Score:2

Wireguard - How to only tunnel some of the traffic


Is it possible to set up the Wireguard server so that only a list of ips [A, B, C,...] is tunneled via Wireguard - while the rest of the traffic is ignored and goes through the non-Wireguard interface?

Said differently, I'm trying to give access to a Wireguard VPN to some external people but I don't want them to be able to use the VPN to browse other ips/sites than the ones I specified (while letting them do whatever they want on their own non-VPN interface/connection).

Thanks

Score:1

You can use iptables.
Replace eth0 with the network interface that connects to the internet and 10.6.0.1/24 with your client subnet.

Insert this somewhere in your Wireguard config below `[Interface]`:

```ini
# Drop all outgoing packets from the client subnet
PreUp = iptables -I FORWARD -s 10.6.0.1/24 -o eth0 -j DROP
## Add your exceptions here
```

For example:

```ini
[Interface]
PrivateKey = ...
Address = 10.6.0.1/24
MTU = 1420
ListenPort = 51820

## Before interface wg0 is up
# Drop all outgoing packets from the client subnet
PreUp = iptables -I FORWARD -s 10.6.0.1/24 -o eth0 -j DROP
# Allow clients to connect to the local network 192.168.0.1/24
PreUp = iptables -I FORWARD -s 10.6.0.1/24 -d 192.168.0.1/24 -j ACCEPT
# Allow clients to connect to tcp port 80 (usually http) on 10.10.0.5
PreUp = iptables -I FORWARD -s 10.6.0.1/24 -d 10.10.0.5 -p tcp --dport 80 -j ACCEPT

## After interface wg0 is down
PostDown = iptables -D FORWARD -s 10.6.0.1/24 -o eth0 -j DROP
PostDown = iptables -D FORWARD -s 10.6.0.1/24 -d 192.168.0.1/24 -j ACCEPT
PostDown = iptables -D FORWARD -s 10.6.0.1/24 -d 10.10.0.5 -p tcp --dport 80 -j ACCEPT

[Peer]
...
```

For a seamless experience on the client's side you also have to configure the AllowedIPs in the client's config. Otherwise the clients will try to use the VPN to access the internet and those requests will just time out.

Following the example above, the client's config could look like this:

```ini
[Interface]
PrivateKey = ...
Address = 10.6.0.2/24
DNS = 10.6.0.1

[Peer]
PublicKey = ...
AllowedIPs = 192.168.0.1/24, 10.10.0.5
Endpoint = ...
PresharedKey = ...
```

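An added helper, not part of the answer or of the WireGuard project, that keeps the two halves of this setup in sync: it derives the server's `PreUp`/`PostDown` lines and the client's `AllowedIPs` from a single allowlist, and reports any client `AllowedIPs` entry that no server `ACCEPT` rule covers (traffic to such a destination enters the tunnel and is then dropped, which is the time-out described above). The values are the answer's own (`eth0`, `10.6.0.1/24`, `192.168.0.1/24`, `10.10.0.5` tcp/80); the allowlist format and function names are assumptions.

```python
"""Derive matching WireGuard server firewall rules and client AllowedIPs."""
import ipaddress

# Destinations clients may reach: (network, proto, port); proto None = any traffic.
# Sample allowlist constructed from the answer's example.
ALLOWLIST = [
    ("192.168.0.1/24", None, None),   # whole local network
    ("10.10.0.5", "tcp", 80),         # one host, HTTP only
]
CLIENT_SUBNET = "10.6.0.1/24"   # WireGuard client subnet, as in the answer
WAN_IFACE = "eth0"              # interface that reaches the internet


def server_rules(allowlist=ALLOWLIST, client_subnet=CLIENT_SUBNET, wan=WAN_IFACE):
    """PreUp/PostDown lines for the server's [Interface] section.
    Every rule uses -I, so the DROP goes in first and each ACCEPT inserted
    afterwards lands above it in the FORWARD chain, exactly as the answer does."""
    tails = [f"-o {wan} -j DROP"]   # default: drop client traffic leaving via the WAN
    for net, proto, port in allowlist:
        tail = f"-d {net}"
        if proto:
            tail += f" -p {proto} --dport {port}"
        tails.append(tail + " -j ACCEPT")

    def rule(action, tail):
        return f"iptables {action} FORWARD -s {client_subnet} {tail}"

    return ([f"PreUp = {rule('-I', t)}" for t in tails]
            + [f"PostDown = {rule('-D', t)}" for t in tails])


def client_allowed_ips(allowlist=ALLOWLIST):
    """AllowedIPs expresses destinations only, never ports: a port-restricted
    entry still becomes the whole host; the server's iptables rule enforces the port."""
    nets = {ipaddress.ip_network(n, strict=False) for n, _, _ in allowlist}
    return "AllowedIPs = " + ", ".join(str(n) for n in sorted(nets))


def unreachable_entries(allowed_ips, allowlist=ALLOWLIST):
    """Entries of a client's AllowedIPs line that no server ACCEPT rule covers.
    strict=False accepts the page's '192.168.0.1/24' host-bits style."""
    permitted = [ipaddress.ip_network(n, strict=False) for n, _, _ in allowlist]
    bad = []
    for entry in allowed_ips.replace("AllowedIPs =", "").split(","):
        net = ipaddress.ip_network(entry.strip(), strict=False)
        if not any(net.version == p.version and net.subnet_of(p) for p in permitted):
            bad.append(str(net))
    return bad


if __name__ == "__main__":
    print("\n".join(server_rules()))
    print(client_allowed_ips())
    print(unreachable_entries("192.168.0.1/24, 10.10.0.5, 0.0.0.0/0"))
```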

RabidTunes:
Question, in a setup where there's only one client and I have full control over their config (I can forbid them to touch the config file), would it be enough with just having the `AllowedIPs` restricted to those IPs you want it to access? Or would I require also the iptables part anyway?
Trigus:
If you can trust the client in that the `AllowedIPs` won't be changed in the config file or after the interface has been brought up (for example, if untrusted commands are run as a user that can't modify the config file or use the `wg` command to change the interface), then you should be fine. You can test this yourself by pinging a non-allowed IP over the wg interface:

```
From <interface_address> icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Required key not available
```

(https://techoverflow.net/2021/07/09/what-does-wireguard-allowedips-actually-do/)
RabidTunes:
Thanks! Yes, I can trust the client and I'm 100% certain that it won't be changed, so this is perfect.