Configuration path: interfaces wireguard wg0 [firewall] is not valid
Set failed
This is on 1.2.0-rc10
It appears that not only is there no firewall option for wireguard interfaces, but local firewalls on host interfaces are not applied to traffic exiting the wireguard interface.
For example, eth0 local firewall default drop with no other rules allows traffic traversing a wireguard interface to access it.
Additionally, monitor traffic interface eth0 shows no traffic from wireguard interfaces (icmp/ssh/etc).
Seems pretty serious.
Can you please clarify? Why would you expect ssh traffic on eth0 if you send it via wg?
Given a vyos instance with 2 interfaces: wg0 10.1.1.1 and eth0 192.168.64.1, ssh listening on eth0, there’s no way to prevent traffic routed over the wg0 interface from accessing 192.168.64.1:22.
I had assumed adding a local firewall default action drop on eth0 would prevent it.
Firewall settings are possible in rolling releases as well as in the crux based images.