I have two VPN subnets configured as server:
* first with internet access (Kill Switch=Disabled, Allow Clients WAN Access=Enabled)
* the second without internet (Kill Switch=Enabled, Allow Clients WAN Access=Disabled)
I have noticed that Kill Switch=Enabled on oet2 also blocks WAN traffic on oet1, which has Kill Switch=Disabled. If I want internet access on oet1, then Kill Switch on oet2 must be Disabled.
Is this normal behavior?
I have read the manual but I couldn't figure out the difference between Kill Switch and Allow Clients WAN Access. Could somebody explain this to me?
Thanks.
Joined: 18 Mar 2014 Posts: 12915 Location: Netherlands
Posted: Sun May 21, 2023 7:47 Post subject:
Quote:
Kill Switch: Enabled (checked)
A kill switch is used if you want to block traffic going out of the WAN interface.
The Kill switch is intelligent, meaning that when PBR is used, only the IP addresses in the PBR field are
blocked from accessing the WAN, if you do not use PBR all traffic coming from all LAN clients is
blocked from going out of the WAN.
Basically that says it all: all traffic from all LAN clients is blocked going out of the WAN (if PBR is *not* used)
Quote:
Allow Clients WAN Access
This is mainly used when you use WG as a server or when setting up a site-to-site setup; see the Server Setup guide. So disable (untick) it for normal client use.
So not relevant for a normal Client setup.
From the Server setup guide:
Quote:
14. Allow Clients WAN Access: Enable if you want your connecting WireGuard clients to have internet access via the server (NAT out via the server's WAN).
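To make the quoted manual text concrete, here is an added example (not part of egc's post and not DD-WRT's own kill switch code): a small POSIX shell script that builds a PBR-aware kill switch the way the manual describes it. It assumes the WAN interface name is passed in (on DD-WRT that would be $(get_wanface)), that the PBR list is one IP or CIDR per line, and the names killswitch, run and DRY_RUN are chosen here. With entries in the list only those sources are refused a path out of the WAN; with an empty list the rule has no source match at all, which is exactly why it then catches every forwarded flow, including flows coming in from another tunnel.

```shell
#!/bin/sh
# Added example, not code from the thread or from DD-WRT: a PBR-aware kill
# switch in the spirit of the manual text quoted above.
# Assumptions: the WAN interface name is passed in (on DD-WRT: $(get_wanface)),
# the PBR list is one IP or CIDR per line, blank lines and '#' lines ignored.
# DRY_RUN=1 prints the iptables commands instead of executing them.

: "${DRY_RUN:=0}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# killswitch WANIF [PBR_LIST]
# With a non-empty PBR list, only those sources are refused a path out of the
# WAN; with an empty list the rule is unconditional, so every forwarded flow
# towards the WAN is refused, whichever LAN or tunnel it came from.
# No state match on purpose: packets of already-tracked flows are refused too,
# not only NEW connections.
killswitch() {
    wanif=$1
    pbr=${2:-}
    have_entry=0
    # here-document instead of a pipe, so have_entry is not lost in a subshell
    while read -r entry; do
        case $entry in ''|'#'*) continue ;; esac
        have_entry=1
        run iptables -I FORWARD -s "$entry" -o "$wanif" -j REJECT --reject-with icmp-host-prohibited
    done <<EOF
$pbr
EOF
    if [ "$have_entry" -eq 0 ]; then
        run iptables -I FORWARD -o "$wanif" -j REJECT --reject-with icmp-host-prohibited
    fi
}

# Usage on the router, dry run first:
#   DRY_RUN=1 sh killswitch.sh
# then e.g.  killswitch "$(get_wanface)" "$(cat /tmp/pbr.txt)"
if [ "$#" -ge 1 ]; then
    killswitch "$1" "${2:-}"
fi
```

Run it with DRY_RUN=1 once and compare the printed rules with the two cases the manual names: a list of sources gives one REJECT per source, an empty list gives a single REJECT without -s, which is the "all traffic from all LAN clients" case.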
Joined: 16 Nov 2015 Posts: 6446 Location: UK, London, just across the river..
Posted: Sun May 21, 2023 9:17 Post subject:
lol, this thread feels like déjà vu, as I read it a couple of hours ago... and rubbed my eyes and read it again, and again it was different... anyway, just to ask if the WireGuard and OpenVPN kill switches are made by the same guy...
If I'm not wrong, eibgrad made one for the VPN back in the day... and I was just using a single line for quite a long time instead (egc's way), assuming br0 is your default bridge...
iptables -I FORWARD -i br0 -o $(get_wanface) -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
It could be tailored like this to be less specific... but... not ideal:
iptables -I FORWARD -o $(get_wanface) -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
and there were a lot of other examples... but when it came to PBR, the GUI kill switch was introduced...
I want to isolate the VPN subnet from the rest of the network. Only VPN clients of that subnet can communicate with each other.
I have managed to write those commands:
iptables -I FORWARD -i oet2 -j DROP
iptables -I FORWARD -o oet2 -j DROP
iptables -I FORWARD -s $(nvram get oet2_ipaddrmask) -d $(nvram get oet2_ipaddrmask) -j ACCEPT
But I am not completely satisfied... gateways of other subnets are still reachable (e.g. the DD-WRT GUI on 192.168.1.1).
How would you write the iptables commands for this problem?
What is the best practice to achieve that?
Thanks for the reply; I wasn't clear enough. I will try to explain a bit more.
I have two WireGuard tunnels (of course on different subnets) and they are configured independently. The first tunnel is not the subject of this topic.
I am just asking, for the second tunnel, how to achieve total isolation from the rest of the network. Like a switch (without WAN connection) in a locked room with some computers: the computers can communicate with each other, but cannot communicate outside the tunnel. Also, other devices outside this tunnel/subnet cannot reach the devices/computers in that tunnel.
Joined: 18 Mar 2014 Posts: 12915 Location: Netherlands
Posted: Fri May 26, 2023 6:24 Post subject:
The WireGuard tunnels indeed have different subnets, otherwise it could not work.
I assume you have PBR running on both tunnels to differentiate which clients use which tunnel.