How to configure a wireguard interface to only allow access to a NFS share on a NAS

I have a NAS (192.168.1.200) on my LAN that has NFS shares. I want to make a wireguard interface on my router that will allow remote access to the NFS shares on the NAS but not allow anything else. When I set up wireguard in the past, connecting to it would change the IP of my phone to the IP of my router. I do not want that to happen. How can I restrict it?

You mean NAT?

Yes, that is right.

You can make an extra gre(tap) tunnel for the nfs server to client.

Configure a forwarding firewall rule that allows access to the server IP address on the NFS ports from the WireGuard interface zone.
Do not use NAT (masquerading) between the WireGuard interface zone and lan.


Set allowed_ips on the phone to be only the IP of the NAS. This will cause the phone to send only those packets into the tunnel. It will continue to route everything else to the Internet over its local wan connection.

You should also allow the tunnel IP subnet, as this makes it possible to ping the phone's tunnel IP from the router (and vice versa), which is useful for testing.


Is the allowed_ips a setting under the wireguard interface for the phone's profile?
Interfaces>wireguard>Peers>Allowed IPs?

Right now for my device it has 10.200.200.202/32 which is my profile's IP. Are you saying to add another one for the NAS 192.168.1.100/32 and that will restrict to only that?

Allowed_ips are addresses of interest that exist on the other side of the tunnel. So set this in the phone wireguard client app, not at your router. The app default is usually 0.0.0.0/0, which causes all Internet use from the phone to go through the tunnel. In this case, you don't want that. You only want to access the NAS.
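As an added check, not code from this thread, assuming the NAS at 192.168.1.200 and a 10.200.200.0/24 tunnel subnet as in the question: a small Python audit of a phone-side WireGuard config (the two configs are constructed samples) that flags the app's 0.0.0.0/0 default and any AllowedIPs entry wider than the NAS host route plus the tunnel subnet.

```python
import ipaddress

# Constructed sample: the phone app's usual default, everything into the tunnel.
DEFAULT_CONF = """\
[Interface]
Address = 10.200.200.202/32
[Peer]
AllowedIPs = 0.0.0.0/0
"""

# Constructed sample: only the NAS and the tunnel subnet, as the thread suggests.
RESTRICTED_CONF = """\
[Interface]
Address = 10.200.200.202/32
[Peer]
AllowedIPs = 192.168.1.200/32, 10.200.200.0/24
"""

def parse_allowed_ips(conf_text):
    """Collect every network listed as AllowedIPs in the [Peer] section(s)."""
    nets, section = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, _, value = line.partition("=")
        if section == "peer" and key.strip().lower() == "allowedips":
            nets += [ipaddress.ip_network(v.strip(), strict=False)
                     for v in value.split(",") if v.strip()]
    return nets

def audit(conf_text, nas_ip, tunnel_subnet):
    """Return (ok, findings): ok only if every AllowedIPs entry sits inside
    the NAS host route or the tunnel subnet."""
    permitted = [ipaddress.ip_network(f"{nas_ip}/32"),
                 ipaddress.ip_network(tunnel_subnet)]
    findings = []
    for net in parse_allowed_ips(conf_text):
        if net.prefixlen == 0:
            findings.append(f"{net}: full-tunnel default, all phone traffic enters the tunnel")
        elif not any(net.version == p.version and net.subnet_of(p) for p in permitted):
            findings.append(f"{net}: wider than the NAS host and the tunnel subnet")
    return not findings, findings

if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("restricted", RESTRICTED_CONF)):
        ok, findings = audit(conf, "192.168.1.200", "10.200.200.0/24")
        print(f"{name}: {'OK' if ok else 'NEEDS FIXING'}", *findings, sep="\n  ")
```

The forwarding rule on the router still has to limit the WireGuard zone to the NAS and the NFS ports; this check only covers what the phone sends into the tunnel.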