
I have set up wireguard and ufw using this guide. If ufw on the vpn server is enabled, it blocks some packets below (internet through the vpn on the client doesn't work). If ufw is disabled, the packets flow as expected.

wg0 is a wireguard interface, 10.0.0.5 is a vpn peer ip, OS is Debian 8

Jul 19 05:38:45 jojo kernel: [49649.152926] [UFW BLOCK] IN=wg0 OUT=eth0 MAC= SRC=10.0.0.5 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=1825 DF PROTO=ICMP TYPE=8 CODE=0 ID=4464 SEQ=1 
Jul 19 05:38:45 jojo kernel: [49649.155578] [UFW BLOCK] IN=eth0 OUT=wg0 MAC=52:54:00:ac:49:3a:60:73:5c:c4:e7:c0:08:00 SRC=8.8.8.8 DST=10.0.0.5 LEN=84 TOS=0x00 PREC=0x00 TTL=56 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=4464 SEQ=1 
Jul 19 05:39:11 jojo kernel: [49674.957246] [UFW BLOCK] IN=eth0 OUT=wg0 MAC=52:54:00:ac:49:3a:60:73:5c:c4:e7:c0:08:00 SRC=64.233.165.188 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=107 ID=44510 PROTO=TCP SPT=5228 DPT=37290 WINDOW=62392 RES=0x00 ACK SYN URGP=0 
Jul 19 05:39:44 jojo kernel: [49708.584724] [UFW BLOCK] IN=wg0 OUT=eth0 MAC= SRC=10.0.0.5 DST=64.233.165.188 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=11308 DF PROTO=TCP SPT=37290 DPT=5228 WINDOW=27600 RES=0x00 SYN URGP=0 
Jul 19 05:39:44 jojo kernel: [49708.621356] [UFW BLOCK] IN=eth0 OUT=wg0 MAC=52:54:00:ac:49:3a:60:73:5c:c4:e7:c0:08:00 SRC=64.233.165.188 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=107 ID=62713 PROTO=TCP SPT=5228 DPT=37290 WINDOW=62392 RES=0x00 ACK SYN URGP=0 
Jul 19 05:40:01 jojo kernel: [49724.776855] [UFW BLOCK] IN=wg0 OUT=eth0 MAC= SRC=10.0.0.5 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=7438 DF PROTO=ICMP TYPE=8 CODE=0 ID=4466 SEQ=6 

ufw status verbose:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
51820/udp                  ALLOW IN    Anywhere
22/tcp                     ALLOW IN    Anywhere
51820/udp                  ALLOW IN    Anywhere (v6)
22/tcp                     ALLOW IN    Anywhere (v6)

I don't understand what blocks these packets. How can I figure out which rule does? What rule might fix the problem?

2 Answers


By default, ufw will apply rules to all available interfaces. To limit this, specify DIRECTION on INTERFACE, where DIRECTION is one of in or out (interface aliases are not supported). For example, to allow all new incoming http connections on eth0, use:

ufw allow in on eth0 to any port 80 proto tcp

so I've added the interface to my configuration:

ufw allow in on wg0 to any

Before this I had the following rules, which also worked:

sudo ufw allow from 192.168.5.0/24
sudo ufw allow from fd42:42:42::1/64
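The following POSIX shell script is an added example, not code from the question or from either answer. It reads kernel "[UFW BLOCK]" lines like the ones in the question, classifies each by its IN=/OUT= fields (both set means the packet was being forwarded between two interfaces, as in the wg0/eth0 lines above; only IN set means it was addressed to the host itself), counts the blocked flows per interface pair so they can be compared with the rule table from "ufw status verbose", and prints the interface-scoped rule form this answer used for each ingress interface. The function names (field, classify, suggest_rule, summarize) are my own; the first three sample lines are copied from the question and the fourth is constructed, using documentation addresses, to show a plain inbound block.

```sh
#!/bin/sh
# Added example (not from the original question or answers): classify
# kernel "[UFW BLOCK]" log lines and derive the interface-scoped ufw rule
# form used in the accepted answer. All function names are assumptions.

# Print the value of KEY= in a log line (empty if the field is missing or empty).
# $1 = log line, $2 = key (e.g. IN, OUT, PROTO)
field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Classify a block line by its IN=/OUT= fields:
#   input   : IN set, OUT empty  -> destined for this host ("ufw ... in" rules)
#   output  : IN empty, OUT set  -> generated by this host ("ufw ... out" rules)
#   forward : both set           -> routed between two interfaces (the VPN case)
classify() {
    in_if=$(field "$1" IN)
    out_if=$(field "$1" OUT)
    if [ -n "$in_if" ] && [ -n "$out_if" ]; then
        echo forward
    elif [ -n "$in_if" ]; then
        echo input
    elif [ -n "$out_if" ]; then
        echo output
    else
        echo unknown
    fi
}

# For a blocked input/forward packet, print the rule form from the accepted
# answer for its ingress interface; other directions get an empty string.
suggest_rule() {
    case "$(classify "$1")" in
        input|forward) echo "ufw allow in on $(field "$1" IN) to any" ;;
        *) echo "" ;;
    esac
}

# Read log lines on stdin and print "<direction> IN=<if> OUT=<if> <count>",
# one line per distinct direction/interface pair, so the blocked flows can
# be matched against the rule table shown by 'ufw status verbose'.
summarize() {
    while IFS= read -r line; do
        case "$line" in
            *"[UFW BLOCK]"*) ;;
            *) continue ;;
        esac
        printf '%s IN=%s OUT=%s\n' "$(classify "$line")" \
            "$(field "$line" IN)" "$(field "$line" OUT)"
    done | sort | uniq -c | awk '{print $2, $3, $4, $1}'
}

# Sample input: lines 1-3 are taken from the question; line 4 is constructed
# (documentation addresses) to show a block of a packet addressed to the host.
SAMPLE_LOG='Jul 19 05:38:45 jojo kernel: [49649.152926] [UFW BLOCK] IN=wg0 OUT=eth0 MAC= SRC=10.0.0.5 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=1825 DF PROTO=ICMP TYPE=8 CODE=0 ID=4464 SEQ=1
Jul 19 05:38:45 jojo kernel: [49649.155578] [UFW BLOCK] IN=eth0 OUT=wg0 MAC=52:54:00:ac:49:3a:60:73:5c:c4:e7:c0:08:00 SRC=8.8.8.8 DST=10.0.0.5 LEN=84 TOS=0x00 PREC=0x00 TTL=56 ID=0 PROTO=ICMP TYPE=0 CODE=0 ID=4464 SEQ=1
Jul 19 05:40:01 jojo kernel: [49724.776855] [UFW BLOCK] IN=wg0 OUT=eth0 MAC= SRC=10.0.0.5 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=7438 DF PROTO=ICMP TYPE=8 CODE=0 ID=4466 SEQ=6
Jul 19 05:41:00 jojo kernel: [49783.000000] [UFW BLOCK] IN=eth0 OUT= MAC=52:54:00:ac:49:3a:60:73:5c:c4:e7:c0:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=40000 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0'

echo "Blocked flows by direction and interface pair:"
printf '%s\n' "$SAMPLE_LOG" | summarize
echo
echo "Rule form from the accepted answer, per ingress interface of blocked packets:"
printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do
    rule=$(suggest_rule "$line")
    if [ -n "$rule" ]; then
        echo "$rule"
    fi
done | sort -u
```

The point of the classification is that the rules listed by "ufw status verbose" (51820/udp and 22/tcp ALLOW IN) only describe traffic addressed to the server itself, while every line in the question carries both IN= and OUT=, so those packets were being forwarded between wg0 and eth0 and were dropped by the forwarding policy rather than by any of the listed rules. The "allow in on wg0 to any" rule from this answer covers the wg0 to eth0 direction; replies coming back from eth0 to wg0 are then matched by the RELATED,ESTABLISHED rule that ufw ships in its default before.rules, which is why one rule was enough. It does admit any forwarded traffic from VPN peers; the "to any port N proto tcp" form quoted from the manual above is the way to narrow it.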

For an easier step, install gufw with apt or whatever installer you use.

sudo apt install ufw gufw

Launch the UFW GUI with your favorite launcher; there you can see which apps are using the internet and on which port specifically.


After that, in the Rules section you can create a rule for which ports you want whitelisted or which service you wish to whitelist; for example, type openvpn and click Add.


In conclusion, you can just drop the firewall altogether, because your traffic is already behind the VPN network, and most of the popular VPN services, like NordVPN, have cyber security built in, so there's no need for a firewall. I'm not aware of all the features of WireGuard though; you can check this on their website.
