OPNsense Forum

English Forums => Virtual private networks => Topic started by: spetrillo on November 18, 2025, 05:55:53 PM

Title: Wireguard Access and Global IP Blocks
Post by: spetrillo on November 18, 2025, 05:55:53 PM
Hello all,

I am trying to balance the need of my developers to access my internal systems via WG VPN and the need to block IPs on a country basis. Has anyone found a way to do this? I have one developer who might be in Colombia one day and India the next day. How do I set him and others to get in while blocking the global IPs?

Thanks,
Steve
Title: Re: Wireguard Access and Global IP Blocks
Post by: meyergru on November 18, 2025, 06:57:41 PM
Do you fear that the WG VPN endpoint could be exploited? It should be fairly resilient, plus, you can use any exotic port you like.

Thus, you could place the rule for the WG port before the normal geoip block rules. You can further limit access by creating a more limited version of the geoip blocks only for the WG port which excludes whatever countries you want to have VPN access.
Title: Re: Wireguard Access and Global IP Blocks
Post by: spetrillo on November 18, 2025, 09:36:17 PM
No...my problem is I have no way to know what public IP this user will have, and so my global IP block does not allow the VPN connection.

Do I just need to put the VPN rule ahead of the block?
Title: Re: Wireguard Access and Global IP Blocks
Post by: meyergru on November 18, 2025, 10:01:21 PM
Yes.
Title: Re: Wireguard Access and Global IP Blocks
Post by: spetrillo on November 19, 2025, 02:25:13 AM
Thanks!

Can I further lock this down by using the private IP of the incoming VPN connection as the source?
Title: Re: Wireguard Access and Global IP Blocks
Post by: meyergru on November 19, 2025, 09:28:26 AM
With VPNs, there are always two firewall rules involved:

1. The one with which you allow access for the VPN daemon port. In order to allow access for your roadwarriors from anywhere, this must not be limited by a geoip rule.

2. The ones to define what these roadwarriors can do within your network once they get an IP assigned by the VPN (which would be an RFC1918 IP). These rules can be specified at WG group, network, WG instance or even at the client IP level, but at finest granularity, they can tell you which specific WG key is being used. They do not carry any information as to which routeable IP (or which country) the client originally came from.

So, yes, you can, but this private IP obviously bears no information on location. I use this all day. There must be a way to do this, otherwise any VPN client could do either nothing or anything. You can use different WG instances for site-2-site tunnels than for roadwarriors or even have different instances for "types" of roadwarriors (like administrators vs. developers).
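The two rule layers meyergru describes, written out in pf syntax (the rule language OPNsense generates from its GUI rules) as an added illustration that is not part of the thread and not something either poster wrote. Interface names, the WireGuard port, the table contents and the tunnel addresses are assumptions; the GeoIP networks are documentation ranges used as placeholders, not real country blocks. In OPNsense GUI rules are "quick" by default, so the first matching rule wins, which is exactly why the order on the WAN side matters.

```pf
# Added example, not from the thread: hand-written pf syntax to show the two
# rule layers. Interface names, port, table contents and tunnel addresses are
# assumptions chosen for illustration.
wan     = "vtnet0"
wg      = "wg0"
wg_port = "51820"

# GeoIP block list (OPNsense normally builds this as an alias from a GeoIP
# feed). Placeholder networks only.
table <geoip_block> persist { 203.0.113.0/24, 198.51.100.0/24 }

# Layer 1, WAN side: the WireGuard daemon port is reachable from anywhere
# and is evaluated BEFORE the GeoIP block. With "quick", the first match
# wins, so a developer in a blocked country still reaches the daemon.
pass  in quick on $wan proto udp from any to ($wan) port $wg_port
block in quick on $wan from <geoip_block> to any

# Wrong order, kept commented out for comparison: the block rule would match
# first and the handshake from a listed country never reaches WireGuard.
# block in quick on $wan from <geoip_block> to any
# pass  in quick on $wan proto udp from any to ($wan) port $wg_port

# Layer 2, WG interface: what a peer may do once inside. The source address
# is the tunnel IP assigned to the peer, which maps to a WireGuard key, not
# to the public IP or country the peer connected from.
developers = "{ 10.10.0.10, 10.10.0.11 }"
admins     = "{ 10.10.0.2 }"
pass  in quick on $wg proto tcp from $developers to 192.168.1.0/24 port { 22, 443 }
pass  in quick on $wg from $admins to any
block in quick on $wg all
```

The same layering carries over to separate WG instances: a second instance for site-to-site peers gets its own interface and its own layer-2 rules, so a site-to-site tunnel address never matches the roadwarrior rules above.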