Context

I successfully integrated WireGuard in my LAN so I could access my NAS (192.168.1.45) from the outside.

|Router|     ===:5182=> |VPN server|        ====> |NAS|
192.168.1.254           192.168.1.21 (wlan0)      192.168.1.45
                        10.10.10.1 (wg0)

Packets forwarding through my VPN server relies on:

  1. ip forwarding in /etc/sysctl.conf (cf. my script)
  2. the following rules, added (-A) when the WireGuard interface (wg0) is up:
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o $main_nic -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o $main_nic -j MASQUERADE

(this is the command WireGuard executes when I stop wg0)

PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o $main_nic -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o $main_nic -j MASQUERADE

Need

This works like a charm, but how could I restrict things so a client entering my LAN through this VPN entry point could only access 192.168.1.45 and no other IP? Is it compatible with ip forwarding?

Ideally, if this could be entirely managed in WireGuard's PostUp/PostDown directives (independently of the previous rules on the system), this would be amazing. I tried some things but, let's face it, I am more of a developer than a network administrator.

zar3bski

1 Answer

Sure you can, instead of arbitrarily allowing traffic, just make sure it goes to the destination IP you expect:

-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i wg0 -d 192.168.1.45 -j ACCEPT

As a side note, I wouldn't add and remove rules in the PostUp and PostDown hooks; it isn't useful to remove them when the interface no longer exists, as they don't do anything in that case. Just leave them there all the time; it's less error-prone and easier to manage.

Ginnungagap
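One way to put the answer's two rules into a self-contained PostUp/PostDown script, as an added example that is not from the question or the answer: a dedicated chain is inserted at the top of FORWARD so it applies even if a blanket "-i wg0 -j ACCEPT" rule is still present, and it ends in an explicit REJECT so the restriction does not depend on the FORWARD chain's default policy. The interface names, the 10.10.10.0/24 tunnel subnet and the NAS address are assumptions taken from the diagram above; IPv6 is left out for brevity.

```shell
#!/bin/sh
# Added example (not the page's own config): restrict wg0 forwarding to one
# LAN host via a dedicated chain. Assumed names: wg0, wlan0, 10.10.10.0/24
# (tunnel subnet) and 192.168.1.45 (NAS); override via the environment.
set -eu

WG_IF="${WG_IF:-wg0}"
LAN_IF="${LAN_IF:-wlan0}"
WG_NET="${WG_NET:-10.10.10.0/24}"
NAS="${NAS:-192.168.1.45}"
CHAIN="WG_FWD"

# Rules to run on PostUp, one command per line.
wg_up_rules() {
    # Own chain: every packet entering from the tunnel is judged here.
    echo "iptables -N $CHAIN"
    # Replies to connections the client already opened to the NAS.
    echo "iptables -A $CHAIN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # New connections only to the NAS, nothing else on the LAN.
    echo "iptables -A $CHAIN -d $NAS -m conntrack --ctstate NEW -j ACCEPT"
    # Anything else from the tunnel is refused, whatever the FORWARD policy is.
    echo "iptables -A $CHAIN -j REJECT --reject-with icmp-admin-prohibited"
    # Insert at position 1 so an earlier blanket ACCEPT cannot bypass the chain.
    echo "iptables -I FORWARD 1 -i $WG_IF -j $CHAIN"
    # Source NAT only for tunnel addresses leaving on the LAN NIC.
    echo "iptables -t nat -A POSTROUTING -s $WG_NET -o $LAN_IF -j MASQUERADE"
}

# Mirror of wg_up_rules for PostDown.
wg_down_rules() {
    echo "iptables -D FORWARD -i $WG_IF -j $CHAIN"
    echo "iptables -t nat -D POSTROUTING -s $WG_NET -o $LAN_IF -j MASQUERADE"
    echo "iptables -F $CHAIN"
    echo "iptables -X $CHAIN"
}

# Self-check: exactly one ACCEPT targets the NAS and the chain ends in REJECT.
wg_rules_ok() {
    rules="$(wg_up_rules)"
    [ "$(printf '%s\n' "$rules" | grep -c -- "-d $NAS .* -j ACCEPT")" -eq 1 ] || return 1
    printf '%s\n' "$rules" | grep -q -- "-j REJECT" || return 1
}

# Usage: ./wg-fwd.sh up|down applies the rules (as root); anything else prints.
case "${1:-print}" in
    up)   wg_up_rules | sh -e ;;
    down) wg_down_rules | sh -e ;;
    *)    wg_up_rules ;;
esac
```

With the script saved as /etc/wireguard/wg-fwd.sh, the hooks become "PostUp = /etc/wireguard/wg-fwd.sh up" and "PostDown = /etc/wireguard/wg-fwd.sh down", replacing the PostUp/PostDown lines shown in the question.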