Since I don't want friends and colleagues in my VPN to use my VPN server as a proxy VPN for "anonymous" surfing, I want to disable the default route for the VPN. In a nutshell:
- LAN (10.20.0.0/24) must be accessible
- WAN (0.0.0.0/0) must be inaccessible
I was unable to find a WireGuard setting to do this except configuring the AllowedIPs directive in the client config. But what kind of security does that provide?? Anyone can easily edit his/her config, replace 10.20.0.0/24 with 0.0.0.0/0, and use my VPN as a proxy...
My next approach was to delete the iptables rule that permits the forwarding from the VPN subnet to the WAN. But somehow I cannot delete the affected rule. If I create a similar rule (same subnet, same policy) I can delete it, but I am prevented from deleting the WireGuard rule somehow.
The rule in question has been marked with `-->` in the following output:

```
root@[...]:~# iptables -L FORWARD
Chain FORWARD (policy DROP)
target     prot opt source         destination
...
    ACCEPT     all  --  anywhere       10.6.0.0/24    ctstate RELATED,ESTABLISHED /* wireguard-forward-rule */
--> ACCEPT     all  --  10.6.0.0/24    anywhere       /* wireguard-forward-rule */
```

Commands that I have tried to get rid of this rule:

```
root@[...]:~# iptables -D FORWARD -s 10.6.0.0/24 -j ACCEPT
iptables: Bad rule (does a matching rule exist in that chain?).
```
If I add the same rule again (without the comment):
```
root@[...]:~# iptables -L FORWARD
Chain FORWARD (policy DROP)
target     prot opt source         destination
...
    ACCEPT     all  --  anywhere       10.6.0.0/24    ctstate RELATED,ESTABLISHED /* wireguard-forward-rule */
--> ACCEPT     all  --  10.6.0.0/24    anywhere       /* wireguard-forward-rule */
--> ACCEPT     all  --  10.6.0.0/24    anywhere
root@[...]:~# iptables -D FORWARD -s 10.6.0.0/24 -j ACCEPT
root@[...]:~#
```
No problem... :|
Note: If you need further logs/output, please let me know. Thanks in advance!
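Added example, not code from the original post: a script that enforces the LAN-only policy in the server's FORWARD chain, where a peer cannot edit it away, and that removes the post's broad rule by replaying its exact `iptables -S` specification (`-D` only matches the full original spec, the comment module included, which is why the plain `-D` above fails). The peer subnet 10.6.0.0/24 and the LAN 10.20.0.0/24 are taken from the post; no interface names are assumed, and `IPT=echo` previews the rules without root.

```shell
#!/bin/sh
# Added example, not code from the original post: enforce "VPN peers reach the
# LAN only" in the server's FORWARD chain, where a peer cannot edit it away.
# Subnets come from the post; the iptables binary is overridable (IPT=echo)
# so the rule set can be previewed without root.
set -eu

WG_NET="${WG_NET:-10.6.0.0/24}"     # WireGuard peer subnet (from the post's output)
LAN_NET="${LAN_NET:-10.20.0.0/24}"  # the only destination peers may open connections to
IPT="${IPT:-iptables}"
TAG="wg-lan-only"                   # comment carried by the rules this script owns

# Delete every FORWARD rule whose comment contains $1, whatever other matches
# (-i wg0, -o eth0, ...) it carries: -D only succeeds with the exact original
# spec, so replay each `iptables -S` line with -A swapped for -D.
remove_forward_rules_tagged() {
    "$IPT" -S FORWARD | grep -F -- "$1" | sed 's/^-A /-D /' |
    while IFS= read -r spec; do
        eval "$IPT $spec"   # eval keeps quoted comments in the spec intact
    done
}

# Inserted at the head of FORWARD (each -I lands at position 1, so they are
# issued in reverse), ahead of any remaining broad ACCEPT rule.
lan_only_forward_rules() {
    # 3rd: anything else from the peer subnet, i.e. the WAN, is refused
    "$IPT" -I FORWARD -s "$WG_NET" -m comment --comment "$TAG" -j REJECT --reject-with icmp-net-prohibited
    # 2nd: peers may open connections to the LAN
    "$IPT" -I FORWARD -s "$WG_NET" -d "$LAN_NET" -m comment --comment "$TAG" -j ACCEPT
    # 1st: replies to connections the peers opened may come back
    "$IPT" -I FORWARD -d "$WG_NET" -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "$TAG" -j ACCEPT
}

apply_lan_only_policy() {
    remove_forward_rules_tagged "wireguard-forward-rule"  # both rules from the post
    remove_forward_rules_tagged "$TAG"                    # own rules, for idempotent re-runs
    lan_only_forward_rules
}

case "${1:-}" in
    apply) apply_lan_only_policy ;;
    *) echo "usage: $0 apply   (IPT=echo $0 apply previews the rules)" ;;
esac
```

If the broad rule is (re)installed by a startup hook of the VPN service, it reappears at the next interface start and the hook has to be changed as well.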