Score:0

Wireguard limiting access to services and machines in local network

ua flag

I'm running a Wireguard "Server" in my local network, that i reach remotely through my static public IP. I want to be able to limit access to Wireguard remote peers to services/machines in my lan, where i host other server.

Example: Server 1 (192.168.1.23 | 10.0.0.1) with Wireguard installed + Nextcloud + Jellyfin in same machine Server 2 (192.168.1.62) with Photoprism

Remote peer 1 (10.0.0.2 | dynamic ip) Remote peer 2 (10.0.0.3 | dynamic ip)

I want to:

1- Allow peer1 (10.0.0.2) to access Server 1 Nextcloud + Jellyfin and access to Server 2 to Photoprism.

2- Allow Peer2 (10.0.0.3) to only access Server 1 Nextcloud but not Jellyfin and block access to Server 2

Right now i can access all machines in my lan from all Peers.

Iptables rules:

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o enp0s7 -j MASQUERADE; iptables -t nat -A POSTROUTING -o wg0
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o enp0s7 -j MASQUERADE; iptables -t nat -D POSTROUTING -o wg0

I followed this tutorial, from Justin Ludwig because Site to Point topology is very similar to mine. So i tried to replicate Iptables rules with these rules:

# masquerading
PreUp = iptables -t mangle -A PREROUTING -i wg0 -j MARK --set-mark 0x200
PreUp = iptables -t nat -A POSTROUTING ! -o wg0 -m mark --mark 0x200 -j MASQUERADE
PostDown = iptables -t mangle -D PREROUTING -i wg0 -j MARK --set-mark 0x200
PostDown = iptables -t nat -D POSTROUTING ! -o wg0 -m mark --mark 0x200 -j MASQUERADE

# wireguard ingress
PreUp = iptables -I INPUT -p udp --dport 2332 -j ACCEPT
PostDown = iptables -D INPUT -p udp --dport 2332 -j ACCEPT

# site firewall
PreUp = iptables -N wg0-filter
PreUp = iptables -N to-photoprism
PreUp = iptables -N to-jellyfin
PreUp = iptables -N to-nextcloud

PreUp = iptables -I INPUT   -i wg0 -j wg0-filter
PreUp = iptables -I FORWARD -i wg0 -j wg0-filter
PreUp = iptables -I FORWARD -o wg0 -j wg0-filter
PreUp = iptables -I OUTPUT  -o wg0 -j wg0-filter

PreUp = iptables -A wg0-filter -m state --state ESTABLISHED,RELATED -j ACCEPT
PreUp = iptables -A wg0-filter -d 192.168.1.63  -p tcp --dport   2342 -j to-photoprism
PreUp = iptables -A wg0-filter -d 192.168.1.23  -p tcp --dport   8096 -j to-jellyfin
PreUp = iptables -A wg0-filter -d 192.168.1.23  -p tcp --dport     80 -j to-nextcloud
PreUp = iptables -A wg0-filter -j REJECT

PreUp = iptables -A to-photoprism     -s 10.0.0.2    -j ACCEPT

PreUp = iptables -A to-jellyfin       -s 10.0.0.2    -j ACCEPT
PreUp = iptables -A to-jellyfin       -s 10.0.0.3    -j ACCEPT

PreUp = iptables -A to-nextcloud      -s 10.0.0.2    -j ACCEPT
PreUp = iptables -A to-nextcloud      -s 10.0.0.3    -j ACCEPT

PostDown = iptables -D INPUT   -i wg0 -j wg0-filter
PostDown = iptables -D FORWARD -i wg0 -j wg0-filter
PostDown = iptables -D FORWARD -o wg0 -j wg0-filter
PostDown = iptables -D OUTPUT  -o wg0 -j wg0-filter

PostDown = iptables -F to-photoprism
PostDown = iptables -F to-jellyfin
PostDown = iptables -F to-nextcloud

PostDown = iptables -X to-photoprism
PostDown = iptables -X to-jellyfin
PostDown = iptables -X to-nextcloud

This didn't worked, Peer 1 and Peer 2 can reach Server 1, both services, but not Server 2.

I'm not so savvy to understand what i have to change to make this work, I would be happy if someone can chime in.

Thanks in advance

Score:0
cn flag

Overall your iptables rules look good to me; although:

  1. In the question description, you mention Server 2 has an IP address of 192.168.1.62; but in in the iptables rules, you seem to be using 192.168.1.63 for it:

     iptables -A wg0-filter -d 192.168.1.63  -p tcp --dport   2342 -j to-photoprism
    

    Is that a typo in one place or the other?

  2. In the description, you mention Peer 2 (10.0.0.3) should not have access to Jellyfin; but in the iptables rules, you grant it access with this line:

     iptables -A to-jellyfin       -s 10.0.0.3    -j ACCEPT
    

    Perhaps you meant to remove this rule?

  3. I don't see any PostDown commands to tear down the wg0-filter chain, like you have for the other custom chains; make sure you include them:

     PostDown = iptables -F wg0-filter
     PostDown = iptables -X wg0-filter
    

    Without these tear-down commands, if you make changes and restart, the wg0-chain may end up using the old rules from previous attempts, instead of newer updates. (And make sure you follow the Making Config Changes advice from the article, to shut down the WireGuard interface before making config changes and restarting -- run sudo iptables-save when the interface is down to double-check if you have any old rules or chains that haven't been cleaned up.)

ua flag
Thanks a lor for taking the tame to answer to my sloppy post. I'm really sorry for being sloppy. The ip was indeed wrong in my wg0.conf file. The "PostDown = iptables -X wg0-filter" was just a typo doing the post. Not it works as it should. Thanks for the great tutorials and write-ups!
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.