HCoder.org

FireHOL and Wireguard

The last blog post was a quick introduction to FireHOL, a tool that builds an iptables firewall from a readable configuration file. In this post we will see how to configure FireHOL so that Wireguard keeps working when both run on the same server. In this setup, Wireguard acts as a simple VPN server (think OpenVPN): it accepts connections from a client (typically a laptop or a mobile phone) and routes that client's traffic to the internet.

EDIT: Corrected/simplified a couple of things, based on feedback.

Assumptions

For this blog post, I will assume that you already have Wireguard working, and that you have FireHOL installed and configured (except that, with FireHOL active, Wireguard no longer works, and you have to fix FireHOL's configuration to make it work again).

I will assume that your Wireguard interface is wg0, that you are using the default Wireguard port (UDP 51820; Wireguard never uses TCP), and that your main network interface is eth0.

Configuring Wireguard

There are three things we must do in order to make Wireguard work:

  1. Accept incoming UDP packets on the Wireguard server port (the handshake and all tunnel traffic arrive there)
  2. Accept traffic from the Wireguard network interface
  3. Route the traffic from the Wireguard interface to the internet (the main network interface)

Accepting Wireguard connections

The first thing one has to do is to open the Wireguard port. FireHOL ships no built-in wireguard service definition, so we have to spell out the protocol and port ourselves with server custom:

interface eth0
    # ...
    server custom wireguard udp/51820 default accept

Add that server custom line to your existing interface eth0 definition (the # ... stands for the services you already allow there) and you should be good. The arguments are, in order: a name for the service, the server ports (udp/51820), the client ports (default, i.e. the usual ephemeral source ports) and the action. Note that, if you would prefer the line to look like the other service definitions, you can first tell FireHOL what the Wireguard port is by defining a wireguard service, and then write the line as server wireguard accept.

Accepting traffic from the Wireguard interface

For that we need to declare the Wireguard interface and accept everything to and from it:

interface wg0 vpn
    policy accept

Put those lines before or after your other interface definitions. Be aware of what policy accept means here: every peer that completes a handshake can reach anything listening on the server itself (SSH, databases, and so on), not just the internet behind it. If the server should only route for its clients, replace the policy with explicit server ... accept lines for the few services you actually want to expose to them.

Routing

Last but not least, we need to allow traffic from wg0 to be forwarded to and from the main network interface. Because the clients use private VPN addresses, their packets must also be NATed (masqueraded) to eth0's address on the way out, or replies would never find their way back. To do that, put these lines at the end of your configuration file:

router vpn2internet inface wg0 outface eth0
    masquerade
    route all accept
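The three pieces above assembled into one complete firehol.conf, so the order and placement are unambiguous. This is an added example, not the configuration from the original post or from the FireHOL project: the version 6 header assumes FireHOL 3.x, and the internet/vpn interface labels, the ssh service and the outbound client all accept rule are assumptions about what the rest of your configuration already contains.

```firehol
# /etc/firehol/firehol.conf (assumed path and FireHOL 3.x syntax; added example)
version 6

# Optional alternative to the "server custom" line used below: define a
# "wireguard" service once, then use "server wireguard accept" like any
# built-in service. Uncomment both variables and swap the line in eth0.
#server_wireguard_ports="udp/51820"
#client_wireguard_ports="default"

# 1. Public interface: your existing rules plus the Wireguard UDP port.
#    Wireguard uses UDP only, so there is no tcp/51820 to open.
interface eth0 internet
    protection strong
    client all accept              # the server itself may connect outwards
    server ssh accept              # assumed: keep your management access
    server custom wireguard udp/51820 default accept

# 2. Tunnel interface: every authenticated peer is fully trusted on the
#    server itself. Replace "policy accept" with explicit "server ... accept"
#    lines if peers should only be routed, not served.
interface wg0 vpn
    policy accept

# 3. Forward peer traffic out through eth0, rewriting its source address to
#    eth0's address (masquerade applies to the router's outface).
#    "route all accept" is bidirectional: it also covers the replies.
router vpn2internet inface wg0 outface eth0
    masquerade
    route all accept
```

Activate it with firehol try, then verify what was actually generated rather than trusting the file: iptables-save | grep 51820 should show the UDP accept rule on eth0, iptables -t nat -S POSTROUTING should show a MASQUERADE rule for eth0, and sysctl net.ipv4.ip_forward should report 1, since the router block achieves nothing if the kernel is not forwarding.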

Conclusions

One could do more sophisticated configurations, but this basic one should work well. As always, activate the new configuration with firehol try: it loads the new rules and automatically restores the previous ones unless you confirm within a short timeout, so if you break anything you will not lose access to the server. I hope this post was useful!