WireGuard connecting hosts WAN->LAN

WireGuard connecting hosts WAN->LAN

[Germano Massullo]

A simple question to Wireguard developers, since while asking for help
in OpenWRT forum[1] I have been told that I am asking a thing that
Wireguard cannot do, so I want to ask upstream if it is possible or not

Scenario:
A = internet (WAN) host (WireGuard IP 10.1.1.3)
B = OpenWRT router (WireGuard IP 10.1.1.1)
C = LAN host (WireGuard IP 10.1.1.2)

I want to:
1) connect A to C passing through B. I don't want to expose C to
internet at all, (so no things like port forwarding)
2) A must have C public key (and viceversa), so in case of B being
compromised, the A<->C VPN will not be compromised.

In a few words, I want B to just route forwards packages from A to C.

I have been told:
=====
In your scenario A is not connected to C. Having peer entries for A and
C at each end are completely pointless because they're not doing
anything. The keys you have in those entries will only ever be used if A
and C are connected directly. As long as you have B in the middle then
packets will be sent from A (or C) to B which will decrypt then with the
appropriate public key. B will then re-encrypt them with it's own
private key before sending them on to C (or A). If you don't want that
to happen then you'll need to connect A and C directly.
=====

What do you think about?
For information completeness, below I attach the configuration of the
three hosts
In past I had a similar configuration with 3 Fedora/CentOS machines,
where A had just the B public key and I could connect to C because in A
configuration, the allowed IPs of B had a /24 mask. Now I would like to
setup a more strict configuration

Thank you for your time

[1]: https://forum.openwrt.org/t/wireguard-connecting-hosts-wan-lan/



**Host A - WireGuard configuration file (Fedora)**

```
[Interface]
Address = 10.1.1.3/24
PrivateKey = censored
ListenPort = 51820

# Host B
[Peer]
PublicKey = censored
Endpoint = tom.foo.bar:51820
AllowedIPs = 10.1.1.1/32

# Host C
[Peer]
PublicKey = censored
AllowedIPs = 10.1.1.2/32
```

**Host B - OpenWRT /etc/config/network configuration file**

```
root@OpenWrt:/etc# cat config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'censored::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'pppoe'
        option username 'censored'
        option password 'censored'
        option ipv6 'auto'

config device 'wan_dev'
        option name 'eth0.2'
        option macaddr 'censored'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'censored'
        option listen_port '51820'
        option route_allowed_ips '1'
        list addresses '10.1.1.1/24'
# Host A
config wireguard_wg0 'wg_client_host_A'
        option public_key 'censored'
        list allowed_ips '10.1.1.3/32'
# Host C
config wireguard_wg0 'wg_client_host_C'
        option public_key 'censored'
        list allowed_ips '10.1.1.2/32'
```

**Host C - WireGuard configuration file (CentOS)**
```
[Interface]
Address = 10.1.1.2/24
ListenPort = 51820
PrivateKey = censored

# Host B
[Peer]
PublicKey = censored
Endpoint = 192.168.1.1:51820
AllowedIPs = 10.1.1.1/32

# Host A
[Peer]
PublicKey = censored
AllowedIPs = 10.1.1.3/32
```

Re: WireGuard connecting hosts WAN->LAN

[Luis Ressel]

On Sat, Mar 14, 2020 at 04:33:44PM +0100, Germano Massullo wrote:
> I want to:
> 1) connect A to C passing through B. I don't want to expose C to
> internet at all, (so no things like port forwarding)
> 2) A must have C public key (and viceversa), so in case of B being
> compromised, the A<->C VPN will not be compromised.

The answer you quoted is correct. If you don't wish to set up port
forwarding, and C is thus not accessible from the internet at all, A
can't establish a tunnel with it.

You may want to consider setting up two tunnels on A:
* wg0 with B as the peer
* wg1 with C as the peer
and then route the encrypted packets of wg1 through wg0. The
disadvantage of this is that you're encrypting every packet twice, which
hurts performance and lowers the tunnel MTU.

Cheers,
Luis

Re: WireGuard connecting hosts WAN->LAN

[Kent Friis]

> Scenario:
> A = internet (WAN) host (WireGuard IP 10.1.1.3)
> B = OpenWRT router (WireGuard IP 10.1.1.1)
> C = LAN host (WireGuard IP 10.1.1.2)

What you have been told is correct for the case of A connecting to C.
there is no way for A to reach the Wireguard port on C without B
forwarding that port.

However, if you can turn it around and have C connect to A, assuming
the wireguard port on A is accessible from the internet, C will be able
to connect to A. Once the connection is established, traffic will flow
both ways.

Re: WireGuard connecting hosts WAN->LAN

[Germano Massullo]

Il 14/03/20 19:16, Luis Ressel ha scritto:
> On Sat, Mar 14, 2020 at 04:33:44PM +0100, Germano Massullo wrote:
>> I want to:
>> 1) connect A to C passing through B. I don't want to expose C to
>> internet at all, (so no things like port forwarding)
>> 2) A must have C public key (and viceversa), so in case of B being
>> compromised, the A<->C VPN will not be compromised.
> The answer you quoted is correct. If you don't wish to set up port
> forwarding, and C is thus not accessible from the internet at all, A
> can't establish a tunnel with it.
>
> You may want to consider setting up two tunnels on A:
> * wg0 with B as the peer
> * wg1 with C as the peer
> and then route the encrypted packets of wg1 through wg0. The
> disadvantage of this is that you're encrypting every packet twice, which
> hurts performance and lowers the tunnel MTU.
>
> Cheers,
> Luis

Hi Luis, thank you for the explanation
Have a nice day

Re: WireGuard connecting hosts WAN->LAN

[Bruno Wolff III]

On Sat, Mar 14, 2020 at 16:33:44 +0100,
  Germano Massullo <germano.massullo@gmail.com> wrote:
>A simple question to Wireguard developers, since while asking for help
>in OpenWRT forum[1] I have been told that I am asking a thing that
>Wireguard cannot do, so I want to ask upstream if it is possible or not
>
>Scenario:
>A = internet (WAN) host (WireGuard IP 10.1.1.3)
>B = OpenWRT router (WireGuard IP 10.1.1.1)
>C = LAN host (WireGuard IP 10.1.1.2)
>
>I want to:
>1) connect A to C passing through B. I don't want to expose C to
>internet at all, (so no things like port forwarding)
>2) A must have C public key (and viceversa), so in case of B being
>compromised, the A<->C VPN will not be compromised.
>
>In a few words, I want B to just route forwards packages from A to C.

This set of requirements seems odd.
Do you not trust C to be able to properly ignore unwanted packets?

It is possible to have C ignore layer 3 traffic (DHCP traffic is special) 
that is not using the tunnel. Inbound you block all traffic not 
destined for the tunnel's port. Outbound you block all traffic not 
tagged as tunnel traffic. (Wireguard provides a way to tag tunnel traffic.) 
The default route should be through the tunnel. Tunnel traffic should be 
routed through B. The configuration gets trickier if you want to send 
traffic to A's external address as then you have a routing dependency not 
based on the destination address. You can do this by having two routing 
tables using the tag to pick which table gets used.