pirate / wireguard-docs

📖 Unofficial WireGuard Documentation: Setup, Usage, Configuration, and full example setups for VPNs supporting both servers & roaming clients.
https://docs.sweeting.me/s/wireguard
MIT License

Isolated subnets for each peer #33

Closed GiannisRallis closed 4 years ago

GiannisRallis commented 4 years ago

Hello, I want to create a wireguard server for some clients only for internet access but I want to isolate them from each other. I don't want them to ping each other or be discovered. I used iptables but no result. Can anyone help me?

olafrv commented 4 years ago

Hello, I want to create a wireguard server for some clients only for internet access but I want to isolate them from each other. I don't want them to ping each other or be discovered. I used iptables but no result. Can anyone help me?

Give this a try: since wireguard can run in a docker container per user, have one interface per user?

pirate commented 4 years ago

I don't think docker is solving the specific issue that @GiannisRallis is asking about, though it might not be a bad tangent to investigate for other reasons.

I think what you're looking for can be accomplished with a single wireguard instance (no need for separate docker containers) by giving each client its own interface & subnet, and not adding the iptables rules to forward between the different subnets on any relay servers.

e.g.

Server config for client 1 /etc/wireguard/wg0.conf:

[Interface]
...
Address = 10.0.40.1/24

[Peer]
...
AllowedIPs = 10.0.40.2/32

Server config for client 2 /etc/wireguard/wg1.conf:

[Interface]
...
Address = 10.0.41.1/24

[Peer]
...
AllowedIPs = 10.0.41.2/32

Server config for client 3 /etc/wireguard/wg2.conf:

[Interface]
...
Address = 10.0.42.1/24

[Peer]
...
AllowedIPs = 10.0.42.2/32

etc.
Client config for client 1 /etc/wireguard/wg0.conf:

[Interface]
...
Address = 10.0.40.2/32

[Peer]
...
Endpoint = server.example-vpn.tld:51820
AllowedIPs = 0.0.0.0/0, ::/0

Client config for client 2 /etc/wireguard/wg0.conf:

[Interface]
...
Address = 10.0.41.2/32

[Peer]
...
Endpoint = server.example-vpn.tld:51820
AllowedIPs = 0.0.0.0/0, ::/0

etc.

pirate commented 4 years ago

Just talked to Jason and he said this is actually doable without needing separate interfaces by using the iptables FORWARDING table to restrict traffic to only allow Wireguard <-> Ethernet forwarding and not Wireguard <-> Wireguard.
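A concrete form of that FORWARD-chain approach, as an added example that is not code from this thread or from wireguard-docs: the interface names wg0 and eth0 and the helper names are assumptions, and the generated PostUp/PostDown lines are meant for the server's [Interface] section.

```shell
#!/bin/sh
# Added example (not from the issue thread): FORWARD-chain rules that let every
# WireGuard peer reach the internet through the server's uplink while the server
# refuses to forward wg -> wg traffic, so peers cannot reach each other.
WG_IF="${WG_IF:-wg0}"     # WireGuard interface (assumed name)
WAN_IF="${WAN_IF:-eth0}"  # uplink interface (assumed name)

# Print the rules as "iptables ..." command lines. ACTION is -A (add) or -D
# (delete), so one list serves both PostUp and PostDown in wg-quick.
# Order matters: the wg->wg DROP must come before any blanket "-i wg0 -j ACCEPT"
# already present in FORWARD, otherwise that ACCEPT wins and peers stay reachable.
wg_isolation_rules() {
    action="$1"; wg="$2"; wan="$3"
    # Peer <-> peer: packet enters on wg0 and would leave on wg0 again. Drop it.
    echo "iptables $action FORWARD -i $wg -o $wg -j DROP"
    # Peer -> internet, and internet -> peer only for replies to existing flows.
    echo "iptables $action FORWARD -i $wg -o $wan -j ACCEPT"
    echo "iptables $action FORWARD -i $wan -o $wg -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # NAT the tunnel addresses on the way out so replies come back via the server.
    echo "iptables -t nat $action POSTROUTING -o $wan -j MASQUERADE"
}

# Render a PostUp/PostDown pair for the server's [Interface] section.
wg_quick_hooks() {
    up=$(wg_isolation_rules -A "$1" "$2" | paste -s -d ';' -)
    down=$(wg_isolation_rules -D "$1" "$2" | paste -s -d ';' -)
    printf 'PostUp = %s\nPostDown = %s\n' "$up" "$down"
}

# Verify on a live server: exit 0 only if the wg->wg DROP rule is installed.
check_peer_isolation() {
    iptables -S FORWARD 2>/dev/null | grep -q -- "-i $1 -o $1 -j DROP"
}

if [ "${1:-}" = "apply" ]; then
    wg_isolation_rules -A "$WG_IF" "$WAN_IF" | sh -e   # needs root
elif [ "${1:-}" = "hooks" ]; then
    wg_quick_hooks "$WG_IF" "$WAN_IF"
fi
```

After applying, a peer at 10.0.40.2 pinging 10.0.40.3 should get no reply while internet traffic still works; `check_peer_isolation wg0` confirms the DROP rule is in place.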