#StackBounty: #iptables #docker #wireguard Wireguard Internet Only clients + LAN/Internet Clients

Bounty: 50

I have a Wireguard installation running based on the docker image linuxserver/wireguard.
It’s running on an Ubuntu 20.04 host.

The speed is good and my client can connect from both my local LAN and from the Internet, gaining access to both the local LAN and the internet in both situations. So far so good.

Now I want to add a second type of client. These clients should only have internet access when connected to the VPN. The restriction must be configured on the server. Also I would like the clients to use my LAN’s DNS server (pihole). I realize that the clients would be able to perform LAN DNS lookups and expose LAN IPs of services on the LAN. That is OK for now. The important thing is that the traffic cannot be routed to LAN hosts and services.

Network range 192.168.X.0 - 192.168.X.255
My router IP: 192.168.X.1
Pihole IP: 192.168.X.Y

wg0.conf (which is generated by the linuxserver/wireguard image)

[Interface]
Address = 10.13.13.1
ListenPort = 51820
PrivateKey = XXXXX
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = XXXXX
AllowedIPs = 10.13.13.2/32

[Peer]
PublicKey = XXXXX
AllowedIPs = 10.13.13.3/32
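One way to express that restriction as iptables rules driven from PostUp/PostDown, as an added example that is not part of the original post or of the linuxserver/wireguard image. It assumes a separate address range, 10.13.13.128/25 (a hypothetical choice), is reserved for the internet-only peers, and keeps 192.168.X.0/24 and 192.168.X.Y as the placeholders used in the post.

```shell
#!/bin/sh
# Added example: FORWARD rules for an "internet-only" WireGuard peer class.
# Every value below is an assumption or a placeholder from the post; override
# them via the environment to match the real deployment.
IPT="${IPT:-iptables}"
WG_IF="${WG_IF:-wg0}"
LAN_NET="${LAN_NET:-192.168.X.0/24}"      # placeholder LAN range from the post
PIHOLE="${PIHOLE:-192.168.X.Y}"           # placeholder pihole address from the post
INET_ONLY="${INET_ONLY:-10.13.13.128/25}" # hypothetical range for internet-only peers

# wg_inet_only up|down
# "up" inserts the rules at the top of FORWARD so they are evaluated before the
# blanket "-i wg0 -j ACCEPT" that the generated PostUp already appends; "down"
# deletes the same rules. Because -I pushes each rule to position 1, the rules
# are emitted in reverse of the order they must end up in:
#   1. ACCEPT udp/53 to pihole   2. ACCEPT tcp/53 to pihole   3. DROP rest to LAN
wg_inet_only() {
    case "$1" in
        up)   act="-I" ;;
        down) act="-D" ;;
        *)    echo "usage: wg_inet_only up|down" >&2; return 2 ;;
    esac
    # Everything else from the internet-only range towards the LAN (router
    # included) is dropped; internet-bound traffic never matches and still
    # falls through to the existing ACCEPT + MASQUERADE rules.
    "$IPT" "$act" FORWARD -i "$WG_IF" -s "$INET_ONLY" -d "$LAN_NET" -j DROP
    # DNS to pihole only (UDP and TCP, since large answers fall back to TCP).
    "$IPT" "$act" FORWARD -i "$WG_IF" -s "$INET_ONLY" -d "$PIHOLE" -p tcp --dport 53 -j ACCEPT
    "$IPT" "$act" FORWARD -i "$WG_IF" -s "$INET_ONLY" -d "$PIHOLE" -p udp --dport 53 -j ACCEPT
}

# Allow use as a script: ./wg-inet-only.sh up|down
if [ $# -gt 0 ]; then
    wg_inet_only "$@"
fi
```

Call it from the end of the existing PostUp/PostDown lines (`... ; /path/to/wg-inet-only.sh up` and `... down`) and give each internet-only peer an AllowedIPs inside 10.13.13.128/25, e.g. 10.13.13.130/32. Verify with `iptables -L FORWARD -n --line-numbers` that the three rules sit above the blanket `-i wg0 -j ACCEPT`, otherwise the restriction is never reached.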
