
Since I don't want friends and colleagues in my VPN to use my VPN server as a proxy VPN for "anonymous" surfing, I want to disable the default route for the VPN. In a nutshell:

  • LAN (10.20.0.0/24) must be accessible
  • WAN (0.0.0.0/0) must be inaccessible

I was unable to find a WireGuard setting to do this except configuring the AllowedIPs directive in the client config. But what kind of security does that provide?? Anyone can easily edit his/her config, replace 10.20.0.0/24 with 0.0.0.0/0, and use my VPN as a proxy...

My next approach was to delete the iptables rule that permits the forwarding from the VPN subnet to the WAN. But somehow I cannot delete the affected rule. If I create a similar rule (same subnet, same policy) I can delete it, but I am prevented from deleting the WireGuard rule somehow.

The rule in question has been marked with --> in the following output:

root@[...]:~# iptables -L FORWARD

    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    ...
    ACCEPT     all  --  anywhere             10.6.0.0/24          ctstate RELATED,ESTABLISHED /* wireguard-forward-rule */
--> ACCEPT     all  --  10.6.0.0/24          anywhere             /* wireguard-forward-rule */

Commands that I have tried to get rid of this rule:

root@[...]:~# iptables -D FORWARD -s 10.6.0.0/24 -j ACCEPT
iptables: Bad rule (does a matching rule exist in that chain?).

If I add the same rule again (without the comment):

root@[...]:~# iptables -L FORWARD

    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    ...
    ACCEPT     all  --  anywhere             10.6.0.0/24          ctstate RELATED,ESTABLISHED /* wireguard-forward-rule */
--> ACCEPT     all  --  10.6.0.0/24          anywhere             /* wireguard-forward-rule */
--> ACCEPT     all  --  10.6.0.0/24          anywhere

root@[...]:~# iptables -D FORWARD -s 10.6.0.0/24 -j ACCEPT
root@[...]:~#

No problem... :|

Note: If you need further logs/output, please let me know. Thanks in advance!

TheClockTwister
    You must run `iptables` with the `-v` option to see the complete firewall rule. This is a long-standing design flaw with this command. – Michael Hampton Oct 17 '20 at 03:02
  • @MichaelHampton Indeed, I found that WireGuard specifies interfaces which are not shown without `-v`... Please post your reply as an answer, so I can acknowledge it and resolve the question... Thanks! – TheClockTwister Oct 17 '20 at 03:05
  • You can also list rules with `--line-numbers` and delete by index if you don't want to bother. – Ginnungagap Oct 17 '20 at 07:18
  • @Ginnungagap That was my first idea, but I soon realized that it may be dangerous, since the order in which the rules are added at each boot can differ if some application adds or removes rules to be applied at startup. I therefore discarded the idea, although it worked as intended when no changes to the routing table were made. – TheClockTwister Oct 17 '20 at 13:51
  • Ah if it's for scripting it shouldn't be used, I didn't catch that from the question. – Ginnungagap Oct 17 '20 at 13:54
  • @Ginnungagap Sorry, should have mentioned it... – TheClockTwister Oct 17 '20 at 15:33

1 Answer


WireGuard also specifies interfaces and a comment.

These have to be an exact match when deleting rules. You can see the full list of arguments using iptables with the -v option.

The command that finally removed the rule was:

iptables -D FORWARD -i wg0 -o wlan0 -s 10.6.0.0/24 -m comment --comment "wireguard-forward-rule" -j ACCEPT
TheClockTwister
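As an added example (not part of the question or the answer above), the same exact-match problem can be solved without guessing interfaces: `iptables -S FORWARD` prints every rule as its full argument list, so the delete command can be derived from it and the WAN-permitting rule replaced by a LAN-only rule that is enforced on the server, whatever a client writes into AllowedIPs. The interface names wg0/wlan0 come from the answer, the LAN subnet from the question, and the `iptables -S` output below is constructed, not captured from the poster's host.

```shell
#!/bin/sh
# Added example: build the exact "iptables -D" command for the WireGuard
# forward rule from `iptables -S` output (full rule specs, including -i/-o
# and the comment), then print the server-side LAN-only replacement.

# Constructed stand-in for `iptables -S FORWARD` on a host like the poster's
# (wg0 -> wlan0, VPN subnet 10.6.0.0/24). Not real captured output.
SAMPLE_RULES='-P FORWARD DROP
-A FORWARD -d 10.6.0.0/24 -i wlan0 -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment wireguard-forward-rule -j ACCEPT
-A FORWARD -s 10.6.0.0/24 -i wg0 -o wlan0 -m comment --comment wireguard-forward-rule -j ACCEPT
-A FORWARD -s 10.6.0.0/24 -j ACCEPT'

# delete_cmd_for_rule RULES COMMENT OUT_IF
# Prints one "iptables -D" command per FORWARD rule that carries COMMENT and
# leaves via OUT_IF (the rule letting VPN clients reach the WAN). The spec is
# copied verbatim from the -S line, so it matches exactly. Returns 1 and
# prints nothing when no rule matches, so a caller under `set -e` stops
# instead of silently deleting nothing.
delete_cmd_for_rule() {
  cmds=$(printf '%s\n' "$1" \
    | grep -F -e "--comment $2" \
    | grep -F -e "-o $3" \
    | sed 's/^-A /iptables -D /')
  [ -n "$cmds" ] || { echo "no rule with comment '$2' via $3" >&2; return 1; }
  printf '%s\n' "$cmds"
}

# lan_only_cmd OUT_IF VPN_NET LAN_NET
# Prints the replacement rule: forward VPN traffic only to the LAN. With the
# chain policy DROP (as in the listing in the question), everything else from
# wg0, including 0.0.0.0/0, is dropped regardless of the client's AllowedIPs.
# Interface names are assumptions taken from the answer.
lan_only_cmd() {
  printf 'iptables -A FORWARD -i wg0 -o %s -s %s -d %s -m comment --comment wireguard-lan-only -j ACCEPT\n' "$1" "$2" "$3"
}

# Dry run: print the commands instead of executing them. On the real host,
# replace SAMPLE_RULES with "$(iptables -S FORWARD)" and pipe the output to sh.
delete_cmd_for_rule "$SAMPLE_RULES" wireguard-forward-rule wlan0
lan_only_cmd wlan0 10.6.0.0/24 10.20.0.0/24
```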