Score:1

Allow forwarding only between VPN clients within the same subnet mask


I am using Wireguard (interface wg0) for a VPN on a server, where all connected clients have IPv6 addresses assigned by the server (controlled by AllowedIPs).

Let's say we have three clients:

  • Client A, with 7767:1::a
  • Client B, with 7767:2::b
  • Client C, with 7767:2::c

I want to configure the server (i.e. using something like iptables) to allow forwarding between client B and C (since they are on the same subnet, /32), and deny forwarding between client A and B/C (since they are on a different subnet, /32). And I don't want to have to worry about specifying the subnet explicitly every time a new subnet is used.

Something like this would work (untested):

#!/bin/bash
prefix="7767"

# Drop invalid packets, let replies of already established flows through
ip6tables -A FORWARD -i wg0 -m state --state INVALID -j DROP
ip6tables -A FORWARD -i wg0 -m state --state RELATED,ESTABLISHED -j ACCEPT

# One ACCEPT rule per possible /32 under the prefix (65536 rules in total)
for ((i=0;i<65536;++i))
do
    subnet="$(printf "$prefix:%x" $i)"
    ip6tables -A FORWARD -i wg0 -s "$subnet::/32" -d "$subnet::/32" -j ACCEPT
done

# Everything else crossing wg0 is dropped
ip6tables -A FORWARD -i wg0 -j DROP

Is there some generic rule that can be used for this scenario? Or maybe another tool than iptables is better suited for this?
