedIPs = 192.168.1.0/24 so it tunnels only when trying to reach an address on the LAN.

Restrict the user to a port

Let's re-use the user we previously created. Let's only allow him to access port 445 (Samba) on a server 192.168.1.20 for example.

  1. Shutdown Wireguard: wg-quick down wg0

  2. Modify

    iptables -A $CHAIN_NAME -s 10.0.0.3 -i $WIREGUARD_INTERFACE -d 192.168.1.0/24 -j ACCEPT

    to

    iptables -A $CHAIN_NAME -s 10.0.0.3 -i $WIREGUARD_INTERFACE -d 192.168.1.20 -p tcp --dport 445 -j ACCEPT
  3. Start Wireguard: wg-quick up wg0

Restrict the user to limited Web browsing only

That's useful for our friends who want to stream restricted content on Netflix without allowing them on your LAN 😉

  1. Shutdown Wireguard: wg-quick down wg0

  2. Modify

    iptables -A $CHAIN_NAME -s 10.0.0.3 -i $WIREGUARD_INTERFACE -d 192.168.1.20 -p tcp --dport 445 -j ACCEPT

    to

    # DNS
    iptables -A $CHAIN_NAME -s 10.0.0.3 -i $WIREGUARD_INTERFACE -d 192.168.1.1 -p udp --dport 53 -j ACCEPT
    # Drop traffic to any private IP address
    iptables -A $CHAIN_NAME -s 10.0.0.3 -i $WIREGUARD_INTERFACE -d 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 -j DROP
    # Accept outgoing connections to HTTP(S) ports to any IP address (public because of rule above)
    iptables -A $CHAIN_NAME -s 10.0.0.3 -i $WIREGUARD_INTERFACE -d 0.0.0.0/0 -p tcp -m multiport --dports 80,443 -j ACCEPT
  3. Start Wireguard: wg-quick up wg0

  4. Don't forget to set back the client to AllowedIPs = 0.0.0.0/0, ::/0

More rules

Feel free to comment, I'll try my best to make you a rule 😉

Enjoy!
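As an added example (not code from the PR, WGDashboard, or the quoted gist), here is a small Python model of iptables FORWARD-chain evaluation applied to the gist's per-peer rules and to the `-i wg0 -o wg0 -j DROP` peer-isolation rule discussed in this PR. It shows that the gist's admin ACCEPT rule forwards peer-to-peer traffic unless the isolation rule is inserted (-I) ahead of it, while LAN access is unaffected. It assumes the chain is reduced to the three rules from the "LAN only user" step (conntrack and RETURN rules omitted) and uses constructed packets.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Packet:  # what iptables matches on in this reduced model
    src: str
    dst: str
    in_if: str
    out_if: str

@dataclass
class Rule:  # one iptables rule: match options (None = any) plus its -j target
    target: str
    src: str = None     # -s (address or CIDR)
    dst: str = None     # -d (comma-separated list allowed, as the gist uses)
    in_if: str = None   # -i
    out_if: str = None  # -o

    def matches(self, p):
        def in_nets(addr, nets):
            return any(ip_address(addr) in ip_network(n) for n in nets.split(","))
        return ((self.src is None or in_nets(p.src, self.src))
                and (self.dst is None or in_nets(p.dst, self.dst))
                and (self.in_if is None or self.in_if == p.in_if)
                and (self.out_if is None or self.out_if == p.out_if))

def forward(rules, p, policy="DROP"):
    """First matching rule decides; otherwise the chain policy applies (the gist sets FORWARD to DROP)."""
    return next((r.target for r in rules if r.matches(p)), policy)

# The gist's WIREGUARD_wg0 chain after its "LAN only user" step (conntrack and RETURN rules omitted).
GIST = [
    Rule("ACCEPT", src="10.0.0.2", in_if="wg0"),                        # admin: full access
    Rule("ACCEPT", src="10.0.0.3", in_if="wg0", dst="192.168.1.0/24"),  # LAN only user
    Rule("DROP", in_if="wg0"),
]
PEER_ISOLATION = Rule("DROP", in_if="wg0", out_if="wg0")  # this PR: iptables -I FORWARD -i wg0 -o wg0 -j DROP

# Constructed packets: the admin peer reaching another peer, and reaching a LAN host.
PEER_TO_PEER = Packet("10.0.0.2", "10.0.0.3", "wg0", "wg0")
ADMIN_TO_LAN = Packet("10.0.0.2", "192.168.1.20", "wg0", "enp4s0")

def verdicts():
    return {
        "gist_only": forward(GIST, PEER_TO_PEER),                        # ACCEPT: peers reach each other
        "prepended": forward([PEER_ISOLATION] + GIST, PEER_TO_PEER),     # DROP: -I puts isolation first
        "appended": forward(GIST + [PEER_ISOLATION], PEER_TO_PEER),      # ACCEPT: -A lands after the ACCEPT
        "lan_still_ok": forward([PEER_ISOLATION] + GIST, ADMIN_TO_LAN),  # ACCEPT: LAN access unaffected
    }
```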

@DaanSelen
Collaborator

> @donaldzou @DaanSelen Wireguard and iptables restrictions for multiple users For the love of god stop breaking shit. Iptables rules are the only way to apply peer routing to a Wireguard interface.

Hey Noxcis, if we are breaking things please let me know what, so we/Donald can fix them.
I know WireGuard needs Iptables for routing. But my question is not about that. It is about this PR and if it's still relevant.

These rules are good rules. But please point me to the code that has a reference to it. Right now it looks just like a script that is not being used.

I was thinking about moving this to the documentation, so people can forge their own Iptables rules based on this.

Hopefully we can think of something together! And I do not wish to be argumentative, I just want to have reasons behind actions which we can all agree on.

@mzs114
Author

mzs114 commented Nov 12, 2024

> Hi @mzs114 I see your branch is still on version 4.0.2. And the main application or the Docker container no longer uses these iptable rules. How would they be used?
>
> Maybe we can put those rules into the documentation, but having them in Bash scripts is not optimal.
>
> @donaldzou what do you think?

Yes, documentation too helps, we can suggest these rules.

Basically help a non-docker user to bootstrap quickly with a working VPN setup that is having secure rules, I am yet to see how this change breaks anything, other than the intended use - Drop the traffic between peers.

Personally, after going through the available approaches, I think that having a script is ok, as this can be a sane default for the operator to use in the Pre and Post settings, let me know if there is an alternative, this is like how Debian provides some out of the box default settings, any operator with advanced needs will edit these anyways.

I sent a PR for this script as this is where I found the rules stored and unused at that time, hence the branch drifted.

@NOXCIS

This comment was marked as abuse.

@donaldzou
Owner

Hi @NOXCIS,

First, I want to express my gratitude for your contributions to this project. I'm truly thankful to everyone who has helped make it better. Building this project has been my own effort, done entirely as a hobby, with no external funding or compensation.

The reason WGDashboard may have seemed stable for a long time is that it was initially very simple, with only a few features. Over time, I decided it was necessary to refactor the project using a newer tech stack. If there are imperfections, please feel free to hold me accountable.

I’ll definitely look into the issues you mentioned. Thank you again for bringing them to my attention. In the future, if you're open to it, feel free to suggest any improvements. I welcome all feedback, and be nice, as I strive to treat everyone in this community with the same respect.

Lastly, I want to give a shoutout to WireGate.

Hope you have a great day.

Best,
Donald

@donaldzou donaldzou closed this Nov 12, 2024
Repository owner locked as spam and limited conversation to collaborators Nov 12, 2024
@DaanSelen
Collaborator

DaanSelen commented Nov 12, 2024

@NOXCIS First off - I want to sincerely apologize for how I acted.

By the way you made a spelling mistake, I love obfuscating though:


My response.


My vision for this has always been to help people get this to work quickly through Docker. And I do not like how our exchange went down.
I do value your inputs. You raised some very good points about the project. We will work on those.
I have always welcomed people to give me feedback. Well thought about feedback, not just "because".

Regarding the useless code in the Docker container, you do have a point. My plan was always to remove more code as it becomes supported by WGDashboard itself. For example, the start-on-boot feature has been removed. Most of the audience is not very familiar with deep technical concepts.
You have helped the security of this project with Docker analysis using scout and switching to Alpine Linux, I do not want to downplay that.

That said, making this project is about working together. Not one person rules because he thinks he knows best. Anyone can challenge me in a discussion on my methods, and if they are right then we can change those things. You can do this as well, but removing someone's work will spark anger - so communicate with each other.

@mzs114 I would love your input - if you can, would you like to join the Discord so we can talk pro-actively?

@mzs114 mzs114 removed their assignment Nov 13, 2024