Wireguard limiting peers to Internet browsing only

[Geoffrey_Cleaves]

Hi. How could I create a Wireguard tunnel which will only allow peers to browse the Internet using my home IP address? I want to block complete access to my LAN and Unraid box.

 

I tried using the community VPN Manager interface with the firewall option to deny to my local LAN and tunnel IP address, but the peers can still access my Unraid server's file shares and HTTP management site.

 

Any tips? Thanks!

[bonienl]

A wireguard tunnel terminates on your Unraid server, you can not deny peer access to your server, unless you use a different device (router) to terminate the WG tunnel.

 

The WG configuration has a limited firewall function to allow or deny access to other devices in your network. A simple solution would be to define your local network, e.g. 192.168.1.0/24 and deny access.

 

[Geoffrey_Cleaves]

I would expect that adding a combination of firewall rules it would be possible to prevent access to any services on the Unraid host and only allow forwarding to the Internet.

Edited July 27, 2020 by Geoffrey_Cleaves

[bonienl]

The WG tunnel terminates internally to the system and bypasses the firewall (iptables) function.

 

[Ruato]

On 7/27/2020 at 11:41 AM, bonienl said:

The WG tunnel terminates internally to the system and bypasses the firewall (iptables) function.

 

 

Is this still the status? That is, no way to restrict the wireguard clients' access to Unraid server services / dockers via iptables?

Additionally, are you aware if there are any plans to enhance the Unraid wireguard firewall functionalities?

 

Thank you!

[kiwijunglist]

Any updates on this?