
Is it a bad idea that all users and all devices connect to one WireGuard VPN interface?


I have little knowledge of networking, so I need some basic advice.

In my business domain, the users are facility managers or system installers. There are not many users, and they can take some responsibility for security.

My devices are built on Raspberry Pi and are controlled through a web GUI. It is only used when a device is installed, for a few hours, with no heavy traffic.

I think a VPN is enough to handle this with the following network description.

  • One WireGuard VPN interface on AWS EC2 with a public IP.
  • All devices connect to the one WireGuard VPN interface.
  • All authenticated users connect to the one WireGuard VPN interface.
  • The admin restricts which devices each user can access with iptables.

Could anybody tell me whether this is totally bad, or suggest a good direction?

Edit1: Expected Specification

Mainly, I worry about security.

  • One user can access only the allowed devices.
  • Users cannot access the EC2 instance.
  • Users cannot access other devices.

Is it possible to configure this with one VPN and iptables?

Thanks,

LasseMichaelMølgaard: I am a bit unsure what you want to achieve? Raspberry can certainly be used for VPN (using a Raspberry Pi 4 myself and it has no problem delivering 350 mbps throughput on my 500 mbps Internet connection).
hando han: Sorry for being ambiguous, I worry about security. I want one user to be able to access only the allowed Raspberry Pi device, not the AWS EC2 and other Raspberry Pis. I have little information on VPN and iptables.
LasseMichaelMølgaard: Normally I would say you could not make iptables rules based on who was logged in, but then I saw parameters like: `-m owner --uid-owner <USERNAME>` and figured it is possible to allow/deny traffic based on whoever is logged in. Though for simplicity I would create groups instead and create rules depending on which groups the user is assigned to.
hando han: I thought of using the VPN IP address that the user/device gets when connecting to the VPN, and having iptables allow or block packets between user and devices. Hard to say clearly, but I think a VPN IP gathering system is possible. Am I missing something?
LasseMichaelMølgaard: Ok. My confusion stems from which way the expected traffic should flow? Do you want to remotely access all the Raspberry Pis via VPN through the EC2 server and at the same time prevent any users on the individual Raspberry Pis from using the VPN connection to access the EC2 server? In that case the solution is simple. Use iptables on the EC2 server to allow outbound traffic to VPN and related inbound traffic from VPN only and drop all other packages. You will need to add exceptions in iptables for any client which is allowed to connect to the server.
hando han: @LasseMichaelMølgaard Thanks for the kind help, even though my asking was confusing. I think your answer is right.
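The following is an added example, not code from the thread or from any of its participants, showing how the three requirements in "Edit 1" (user reaches only allowed devices, users cannot reach the EC2 host, users cannot reach other devices) and the iptables approach sketched in the comments can be expressed as a rule set on the WireGuard server. It assumes a single `wg0` interface on the EC2 host, a VPN subnet `10.8.0.0/24`, and a placeholder admin peer and listen port; every address, interface name and port is constructed for the example and must be replaced.

```shell
#!/bin/sh
# Added example (not from the thread): generate the iptables rules on the
# WireGuard server that enforce a per-user device allow-list.
# All addresses, the interface name and the port are constructed placeholders.

WG_IF="wg0"           # WireGuard interface on the EC2 host (placeholder)
WG_PORT="51820"       # ListenPort from wg0.conf (placeholder)
ADMIN_IP="10.8.0.2"   # the only VPN peer allowed to reach the EC2 host itself (placeholder)

# Access policy: one "user_ip device_ip" pair per line (constructed sample).
# Each VPN address is pinned to one peer key in wg0.conf (AllowedIPs = x/32),
# so the address is a trustworthy stand-in for the peer.
POLICY="
10.8.0.10 10.8.0.100
10.8.0.10 10.8.0.101
10.8.0.11 10.8.0.101
"

# Print the iptables commands that implement POLICY, one per line.
gen_rules() {
  # Traffic addressed to the EC2 host itself: WireGuard handshakes on the
  # public side, replies to the host's own connections, and the admin peer.
  # Everything else arriving over wg0 is dropped ("users cannot access EC2").
  echo "iptables -A INPUT -p udp --dport $WG_PORT -j ACCEPT"
  echo "iptables -A INPUT -i $WG_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A INPUT -i $WG_IF -s $ADMIN_IP -j ACCEPT"
  echo "iptables -A INPUT -i $WG_IF -j DROP"

  # Peer-to-peer traffic hairpins through the server (in wg0, out wg0), so
  # the FORWARD chain decides which user may open connections to which device.
  echo "iptables -A FORWARD -i $WG_IF -o $WG_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "$POLICY" | while read -r user dev; do
    [ -n "$user" ] || continue   # skip blank lines in POLICY
    echo "iptables -A FORWARD -i $WG_IF -o $WG_IF -s $user -d $dev -m conntrack --ctstate NEW -j ACCEPT"
  done
  # Anything else between peers (user -> other device, device -> device,
  # device -> user) is dropped.
  echo "iptables -A FORWARD -i $WG_IF -o $WG_IF -j DROP"
}

# Number of devices a given VPN address is allowed to open connections to;
# useful for checking the policy before applying it.
allowed_count() {
  gen_rules | grep -c -- "-s $1 -d " || true
}

# Usage:  ./wg-policy.sh           -> print the rules for review
#         APPLY=1 ./wg-policy.sh   -> execute them as root on the EC2 host
if [ "${APPLY:-0}" = "1" ]; then
  gen_rules | sh -e
else
  gen_rules
fi
```

Two things make the address-based filtering sound: the host needs `net.ipv4.ip_forward=1` so peer-to-peer packets traverse FORWARD at all, and each peer's `AllowedIPs` in the server's `wg0.conf` must be that peer's single `/32`, because WireGuard's cryptokey routing then discards any packet whose source address is not bound to the key it was decrypted with, so a user cannot borrow another peer's address. The rules are appended, so they only have the intended effect if no earlier ACCEPT rule in INPUT or FORWARD already matches wg0 traffic.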