Way to prevent clients from using the WireGuard tunnel
Hi,
As WireGuard is not supported as a VPN Policy or WAN Interface in Policy Routing, is there any other way to block clients from having access to the tunnel?
I have some tunnels that should only be accessible from specific clients.
Thank you
Hi @bsz
Thanks for posting in our business forum.
WireGuard with Policy Routing is estimated to be available in Q1 next year (ETA). It may be delayed or moved up depending on the task load on the dev team.
Set up an ACL then. IP group ACL if you have a switch; if no switch, you'd use network. Put the WG interface in the VLAN interface, and you can set the ACL then.
Thanks for your reply.
Tedd404 wrote:
    set up acl then. ip group acl if you have a switch.
I have created a switch ACL that blocks (some) clients from accessing the subnet on the other side of the tunnel. But that does not allow me to route all traffic for some clients over the tunnel.
Tedd404 wrote:
    put the wg int in the vlan interface, and you can set the acl then.
I cannot find any place where I can do that. The WireGuard interface is not listed in any selection of interfaces.
Then it is your config issue. You should read:
https://community.tp-link.com/en/business/forum/topic/619652
Is your allowip set to 0.0.0.0? If so, that's the reason why.
I think you may be misunderstanding what is being asked. In the current implementation of WireGuard in Omada, the Allowed IPs in the configuration is a universal option (no matter the VLAN, subnets, or individual client configuration): everything will respect the WireGuard config.
From what I understand, what is being asked above is whether there is a way to define which clients route via WireGuard and which ones route via WAN without touching the WireGuard VPN. The WireGuard interface is not definable in policy routing, and in the VLAN configuration there is no way to define which default gateway it will run over. So if WireGuard is configured with 0.0.0.0/0, then EVERYTHING runs via WireGuard.
I am currently in the same boat, as I want to have either a client-level option to have those devices run via WireGuard or to set up a VLAN that will run only via WireGuard, but it is currently not available. This is in all likelihood due to how new WireGuard is in Omada, and I would bet that it is something that will be available in the future, as it is currently available for other VPN options as far as I know.
But if this is a WG on a pfSense, what would be the proper way to use allowip 0.0.0.0 and implement what he asks? Or simply set up WG with 0.0.0.0 and do policy routing on pfSense?
He wants to set up routing-all-traffic on the router level while routing certain traffic to the local gateway.
Let's put aside the router; just with WG, is this possible with lines and parameters?
I am thinking of a way to do this. So if you need to write a route on the WG interface, or peer config, is there any possibility of writing a route in the router?
The Allowed IPs is simply a way to tell the router what networks are on the other side of the tunnel. If you say that 192.168.1.0/24 is an allowed IP, then when you navigate to that IP on the client it will route that via WireGuard, but not anything else. But let's say you have a service that is only accessible on the other side of that WireGuard tunnel, it has a dynamic IP address, and you don't want the entire network to have access to it; well, then the only remaining option is a client- or VLAN-level config that will route traffic via whatever gateway you want it to.
I currently use OpenWRT devices for my "clients" and an addon called PBR. It lets you define devices, networks, subnets, MAC addresses, and more to identify how those devices should be routed, but I am looking to go full Omada so I have full management ability via one software interface; until this is implemented I can't.
And for your question about routes: until Omada has the ability to see the WireGuard as an interface, I don't see any way to do it that I can think of. Also, as far as I know, WireGuard was never designed to be able to do this natively, as this is meant to just be a tunnel that the router can use; it is a router-level problem, not a WireGuard problem.
If you say so, then it should work by setting up allowip = 0.0.0.0 and using policy routing in Omada routers.
0.0.0.0 will forward all traffic through the WG tunnel, and use policy routing to route local IPs to the local gateway.
(Policy routing does not support the WG tunnel, so this might be the workaround.)
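The two layers the last few posts are talking past each other about (WireGuard's Allowed IPs deciding which destinations enter the tunnel, and the router's policy routing deciding which source clients may use it at all) can be modelled in a few lines. The following is an added illustration written for this thread, not Omada firmware or WireGuard code; the peer names, subnets and client addresses are constructed. Allowed IPs is implemented as a longest-prefix match (WireGuard's cryptokey routing), and the source-based selection corresponds to what `ip rule`/OpenWRT PBR do on Linux; it is the piece Omada does not yet expose for WireGuard.

```python
import ipaddress

# Constructed model of a router with WireGuard peers, in two layers:
#  1. The peer's AllowedIPs table (cryptokey routing): longest-prefix match
#     decides which peer, if any, a destination is sent to.
#  2. Policy routing on top: which *source* prefixes (a VLAN, a single host)
#     may use the tunnel table at all. Everyone else goes out the WAN.


def build_wg_table(peers):
    """peers maps a peer name to its AllowedIPs list; returns (network, peer) pairs."""
    table = []
    for peer, cidrs in peers.items():
        for cidr in cidrs:
            table.append((ipaddress.ip_network(cidr, strict=False), peer))
    return table


def wg_lookup(table, dst):
    """Longest-prefix match over AllowedIPs. None means no peer claims dst."""
    addr = ipaddress.ip_address(dst)
    best_net, best_peer = None, None
    for net, peer in table:
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_peer = net, peer
    return best_peer


def policy_route(src, dst, tunnel_clients, local_nets, table):
    """Decide the egress for one flow.

    tunnel_clients: source prefixes allowed to use the tunnel (hypothetical rule set).
    local_nets: prefixes that stay on the LAN regardless of the tunnel.
    Returns "local", "wg:<peer>" or "wan".
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    # Local subnets are reached directly for every client (the "local gateway").
    if any(d in ipaddress.ip_network(n, strict=False) for n in local_nets):
        return "local"
    # Only the selected clients consult the WireGuard table.
    if any(s in ipaddress.ip_network(n, strict=False) for n in tunnel_clients):
        peer = wg_lookup(table, dst)
        if peer is not None:
            return f"wg:{peer}"
    # Everything else, including tunnel clients whose dst matches no peer, uses WAN.
    return "wan"


if __name__ == "__main__":
    # AllowedIPs = 0.0.0.0/0 on the peer: without layer 2, every client would
    # be sent through the tunnel. With layer 2, only VLAN 10 is.
    full_tunnel = build_wg_table({"site-b": ["0.0.0.0/0"]})
    vlan_10_only = ["10.0.10.0/24"]   # constructed: the one VLAN allowed to use the tunnel
    lan = ["10.0.0.0/8"]              # constructed: local address space
    flows = [("10.0.10.5", "8.8.8.8"),    # VLAN 10 host to the internet -> tunnel
             ("10.0.20.5", "8.8.8.8"),    # VLAN 20 host to the internet -> WAN
             ("10.0.10.5", "10.0.20.7")]  # VLAN 10 host to another VLAN -> local
    for src, dst in flows:
        print(f"{src} -> {dst}: {policy_route(src, dst, vlan_10_only, lan, full_tunnel)}")
```

The same functions show the other point made above: with a peer whose AllowedIPs is only 192.168.1.0/24, `wg_lookup` returns that peer for 192.168.1.10 and `None` for 8.8.8.8, so general traffic never enters the tunnel no matter what policy routing says. The two layers are independent, which is why neither Allowed IPs alone nor an ACL alone gives per-client full-tunnel routing.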
@Clive_A Thanks for the clarification and I am very happy to hear that you are working on a solution.
Thanks also to everybody for the discussion