Set Wireguard Interface Firewall Missing?


#1

Configuration path: interfaces wireguard wg0 [firewall] is not valid
Set failed

This is on 1.2.0-rc10


#3

Hi @trystan,

yes, that functionality hasn't been implemented yet. Can you please open a feature request in phabricator.vyos.net? So far most people only used it to secure their routing protocols such as BGP, to which they don't want to have any fw rules applied. That's why it slipped under the radar.


#4

It appears that not only is there no firewall option for wireguard interfaces, but local firewalls on host interfaces are not applied to traffic exiting the wireguard interface.

For example, eth0 local firewall default drop with no other rules allows traffic traversing a wireguard interface to access it.

Additionally, monitor traffic interface eth0 shows no traffic from wireguard interfaces (icmp/ssh/etc).

Seems pretty serious.


#5

Can you please clarify? Why would you expect ssh traffic on eth0 if you send it via wg?


#6

Given a vyos instance with 2 interfaces: wg0 10.1.1.1 and eth0 192.168.64.1, ssh listening on eth0, there’s no way to prevent traffic routing over the wg0 interface from being able to access 192.168.64.1:22.

I had assumed adding a local firewall default action drop on eth0 would prevent it.
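Added illustration (not from this thread and not VyOS code): a small Python model of how a per-interface "local" ruleset is selected. It assumes, as the thread's observations imply, that the ruleset bound with "firewall local name" on an interface is chosen by the interface the packet arrives on, not by the interface that owns the destination address. The addresses, the ruleset name LOCAL and the packets are constructed to match the scenario in post #6, so the first function reproduces the gap (SSH over wg0 to 192.168.64.1:22 is accepted even though eth0 has a default-drop local ruleset) and the second shows the outcome once an equivalent ruleset is also bound on wg0, which on 1.2.0-rc10 the CLI does not yet allow.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Rule:
    """One numbered rule of a VyOS-style named ruleset (simplified model)."""
    action: str                      # "accept" or "drop"
    protocol: Optional[str] = None   # e.g. "tcp"; None matches any protocol
    dport: Optional[int] = None      # destination port; None matches any port

    def matches(self, pkt: "Packet") -> bool:
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


@dataclass
class RuleSet:
    """'firewall name <NAME>': first matching rule wins, otherwise default-action."""
    default_action: str
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, pkt: "Packet") -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default_action


@dataclass
class Packet:
    in_iface: str      # interface the packet arrived on
    dst_ip: str
    protocol: str
    dport: Optional[int] = None


class Router:
    """Minimal model of the INPUT path: packets addressed to the router itself."""

    def __init__(self, addresses: Dict[str, str], local_rulesets: Dict[str, RuleSet]):
        self.addresses = addresses            # iface -> IP owned by that iface
        self.local_rulesets = local_rulesets  # iface -> ruleset bound via 'firewall local name'

    def handle(self, pkt: Packet) -> str:
        if pkt.dst_ip not in self.addresses.values():
            return "forward"  # not addressed to us; 'in'/'out' chains would apply, out of scope here
        # Key point: the 'local' ruleset is chosen by the ingress interface,
        # not by the interface that owns the destination address.
        ruleset = self.local_rulesets.get(pkt.in_iface)
        if ruleset is None:
            return "accept"   # no ruleset bound on this ingress interface
        return ruleset.evaluate(pkt)


# Constructed to match the thread: like 'set firewall name LOCAL default-action drop'
LOCAL = RuleSet(default_action="drop")
ADDRS = {"wg0": "10.1.1.1", "eth0": "192.168.64.1"}
SSH_FROM_WG = Packet(in_iface="wg0", dst_ip="192.168.64.1", protocol="tcp", dport=22)
SSH_FROM_LAN = Packet(in_iface="eth0", dst_ip="192.168.64.1", protocol="tcp", dport=22)


def ruleset_on_eth0_only() -> Dict[str, str]:
    """The thread's scenario: LOCAL bound on eth0 only, nothing bound on wg0."""
    r = Router(ADDRS, {"eth0": LOCAL})
    return {"from_wg0": r.handle(SSH_FROM_WG), "from_eth0": r.handle(SSH_FROM_LAN)}


def ruleset_on_both() -> Dict[str, str]:
    """What closing the gap needs: the same ruleset bound on wg0 as well."""
    r = Router(ADDRS, {"eth0": LOCAL, "wg0": LOCAL})
    return {"from_wg0": r.handle(SSH_FROM_WG), "from_eth0": r.handle(SSH_FROM_LAN)}


if __name__ == "__main__":
    print("eth0 only:", ruleset_on_eth0_only())   # {'from_wg0': 'accept', 'from_eth0': 'drop'}
    print("both:     ", ruleset_on_both())        # {'from_wg0': 'drop', 'from_eth0': 'drop'}
```

The model makes the practical check explicit: a "local" ruleset protects the router only against packets entering the interface it is bound to, so every interface that can deliver packets to the router's own addresses, tunnels included, needs its own binding before a default-drop policy can be relied on.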