Netgate Discussion Forum

WG Peer Endpoint IP - Restrict Peer to single public IP

WireGuard
  • robyholmes
    last edited by Aug 2, 2024, 9:40 AM

    Hi,

    What is the difference between having 'Dynamic' enabled or disabled on a peer? If you disable dynamic and set a public IP & port for the endpoint, should WG not only allow that peer to connect (or transmit data) to the IP & port set?

    We're wanting to restrict the peer to a certain public IP it's connecting from. However, when we disable dynamic and set the IP, the peer can still connect on a different IP & port and traffic is routed without restriction.

    How would you go about restricting a peer connecting unless from a single public IP or hostname?

    Thanks,
    Rob

    • robyholmes
      last edited by Aug 6, 2024, 7:04 AM

      Surely I can't be the only person trying to lock a WG connection down so only certain public IPs can connect?

      • Bob.Dig LAYER 8 @robyholmes
        last edited by Aug 6, 2024, 8:06 AM

        @robyholmes Do it on the WireGuard-firewall-rule on WAN if you think you need it.

        • robyholmes
          last edited by robyholmes Aug 6, 2024, 8:32 AM

          That surely requires a dedicated tunnel for each public IP & peer we want to connect, plus another tunnel for our roaming peers (who can't get to as many networks).

          What I don't understand is what the Endpoint IP & Port is for on a peer if it doesn't restrict the connection to it?

          • Bob.Dig LAYER 8 @robyholmes
            last edited by Bob.Dig Aug 6, 2024, 8:38 AM

            @robyholmes said in WG Peer Endpoint IP - Restrict Peer to single public IP:

            https://docs.netgate.com/pfsense/en/latest/vpn/wireguard/design.html

            WireGuard does not have a concept of “Client” and “Server” per se

            What I don't understand is what the Endpoint IP & Port is for on a peer if it doesn't restrict the connection to it?

            If you put an IP there, WG would try to connect to that IP-address to establish a tunnel if one doesn't exist. There is no difference between peers, there is no server-model with WireGuard.

            • robyholmes @Bob.Dig
              last edited by Aug 6, 2024, 8:45 AM

              @Bob-Dig So the only way to limit a peer connecting is to have a different tunnel (and thus port), which you then firewall on the WAN port to only allow access to that tunnel port from X public IPs?

              • Bob.Dig LAYER 8 @robyholmes
                last edited by Aug 6, 2024, 8:49 AM

                @robyholmes Yes.
                So you could create one tunnel for all known IP-endpoints and use an alias as source.
                But also remember that WireGuard doesn't answer anything if the incoming packets don't have the right key. You can't do a port scan for WireGuard. So maybe you don't need an IP filter there.

                • robyholmes @Bob.Dig
                  last edited by Aug 6, 2024, 8:52 AM
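                As an added illustration (not from the thread and not pfSense's own generated ruleset), here is what the two-tunnel approach described above amounts to in raw pf syntax: one WireGuard listener whose WAN rule only passes UDP from an alias (a pf table) of known peer endpoints, and a second listener for roaming peers that stays open to any source. The interface name, the two ports and the table contents are constructed placeholders; pfSense builds equivalent rules from the GUI alias and WAN rules, so this is shown only to make the filtering logic explicit.

```pf
# Added example, not the thread's or pfSense's own configuration.
# All names, ports and addresses below are constructed placeholders.

wan_if = "vtnet0"          # assumed WAN interface name

# Tunnel A listens on UDP 51820: only peers with known public IPs.
# Tunnel B listens on UDP 51821: roaming peers, reachable from anywhere.
wg_known_port   = "51820"
wg_roaming_port = "51821"

# The "alias used as source" from the thread, as a pf table.
# Addresses are RFC 5737 documentation ranges, i.e. constructed.
table <wg_known_endpoints> { 198.51.100.10, 203.0.113.0/29 }

# Default deny on WAN (pfSense applies this for unmatched inbound traffic).
block in on $wan_if

# Tunnel A: the handshake is only accepted from the known endpoints.
pass in quick on $wan_if proto udp \
    from <wg_known_endpoints> to ($wan_if) port $wg_known_port

# Tunnel B: the roaming tunnel remains open to any source address.
pass in quick on $wan_if proto udp \
    from any to ($wan_if) port $wg_roaming_port

# A stolen peer key for tunnel A is useless from any address not in
# <wg_known_endpoints>: its UDP packets are dropped before WireGuard
# ever sees the handshake.
```

Which internal networks each tunnel may reach is then a separate matter of the rules on the two WireGuard interfaces (or the VLAN rules mentioned later in the thread); the WAN rules above only decide who is allowed to bring a tunnel up at all.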

                  @Bob-Dig This is an added layer of security: if the device/machine is stolen, for example, they would have the private key. So by blocking by public IP we can stop the WG connection being used elsewhere, at least to certain networks, using a VLAN firewall rule.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.