The last blog post was a quick introduction to FireHOL, a tool that builds an iptables firewall from a simple configuration file. In this blog post we will see how to configure FireHOL so that Wireguard keeps working when both run on the same server. In this setup, Wireguard is used as a plain VPN server (think OpenVPN): it accepts connections from a client (typically a laptop or a mobile phone) and routes that client's traffic to the internet.
EDIT: Corrected/simplified a couple of things, based on feedback.
For this blog post, I will assume that you already have Wireguard working and FireHOL installed and configured, except that Wireguard has stopped working now that FireHOL is filtering traffic, and you have to fix FireHOL's configuration to make it work again.
I will assume that your Wireguard interface is wg0, that you are using the standard Wireguard port, 51820, and that your main network interface is eth0.
There are three things we must do in order to make Wireguard work:
- Accept the initial connection to the Wireguard server port
- Accept traffic from the Wireguard network interface
- Route the traffic from the Wireguard interface to the internet (the main network interface)
Accepting Wireguard connections
The first thing to do is to open the Wireguard port. FireHOL has no built-in wireguard service, so we have to spell out the protocol and port ourselves with server custom:

```
interface eth0
    # ...
    server custom wireguard udp/51820 default accept
```

Here udp/51820 is the server port and default stands for FireHOL's usual client port range.
If you put that line at the end of your interface definition you should be good. Note that, if you would prefer it to look like the other service definitions, you can tell FireHOL what the Wireguard port is (by defining a wireguard service in the configuration) and then write the line as server wireguard accept.
Accepting traffic from the Wireguard interface
For that we declare the Wireguard interface and accept everything from and to it:

```
interface wg0 vpn
    policy accept
```

Put those lines before or after your other interface definitions.
Routing traffic to the internet
Last but not least, we need to allow the traffic from wg0 to be routed to and from the main network interface. To do that, put these lines at the end of your configuration file:

```
router vpn2internet inface wg0 outface eth0
    masquerade
    route all accept
```

masquerade NATs the VPN clients' traffic behind eth0's address on its way out, and route all accept allows any traffic between the two interfaces in both directions.
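Putting the three pieces together, here is a complete firehol.conf as an added example; it is not the configuration from the original post. It uses FireHOL 3's version 6 syntax, names the eth0 interface internet, keeps ssh open so you cannot lock yourself out, and teaches FireHOL a wireguard service through the server_wireguard_ports and client_wireguard_ports variables so that the server line can read server wireguard accept. The interface name internet, the ssh rule and the protection line are assumptions of this example, not requirements of the post.

```conf
version 6

# Define a "wireguard" service (added example, not from the original page).
# Server side: UDP 51820. Client side: FireHOL's default client port range.
server_wireguard_ports="udp/51820"
client_wireguard_ports="default"

# Main network interface. "internet" is just the name chosen here.
interface eth0 internet
    policy drop
    protection strong
    # Keep SSH reachable so "firehol try" leaves you a way back in (assumption).
    server ssh accept
    # Same effect as: server custom wireguard udp/51820 default accept
    server wireguard accept
    # Let the server itself reach the internet.
    client all accept

# VPN side: accept everything from and to the Wireguard peers.
interface wg0 vpn
    policy accept

# Forward peer traffic to the internet, NATed behind eth0's address.
router vpn2internet inface wg0 outface eth0
    masquerade
    route all accept
```

Save it as /etc/firehol/firehol.conf and load it with firehol try.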
One could do more sophisticated configurations (for example, policy drop on wg0 with explicit server rules, so that VPN clients can only reach the services you choose on the server itself), but this is a basic one that should work well. As always, activate the new configuration with firehol try: FireHOL loads the new rules and reverts to the previous firewall unless you type commit within 30 seconds, so if you break anything you will not lose access to the server. I hope this post was useful!