Comments (9)
Adding 192.168.5.5/32 with the list of services resolves the issue.
"Acls": {
"Policies": {
"*": {
"Mfa": [
"192.168.5.5/32 icmp 22/tcp",
"192.168.5.0/24"
],
"Allow": [
]
}
}
However, to be frank, I'd prefer to have access to all ports without enumerating them. Is that possible?
from wag.
Hi there.
This happens because a rule for 192.168.5.5/32 is inserted into the ebpf firewall.
Due to the kernel data structure I have to use to match up addresses (longest prefix trie) the most specific route is what ends up controlling data flow.
I.e the rules defined in a /32 override rules defined in a /24
Unfortunately it's a bit of a limitation give datastructutes we've got to use.
In your case. A Dns entry is added to the /32 that is your dns ip address.
You should be able to just add 192.168.5.5
instead of having to define a port and that will append an allow any/any rule to the /32 for your dns server allowing all ports.
from wag.
I am having a lot of troubles making a local/internal DNS work into WAG.
Can you please give some advice on how to do it ?
I just need a simple dnsmasq for the internal wireguard network, that reads IPs from hosts file.
If I just build a "simple/classic" wireguard "star" network it works fine, but into WAG always gets blocked by its internal firewall.
The DNS IP the you put into "general" setting always gets blocked on port 53 even if It's rules into WAG say otherwise.
Very confused about the issue, tried everything, but I am unable to make it work.
Maybe I'm missing something about the logic of it ?
from wag.
I think this is a seperate issue to the original please open your own issue to discuss that there.
from wag.
You should be able to just add
192.168.5.5
instead of having to define a port and that will append an allow any/any rule to the /32 for your dns server allowing all ports.
Adding 192.168.5.5/32 to the MFA block makes DNS (192.168.5.5/32, port 53) inaccessible in non-authorized mode.
from wag.
Have you tried adding it to the public block instead
from wag.
I did, didn't help (both too) and to boot I need it only in the mfa block.
from wag.
Yeah so Mfa rules take precedence over public rules so you can't accidentally set something public when you have a conflicting Mfa rule.
What's happening here is that the any/any Mfa rule matches the 53/udp of dns and thus blocks it.
So you need to have the Mfa directive be specific to a port/port range instead of any/any
from wag.
right, thanks for the explanation, closing
from wag.
Related Issues (20)
- Default value of NAT in config is null HOT 2
- Generated Peer Config Lacks Port
- [Bug] MFA details are revealed in server log (admin access only)
- [Bug] Locking/Resetting MFA not deauthorising device HOT 1
- [Bug] Resetting MFA doesnt change MFA HOT 1
- [Bug] Unable to logout 8.0.0-beta2
- [Bug] Event Errors should not be bytes
- [Bug] Failing to initalise one MFA method disables all other methods
- [Bug] OIDC reports "unsupported protocol"
- BGP for Route Distribution HOT 4
- Websocket liveness check
- Wag check fails to report error
- Oidc set user groups fails if user has no memebership
- External State Management HOT 4
- OIDC `preferred_username` HOT 8
- Re-open issue
- Issues over mobile hotspot HOT 2
- Access to the ManagementUI HOT 11
- Register device has error HOT 1
- Membership information missing for newly created user
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from wag.