ESET Online Help


Using WireGuard with Web access protection

Issue

If Web Access Protection (WAP) is used together with WireGuard brought up by wg-quick, either from the command line or as a service, internet connectivity may be lost while both the WAP and WireGuard interfaces are enabled. The cause is a rule that wg-quick adds to nftables when it brings an interface up. Assume the interface is wg0 with the IP address 10.10.10.2. The rule is added to the table wg-quick-wg0, chain preraw, and looks like this:

iifname != "wg0" ip daddr 10.10.10.2 fib saddr type != local drop

The purpose of this rule is to provide some protection against configuration issues and malicious packets: it drops any packet that arrives on an interface other than wg0, is addressed to the wg0 address 10.10.10.2, and carries a source address that is not local to the host.

Workaround

On a properly configured and secured system, the nftables rule should not be necessary, and configuring wg-quick not to leave that rule in place should fix the connection issues. For example, edit the configuration file for the affected interface and, in the [Interface] section, add the following PostUp action:

PostUp = nft flush chain wg-quick-wg0 preraw

Note that the wg-quick-wg0 name applies only to the “wg0” interface and has to be changed accordingly for other interfaces. If you still want some level of protection, you can replace the rule with a weaker one that additionally exempts the loopback interface, for example:

PostUp = nft flush chain wg-quick-wg0 preraw; nft 'add rule wg-quick-wg0 preraw iifname != "wg0" iif != "lo" ip daddr 10.10.10.2 fib saddr type != local drop'

Remember that every mention of “wg0” must be updated if the interface is not “wg0”, and the IP address must be updated if it is not 10.10.10.2.
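The following shell script is an added example, not ESET's or the WireGuard project's code. It generalizes the workaround above to any interface name and address: it reads the IPv4 address from the wg-quick configuration file so that the PostUp line does not have to be edited by hand, and it checks a captured dump of the preraw chain for the strict rule so an administrator can confirm whether the rule is still in place after bringing the interface up. The function names, the sample configuration (with a placeholder key) and the chain dump are constructed for illustration.

```shell
#!/bin/bash
# Added example (not part of the ESET page or of wg-quick): generate the
# weaker preraw rule for any WireGuard interface and verify a chain dump.

# Print the PostUp line that flushes wg-quick's preraw chain and re-adds the
# weaker rule (the one that also requires iif != "lo").
# $1 = interface name (e.g. wg0), $2 = interface IPv4 address (e.g. 10.10.10.2)
wg_postup_weaker_rule() {
    local iface="$1" addr="$2" table
    table="wg-quick-$iface"
    printf "PostUp = nft flush chain %s preraw; nft 'add rule %s preraw iifname != \"%s\" iif != \"lo\" ip daddr %s fib saddr type != local drop'\n" \
        "$table" "$table" "$iface" "$addr"
}

# Print the first IPv4 address from the Address= line of a wg-quick config
# (prefix length stripped, IPv6 entries skipped). $1 = path to the config file.
wg_conf_ipv4() {
    sed -n 's/^[[:space:]]*Address[[:space:]]*=[[:space:]]*//p' "$1" \
        | tr ',' '\n' \
        | sed 's/[[:space:]]//g; s#/.*##' \
        | grep -m1 -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
}

# Return 0 if a captured "nft list chain ip wg-quick-<iface> preraw" dump still
# contains the strict rule (no iif != "lo" exemption), 1 otherwise.
# $1 = interface name, $2 = interface IPv4 address, $3 = file holding the dump
wg_strict_rule_present() {
    grep -Fq "iifname != \"$1\" ip daddr $2 fib saddr type != local drop" "$3"
}

# Constructed sample config and chain dump for a stand-alone run (not real data).
demo_dir=$(mktemp -d)
cat > "$demo_dir/wg1.conf" <<'EOF'
[Interface]
PrivateKey = PLACEHOLDER_NOT_A_REAL_KEY
Address = 10.20.30.4/24, fd00::4/64
ListenPort = 51820
EOF
cat > "$demo_dir/chain.txt" <<'EOF'
table ip wg-quick-wg1 {
    chain preraw {
        type filter hook prerouting priority raw; policy accept;
        iifname != "wg1" ip daddr 10.20.30.4 fib saddr type != local drop
    }
}
EOF

addr=$(wg_conf_ipv4 "$demo_dir/wg1.conf")
echo "Add this line to the [Interface] section of wg1.conf:"
wg_postup_weaker_rule wg1 "$addr"
if wg_strict_rule_present wg1 "$addr" "$demo_dir/chain.txt"; then
    echo "strict rule is present on wg1; the PostUp line has not taken effect yet"
else
    echo "strict rule is not present on wg1"
fi
rm -r "$demo_dir"
```

On a live system, replace the constructed chain dump with the output of `nft list chain ip wg-quick-wg1 preraw` after running `wg-quick up wg1`; the check should then report that the strict rule is absent once the PostUp line is in place.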