WireGuard Configuration
Hi All,
Seeking Gurus help here.
I am a new user of Firewalla as well as WireGuard. I am opening up my Synology Server via SMB to my peers to upload some documents for the long run. Peers connect to Synology through the WireGuard VPN:
Internet > WG VPN > Synology NAS.
Currently, once connected via WG VPN, all my internal devices are exposed to my peers.
Did some searching online and changed the AllowedIPs field in the WG client configuration file to restrict it to only my Synology NAS IP. But that is still a loophole.
Tried to access Firewalla over SSH to go into the WireGuard folder and configure it, however I am not a super user and thus encountered Permission Denied.
Are there any other ways to restrict WG VPN users to only a specific IP address?
Thanks in advance.
Cheers
-
The AllowedIPs in the WireGuard config file will only allow access to that IP address. That is a "split tunnel", in that all traffic except the AllowedIPs will go through the default route.
Example: if your NAS is IP address 192.168.0.10, then in AllowedIPs you put just 192.168.0.10/32 and bring the tunnel up. You should only be able to ping that address and nothing else.
If you keep AllowedIPs as 0.0.0.0/0, then this will route ALL traffic through the VPN tunnel. You can then go into that client's profile in the Firewalla UI and block traffic to a specific LAN, but allow 192.168.0.10 .....
I do this for my work. I have a connection FROM my work to my WireGuard VPN with AllowedIPs = 192.168.2.0/24, which says that only traffic destined for that IP subnet is allowed to go through that VPN... but in the Firewalla UI (for that client's profile) I say block all access to my 192.168.2.0/24 LAN. Then I put in the allow rules for the specific IP addresses my work network is allowed to access....
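An added example, not from this thread or from Firewalla, showing the server-side form of the restriction James describes. On the client, AllowedIPs only decides what the client routes into the tunnel, so a peer who edits the file can send anything. On the WireGuard host, the peer's AllowedIPs is cryptokey routing: it pins the tunnel source address that peer may use but never limits destinations, so the destination limit has to be a firewall rule on the WireGuard interface. Every name and address here is a hypothetical assumption: interface wg0, peer tunnel address 10.8.0.2, NAS at 192.168.0.10, SMB on TCP/445, and nftables available on the host. Firewalla's UI rules are a separate mechanism that sits on top of the same principle.

```shell
#!/bin/sh
# Added example (hypothetical values), not code from the thread or Firewalla.
# Assumed layout: WireGuard host runs wg0, the peer is assigned 10.8.0.2/32,
# the NAS is 192.168.0.10 and only SMB (TCP/445) must be reachable.

WG_IF="wg0"
PEER_PUBKEY="REPLACE_WITH_PEER_PUBLIC_KEY"
PEER_TUNNEL_IP="10.8.0.2"
NAS_IP="192.168.0.10"

# Client side (the weak control). AllowedIPs here is only a routing choice on
# the peer's machine; the peer can change 192.168.0.10/32 to 0.0.0.0/0 at will.
client_peer_stanza() {
  cat <<EOF
[Peer]
PublicKey = $1
AllowedIPs = $2/32
Endpoint = $3
EOF
}

# Server side, part 1: cryptokey routing. Packets from this peer whose inner
# source address is not $2 are dropped by WireGuard itself. This pins the
# source only; it says nothing about which destinations the peer may reach.
server_peer_stanza() {
  cat <<EOF
[Peer]
PublicKey = $1
AllowedIPs = $2/32
EOF
}

# Server side, part 2: the destination limit. Forwarded packets that enter on
# the WireGuard interface from this peer may reach only the NAS on TCP/445;
# anything else arriving on that interface is dropped. Other interfaces keep
# the default accept policy so the rest of the router's forwarding is untouched.
nft_forward_rules() {
  cat <<EOF
table inet wg_split {
  chain forward {
    type filter hook forward priority 0; policy accept;
    iifname "$1" ip saddr $2 ip daddr $3 tcp dport 445 accept
    iifname "$1" drop
  }
}
EOF
}

# Render everything so it can be pasted into the peer config, the server
# config and `nft -f` respectively.
client_peer_stanza "SERVER_PUBLIC_KEY" "$NAS_IP" "vpn.example.invalid:51820"
echo
server_peer_stanza "$PEER_PUBKEY" "$PEER_TUNNEL_IP"
echo
nft_forward_rules "$WG_IF" "$PEER_TUNNEL_IP" "$NAS_IP"
```

With this in place a peer who rewrites AllowedIPs to 0.0.0.0/0 only changes what their own machine pushes into the tunnel; the WireGuard host still discards every forwarded packet that is not 10.8.0.2 to 192.168.0.10:445. Apply the nftables ruleset with `nft -f` and confirm with `nft list table inet wg_split` before handing the config to peers.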
-
Hi James,
Thank you for your response.
Yes, that is exactly what I am doing now. Just that by doing it this way, the config file is sent across to my peers and they are able to edit and change the AllowedIPs to 0.0.0.0/0, therefore there are no controls.
If I were to follow your method, it means that my Synology NAS has to be on 192.168.0.10 and the rest of my devices on 192.168.2.x, am I right?