I am running Wireguard on an unprivileged Proxmox LXC at home for friends and family to access an internal webserver and an NVR. I’d like to write firewall rules to allow certain users to hit the webserver (192.168.0.162) but not the NVR (192.168.0.153), but the logs are only showing the IP of the WG server (192.168.0.154) trying to leave the WG server and get to the 192.168.0 network. I think this has something to do with the iptables command that runs at WG startup with the masquerade option. Maybe I’m wrong.
I’m also trying to understand if there is a correlation with the Wireguard config IP address that I set for each connection (10.20.30.x) with the “AllowedIPs” option and how that maps to firewall rules, if at all.
From what I have found on the interwebs I think that removing the masquerade option from the iptables WG startup command will show me their actual ISP’s IP, which is of no value when writing firewall rules. I would prefer to write rules that accept/reject 10.20.30.x from leaving the WG server.
Short version: you’re seeing only 192.168.0.154 in the logs because the WG LXC is doing SNAT/MASQUERADE for traffic leaving wg0 toward your LAN. If you want to write rules based on each user’s 10.20.30.x, you must stop NAT on the WG box and route the 10.20.30.0/24 subnet on your LAN instead. Then you can firewall on source 10.20.30.x.
Longer Answer: I am not sure if there are restrictions on LXC containers that would stop you from doing this, but you can use ChatGPT to help you go through all the settings to rebuild this into a routed solution. I am suggesting ChatGPT (or LLM of your choice) because I don’t have any write ups to link to since most people just use their firewall VPN to do this as it already has all the work done and can be controlled through a web UI, such as using pfsense or OPNSense.
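To make the routed alternative concrete, here is an added example that is not from either poster in this thread. It assumes the WG LXC has `wg0` facing the peers and `eth0` facing the LAN (both interface names are assumptions), that peers get their 10.20.30.x addresses via `AllowedIPs`, and uses the webserver, NVR and WG-host addresses quoted above. It only generates iptables commands as text, so the ruleset can be read before it is applied; the constructed policy table gives one "friend" peer web-only access and one "family" peer web plus NVR.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: wg0 = peer side, eth0 = LAN
# side of the WireGuard LXC; peer tunnel addresses come from AllowedIPs.
# Host addresses are the ones quoted in the thread.

WG_IF=wg0
LAN_IF=eth0
WEB=192.168.0.162
NVR=192.168.0.153

# Constructed sample policy: "<peer tunnel IP> <LAN host it may reach>".
# 10.20.30.2 is a "friend" (web only); 10.20.30.3 is "family" (web + NVR).
POLICY="10.20.30.2 $WEB
10.20.30.3 $WEB
10.20.30.3 $NVR"

# What the usual wg-quick PostUp does: MASQUERADE rewrites every peer's source
# to the LXC's own LAN address (192.168.0.154), so pfSense and the Proxmox
# firewall only ever see that single address.
nat_postup() {
  echo "iptables -t nat -A POSTROUTING -o $LAN_IF -j MASQUERADE"
}

# Routed alternative: no NAT at all. The LAN then needs a way back to the
# tunnel subnet, i.e. a static route 10.20.30.0/24 -> 192.168.0.154 on pfSense,
# and the LXC must forward (already true if the NAT setup works today).
routed_postup() {
  echo "sysctl -w net.ipv4.ip_forward=1"
  echo "# on pfSense: System > Routing > Static Routes: 10.20.30.0/24 via 192.168.0.154"
}

# Per-peer FORWARD rules. iptables is first-match, so the explicit ACCEPT lines
# come first and a LOG + DROP pair catches everything else; a peer poking at a
# host it is not allowed to reach shows up in the kernel log with its real
# 10.20.30.x source.
gen_forward_rules() {
  echo "iptables -A FORWARD -i $LAN_IF -o $WG_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "$POLICY" | while read -r peer host; do
    echo "iptables -A FORWARD -i $WG_IF -o $LAN_IF -s $peer/32 -d $host/32 -j ACCEPT"
  done
  echo "iptables -A FORWARD -i $WG_IF -o $LAN_IF -j LOG --log-prefix \"WG-DENY: \" --log-level 4"
  echo "iptables -A FORWARD -i $WG_IF -o $LAN_IF -j DROP"
}

# Dry-run check mirroring the ruleset: a peer reaches a host only if that exact
# pair has an ACCEPT line; any other pair falls through to LOG + DROP.
peer_allowed() {
  echo "$POLICY" | grep -qx "$1 $2"
}

# Usage on the WG host: review the output, then apply it.
#   sh this_script.sh --print          # review
#   sh this_script.sh --print | sh     # apply (as root)
if [ "${1:-}" = "--print" ]; then
  routed_postup
  gen_forward_rules
fi
```

One detail worth knowing before removing NAT: the filter table's FORWARD chain runs before POSTROUTING NAT, so rules inside the LXC already match on the 10.20.30.x source even while MASQUERADE is on. Dropping the MASQUERADE line is what lets pfSense (or the Proxmox firewall) see each peer's real address, and it only works once the static route back to 10.20.30.0/24 via 192.168.0.154 exists, otherwise return traffic from the LAN has nowhere to go.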
Another thought for you if you haven’t dived too far into this yet: this would actually be a terrific use for something like NetBird. It has really robust access control rules so you could manage all of the permissions centrally and even create groups of clients. It’s pretty spectacular.
At first glance Netbird seems to have WAY more options than a guy hosting a family webserver and NVR needs. After watching Tom's video on the basics of Netbird I pulled down a copy to an Ubuntu LXC (Proxmox), but after the install it wants me to login to netbird.io. I really want to host this entirely on my home machines and not have any outside source involved with authentication. Is that not possible with Netbird? Will my friends/family have to authenticate through netbird.io to get to my stuff, or am I over thinking (over paranoid?) here?
As a little background, I have a simple non-SSL webserver and an NVR (Blueiris) running behind my pfSense firewall. I was using separate WG instances: one for the friends to hit the webserver and one for the family to access the webserver and NVR. As previously posted, using WG with its iptables Masquerade command masked all WG IPs coming off the WG VM and heading to my 192.168 network, and I couldn't see or limit which WG IP/user was going where, which is why I built the 2nd WG instance. Yeah, maybe a bit over complicated, but it works. I was fiddling around with removing the iptables masquerade option to see if I could write UFW (or PXMX) firewall rules to contain the specific WG IPs, which included Tom's suggestion of adding the route, but basically I have no idea what I'm doing with routing. Thank god for Proxmox's simple backup and restore features. To muck things up further I tried wg-easy, which made WG user management way easy but further obfuscated networks and names as it runs docker in my WG VM. I'm just looking for a relatively simple solution to letting less than a dozen people have access, provide a full tunnel for them if they travel, but be able to monitor who tries poking around on the home network where they shouldn't. Netbird seems like a bit of overkill for my needs.