Firewall HOME and WireGuard not such a good idea?

  • LE has 3 firewall options: off, home and public.

    The home option blocks everything incoming except private networks:

    • 192.168.x.x
    • 172.16.x.x
    • 10.x.x.x

    However, the 10.x.x.x range is also used by WireGuard, and would leave it potentially open to access from your VPN provider.

    Is that a correct assessment?

  • Correct, although I'd rephrase it as a general problem with commercial VPN services. It's nothing specific to WireGuard, and not all WireGuard configurations use class A addressing, although that's probably true for commercial services.

  • Would it be possible to add more profiles? One for VPN users, for example.

    And would this go into the LE backup/restore?


    The unit file for WireGuard in LibreELEC (official) 12.0.1 is different compared to the wiki.

    The one from the wiki works; the one in LE 12.0.1 unfortunately does not. I updated mine to be variable; however, it is limited to the first VPN connection found. This way I do not have to edit

    [Unit]
    Description=WireGuard VPN Service
    # Wait for networking, DNS, time sync and connman's VPN daemon before connecting
    After=network-online.target nss-lookup.target wait-time-sync.service connman-vpn.service
    Before=kodi.service

    [Service]
    Type=oneshot
    RemainAfterExit=yes
    # Pick the first connman service whose id starts with vpn_ (the last field of
    # the matching `connmanctl services` line) and connect/disconnect it
    ExecStart=/usr/bin/sh -c "connmanctl connect $(connmanctl services|awk '/vpn_/{print $NF;exit}')"
    ExecStop=/usr/bin/sh -c "connmanctl disconnect $(connmanctl services|awk '/vpn_/{print $NF;exit}')"

    [Install]
    WantedBy=multi-user.target

    Edited once, last by Elicity: Merged a post created by Elicity into this post. (December 26, 2024 at 6:29 PM).

  • You can add a custom firewall profile to suit your needs, and since the profile file(s) are stored under /storage/.config/iptables they will be included in any backups you take using the LE settings add-on.

    NB: I don't see any issues with the WireGuard sample template running on my own setup.
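As an added example (not LibreELEC's own code, and not posted by anyone in this thread), the script below generates a custom profile of the kind the last reply describes: it keeps the three private ranges from the first post, written as RFC 1918 CIDR blocks, but drops unsolicited traffic arriving through the WireGuard tunnel before those ACCEPT rules are reached, so the provider's side of the tunnel cannot use the shared 10.0.0.0/8 rule. Everything about the file is an assumption to verify against the shipped home/public profiles on your own box: that profiles under /storage/.config/iptables are iptables-restore files, the file name vpn.rules, and the tunnel interface name wg0 (check `ip link` while the VPN is up and pass the real name as the first argument).

```shell
#!/bin/sh
# Added example, not LibreELEC code. Builds a "home"-like firewall profile that
# additionally drops new inbound traffic from the WireGuard tunnel interface.
#
# Assumptions (not from the thread; verify on your box):
#  - profile files in /storage/.config/iptables use iptables-restore syntax;
#  - the tunnel interface is named wg0 (override via the first argument);
#  - the file name vpn.rules is arbitrary.

# Print an iptables-restore profile for the given tunnel interface name.
make_vpn_profile() {
    wg_if="${1:-wg0}"   # assumed interface name
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and replies to connections we opened ourselves (VPN traffic included)
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Difference from "home": block new inbound traffic from the tunnel *before*
# the private-range rules, whatever source address the far end chooses to use
-A INPUT -i ${wg_if} -j DROP
# RFC 1918 ranges listed in the first post, as CIDR blocks
-A INPUT -s 10.0.0.0/8 -j ACCEPT
-A INPUT -s 172.16.0.0/12 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -j ACCEPT
COMMIT
EOF
}

# Returns 0 if the tunnel DROP precedes the 10.0.0.0/8 ACCEPT in the given
# rule text. Rule order matters: the first match wins, so an ACCEPT placed
# earlier would let the provider's 10.x.x.x traffic through.
check_order() {
    rules="$1"
    drop_line=$(printf '%s\n' "$rules" | grep -n -- '-j DROP' | head -n1 | cut -d: -f1)
    accept_line=$(printf '%s\n' "$rules" | grep -n -- '-s 10.0.0.0/8' | head -n1 | cut -d: -f1)
    [ -n "$drop_line" ] && [ -n "$accept_line" ] && [ "$drop_line" -lt "$accept_line" ]
}

# Write the profile into the profile directory (defaults to the LE location,
# which the settings add-on backup covers) and print the resulting path.
# Usage: install_vpn_profile wg0 [/storage/.config/iptables]
install_vpn_profile() {
    wg_if="${1:-wg0}"
    dir="${2:-/storage/.config/iptables}"
    rules=$(make_vpn_profile "$wg_if")
    check_order "$rules" || { echo "rule order wrong, refusing to write" >&2; return 1; }
    mkdir -p "$dir"
    printf '%s\n' "$rules" > "$dir/vpn.rules"
    echo "$dir/vpn.rules"
}
```

After writing the file, select the new profile from the LE settings add-on's firewall option (or however your LE version activates custom profiles) and confirm with `iptables -S INPUT` that the `-i wg0 -j DROP` line sits above the `10.0.0.0/8` ACCEPT. Replies to connections the box opens over the tunnel still work because of the RELATED,ESTABLISHED rule; only connections initiated from the provider's side are refused.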