WireGuard: prohibit communication between clients (client isolation)

WireGuard offers many advantages as a VPN solution, but by default a WireGuard server forwards traffic between its clients. This is a security risk if a client is misconfigured. It is therefore recommended to isolate the clients from each other so that they cannot communicate.

This can be accomplished relatively easily with iptables on the server:

ip6tables -I FORWARD -i wg0 -o wg0 -j REJECT --reject-with icmp6-adm-prohibited
iptables -I FORWARD -i wg0 -o wg0 -j REJECT --reject-with icmp-admin-prohibited

If individual clients are still to be allowed to communicate, additional rules must be added for them. In the example below, the IP of the shared client is 10.6.6.3 (a /32 prefix = exactly one IP address) and the network is 10.6.6.0 (a /24 prefix = the entire subnet). Since -I inserts at the top of the chain, this rule must be added after the REJECT rules above so that it is evaluated before them.

iptables -I FORWARD -i wg0 -s 10.6.6.3/32 -d 10.6.6.0/24 -j ACCEPT

If there is a server on the network that is also connected via WireGuard, I recommend that you do not simply open up the entire server with all of its ports, but only the ports that are actually needed.
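As an added illustration (not part of the original post), here is a small Python model of the FORWARD chain that the iptables commands above build: insert() mimics the prepending behaviour of -I, and verdict() applies first-match semantics to wg0-to-wg0 packets. It shows that the exception rule lets the shared client reach its peers, but that the peers' replies are rejected unless an ESTABLISHED,RELATED rule sits above the REJECT; that extra rule is an assumption of this example, the post itself does not include it.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    target: str                 # -j ACCEPT / REJECT
    src: str = "0.0.0.0/0"      # -s
    dst: str = "0.0.0.0/0"      # -d
    established: bool = False   # -m conntrack --ctstate ESTABLISHED,RELATED

    def matches(self, src: str, dst: str, reply: bool) -> bool:
        if self.established and not reply:
            return False
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst))


class ForwardChain:
    """Only wg0 -> wg0 packets are modelled (every rule carries -i wg0 -o wg0),
    so interface matching is left out."""
    def __init__(self):
        self.rules: list[Rule] = []

    def insert(self, rule: Rule) -> None:
        # 'iptables -I FORWARD ...' without a position prepends to the chain.
        self.rules.insert(0, rule)

    def verdict(self, src: str, dst: str, reply: bool = False) -> str:
        for rule in self.rules:            # first match wins
            if rule.matches(src, dst, reply):
                return rule.target
        return "ACCEPT"                    # chain policy: forwarding otherwise allowed


def build_chain(with_conntrack: bool = False) -> ForwardChain:
    chain = ForwardChain()
    # The post's commands, run in the order given: REJECT first, then the exception.
    chain.insert(Rule("REJECT"))
    chain.insert(Rule("ACCEPT", src="10.6.6.3/32", dst="10.6.6.0/24"))
    if with_conntrack:
        # Assumed extra rule, not in the post: admit reply packets of connections the
        # shared client opened, i.e. 'iptables -I FORWARD -i wg0 -o wg0 -m conntrack
        # --ctstate ESTABLISHED,RELATED -j ACCEPT' run after the two commands above.
        chain.insert(Rule("ACCEPT", established=True))
    return chain


if __name__ == "__main__":
    plain, fixed = build_chain(), build_chain(with_conntrack=True)
    print(plain.verdict("10.6.6.3", "10.6.6.5"))               # ACCEPT: shared client reaches a peer
    print(plain.verdict("10.6.6.5", "10.6.6.3", reply=True))   # REJECT: the peer's answer is blocked
    print(fixed.verdict("10.6.6.5", "10.6.6.3", reply=True))   # ACCEPT: reply admitted by conntrack rule
    print(fixed.verdict("10.6.6.5", "10.6.6.3"))               # REJECT: peers still cannot initiate
```

Because -I always prepends, the same ordering rules apply on the real server: whichever command is run last ends up on top of the chain.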
