Wireguard: Limit client access to internet

Hi! I am using latest wireguard docker image primarily as private VPN to connect from public wifis.
So the default config where all VPN Clients get internet access is fine for me.

Now I want to provide a windows vm to a friend and I don’t want to expose the RDP port to the public. So my idea was to give him access to my wireguard vpn and only allow traffic from his client to the windows vm, but not to the rest of the network.

It works if I set the AllowedIPs = RDP-Server, in the client-config, but as this config is on the client side he’d be able to route all his traffic through my wireguard easily by changing the value.

Is there a way to limit the access of a client on the serverside?
I tried SERVER_ALLOWEDIPS_PEER_maxRDPtest=IP_OF_RDP
but that didn’t change anything.

Thank you very much for any help!

you would need to do it in iptables on the wg host. it’s not something we will help with, but take his ip and just allow to X and block to y

Thank you for the quick reply.

The suggested solution would be overwritten every time the docker host reboots… I’ll try to figure something out. Thank you anyway!

if it is our container, put the iptables rules into the wg0 or use a startup script.

Hi @mhmuc1,

did you solve your question?

I am using the wireguard docker container with a compose.yaml. I have to provide a wg0.conf file to the container.

Within it, I provide the config for the access. Here is an extract of that file.

[Interface]
Address = 10.10.11.1
ListenPort = 51820
PrivateKey = xxxx

# Services on the home network
# 192.168.1.4 Unifi
# 192.168.1.3 AdGuard (Docker)
# 192.168.30.18 AI-on-the-Edge water meter
# 192.168.30.20 HomeAssistant (Docker)
# 192.168.30.21 espHome Server (Docker)
# 192.168.40.40 Synology
# 192.168.70.2 Ubuntu Docker Server
# 192.168.70.3 Graylog (Docker)
# 192.168.70.5 Portainer (Docker)
# 192.168.100.1 VLAN gateway for internet access

# Access from phonecs to the listed IP addresses on the home network; everything else is blocked.
# PostUp appends (-A) the rules when the interface comes up.
PostUp = iptables -A FORWARD -i %i -s 10.10.11.2 -d 192.168.1.1,192.168.1.4,192.168.1.3,192.168.30.18,192.168.30.20,192.168.30.21,192.168.40.40,192.168.70.2,192.168.70.3,192.168.70.5,192.168.70.6,192.168.100.1 -j ACCEPT; iptables -A FORWARD -i %i -s 10.10.11.2 -d 192.168.0.0/16 -j REJECT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
# PostDown must delete (-D) the same rules, otherwise every restart appends a duplicate set.
PostDown = iptables -D FORWARD -i %i -s 10.10.11.2 -d 192.168.1.1,192.168.1.4,192.168.1.3,192.168.30.18,192.168.30.20,192.168.30.21,192.168.40.40,192.168.70.2,192.168.70.3,192.168.70.5,192.168.70.6,192.168.100.1 -j ACCEPT; iptables -D FORWARD -i %i -s 10.10.11.2 -d 192.168.0.0/16 -j REJECT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE



[Peer]
# peer_phonecs
PublicKey = yyyy
PresharedKey = zzzz
AllowedIPs = 10.10.11.2/32

@all: I would be very happy if I could get some feedback on my config.
(I used ChatGPT to come up with this and I am not sure if I fully understood the config… :slight_smile: )

best regards,
Chris

If you are using it in server mode (you currently are) you don’t need to provide a conf. It automatically creates all of them

@aptalca: Well, that is true unless you want restrictions like the ones I mentioned, because that’s not working automatically.

@schneich: Just give it a try and see if it works. I solved it with a startup script that’s creating the iptables rules now.
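The startup-script approach mentioned above, as an added example that is not code from the thread or from the container image: it puts the per-peer rules in their own iptables chain so that PostUp can be re-run safely and PostDown removes everything. The peer address, host list and script path are assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or the linuxserver image: restrict one
# WireGuard peer to an allowlist of LAN hosts with a dedicated iptables chain,
# so re-running on every "wg0 up" never duplicates rules and "down" removes them.
# Peer address, networks and hosts below are constructed placeholders.
PEER_IP="10.10.11.2"                  # tunnel address of the restricted peer
ALLOWED_HOSTS="192.168.1.4 192.168.30.20 192.168.40.40"   # what the peer may reach
DENY_NET="${DENY_NET:-0.0.0.0/0}"     # everything else; use 192.168.0.0/16 to keep internet access
CHAIN="WG_PEER_$(printf '%s' "$PEER_IP" | tr . _)"      # -> WG_PEER_10_10_11_2
IPT="${IPT:-iptables}"                # IPT=echo prints the commands instead of applying them

# One iptables rule per line. The FORWARD jump (see up) already matches the
# interface and the peer's source address, so the chain only needs -d matches.
# Order matters: explicit ACCEPTs first, then the catch-all REJECT.
gen_rules() {
    for host in $ALLOWED_HOSTS; do
        echo "-A $CHAIN -d $host -j ACCEPT"
    done
    echo "-A $CHAIN -d $DENY_NET -j REJECT"
}

up() {
    wg_if="$1"
    $IPT -N "$CHAIN" 2>/dev/null || true     # create chain if missing
    $IPT -F "$CHAIN"                         # flush so reapplying is idempotent
    gen_rules | while read -r rule; do
        $IPT $rule
    done
    # -C reports whether the jump already exists; only insert it once, at the top.
    $IPT -C FORWARD -i "$wg_if" -s "$PEER_IP" -j "$CHAIN" 2>/dev/null \
        || $IPT -I FORWARD 1 -i "$wg_if" -s "$PEER_IP" -j "$CHAIN"
}

down() {
    wg_if="$1"
    $IPT -D FORWARD -i "$wg_if" -s "$PEER_IP" -j "$CHAIN" 2>/dev/null || true
    $IPT -F "$CHAIN" 2>/dev/null || true
    $IPT -X "$CHAIN" 2>/dev/null || true
}

# wg0.conf (assumed path):  PostUp = /config/wg-peer-restrict.sh up %i
#                           PostDown = /config/wg-peer-restrict.sh down %i
case "$1" in
    up)   up "${2:-wg0}" ;;
    down) down "${2:-wg0}" ;;
esac
```

Because the client's own AllowedIPs only affects what the client routes into the tunnel, the FORWARD chain on the host is the only place the restriction actually holds regardless of what the peer configures.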