Hi! I am using the latest WireGuard Docker image primarily as a private VPN to connect from public Wi-Fi.
So the default config where all VPN clients get internet access is fine for me.
Now I want to provide a Windows VM to a friend and I don't want to expose the RDP port to the public. So my idea was to give him access to my WireGuard VPN and only allow traffic from his client to the Windows VM, but not to the rest of the network.
It works if I set AllowedIPs = RDP-Server in the client config, but since this config is on the client side he'd be able to route all his traffic through my WireGuard easily by changing the value.
Is there a way to limit the access of a client on the serverside?
I tried SERVER_ALLOWEDIPS_PEER_maxRDPtest=IP_OF_RDP
but that didn’t change anything.
I am using the WireGuard Docker container with a compose.yaml. I have to provide a wg0.conf file to the container.
Within it, I provide the config for the access. Here is an extract of that file.
[Interface]
Address = 10.10.11.1
ListenPort = 51820
PrivateKey = xxxx
# Services in the home network
# 192.168.1.4 Unifi
# 192.168.1.3 AdGuard (Docker)
# 192.168.30.18 AI-on-the-Edge Wasseruhr
# 192.168.30.20 HomeAssistant (Docker)
# 192.168.30.21 espHome Server (Docker)
# 192.168.40.40 Synology
# 192.168.70.2 Ubuntu Docker Server
# 192.168.70.3 Graylog (Docker)
# 192.168.70.5 Portainer (Docker)
# 192.168.100.1 VLAN gateway for internet access
# Access from phonecs to the listed IP addresses in the home network; everything else is blocked.
PostUp = iptables -A FORWARD -i %i -s 10.10.11.2 -d 192.168.1.1,192.168.1.4,192.168.1.3,192.168.30.18,192.168.30.20,192.168.30.21,192.168.40.40,192.168.70.2,192.168.70.3,192.168.70.5,192.168.70.6,192.168.100.1 -j ACCEPT; iptables -A FORWARD -i %i -s 10.10.11.2 -d 192.168.0.0/16 -j REJECT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
# PostDown must remove the rules again (-D), otherwise every up/down cycle appends a duplicate set
PostDown = iptables -D FORWARD -i %i -s 10.10.11.2 -d 192.168.1.1,192.168.1.4,192.168.1.3,192.168.30.18,192.168.30.20,192.168.30.21,192.168.40.40,192.168.70.2,192.168.70.3,192.168.70.5,192.168.70.6,192.168.100.1 -j ACCEPT; iptables -D FORWARD -i %i -s 10.10.11.2 -d 192.168.0.0/16 -j REJECT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE
[Peer]
# peer_phonecs
PublicKey = yyyy
PresharedKey = zzzz
AllowedIPs = 10.10.11.2/32
@all: I would be very happy if I could get some feedback on my config.
(I used ChatGPT to come up with this and I am not sure if I fully understood the config…)
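The restriction the post asks for has to live on the server, in the FORWARD chain, not in the client's AllowedIPs (which only decides what the client's own host routes into the tunnel; SERVER_ALLOWEDIPS_PEER_* in the linuxserver image, as far as I know, only sets AllowedIPs in the peer configs the image generates, so it has no effect on a hand-written wg0.conf). What makes a server-side filter trustworthy is WireGuard's cryptokey routing: a decrypted packet whose inner source address is not in that peer's AllowedIPs is dropped, so `-s 10.10.11.3` in iptables really means "traffic from the friend's key", whatever he changes on his side. The following is an added example script, not code from the original post and not the linuxserver image's own code; the tunnel network 10.10.11.0/24, the friend's peer address 10.10.11.3, the VM address 192.168.40.50 and the RDP port 3389 are assumptions chosen for the example:

```shell
#!/bin/sh
# Added example: server-side per-peer ACL for a WireGuard "server" brought up by wg-quick
# (e.g. the linuxserver/wireguard container). Not part of the original post.
# Hypothetical addressing chosen for this example:
#   tunnel 10.10.11.0/24, friend's peer 10.10.11.3/32 (its AllowedIPs in the server's [Peer]),
#   Windows VM 192.168.40.50, RDP on tcp/3389.

WG_IF="${WG_IF:-wg0}"
RDP_PEER="10.10.11.3"
RDP_VM="192.168.40.50"
RDP_PORT="3389"

# Print the iptables commands. $1 = "up" (-A, for PostUp) or "down" (-D, for PostDown).
# Order matters on "up": the per-peer REJECT must be evaluated before any blanket
# "-i wg0 -j ACCEPT" rule, otherwise the REJECT is never reached.
peer_rules() {
    case "$1" in
        up)   op="-A" ;;
        down) op="-D" ;;
        *)    echo "usage: peer_rules up|down" >&2; return 1 ;;
    esac
    # 1. The restricted peer may only open RDP to the VM. Replies from the VM enter the
    #    chain with -o wg0 (rule 4), so no conntrack rule is needed here.
    echo "iptables $op FORWARD -i $WG_IF -s $RDP_PEER/32 -d $RDP_VM/32 -p tcp --dport $RDP_PORT -j ACCEPT"
    # 2. Everything else from that peer: home LAN, other peers AND the internet.
    #    (No -d here: limiting it to -d 192.168.0.0/16 would still leave internet access open.)
    echo "iptables $op FORWARD -i $WG_IF -s $RDP_PEER/32 -j REJECT"
    # 3./4. Trusted peers (your own phone) keep full forwarding in both directions.
    echo "iptables $op FORWARD -i $WG_IF -j ACCEPT"
    echo "iptables $op FORWARD -o $WG_IF -j ACCEPT"
    # 5. NAT towards the internet for the peers that are allowed to get there.
    echo "iptables -t nat $op POSTROUTING -o eth+ -j MASQUERADE"
}

# Sanity check: the peer REJECT (rule 2) precedes the blanket ACCEPT (rule 3).
acl_order_ok() {
    rules=$(peer_rules up)
    rej=$(printf '%s\n' "$rules" | grep -n -- "-s $RDP_PEER/32 -j REJECT" | cut -d: -f1)
    acc=$(printf '%s\n' "$rules" | grep -n -- "-i $WG_IF -j ACCEPT" | cut -d: -f1)
    [ -n "$rej" ] && [ -n "$acc" ] && [ "$rej" -lt "$acc" ]
}

# Render the two lines to paste into the [Interface] section of wg0.conf.
conf_lines() {
    printf 'PostUp = %s\n'   "$(peer_rules up   | paste -s -d ';' -)" | sed 's/;/; /g'
    printf 'PostDown = %s\n' "$(peer_rules down | paste -s -d ';' -)" | sed 's/;/; /g'
}

case "${1:-}" in
    show)  peer_rules up ;;
    conf)  conf_lines ;;
    apply) acl_order_ok && peer_rules up | sh ;;   # needs root inside the container
    *)     ;;                                       # no argument: only define the functions
esac
```

`sh wg-peer-acl.sh conf` prints the PostUp and PostDown lines to paste into wg0.conf (set `WG_IF='%i'` first if you prefer wg-quick's interface placeholder); the friend then gets a server-side `[Peer]` entry with `AllowedIPs = 10.10.11.3/32` and nothing else. After `wg-quick up`, `iptables -L FORWARD -v -n` shows the rules in order, and the packet counter on the REJECT rule should climb when the friend tries anything other than RDP to the VM, while your own peer's traffic still hits the blanket ACCEPT.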