Can Wireguard access be limited to a specific VLAN?

So just wondering if Wireguard through Luci can be set up with access limited within a specific VLAN or subdomain? What kind of configuration do I need? And how does Tailscale compare with its ACL?

More context could be useful, as it's not totally clear what you're asking.

Wireguard is a VPN protocol... there is a LuCI interface to administer the service, but it's not really "through LuCI" in any way.

Can you be more specific here:

  • Is the VPN an inbound one (i.e. allowing remote access to your network while off premises), or an outbound one (such as connecting to a commercial VPN provider)?
  • Likewise, is the goal to prevent remote peers (in the inbound case) from reaching certain VLANs behind your router, or (in the outbound case) do you want to selectively route such that some networks use (or have access to) the tunnel while others egress via the standard wan?

1 Like

When I said through Luci, I just meant setting these specific things with Wireguard through Luci (GUI), not through config files.

I would like to connect to my home router when I'm elsewhere, and I would like to specifically (for the time being) connect to my NAS, which is on a separate VLAN and separate SSID at home. I would also allow a few members to do the same, so they use some of the NAS features when we are not at home.

This is really a function of the firewall configuration... just allow forwarding from the VPN zone to the zone with the VLAN in question.

1 Like

This isn't a Wireguard question; this would be done by the firewall. As traffic enters the router on any network interface, the firewall decides whether it will be allowed to forward to another network.

So first get Wireguard remote connections working generally. Make sure that the Wireguard interface and the VLAN connected to the NAS are in different firewall zones. Then you can write specific rules to allow only certain traffic. This can all be done in LuCI.
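As an added illustration of the zone-based approach these two replies describe (example configuration, not something posted in the thread), the UCI fragments below put the WireGuard interface in its own firewall zone and permit forwarding only into the zone that holds the NAS VLAN. The interface names (wg0, nasvlan), zone names (wg, nas), the 10.10.10.0/24 tunnel subnet and the key placeholder are all assumptions.

```uci
# /etc/config/network  (assumed names: wg0 is the tunnel, nasvlan is the VLAN the NAS sits on)
config interface 'wg0'
	option proto 'wireguard'
	option private_key '<SERVER_PRIVATE_KEY_PLACEHOLDER>'
	option listen_port '51820'
	list addresses '10.10.10.1/24'   # the tunnel's own subnet, distinct from every VLAN

# /etc/config/firewall
# The tunnel gets its own zone; nothing is forwarded out of it unless a rule says so.
config zone
	option name 'wg'
	list network 'wg0'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# The NAS VLAN is a separate zone, so forwarding into it is an explicit decision.
config zone
	option name 'nas'
	list network 'nasvlan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Let remote peers reach the WireGuard listener on the WAN side (UDP only).
config rule
	option name 'Allow-WireGuard-Inbound'
	option src 'wan'
	option proto 'udp'
	option dest_port '51820'
	option target 'ACCEPT'

# The only inter-zone path granted to the tunnel: wg -> nas.
# There is deliberately no forwarding stanza for wg -> lan, so that stays rejected.
config forwarding
	option src 'wg'
	option dest 'nas'
```

Apply it with `/etc/init.d/network restart` followed by `/etc/init.d/firewall restart`. Because the wg zone's input policy is REJECT, peers cannot talk to the router itself (for example its DNS resolver); if you want that, add a separate input rule with `option src 'wg'` and `option dest_port '53'` rather than loosening the zone policy. The same stanzas can be entered through LuCI under Network > Interfaces and Network > Firewall; the file form is shown only because it is easier to read in a forum post.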

@psherman @mk24 Thanks guys. This would work in the case where I only allow the NAS to be accessed remotely. What happens if I want to access other VLANs on my network, do I need (can I even do that) create multiple Wireguard interfaces and assign them to the appropriate VLANs through the firewall?

Again, I would like to share this to family members and I would be the only one with access to all the VLANs.

All of this can be handled by the firewall and/or the allowed IPs on the remote peer's configuration (the allowed IPs can be easily modified, so you probably want to do this with the firewall).

You could even set up 2 different wireguard interfaces -- one that is more restrictive and one that is more permissive (they also need to be on different ports).

There are lots of ways to approach it. You need to define the specific access you want to allow/prevent and then you can go from there.

Ok, so you are saying that the peer's config is where you select the exact ip/subnet to join and not in the wireguard interface config (though I believe I saw an IP address field in luci's wireguard interface settings), therefore I need to firewall it?

Every peer has an allowed IPs field.

On your OpenWrt 'server' side peer, that field serves as the address that the remote peer will use for the purpose of establishing the tunnel. It will allow the router to know to send data that is bound for a given peer over the tunnel to said peer.

On the remote ('client') peer, there is, of course, a wg configuration that allows it to establish the tunnel back to your OpenWrt based peer at home. In this case, the allowed IPs defines what traffic should be sent via the tunnel. If you use 0.0.0.0/0 that means send all traffic through the tunnel. If you were to say 192.168.1.0/24 it would specify only that subnet should go through the tunnel to the 'server' side, and if you were to specify 192.168.1.42/32 that would mean only traffic destined for that specific host should go through the tunnel. (any traffic that doesn't go through the tunnel would normally egress via the normal network/wan that the remote peer would use if it wasn't connected to the tunnel in the first place).

The problem with this approach is that it doesn't prevent access to other hosts/networks insofar as someone could just modify the allowed IPs on their ('client') peer configuration (i.e. on their phone/computer, etc.).

The firewall is the way you actually allow/deny specific traffic by crafting rules with appropriate granularity.

2 Likes

Ok, nice. I believe what you are saying is basically in line what I was thinking. Thanks for the info.

In theory, if I were to have 3 users, all with different permissions, say one full access to all vlans/subnets, one NAS access only, one IoT + NAS, I can accomplish this only by having three different WG interfaces (with different ports and the three different firewall configs)?

Can I define any port with Wireguard? I know that the default port is 51820, but I can just use anything right?

How's tailscale on openwrt and can the ACL part of tailscale help in my situation?

You could do 3 different wireguard interfaces, or you could do 1 interface with firewall rules based on the IP addresses.

Yes, as long as it is UDP.

I don't use tailscale, so that's not my area of expertise.

1 Like

Based on the IP addresses the peers are trying to connect to, or what? Because then it still means that they can choose to what subnet they want to connect? It's not that I don't trust my family members, it's more that I don't trust their device hygiene.

Based on the IP addresses of the peers themselves (their WG address, specifically).
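A worked example of that per-peer approach for the three-user scenario asked about above, added here rather than taken from the thread: a single wg0 interface, each peer pinned to its own /32 tunnel address on the OpenWrt side, and firewall rules keyed on that source address instead of a blanket forwarding. It assumes the zones wg (containing wg0), lan, nas and iot already exist with their forward policy set to REJECT; the peer names, the 10.10.10.0/24 addresses and the key placeholders are invented.

```uci
# /etc/config/network -- one peer stanza per person; the section type is wireguard_<ifname>.
# allowed_ips on this side is the source address the router will accept FROM that peer,
# so each peer is identifiable by its /32 no matter what its own client config says.
config wireguard_wg0
	option description 'alice (all VLANs)'
	option public_key '<ALICE_PUBLIC_KEY_PLACEHOLDER>'
	list allowed_ips '10.10.10.2/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

config wireguard_wg0
	option description 'bob (NAS only)'
	option public_key '<BOB_PUBLIC_KEY_PLACEHOLDER>'
	list allowed_ips '10.10.10.3/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

config wireguard_wg0
	option description 'carol (NAS + IoT)'
	option public_key '<CAROL_PUBLIC_KEY_PLACEHOLDER>'
	list allowed_ips '10.10.10.4/32'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

# /etc/config/firewall -- no 'config forwarding' from wg at all. Each rule below
# is a forwarding rule (src + dest zone) narrowed to one peer's tunnel address.
# Anything not matched falls through to the wg zone's forward=REJECT.
config rule
	option name 'wg-alice-to-lan'
	option src 'wg'
	option src_ip '10.10.10.2'
	option dest 'lan'
	option target 'ACCEPT'

config rule
	option name 'wg-alice-to-nas'
	option src 'wg'
	option src_ip '10.10.10.2'
	option dest 'nas'
	option target 'ACCEPT'

config rule
	option name 'wg-alice-to-iot'
	option src 'wg'
	option src_ip '10.10.10.2'
	option dest 'iot'
	option target 'ACCEPT'

config rule
	option name 'wg-bob-to-nas'
	option src 'wg'
	option src_ip '10.10.10.3'
	option dest 'nas'
	option target 'ACCEPT'

config rule
	option name 'wg-carol-to-nas'
	option src 'wg'
	option src_ip '10.10.10.4'
	option dest 'nas'
	option target 'ACCEPT'

config rule
	option name 'wg-carol-to-iot'
	option src 'wg'
	option src_ip '10.10.10.4'
	option dest 'iot'
	option target 'ACCEPT'
```

The reason this holds up against a peer editing their own client config is WireGuard's cryptokey routing: a packet arriving through the tunnel is only accepted if its source address lies inside the allowed_ips bound to the key that decrypted it, so bob's device cannot present itself as 10.10.10.2 to pick up alice's rules. Changing the client-side AllowedIPs only changes which destinations the client routes into the tunnel; the rules above decide what the router forwards for each /32. Restrict a peer further (for example bob to the NAS host only) by adding `option dest_ip '<NAS address>'` to his rule.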

I see, didn't know that you can do that and also firewall based on the peer.

Which pages from the wiki are the most important to setup WG? https://openwrt.org/docs/guide-user/services/vpn/wireguard/start

And lastly for the DDNS, what do you recommend using? There is a simpler way to implement DuckDNS, but I thought going with Cloudflare and I believe the packages would be ddns-scripts and ddns-scripts-cloudflare for it. Let me know if you have any suggestions on that when using it with WG.

Look at the road warrior type config -- that's the most relevant to your situation.

I personally use changeip, but there are tons of options. Just look at the supported options within ddns scripts. The service you use has nothing to do with WireGuard or anything else. IMO, the choice really boils down to a matter of the right option for you when it comes to cost, features, domain name options and other features.

1 Like

This seems very simple; aside from setting up the DDNS and the config in the scripts, it's pretty straightforward. Thanks for the suggestion on the road-warrior setup.

I wanted to ask though, can you ELI5 to me the road-warrior part, like what does it do differently than doing it yourself, aside from automating the process through a script?

Also I see that an IP address for the WG interface is needed, actually a separate subnet. Is this how WG works, it has its own subnet and this is why you can then firewall specific peers off the other subnets?

In its current form, it's really just a script to automate the process. It can reduce the number of errors that users will encounter. IIRC, there was a previous version that explained the general principle and process of setting up the road warrior config (you'd be amazed how often people don't quite understand the goals).

Yes, it is a routed protocol, so it requires a unique subnet.

Precisely.

1 Like