Harden OPNsense for WireGuard Access

Started by jimjohn, July 21, 2022, 12:31:10 PM

July 21, 2022, 12:31:10 PM Last Edit: July 21, 2022, 12:35:14 PM by jimjohn
Hi,

I successfully configured WireGuard on an OPNsense behind a Fritz!Box. I did a port forward to the WAN of the OPNsense and was able to connect from my cellphone. So far so good. Before I activate the port forward in the Fritz!Box continuously, I wonder if there is anything I can do on the WAN side of the OPNsense to harden it. For example against any spamming / port scanning / flooding. How do you harden your VPN ports properly?

Second question: if I only want to use the WireGuard for a RoadWarrior usage, would you allow all traffic via the tunnel and block the packages on the WireGuard side via the firewall rules? Or can I somehow decide even earlier on the cellphone?

Third question: I have two interfaces for WireGuard on the OPNsense: the WireGuard (Group) and my specific WireGuard interface. How do you manage the rules here? Is the "Group" interface similar to the "Floating Rules" but only for the WireGuard interfaces?


1. wg uses a single UDP port and is stateless. It won't respond to invalid packets. No need for further "hardening" imho.

2. Only the phone's tunnel address(es) should be added to the allowed IPs in OPNsense. And only the networks to be made accessible through the tunnel should be added to the allowed IPs on the phone. Further restrictions require firewall rules.

3. WireGuard (Group) includes all wg interfaces (which you can have many of). Firewall rules added to the group apply to all wg interfaces. If you have only one wg interface, it doesn't matter where you add the rules.

Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).
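The AllowedIPs split Maurice describes in point 2, written out in WireGuard's own text configuration syntax as an added example (not part of the thread and not a config exported from OPNsense, which manages the same settings in its GUI); the keys, tunnel addresses, home network and endpoint hostname are placeholders:

```ini
# Added example: WireGuard peer definitions for a road-warrior phone.
# All keys, addresses and the endpoint are constructed placeholders.

# --- OPNsense side ---
[Interface]
PrivateKey = <server-private-key>
ListenPort = 51820
Address = 10.10.0.1/24

# The phone peer: only its single tunnel address is accepted as a
# source inside the tunnel, so nothing else can be routed from it.
[Peer]
PublicKey = <phone-public-key>
PresharedKey = <optional-psk>
AllowedIPs = 10.10.0.2/32

# --- Phone side ---
[Interface]
PrivateKey = <phone-private-key>
Address = 10.10.0.2/32
DNS = 192.168.1.1

[Peer]
PublicKey = <server-public-key>
PresharedKey = <optional-psk>
Endpoint = vpn.example.net:51820
# Split tunnel: only the tunnel subnet and the home LAN are sent
# through WireGuard. Using 0.0.0.0/0 instead would route all phone
# traffic to OPNsense and leave the filtering to the firewall rules
# on the WireGuard (Group) interface.
AllowedIPs = 10.10.0.0/24, 192.168.1.0/24
PersistentKeepalive = 25
```

With this layout the decision of what goes through the tunnel is already made on the phone (the AllowedIPs list), and the OPNsense AllowedIPs entry pins the peer to one address; anything finer, such as limiting the phone to a single host or port on the LAN, still needs firewall rules on the WireGuard interface or group.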


Since you are connecting from a mobile device, it's often difficult to "lockdown" the WAN interface rule and only allow IP traffic from IP address xxx or yyy because with a mobile device you often cannot say in advance exactly what your IP address will be.

However, there are a few steps you can take.


  • WG security is excellent and no attacker is going to easily "guess" your private keys and get in.

  • You could also use the "shared secret PSK" key inside WG for additional security. I personally don't use this, because WG's setup with its excellent public/private based keys is very, very secure anyway.

  • If you cannot lock down the WG inbound WAN interface by IP address, you may still be able to use the GeoIP filters and only allow inbound WG connections from your country, say New Zealand only IP addresses.

  • Alternatively, you could also use GeoIP and allow inbound any IP address except from what you consider "naughty / undesirable" countries.

Personally I use WG for remote access and I lock down the WAN to WG firewall rule to only accept IP traffic from New Zealand based IP addresses.

July 29, 2022, 07:29:05 AM #5 Last Edit: July 29, 2022, 07:30:38 AM by RamSense
I have also been trying to get this one step further, but did not get it to work.
I added a captive portal to Wireguard and in that I added to "Allowed MAC addresses" the MAC addresses of the mobiles being allowed to connect.
This seems not to be working from outside/over wan and only works local / LAN, but it can also be that I missed something. So if anybody tried this and got it to work, I would love to hear that.
Deciso DEC850v2

Quote from: RamSense on July 29, 2022, 07:29:05 AM
I added a captive portal to Wireguard and in that I added to "Allowed MAC addresses" the MAC addresses of the mobiles being allowed to connect.

Nice idea with the MAC address. You could still make a firewall rule for the MAC address though ...

Sounds like an option, but I don't seem to be able to add MAC addresses into the firewall-rules-wan rule?

Or should the rule be: source "any" being changed to source "aliases with mac addresses" ?
Deciso DEC850v2

You can set the MAC address as an alias and add it as the source in the firewall rule.

Exactly. But I am getting the same problem. Works over LAN but not over WAN/4g/5g being away from home.

Do you get it to work?
Deciso DEC850v2

No, I did not try it, only using it in the LAN. Do a PCAP and check if the correct MAC address is in the package coming from the mobile device.

August 11, 2022, 04:42:38 AM #11 Last Edit: August 20, 2022, 10:28:45 AM by nzkiwi68
The Wireguard VPN client is routed layer 3, not a layer 2 broadcast domain, therefore the OPNsense firewall never learns the MAC address of the WG client.

Therefore it's quite impossible to use a MAC address based firewall rule.