Way to prevent Clients to use Wireguard Tunnel

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
2023-09-02 08:27:54 - last edited 2023-09-07 06:16:49
Model: ER707-M2  
Hardware Version: V1
Firmware Version: 1.1

Hi,

As WireGuard is not supported in VPN Policy or as a WAN Interface in Policy Routing, is there any other way to block clients from having access to the tunnel?

I have some tunnels that should only be accessible from specific clients.

Thank you

Re:Way to prevent Clients to use Wireguard Tunnel
2023-09-05 03:35:32

@bsz

Set up an ACL then. Use an IP group ACL if you have a switch; if there is no switch, you'd use Network. Put the WG interface in the VLAN interface, and you can set the ACL then.

ScReW yOu gUyS. I aM GOinG hoMe. —————————————————————— For heaven's sake, can you write and describe your issue based on plain fact, common logic and a methodologic approach? Appreciate it.
Re:Way to prevent Clients to use Wireguard Tunnel
2023-09-05 09:52:26

@Tedd404

Thanks for your reply.

Tedd404 wrote:
Set up an ACL then. Use an IP group ACL if you have a switch.

I have created a switch ACL that blocks (some) clients from accessing the subnet on the other side of the tunnel. But that does not allow me to route all traffic for some clients over the tunnel.

Tedd404 wrote:
Put the WG interface in the VLAN interface, and you can set the ACL then.

I cannot find any place where I can do that. The WireGuard interface is not listed in any selection of interfaces.

Re:Way to prevent Clients to use Wireguard Tunnel
2023-09-06 01:14:17 - last edited 2023-09-06 01:51:39

@bsz

Then it is your config issue. You should read:

https://community.tp-link.com/en/business/forum/topic/619652

Is your Allowed IPs set to 0.0.0.0? If so, that's the reason why.

Re:Way to prevent Clients to use Wireguard Tunnel
2023-09-06 01:31:36 - last edited 2023-09-06 01:32:45

@Tedd404

I think you may be misunderstanding what is being asked. In the current implementation of WireGuard in Omada, the Allowed IPs in the configuration is a universal option (no matter the VLAN, subnets, or individual client configuration); everything will respect the WireGuard config.

From what I understand, what is being asked above is whether there is a way to define which clients route via WireGuard and which ones route via WAN without touching the WireGuard VPN. The WireGuard interface is not definable in policy routing, and in the VLAN configuration there is no way to define which default gateway it will run over. So if WireGuard is configured with 0.0.0.0/0, then EVERYTHING runs via WireGuard.

I am currently in the same boat, as I want to have either a client-level option to have those devices run via WireGuard or to set up a VLAN that will run only via WireGuard, but it is currently not available. This is in all likelihood due to how new WireGuard is in Omada, and I would bet that it is something that will be available in the future, as it is currently available for the other VPN options as far as I know.

Re:Way to prevent Clients to use Wireguard Tunnel
2023-09-06 01:57:27 - last edited 2023-09-06 01:58:42

@nlibby

But if this is a WG on a pfSense, what would be the proper way to use Allowed IPs 0.0.0.0 and implement what he asks? Or simply set up WG with 0.0.0.0 and do policy routing on pfSense?

He wants to set up routing of all traffic at the router level while routing certain traffic to the local gateway.

Let's put the router aside; just with WG, is this possible with lines and parameters?

I am thinking of a way to do this. So if you need to write a route on the WG interface, or in the peer config, is there any possibility of writing a route in the router?

Re:Way to prevent Clients to use Wireguard Tunnel
2023-09-06 02:06:48 - last edited 2023-09-06 02:10:12

@Tedd404

The Allowed IPs is simply a way to tell the router what networks are on the other side of the tunnel. If you say that 192.168.1.0/24 is an allowed IP, then when you navigate to that IP on the client it will route that via WireGuard, but not anything else. But let's say you have a service that is only accessible on the other side of that WireGuard tunnel, it has a dynamic IP address, and you don't want the entire network to have access to it. Well, then the only remaining option is a client- or VLAN-level config that will route traffic via whatever gateway you want it to.

I currently use OpenWrt devices for my "clients" and an add-on called PBR. It lets you define devices, networks, subnets, MAC addresses, and more to identify how those devices should be routed. But I am looking to go full Omada so I have full management ability via one software interface, and until this is implemented I can't.

And for your question about routes: until Omada has the ability to see WireGuard as an interface, I don't see any way to do it that I can think of. Also, as far as I know, WireGuard was never designed to be able to do this natively; as this is meant to just be a tunnel that the router can use, it is a router-level problem, not a WireGuard problem.

Re:Way to prevent Clients to use Wireguard Tunnel
2023-09-06 02:38:19

@nlibby

If you say so, then it should work by setting Allowed IPs = 0.0.0.0 and using policy routing in Omada routers.

0.0.0.0 will forward all traffic through the WG tunnel, and you use policy routing to route local IPs to the local gateway.

(Policy routing does not support the WG tunnel, so this might be the workaround.)

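The router-level approach nlibby describes (AllowedIPs only says what is behind the tunnel; which client uses it is a routing decision) and the workaround Tedd404 sketches (AllowedIPs 0.0.0.0/0 plus policy routing) can be done on a Linux router with wg-quick and ip rule. The script below is an added example for this thread, not Omada/TP-Link code and not from the WireGuard project, and it will not run on the ER707-M2. It assumes interface wg0, routing table 51820, LAN 192.168.10.0/24, two selected client hosts (.50 and .51) and placeholder keys and endpoint; all of those names are assumptions, not values from the thread. The numeric Table keeps the tunnel's 0.0.0.0/0 route out of the main table, so the router itself and every unselected client keep using the WAN; only clients matched by a `from` rule are sent to the tunnel table.

```shell
#!/bin/sh
# Per-client WireGuard policy routing on a Linux router (wg-quick + ip rule).
# Added example for this thread; not Omada/TP-Link code. Assumed names:
# interface wg0, table 51820, LAN 192.168.10.0/24, clients .50 and .51.

WG_IF="${WG_IF:-wg0}"
WG_TABLE="${WG_TABLE:-51820}"
LAN_NET="${LAN_NET:-192.168.10.0/24}"
CLIENTS="${CLIENTS:-192.168.10.50 192.168.10.51}"   # assumed example hosts

# Normalise a bare host address to a /32 so a rule matches exactly one client.
as_prefix() {
  case "$1" in
    */*) printf '%s\n' "$1" ;;
    *)   printf '%s/32\n' "$1" ;;
  esac
}

# Print the ip(8)/iptables commands that steer traffic *from* the given
# clients into the WireGuard table. Nothing is executed here, so the output
# can be reviewed first or used as wg-quick PostUp lines.
#   $1 = LAN prefix to masquerade, $2.. = client addresses
wg_pbr_up() {
  lan="$1"; shift
  for c in "$@"; do
    c=$(as_prefix "$c")
    # Consult the main table first but ignore its default route
    # (suppress_prefixlength 0): LAN, other local VLANs and the route to the
    # WAN-side endpoint are still reached directly.
    echo "ip rule add from $c lookup main suppress_prefixlength 0 priority 100"
    # Anything left for this client goes to the tunnel table, where wg-quick
    # (Table = $WG_TABLE) installed 0.0.0.0/0 dev $WG_IF from AllowedIPs.
    echo "ip rule add from $c lookup $WG_TABLE priority 110"
  done
  # Kill switch: if $WG_IF goes down its route vanishes, but this entry stays,
  # so selected clients get 'unreachable' instead of leaking out via the WAN.
  echo "ip route add unreachable default table $WG_TABLE metric 1000"
  # The far side only knows the tunnel address, so NAT the LAN behind it.
  echo "iptables -t nat -A POSTROUTING -s $lan -o $WG_IF -j MASQUERADE"
}

# Inverse of wg_pbr_up, for PreDown.
wg_pbr_down() {
  lan="$1"; shift
  for c in "$@"; do
    c=$(as_prefix "$c")
    echo "ip rule del from $c lookup main suppress_prefixlength 0 priority 100"
    echo "ip rule del from $c lookup $WG_TABLE priority 110"
  done
  echo "ip route del unreachable default table $WG_TABLE metric 1000"
  echo "iptables -t nat -D POSTROUTING -s $lan -o $WG_IF -j MASQUERADE"
}

# Render a wg-quick config. AllowedIPs stays 0.0.0.0/0 as in the thread; the
# numeric Table keeps that default route out of the main table. Keys and the
# endpoint are placeholders.
wg_quick_conf() {
  echo "[Interface]"
  echo "Address = 10.100.0.2/32"
  echo "PrivateKey = <router private key>"
  echo "Table = $WG_TABLE"
  wg_pbr_up "$LAN_NET" $CLIENTS | sed 's/^/PostUp = /'
  wg_pbr_down "$LAN_NET" $CLIENTS | sed 's/^/PreDown = /'
  echo ""
  echo "[Peer]"
  echo "PublicKey = <far-side public key>"
  echo "AllowedIPs = 0.0.0.0/0"
  echo "Endpoint = <far-side host>:51820"
  echo "PersistentKeepalive = 25"
}

# $CLIENTS is deliberately unquoted so it splits into one argument per host.
case "${1:-show}" in
  show)  wg_pbr_up "$LAN_NET" $CLIENTS ;;           # review the commands
  conf)  wg_quick_conf ;;                           # > /etc/wireguard/wg0.conf
  apply) wg_pbr_up "$LAN_NET" $CLIENTS | sh -e ;;   # needs root
esac
```

Typical use is `sh wg-pbr.sh conf > /etc/wireguard/wg0.conf` followed by `wg-quick up wg0`, then `ip rule show` and `ip route show table 51820` to confirm the rules and the tunnel default route. The MASQUERADE line assumes the far side does not carry a return route for the LAN; if it does, drop that line. If the selected clients should also be kept off the far-side subnet rather than off the WAN, that is a firewall rule on wg0, not a routing rule.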
Re:Way to prevent Clients to use Wireguard Tunnel-Solution
2023-09-06 06:29:48 - last edited 2023-09-07 06:16:49

Hi @bsz 

Thanks for posting in our business forum.

WireGuard with Policy Routing is estimated to be available in Q1 next year (ETA). It may be delayed or moved up depending on the task load of the dev team.

Best Regards!
Recommended Solution
Re:Way to prevent Clients to use Wireguard Tunnel
2023-09-06 13:51:10
Thank you for the response on this sir!! Glad to know these features are in active development.
Re:Way to prevent Clients to use Wireguard Tunnel
2023-09-07 06:19:28

@Clive_A Thanks for the clarification, and I am very happy to hear that you are working on a solution.

Thanks also to everybody for the discussion.
