Wireguard setup + firewall rules via CLI?

Finally, I got it working again. :slight_smile:

Set up WG on Fritzbox:

  1. Connect networks or establish special connections
  2. Has this WireGuard® connection already been set up at the remote connection? => select: No
  3. Should the new WireGuard® connection be used concurrently with an existing connection on the remote site? => select: No
  4. Is the connection to be made with a single device (laptop, smartphone, tablet), or a router that supports WireGuard® (such as a FRITZ!Box)? => select: Router with WireGuard® support
  5. Name of the WireGuard® connection => enter: RUTX11 (or some other name)
  6. Remote IPv4 network => enter: 192.168.11.0
  7. Subnet mask => enter: 255.255.255.0
  8. DNS domains => enter: fritz.box (this was pre-filled in my case)
  9. Send all IPv4 network traffic via the VPN connection => untick
  10. Allow NetBIOS over this connection => tick
  11. Only certain devices in the home network are to be accessible over this WireGuard® connection => untick
  12. This resulted in a wg_config.conf file that I downloaded - content anonymized:
[Interface]
PrivateKey = -------------------------------------------=
Address = 192.168.11.1/24
DNS = 192.168.178.21,192.168.178.1
DNS = fritz.box

[Peer]
PublicKey = -------------------------------------------=
PresharedKey = -------------------------------------------=
AllowedIPs = 192.168.178.0/24
Endpoint = ----------------.myfritz.net:-----
PersistentKeepalive = 25

Set up WG on RUTX11:

  1. Add new instance - New configuration name => enter: Home (or some other instance name)
  2. General settings - Enable => tick
  3. Private key => enter (from wg_config.conf file that you exported from Fritzbox): <value of [Interface]_PrivateKey>
  4. Public key => enter: nothing (really - leave this empty!)
  5. IP addresses => enter (from wg_config.conf file that you exported from Fritzbox): <value of [Interface]_Address> but replace last number of IP by 0 (zero), e.g.: 192.168.11.1/24 from wg_config.conf file translates to: 192.168.11.0/24 (when I left the 1, it did not let me save)
  6. Advanced settings - Metric => enter: 3
  7. Listen port => enter: 51820
  8. MTU => enter: 1280
  9. DNS servers => enter (from wg_config.conf file that you exported from Fritzbox): <value of [Interface]_DNS> (multiple rows possible): 192.168.178.1, fritz.box. As I do not want to use my Fritzbox DNS for the WG tunnel, I entered: 1.1.1.1 (=Cloudflare; 8.8.8.8=Google, etc.)
  10. Add new peer instance - Add new instance => enter: FB7590AX (or some other peer name)
  11. General settings - Public key => enter (from wg_config.conf file that you exported from Fritzbox): <value of [Peer]_PrivateKey>
  12. Endpoint host => enter (from wg_config.conf file that you exported from Fritzbox): <value of [Peer]_Endpoint> (e.g. 123456789abcdefg.myfritz.net, i.e. without the port, which comes later)
  13. Allowed IPs => enter: (from wg_config.conf file that you exported from Fritzbox): <value of [Peer]_AllowedIPs> (e.g. 192.168.178.0/24 in my case)
  14. Description => enter: Fritzbox 7590 AX ISDN (or some other description)
  15. Route allowed IPs => tick (in my case, as I want automatic firewall rules set, so all clients connected to RUTX11 can use the WG tunnel and reach all devices behind Fritzbox at home)
  16. Advanced settings - Tunnel source => select: Any
  17. Pre-shared key => enter (from wg_config.conf file that you exported from Fritzbox): <value of [Peer]_PresharedKey>
  18. Endpoint port => enter (from wg_config.conf file that you exported from Fritzbox): <port value of [Peer]_Endpoint> (only the port number)
  19. Persistent keep alive => enter (from wg_config.conf file that you exported from Fritzbox): <port value of [Peer]_PersistentKeepalive> (e.g. 25)
  20. Routing table => enter: nothing (i.e., leave empty)
  21. QR settings - Server IP => select: WIFI1 (192.168.178.64) (in my case, as this is the interface and IP as RUTX11 appears in Fritzbox network when connected via Wifi; another option could be: MOB1S1A1 (<some_IP>), which is IP of RUTX11 when connected to Internet via its mobile modem - I have not yet tested this; it is not possible to select both, i.e. one or the other)
  22. Tunnel addresses => enter: 192.168.11.2/32 (in my case, as RUTX11 DHCP range starts from 192.168.11.2 - I hope my understanding is correct)
  23. Peer allowed IPs => select: All IPv4 (0.0.0.0/0) and All IPv6 (::/0 ) (There is also LAN (192.168.11.0/24) in my case, but I do not know what this is for. When I also selected this, the WG tunnel was closed/did not work anymore, if I remember it correctly.)
  24. QR code - Generate => do not click
  25. Save & Apply
  26. Save & Apply

Recap of my setup:

  1. Fritzbox (at home), IP: 192.168.178.1 - with multiple clients
  2. RUTX11 (in car), IP: 192.168.11.1 - with multiple clients
    Clients on both ends should be able to connect with clients on the other side. I know that I could restrict this, but as a first step, this is ok for me.

Next steps for me will be to understand whether the aforementioned settings make sense to the experts here, if there is something I should change, and then eventually come up with some basic script that supports this process a bit via CLI, i.e. importing the wg_config.conf file from Fritzbox into RUTX11 and let its magic do the rest, so the user does not have to go through all these GUI menus. Ideally, the script will ask questions like “Do you want to allow all clients to use all clients on the other side” etc., in words that the less savvy user understands well enough to take a correct decision. Personally, I am definitely not yet at this stage.

So, thanks a lot for everybody’s comments and help - I very much appreciate it! :heart:
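As an added example (not the poster's script and not Teltonika's or AVM's code), here is a small POSIX shell sketch of the CLI import idea from the post above: it parses the exported wg_config.conf, derives the values the RUTX11 steps ask for (network address with the last octet set to 0 as in step 5, endpoint host and port split as in steps 12 and 18) and prints the matching uci commands instead of running them, so the output can be checked first. The interface name `wg0`, the peer section name `fb_peer` and the uci option names (`private_key`, `endpoint_host`, `endpoint_port`, `route_allowed_ips`, ...) are the standard OpenWrt wireguard options and are an assumption here; verify them on the RUTX11 with `uci show network` before applying anything. Note that the output contains the private key in clear text, so keep it out of shell history and shared terminals.

```shell
#!/bin/sh
# Added example: turn a FRITZ!Box wg_config.conf into uci commands for an
# OpenWrt-style router such as the RUTX11. Prints only; nothing is applied.
# Assumptions (not from the original post): interface "wg0", peer section
# "fb_peer", standard OpenWrt wireguard uci option names.

# Print the value of KEY inside [SECTION] (first match), trimmed.
wg_get() {  # usage: wg_get FILE SECTION KEY
    awk -v sec="[$2]" -v key="$3" '
        { sub(/\r$/, "") }                      # tolerate CRLF files
        $0 == sec { in_sec = 1; next }           # enter the wanted section
        /^\[/     { in_sec = 0 }                 # any other section ends it
        in_sec && $0 ~ ("^" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit
        }
    ' "$1"
}

# Convert host/prefix to network/prefix, e.g. 192.168.11.1/24 -> 192.168.11.0/24
# (works for any prefix length, not only /24 as in the post).
wg_network() {  # usage: wg_network ADDRESS/PREFIX
    ip=${1%/*}; len=${1#*/}
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    net=$(( n & mask ))
    printf '%d.%d.%d.%d/%d\n' $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$len"
}

# Emit the uci commands for the RUTX11 side (dry run: review, then pipe to sh).
wg_to_uci() {  # usage: wg_to_uci wg_config.conf [ifname]
    conf=$1; ifn=${2:-wg0}
    priv=$(wg_get "$conf" Interface PrivateKey)
    addr=$(wg_get "$conf" Interface Address)
    pub=$(wg_get "$conf" Peer PublicKey)          # [Peer] PublicKey, not PrivateKey
    psk=$(wg_get "$conf" Peer PresharedKey)
    allowed=$(wg_get "$conf" Peer AllowedIPs)
    ep=$(wg_get "$conf" Peer Endpoint)
    ka=$(wg_get "$conf" Peer PersistentKeepalive)
    if [ -z "$priv" ] || [ -z "$pub" ] || [ -z "$ep" ] || [ -z "$addr" ]; then
        echo "wg_to_uci: required keys missing in $conf" >&2
        return 1
    fi
    cat <<EOF
uci set network.$ifn=interface
uci set network.$ifn.proto='wireguard'
uci set network.$ifn.private_key='$priv'
uci set network.$ifn.listen_port='51820'
uci set network.$ifn.mtu='1280'
uci add_list network.$ifn.addresses='$(wg_network "$addr")'
uci set network.fb_peer=wireguard_$ifn
uci set network.fb_peer.public_key='$pub'
uci set network.fb_peer.preshared_key='$psk'
uci set network.fb_peer.endpoint_host='${ep%:*}'
uci set network.fb_peer.endpoint_port='${ep##*:}'
uci add_list network.fb_peer.allowed_ips='$allowed'
uci set network.fb_peer.route_allowed_ips='1'
uci set network.fb_peer.persistent_keepalive='${ka:-25}'
EOF
}

# Stand-alone use: ./wg2uci.sh wg_config.conf [ifname]
if [ $# -gt 0 ]; then
    wg_to_uci "$@"
fi
```

The DNS lines are deliberately left out because the post prefers a public resolver inside the tunnel rather than the FRITZ!Box entries; the listen port and MTU are the fixed values from steps 7 and 8. Run it once, read the printed commands, and only then pipe them into `sh` followed by `uci commit network` and a network reload.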