VPN firewall guide

[eduardogsilva]

WireGuard VPN Server: A Basic Firewall Configuration Guide

Welcome to this straightforward guide designed to assist you in setting up an effective firewall for your WireGuard VPN server in just a few minutes. This guide will walk you through the essential steps and provide you with practical examples to ensure your network remains secure and functional.

1. Main Firewall Settings

To begin, navigate to your firewall settings to review three important configurations:

• Default Forward Policy: This determines the action taken on packets that do not match any rule. Typically, I recommend setting this to DROP or REJECT. The default firewall configuration already includes necessary rules to allow VPN clients internet access.

• Allow Peer to Peer: This setting controls whether traffic is permitted between peers on the same WireGuard interface.

• Allow Instance to Instance: This setting determines whether traffic is allowed between peers on different WireGuard interfaces.

To "reset" your firewall rules, you can use the "Reset firewall to default" option. This action removes all port forwarding and existing firewall rules, replacing them with a default rule set that you can modify as needed. The default rules include:

• Forward: Deny traffic to private networks from WireGuard interfaces, while allowing all other traffic to the internet.
• Postrouting: Apply Masquerade (source NAT) to all outbound internet traffic.

Selecting "Display automatic rules" will reveal additional rules automatically inserted by your firewall, including state-related or established packets rules at the top, facilitating the construction of a stateful firewall. Below, you'll find the Peer to Peer and Instance to Instance rules.

2. Creating Firewall Rules

Let's explore some examples to illustrate how to create specific firewall rules:

Example 1: Block Traffic Between Peers But Allow Specific Peer to reach other peers

• Disable "allow peer to peer" in firewall settings.
• Create a new rule with:
  • Interface - Out: wg0 or wg+ for any WireGuard instance.
  • Source: Select the specific peer.
  • Destination: Leave blank for all peers or specify allowed peer destinations if necessary.
  • Action: ACCEPT.

Example 2: Allow Only Certain Peers Access to the Server Network (192.168.200.0/24)

• Create a rule with:
  • Source peer: Select peers with privileged access
  • Include networks behind peers if necessary by selecting "Source peer include networks".
  • Destination: 192.168.200.0
  • Destination netmask: 24
  • Action: ACCEPT.

Follow this by creating a rule to deny access to the server network, ensuring the ACCEPT rule for allowed peers precedes the DENY rule.

Example 3: Block All Traffic to internet Except DNS, HTTP, and HTTPS
For all the rules in this example, use:
interface In: wg+
interface Out: eth0

• Set up individual rules for DNS (port 53/udp), HTTP (port 80/tcp), and HTTPS (port 443/tcp) traffic to ACCEPT.
• Add a final rule to REJECT or DROP all other traffic.

Note: Remember to remove the default rule allowing all traffic from wg+ to WAN to enforce these settings properly.

This guide provides foundational knowledge to create a secure and tailored firewall configuration for your WireGuard VPN server. These examples illustrate just a fraction of what's possible, allowing for flexibility to meet various requirements.