From: Michael K. <mic...@ip...> - 2018-10-12 04:04:54
I like the checkbox option. Always better to give an option even if it is rarely changed I say.

Regards
Michael Knill

On 12/10/18, 1:41 pm, "Lonnie Abelbeck" <li...@lo...> wrote:

> Hi Dev minded,
>
> A few days back, Michael Knill authored a "[Astlinux-users] Access to VPN endpoint from external" topic.
>
> In the discussion I offered an allow_wireguard_openvpn() function in /mnt/kd/arno-iptables-firewall/custom-rules to allow WireGuard and OpenVPN to forward traffic.
>
> That got me thinking, perhaps we should have a Firewall sub-tab option to make this a standard feature ... then more thinking considering that WireGuard's config limits only AllowedIPs, I can't see any reason why WireGuard and OpenVPN can't safely forward traffic between themselves since WireGuard has allow rules of its own ... meaning no user option is really necessary.
>
> Proposal, when both WireGuard and OpenVPN Server-or-Client are enabled, then allow the firewall to forward packets between the two VPN types.
>
> Other than testing for both VPN types, the AIF code boils down to simply:
> --
> IF_TRUSTS="$IF_TRUSTS${IF_TRUSTS:+|}wg+ tun+"
> --
>
> This looks safe to be enabled by default, but for documentation purposes we could add a rc.conf variable and make it an option:
>
> ___ Allow WireGuard VPN tunnel(s) to OpenVPN tunnel(s)
>
> Should we add this as a Firewall feature? If so, should it be automatically enabled when both WireGuard and OpenVPN Server-or-Client are enabled, or add a rc.conf firewall option with a web interface checkbox?
>
> BTW, until WireGuard is ubiquitous, mixing both WireGuard and OpenVPN on the same box will be common.
>
> Lonnie
>
> _______________________________________________
> Astlinux-devel mailing list
> Ast...@li...
> https://lists.sourceforge.net/lists/listinfo/astlinux-devel
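An added example, not part of the thread and not AstLinux or arno-iptables-firewall code: it builds the IF_TRUSTS value from the quoted one-liner and checks which interface pairs the result would let the firewall forward between. It assumes "|" separates trust groups, that two different entries in one group may forward to each other, and that a trailing "+" is the iptables interface wildcard; the function names and the "eth1 eth2" group are hypothetical.

```shell
#!/bin/sh
# Added illustration; not AstLinux or arno-iptables-firewall code.

# Append the VPN trust group. ${1:+|} emits the "|" group separator
# only when the existing IF_TRUSTS value ($1) is non-empty.
add_vpn_trust() {
  printf '%s\n' "$1${1:+|}wg+ tun+"
}

# Does interface $2 match entry $1? A trailing "+" is the iptables
# interface wildcard, so "wg+" matches wg0, wg1, ...
if_match() {
  case "$1" in
    *+) case "$2" in "${1%+}"*) return 0 ;; esac ;;
    *)  [ "$1" = "$2" ] && return 0 ;;
  esac
  return 1
}

# trusted IF_TRUSTS in_if out_if: exit 0 when one group holds two
# different entries matching in_if and out_if (assumed semantics).
trusted() {
  old_ifs=$IFS; rc=1
  set -f; IFS='|'
  for group in $1; do
    IFS=' '
    for p_in in $group; do
      for p_out in $group; do
        [ "$p_in" != "$p_out" ] && if_match "$p_in" "$2" &&
          if_match "$p_out" "$3" && rc=0
      done
    done
  done
  set +f; IFS=$old_ifs
  return "$rc"
}

# Constructed sample: an existing trust group plus the proposed one.
t=$(add_vpn_trust "eth1 eth2")
for pair in "wg0 tun0" "tun0 wg0" "wg0 eth1" "wg0 wg1"; do
  set -- $pair
  if trusted "$t" "$1" "$2"; then r=forwarded; else r="not trusted"; fi
  echo "$1 -> $2: $r"
done
```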