How to prevent ext clients from editing conf
# client
b
I have 10.28.0.0/16 set up as a main network for administrators and I created a second network inside that of 10.28.100.0/24 and made that have an ingress gateway. If I generate a conf for an external client inside the 10.28.100.0/24 network that works perfectly, giving the external client an expected 10.28.100.x ip. However, that external client can simply edit their .conf in wireguard to /16 instead of /24 and have access to all of 10.28.0.0/16 — how can I prevent that from happening?
b
the only way to guard against that is to set up a firewall rule on the ingress
b
Ok. How would that be done and where do you set firewall rules on the ingress?
b
if you set RCE="yes" you can add firewall rules to postup/postdown fields in the UI for the ingress node. It would take some research to come up with the proper set of rules.
other option is to run iptables (or nftables) commands directly on the ingress host.
I think the rules would be a whole lot easier if you created two networks without overlapping ranges. Give administrators access to both networks and extclients to only one. If the ingress node is only on the non-admin network, no firewall rules would be required.
b
Thank you for your help!
What would an example post up/down syntax be to allow only the “allowed IPs” set when generating the conf so even if the client edits them, the original ones are enforced? Very much appreciate your help!
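One way to answer the last question, as an added example that is not from anyone in this thread: a small script the ingress node runs from PostUp (`guard.sh up`) and PostDown (`guard.sh down`). It assumes the ingress WireGuard interface is called `netmaker` and uses the two ranges from the thread; it only confines ext-client source addresses on the ingress, since the client's own AllowedIPs edit changes nothing on the server side.

```shell
#!/bin/sh
# Added example (not from the thread): PostUp/PostDown rules for a Netmaker
# ingress node that confine ext clients to their own /24 even if they widen
# AllowedIPs in their .conf. Interface name and ranges are assumptions.
WG_IF="${WG_IF:-netmaker}"             # assumption: ingress WireGuard interface
EXT_NET="${EXT_NET:-10.28.100.0/24}"   # ext-client range from the thread
ADMIN_NET="${ADMIN_NET:-10.28.0.0/16}" # admin range from the thread
CHAIN="EXTCLIENT_GUARD"

# Run a command, or only print it when DRY_RUN=1 so the rules can be reviewed.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

guard_up() {
  run iptables -N "$CHAIN"
  # Traffic that stays inside the ext-client /24 is fine: leave the chain.
  run iptables -A "$CHAIN" -s "$EXT_NET" -d "$EXT_NET" -j RETURN
  # Anything from the ext-client range aimed at the rest of the /16 is dropped.
  run iptables -A "$CHAIN" -s "$EXT_NET" -d "$ADMIN_NET" -j DROP
  # Hook the chain in at position 1 so it runs before any later ACCEPT rule.
  run iptables -I FORWARD 1 -i "$WG_IF" -j "$CHAIN"
}

guard_down() {
  run iptables -D FORWARD -i "$WG_IF" -j "$CHAIN"
  run iptables -F "$CHAIN"
  run iptables -X "$CHAIN"
}

ext_client_guard() {
  case "$1" in
    up) guard_up ;;
    down) guard_down ;;
    *) printf 'usage: %s up|down\n' "$0" >&2; return 2 ;;
  esac
}

if [ -n "${1:-}" ]; then ext_client_guard "$1"; fi
```

Packets addressed to the ingress host itself pass through INPUT rather than FORWARD, so hook the same chain into INPUT if ext clients should not reach the ingress's own /16 address either.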