Cannot get firewalld to accept Wireguard connections

I have been struggling to set up a simple mesh network with Wireguard and firewalld. My goal was to configure PC2 (10.0.0.3) in order to allow connections from PC1 (10.0.0.1). Just a simple connection, no VPN or anything like that, for now.

I am using Fedora Workstation 40, and I can’t seem to find the rule to make it work. Disabling the firewalld service works (ICMP, and other services like Cockpit and Torrent). Setting the target to ACCEPT works as well. Both machines are configured to use port 51820/udp, so I’m not really sure what else I should do.

I have finally come here because firewalld is used on Fedora, so maybe someone can help me figure out what I’m missing. I don’t even know if I should add masquerading, IP forwarding and so on, since the concepts sound so similar.

There is a handshake on both sides even when the ping doesn’t work, interestingly enough.

So far I have these rules applied:

FedoraWorkstation (default, active)
  target: DROP
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: wg0 wlp3s0
  sources: 
  services: ssh wireguard
  ports:
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

Wireguard .conf files on their respective machines:

PC1

[Interface]
Address = 10.0.0.1/32
PrivateKey = hidden
ListenPort = 51820

[Peer]
PublicKey = hidden
Endpoint = hidden:51820
AllowedIPs = 10.0.0.3/32

PC2

[Interface]
Address = 10.0.0.3/32
PrivateKey = hidden
ListenPort = 51820

[Peer]
PublicKey = hidden
Endpoint = hidden:51820
AllowedIPs = 10.0.0.1/32


I have wireguard and firewalld working on my Fedora power router.

What is the output of these commands for both ends of the wireguard tunnel?

  1. ip route
  2. ip addr

You do not need masquerade (that implements NAT).

Do you have wireguard service configured on both ends of the wireguard tunnel?

I’m worried about the DROP target. Any packet which is not matched will be dropped. Can you ssh into 10.0.0.1 and 10.0.0.3? The zone allows ssh and wireguard and is bound to both wlp3s0 and wg0.

If a connection works with firewalld off and does not work with firewalld on, you can set “log-denied” temporary to “ALL” in firewall-config or firewall-cmd, and follow the log with “journalctl -f” or “tail -f /var/log/messages”. If you ping the wg0 address and it is refused, it will be immediately logged.

The standard value for target is “default”.

This is embarrassing, but I eventually figured out that the DROP target is actually that restrictive. Since a handshake was happening on both ends, I realized data was actually being exchanged.

So I looked into allowing ICMP with “firewall-cmd --permanent --add-icmp-block-inversion” and “firewall-cmd --permanent --add-icmp-block=echo-request”. Then I allowed the respective ports for managing other WebUIs. Now everything works as intended. Sorry for the inconvenience.

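The zone semantics behind that fix, as an added example that is not from the thread: a small Python model of how a firewalld zone decides on one ICMP type, following the firewalld.zone(5) rules for target, icmp-blocks and icmp-block-inversion, fed constructed listings in `firewall-cmd --list-all` form. It deliberately ignores conntrack, so it models only unsolicited ICMP (replies to your own outgoing pings are accepted as established traffic before any zone rule runs).

```python
# Constructed zone listings in `firewall-cmd --list-all` form (trimmed to the
# settings that matter for ICMP). The first mirrors the zone from the thread,
# the second the zone after --add-icmp-block-inversion and
# --add-icmp-block=echo-request.
ZONE_ORIGINAL = """FedoraWorkstation (default, active)
  target: DROP
  icmp-block-inversion: no
  interfaces: wg0 wlp3s0
  services: ssh wireguard
  icmp-blocks:
"""

ZONE_FIXED = """FedoraWorkstation (default, active)
  target: DROP
  icmp-block-inversion: yes
  interfaces: wg0 wlp3s0
  services: ssh wireguard
  icmp-blocks: echo-request
"""


def parse_zone(listing: str) -> dict:
    """Turn `firewall-cmd --list-all` output into a dict of setting -> value."""
    zone = {}
    for line in listing.splitlines()[1:]:  # first line is the zone name
        key, _, value = line.strip().partition(":")
        zone[key] = value.strip()
    return zone


def _blocked(target: str) -> str:
    """An ICMP block is a DROP under a DROP target and a REJECT otherwise."""
    return "DROP" if target == "DROP" else "REJECT"


def icmp_verdict(zone: dict, icmp_type: str = "echo-request") -> str:
    """Verdict ("ACCEPT", "DROP" or "REJECT") for an unsolicited ICMP type."""
    target = zone.get("target", "default").strip("%")  # %%REJECT%% -> REJECT
    listed = icmp_type in set(zone.get("icmp-blocks", "").split())
    inverted = zone.get("icmp-block-inversion", "no") == "yes"
    if inverted:
        # Inversion: listed types are accepted, every other ICMP type is blocked
        return "ACCEPT" if listed else _blocked(target)
    if listed:
        return _blocked(target)
    # Nothing matched: the zone target decides. "default" accepts ICMP it has
    # no rule for, which is why the DROP target alone broke ping in the thread.
    return "ACCEPT" if target in ("default", "ACCEPT") else target
```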