Closed GiannisRallis closed 4 years ago
Hello, I want to create a WireGuard server for some clients, only for internet access, but I want to isolate them from each other. I don't want them to be able to ping or discover each other. I used iptables but got no result. Can anyone help me?
Give this a try: since WireGuard can run in a Docker container per user, you could have one interface per user.
I don't think docker is solving the specific issue that @GiannisRallis is asking about, though it might not be a bad tangent to investigate for other reasons.
I think what you're looking for can be accomplished with a single WireGuard instance (no need for separate Docker containers) by giving each client its own interface & subnet, and not adding the iptables rules to forward between the different subnets on any relay servers.
e.g.

Server config for client 1, `/etc/wireguard/wg0.conf`:

```ini
[Interface]
...
Address = 10.0.40.1/24
[Peer]
...
AllowedIPs = 10.0.40.2/32
```

Server config for client 2, `/etc/wireguard/wg1.conf`:

```ini
[Interface]
...
Address = 10.0.41.1/24
[Peer]
...
AllowedIPs = 10.0.41.2/32
```

Server config for client 3, `/etc/wireguard/wg2.conf`:

```ini
[Interface]
...
Address = 10.0.42.1/24
[Peer]
...
AllowedIPs = 10.0.42.2/32
```

etc.

Client config for client 1, `/etc/wireguard/wg0.conf`:

```ini
[Interface]
...
Address = 10.0.40.2/32
[Peer]
...
Endpoint = server.example-vpn.tld:51820
AllowedIPs = 0.0.0.0/0, ::/0
```

Client config for client 2, `/etc/wireguard/wg0.conf`:

```ini
[Interface]
...
Address = 10.0.41.2/32
[Peer]
...
Endpoint = server.example-vpn.tld:51820
AllowedIPs = 0.0.0.0/0, ::/0
```

etc.
Just talked to Jason and he said this is actually doable without needing separate interfaces by using the iptables `FORWARDING` table to restrict traffic to only allow WireGuard <-> Ethernet forwarding and not WireGuard <-> WireGuard.