From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-3.8 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id AFBF5C433E6 for ; Tue, 9 Mar 2021 21:08:16 +0000 (UTC) Received: from lists.zx2c4.com (lists.zx2c4.com [165.227.139.114]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 7FEF065256 for ; Tue, 9 Mar 2021 21:08:15 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 7FEF065256 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=bcse.de Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=wireguard-bounces@lists.zx2c4.com Received: by lists.zx2c4.com (ZX2C4 Mail Server) with ESMTP id 98e8fe9f; Tue, 9 Mar 2021 21:05:25 +0000 (UTC) Received: from wp100.webpack.hosteurope.de (wp100.webpack.hosteurope.de [2a01:488:42:1000:50ed:846b::]) by lists.zx2c4.com (ZX2C4 Mail Server) with ESMTPS id 6a114790 (TLSv1.3:AEAD-AES256-GCM-SHA384:256:NO) for ; Tue, 9 Mar 2021 12:29:59 +0000 (UTC) Received: from app13-neu.ox.hosteurope.de ([92.51.170.147]); authenticated by wp100.webpack.hosteurope.de running ExIM with esmtpsa (TLS1.0:ECDHE_RSA_AES_256_CBC_SHA1:256) id 1lJbUt-0008Eg-Fo; Tue, 09 Mar 2021 13:29:59 +0100 Date: Tue, 9 Mar 2021 13:29:58 +0100 (CET) From: wp1065151-spam wp1065151-spam To: "wireguard@lists.zx2c4.com" Message-ID: <1806565185.3541.1615292999117@ox.hosteurope.de> Subject: Question about ACL MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Priority: 3 Importance: Normal X-Mailer: Open-Xchange Mailer v7.10.4-Rev18 X-Originating-IP: 212.202.64.10 X-Originating-Client: open-xchange-appsuite X-Originating-Sender: spam@bcse.de X-bounce-key: webpack.hosteurope.de;spam@bcse.de;1615292999;3f8cb0b0; X-HE-SMSGID: 1lJbUt-0008Eg-Fo X-Mailman-Approved-At: Tue, 09 Mar 2021 21:05:22 +0000 X-BeenThere: wireguard@lists.zx2c4.com X-Mailman-Version: 2.1.30rc1 Precedence: list List-Id: Development discussion of WireGuard List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: wireguard-bounces@lists.zx2c4.com Sender: "WireGuard" Hi. My Question : I have two peers configured on my WG Server. Peer A should grant access to Subnet 10.0.10.0/24 Peer B to 10.0.20.0/24. In Clientconfig i set PEER A AllowedIPs = 10.255.0.0/24,10.0.10.0/24 PEER B AllowedIPs = 10.255.0.0/24,10.0.20.0/24 SERVER [Interface] Address = 10.9.254.1/24 ListenPort = 55555 PrivateKey = AAAAAAAAAAAAAAAAAAAA= [Peer] # PEER A PublicKey = BBBBBBBBBBBBBBBBBBBB= AllowedIPs = 10.9.254.100/32 [Peer] # PEER B PublicKey = CCCCCCCCCCCCCCCCCCC= AllowedIPs = 10.9.254.101/32 How can i prevent PEER B from changing his config to : AllowedIPs = 10.255.0.0/24,10.0.20.0/24,10.0.10.0/24 to get access to 10.0.10.0/24 too ? If i add allowed IP in servers PEER B config, it will add a route for 10.0.10.0/24 to wg0 So PEER A is not longer be able to access this subnet. How can i set a ACL that allows Peer A and Peer B only to access configured subnet, outside the client config. I also could be happen that you would like allow your Friend only to access your Server (.101) and Printer (.150) but you Family the whole subnet. Therefor Friend get in his peer Config: AllowedIPs = 10.9.254.0/24,10.0.10.101/32,10.0.10.150/32 Family: AllowedIPs = 10.9.254.0/24,10.0.10.0/24 How we prevent the Friend to change his config to 10.0.10.0/24 ?