AX23 wireguard client - firewall does not protect LAN/UI/dnsmasq for incoming connections over VPN

Yesterday
Model: Archer AX23  
Hardware Version: V2
Firmware Version: 1.1.2 Build 20250814 rel.14122(4555)

Hi,

I configured the WireGuard VPN client on a TP-Link Archer AX23 V2 running firmware 1.1.2 Build 20250814 rel.14122(4555) and discovered the following security problems:

1. The router's LAN is not protected against incoming traffic through the WireGuard tunnel, regardless of the 'NAT Enabled' setting in the VPN client configuration.

The only difference is: with 'NAT Enabled = YES' the source IP address of connections originating from the router's LAN is the WireGuard client IP address (masquerade), while with 'NAT Enabled = NO' the source IP is the LAN client IP address.

2. The router's http/https UI and dnsmasq server are always accessible over the VPN tunnel, also with 'NAT Enabled = YES'. I did not find firewall settings in the router's UI that allow filtering incoming traffic over the VPN.

Is it possible to configure the firewall for incoming traffic over the WireGuard VPN? If not, please add firewall configuration options for the VPN to the firmware.

#1
Re: AX23 wireguard client - firewall does not protect LAN/UI/dnsmasq for incoming connections over VPN
Yesterday

nmap scan of the router's WireGuard client IP address - scan executed from the WireGuard server that the router's WireGuard client was connected to:

# nmap -Av 192.168.100.100
...
Scanning 192.168.100.100 [1000 ports]
Discovered open port 80/tcp on 192.168.100.100
Discovered open port 53/tcp on 192.168.100.100
Discovered open port 443/tcp on 192.168.100.100
...
Not shown: 997 closed tcp ports (reset)
PORT    STATE SERVICE        VERSION
53/tcp  open  domain         dnsmasq 2.83
| dns-nsid:
|_  bind.version: dnsmasq-2.83
80/tcp  open  http           BusyBox http 1.19.4
|_http-title: Did not follow redirect to ...
| http-methods:
|_  Supported Methods: GET HEAD POST
443/tcp open  ssl/tcpwrapped

nmap scan of the router's LAN client with 'NAT Enabled = YES' in the router's WireGuard client config - scan executed from the WireGuard server that the router's WireGuard client was connected to:

# nmap -Av 192.168.0.220
...
Scanning 192.168.0.220 [1000 ports]
Discovered open port 22/tcp on 192.168.0.220
Discovered open port 111/tcp on 192.168.0.220
...
Not shown: 998 closed tcp ports (reset)
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 8.7 (protocol 2.0)
| ssh-hostkey:
...
111/tcp open  rpcbind 2-4 (RPC #100000)

#2
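The policy the first post asks for, written out as an nftables ruleset so the expected behaviour is concrete: the tunnel interface is treated like a WAN interface, so new connections arriving over it are dropped both towards the router's own services (the 53/80/443 ports seen in the first scan) and into the LAN (the 192.168.0.220 host seen in the second scan), while LAN clients can still initiate connections through the tunnel. This is an added illustration for a Linux-based router, not TP-Link firmware configuration and not something the AX23's stock UI exposes; the interface names wg0 and br-lan are assumed, and the addresses are taken from the scans in this thread.

```nft
#!/usr/sbin/nft -f
# Assumptions (not from the AX23 firmware): wg0 = WireGuard tunnel interface,
# br-lan = router LAN bridge, LAN = 192.168.0.0/24, tunnel address 192.168.100.100.
# Only the table below is defined; it would be merged into the router's existing
# firewall rather than replacing it.

table inet vpnfw {
    chain input {
        type filter hook input priority filter; policy drop;

        # Loopback and replies to connections the router itself opened
        # (this also covers the WireGuard UDP session the client initiated).
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Management UI (80/443) and dnsmasq (53) reachable from the LAN only.
        iifname "br-lan" tcp dport { 53, 80, 443 } accept
        iifname "br-lan" udp dport 53 accept
        # Remaining LAN-side services (DHCP etc.)
        iifname "br-lan" accept

        # Nothing new from the tunnel reaches the router's own services;
        # the counter makes blocked probes visible in 'nft list ruleset'.
        iifname "wg0" counter drop
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # LAN clients may open connections through the tunnel.
        iifname "br-lan" oifname "wg0" accept

        # Unsolicited connections from the tunnel into the LAN are dropped,
        # whether or not NAT is in use for outbound traffic.
        iifname "wg0" oifname "br-lan" counter drop
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # Equivalent of 'NAT Enabled = YES': LAN traffic leaving through the
        # tunnel carries the wg0 address as source. Drop this rule to get the
        # 'NAT Enabled = NO' behaviour described in the first post.
        oifname "wg0" masquerade
    }
}
```

With this in place a scan from the WireGuard server side would report the router's 53/80/443 and the LAN host as filtered rather than open, and the forward-chain counter gives a simple way to see whether anything on the server side is probing the LAN.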