gravitl / netmaker

Netmaker makes networks with WireGuard. Netmaker automates fast, secure, and distributed virtual networks.
https://netmaker.io

Feature request: Allow filtering of peer Allowed IPs per node #1836

Open taladar opened 1 year ago

taladar commented 1 year ago

Sometimes it is useful to have the vast majority of nodes on a network reach an egress subnet or IP address via the VPN but one or two nodes should not, e.g. because they are connected to that network or IP via other means and the routes conflict or lead to asymmetric routing (that IP contacts the node outside the VPN, the node routes the response via the VPN and the egress node NATs it and so the response is discarded).

So it would be useful if a node had some kind of "never allowed peer CIDRs" setting and filtered the list of allowed IPs of its peers via that setting.

afeiszli commented 1 year ago

This exists already via ACLs. You can set "default ACL rule" per node to either allow or deny. So, simply switch a node to "deny", and then by default, nodes will not have access to it.

taladar commented 1 year ago

This is not about blocking entire nodes, this is about filtering individual allowed IPs or subnets, specifically those of hosts which are reached via egress nodes and which will not know anything about the VPN themselves but which will use services on some of the nodes which are part of the VPN.

The use case we are currently facing here is that of trying to use egress routes to allow employees to access IP-restricted services on non-netmaker-aware hosts. Usually something like a dev server where the IP restriction allows skipping a basic auth protection, or SSH which is limited to some known IPs.

Let's call the host that hosts such a service A.

To allow the netmaker nodes to access it I configured the IP restriction to include the IP of a netmaker node on host B which is on a hosted server with a static IP. Then I configured the netmaker node on host B as an egress node and added the IP for host A to the egress routes.

This works fine for most nodes on the network, in particular for the nodes employees would use.

However, where this breaks down is for host C, which offers some services used (via host C's public address, not the VPN) by host A. The requests from A to C now go the same public route they always have, but the responses from C to A go via the netmaker VPN, are NATed to host B's address and then discarded at host A because it did not expect a response from B's public address; it expected one from C's public address.

Now it is of course possible to work around this with complex policy routing setups, but it would be much easier if it were just possible to not include A's address in C's Allowed IPs for the WireGuard peer B at all.

I still need the VPN to be able to route other traffic between B and C though, including some other egress networks.
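The per-node filtering described above, as an added example in Go that is not Netmaker's own code: a node-local deny list of CIDRs is carved out of one peer's AllowedIPs, and when a denied address sits inside a larger allowed prefix (host A inside an egress /24) only that part is dropped, not the whole route. Function names and the addresses used in the comments are assumptions for illustration.

```go
package main

import "net/netip"

// splitPrefix halves a canonical (masked) prefix into its two children one bit longer.
func splitPrefix(p netip.Prefix) (lo, hi netip.Prefix) {
	bits := p.Bits()
	b, off := p.Addr().As16(), 0 // IPv4 occupies the last 4 bytes of the 16-byte form
	if p.Addr().Is4() {
		off = 12
	}
	b[off+bits/8] |= 0x80 >> (bits % 8) // set the first host bit: the upper child
	lo = netip.PrefixFrom(p.Addr(), bits+1)
	hi = netip.PrefixFrom(netip.AddrFrom16(b).Unmap(), bits+1)
	return lo, hi
}

// subtract returns the parts of allowed that are not covered by deny.
func subtract(allowed, deny netip.Prefix) []netip.Prefix {
	if deny.Bits() <= allowed.Bits() && deny.Contains(allowed.Addr()) {
		return nil // deny covers all of allowed: drop the whole entry
	}
	if !allowed.Contains(deny.Addr()) {
		return []netip.Prefix{allowed} // disjoint (or different family): keep as is
	}
	// deny lies strictly inside allowed: keep the half without it, recurse into the other
	lo, hi := splitPrefix(allowed)
	if lo.Contains(deny.Addr()) {
		return append([]netip.Prefix{hi}, subtract(lo, deny)...)
	}
	return append([]netip.Prefix{lo}, subtract(hi, deny)...)
}

// FilterAllowedIPs applies a node-local "never allowed peer CIDRs" list (hypothetical
// setting) to one peer's AllowedIPs, carving denied ranges out of larger allowed prefixes.
func FilterAllowedIPs(allowed, deny []netip.Prefix) []netip.Prefix {
	cur := make([]netip.Prefix, 0, len(allowed))
	for _, a := range allowed {
		cur = append(cur, a.Masked())
	}
	for _, d := range deny {
		var next []netip.Prefix
		for _, a := range cur {
			next = append(next, subtract(a, d.Masked())...)
		}
		cur = next
	}
	return cur
}
```

Run on node C with peer B's AllowedIPs and a deny list holding host A's address, the result is the AllowedIPs to write into the WireGuard config, with B's own VPN address and every other egress range still present.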