HCoder.org
FireHOL and Wireguard
Apr 8, 2020

The last blog post was a quick introduction to FireHOL, the software to make firewalls. In this blog post we will see how to configure FireHOL to allow Wireguard to work, if you want to install Wireguard on the same server. In this configuration, Wireguard is used as a simple VPN server (think OpenVPN): it accepts connections from a client (typically a laptop or a mobile phone) and routes that traffic to the internet.
EDIT: Corrected/simplified a couple of things, based on feedback.
Assumptions
For this blog post, I will assume that you already have Wireguard working, and you have FireHOL installed and configured (except that Wireguard now doesn’t work, and you have to fix FireHOL’s configuration to make it work again).

I will assume that your Wireguard interface is wg0, you are using the (standard) Wireguard port 51820, and your main network interface is eth0.

Configuring Wireguard
There are three things we must do in order to make Wireguard work:
- Accept the initial connection to the Wireguard server port
- Accept traffic from the Wireguard network interface
- Route the traffic from the Wireguard interface to the internet (the main network interface)
Accepting Wireguard connections
The first thing one has to do is to open the Wireguard port. Because FireHOL has no built-in service definition for Wireguard, we need to specify the port explicitly with server custom:

    interface eth0
        # ...
        server custom wireguard udp/51820 default accept

If you put those lines at the end of your interface eth0 definition you should be good. Note that, if you would prefer that line to look like the other service definitions, you can tell FireHOL what the Wireguard port is and then write the line as server wireguard accept.
Accepting traffic from the Wireguard interface

For that we need to declare the Wireguard interface and accept everything from/to it:

    interface wg0 vpn
        policy accept

Put those lines before or after your other interface definitions.

Routing
Last but not least, we need to allow the traffic from wg0 to be routed to and from the main network interface. To do that, put these lines at the end of your configuration file:

    router vpn2internet inface wg0 outface eth0
        masquerade
        route all accept
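Putting the three pieces together, here is a complete firehol.conf as an added example (it is my own file, not one from the original post). It assumes FireHOL 3 (hence the version 6 line), that eth0 should only expose SSH and Wireguard, and it uses the service-definition variant mentioned in the first section (the server_wireguard_ports / client_wireguard_ports variables) instead of server custom; the interface label internet, the ssh service and the protection line are my choices.

```firehol
version 6

# Assumed values: Wireguard listens on udp/51820 on interface wg0;
# the uplink is eth0. Change these three things to match your server.

# Teach FireHOL a "wireguard" service so it can be used like any
# built-in one. The pair is: server port, then client ports
# ("default" means any unprivileged source port).
server_wireguard_ports="udp/51820"
client_wireguard_ports="default"

# Public interface: deny by default, expose only what we need.
interface eth0 internet
    protection strong
    policy drop
    server ssh accept
    # Same effect as: server custom wireguard udp/51820 default accept
    server wireguard accept
    client all accept

# VPN interface: trust everything to/from connected peers.
interface wg0 vpn
    policy accept

# Let VPN clients reach the internet through eth0, rewriting their
# private source addresses to the server's public address.
router vpn2internet inface wg0 outface eth0
    masquerade
    route all accept
```

Activate it with firehol try, which rolls the change back unless you confirm it from a still-working session. The router block is also the place to tighten things later: replacing route all accept with specific services limits what VPN clients can reach, which is worth doing if the VPN is for a few known uses rather than general internet access.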
Conclusions
One could do more sophisticated configurations, but that’s a basic one that should work well. As always, activate the new configuration with firehol try, so that if you break anything you will not lose access to the server. I hope this post was useful!