Restrict WireGuard peer access to server

I have WireGuard set up on my router running OpenWrt 18.06.4. I have several peers connecting to it. I want to restrict one remote peer’s access to the local LAN while it should still be accessible from the LAN.

This is how the peer is configured in the router:

config wireguard_wireguard
option description 'Peer2'
option public_key <PUBLICKEY>
option route_allowed_ips '0'
list allowed_ips '10.10.0.15/32'

This is the peer’s WireGuard settings:

[Interface]
Address = 10.10.0.15/32
PrivateKey = <PRIVATEKEY>

[Peer]
PublicKey = <PUBLICKEY>
AllowedIPs = 10.10.0.0/24, 192.168.0.0/24
Endpoint = <ENDPOINT>
PersistentKeepalive = 25

192.168.0.0/24 was added to the AllowedIPs so that it can be accessed from my local LAN.

I set up the following Traffic Rule in my router to block access to the local LAN:

config rule
option src_ip '10.10.0.15'
option proto 'all'
option target 'REJECT'
option name 'Block-Peer2'
option src '*'
option dest '*'

The above setup almost works: the peer can be accessed from the LAN and it is blocked from accessing almost everything inside the LAN. The only exception is the router itself. The peer can still access the LuCI management page; i.e., it is not prevented from accessing port 80 of 192.168.0.1 (my router).

Is there a way to prevent it from accessing anything inside my LAN, including ports of the router itself?

Add another rule with "dest" unset. This should block INPUT to the router itself.

config rule
option src_ip '10.10.0.15'
option proto 'all'
option target 'REJECT'
option name 'Block-Peer2'
option src '*'
4 Likes
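Why the first rule alone left port 80 on the router reachable, as an added example that is not part of the thread: it classifies each UCI rule by the iptables chain fw3 puts it in (src and dest set: FORWARD; src only: INPUT; dest only: OUTPUT) and replays the peer's packets against the rule set. It assumes first-match-wins and an ACCEPT zone default for unmatched traffic, which is what the post observed before the second rule.

```python
# Added example (not the forum's or OpenWrt's code). Assumed fw3 semantics:
# src+dest -> FORWARD, src only -> INPUT, dest only -> OUTPUT, first match
# wins, unmatched traffic falls through to an assumed ACCEPT zone policy.
import ipaddress
import shlex

def parse_uci_rules(text):
    """Parse 'config rule' sections into dicts of their option values."""
    rules = []
    for line in text.splitlines():
        parts = shlex.split(line)  # strips the UCI single quotes
        if len(parts) >= 2 and parts[0] == "config" and parts[1] == "rule":
            rules.append({})
        elif len(parts) == 3 and parts[0] == "option" and rules:
            rules[-1][parts[1]] = parts[2]
    return rules

def chain_for(rule):
    """Chain fw3 generates the rule into, based on which zones are set."""
    if "dest" in rule:
        return "FORWARD" if "src" in rule else "OUTPUT"
    return "INPUT" if "src" in rule else "OUTPUT"

def verdict(rules, src_ip, chain):
    """Replay a packet from src_ip that hits `chain`; first matching rule wins."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if chain_for(rule) != chain:
            continue
        if "src_ip" in rule and ip not in ipaddress.ip_network(rule["src_ip"]):
            continue
        return rule["target"]
    return "ACCEPT"  # assumed zone default (LuCI was reachable in the post)

# Constructed from the two rules in the thread (second name is made up).
FORWARD_ONLY = """
config rule
    option src_ip '10.10.0.15'
    option target 'REJECT'
    option name 'Block-Peer2'
    option src '*'
    option dest '*'
"""
INPUT_RULE = """
config rule
    option src_ip '10.10.0.15'
    option target 'REJECT'
    option name 'Block-Peer2-Input'
    option src '*'
"""

if __name__ == "__main__":
    one, both = parse_uci_rules(FORWARD_ONLY), parse_uci_rules(FORWARD_ONLY + INPUT_RULE)
    print("LAN host, rule 1 only:", verdict(one, "10.10.0.15", "FORWARD"))   # REJECT
    print("router,   rule 1 only:", verdict(one, "10.10.0.15", "INPUT"))     # ACCEPT
    print("router,   both rules :", verdict(both, "10.10.0.15", "INPUT"))    # REJECT
```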

Thank you, that did the trick!

1 Like