Wireguard: Limit client access to internet

Hi! I am using latest wireguard docker image primarily as private VPN to connect from public wifis.
So the default config where all VPN Clients get internet access is fine for me.

Now I want to provide a windows vm to a friend and I don’t want to expose the RDP port to the public. So my idea was to give him access to my wireguard vpn and only allow traffic from his client to the windows vm, but not to the rest of the network.

It works if I set the AllowedIPs = RDP-Server, in the client-config, but as this config is on the client side he’d be able to route all his traffic through my wireguard easily by changing the value.

Is there a way to limit the access of a client on the serverside?
but that didn’t change anything.

Thank you very much for any help!

you would need to do it in iptables on the wg host. it’s not something we will help with, but take his ip and just allow to X and block to y

Thank you for the quick reply.

The suggested solution would be overwritten everytime the docker-host reboots… I’ll try to figgur something out. Thank you anyway!

if it is our container, put the iptables rules into the wg0 or use a startup script.

Hi @mhmuc1,

did you solve your question?

I am using the wiregard docker container with a compose.yaml. I have to provide a wg0.conf file to the container.

Within, I provide the config for the access. Here an extract of that file.

Address =
ListenPort = 51820
PrivateKey = xxxx

# Dienste im Heimnetzwerk
# Unifi
# AdGuard (Docker)
# AI-on-the-Edge Wasseruhr
# HomeAssistant (Docker)
# espHome Server (Docker)
# Synology
# Ubuntu Docker Server
# Graylog (Docker)
# Portainer (Docker)
# VLAN-Gateway für Zugriff auf Internet

# Zugriff von phonecs auf angegeben IP-Adressen im Heimnetzwerk, alles andere wird unterbunden.
PostUp = iptables -A FORWARD -i %i -s -d,,,,,,,,,,, -j ACCEPT; iptables -A FORWARD -i %i -s -d -j REJECT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
PostDown = iptables -A FORWARD -i %i -s -d,,,,,,,,,,, -j ACCEPT; iptables -A FORWARD -i %i -s -d -j REJECT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE

# peer_phonecs
PublicKey = yyyy
PresharedKey = zzzz
AllowedIPs =

@ all: I would be very happy, if I could get a feedback on my config.
(I used ChatGPT to come up with this and I am not sure, if I fully understood the config… :slight_smile: )

best regards,

If you are using it in server mode (you currently are) you don’t need to provide a conf. It automatically creates all of them

@aptalca : Well that is true unless you want restrictions as the ones I mentioned, because that’s not working automatically.

@schneich: Just give it a try and see if it works. I solved it with a startup script that’s creating the iptable-rules now.