[Question or Feature Request] Any wg1.conf option to limit peer IP as 1-to-1?
KeXianbin(http://diyism.com)
kexianbin at diyism.com
Mon Dec 17 09:10:27 CET 2018
It seems that "AllowedIPs" have nothing to do with refusing unwantted peer's IP.
It only specifes the outgoing target IPs,
For example, I sometimes set "AllowedIPs=216.58.0.0/18" to enable me
to visit https://www.google.com through the internet of the peer
"10.1.0.3".
On Mon, Dec 17, 2018 at 3:53 PM KeXianbin(http://diyism.com)
<kexianbin at diyism.com> wrote:
>
> On my machine(10.1.0.1), does the option "AllowedIPs = 10.1.0.3/32" in
> wg1.conf take effects in both input and ouput directions?
> It seems that "AllowedIPs = 10.1.0.3/32" only added ip route rule
> "10.1.0.3 dev wg1 scope link" on my side,
> can it prevent the peer to send packets to my 10.1.0.1:80 from 10.1.0.4?
> On Mon, Dec 17, 2018 at 3:40 PM Jason A. Donenfeld <Jason at zx2c4.com> wrote:
> >
> > On Mon, Dec 17, 2018 at 2:42 AM KeXianbin(http://diyism.com)
> > <kexianbin at diyism.com> wrote:
> > > AllowedIPs = 10.1.0.3/32
> > > [...]
> > > If I want to limit the peer to a fixed IP 10.1.0.3, any wg1.conf
> > > OPTION to config it?
> > >
> > > Currently, the peer can set any IP, for example 10.1.0.4, and can
> > > send packets to my http://10.1.0.1:80 from 10.1.0.4.
> >
> > Setting that peer's allowedips to 10.1.0.3/32 should accomplish
> > exactly what you want; that peer is _only_ allowed to send packets as
> > that IP. If the peer attempts to send packets as 10.1.0.4, WireGuard
> > should reject those packets. If it doesn't, that sounds like a major
> > bug.
More information about the WireGuard
mailing list