Wireguard - Mac address filter alias - extra security or not?

Started by RamSense, February 22, 2022, 05:27:08 PM

Just wondering. I have WireGuard up and running.
Would it add an extra layer of security if I created an alias containing the MAC addresses of the devices allowed to connect through the WireGuard VPN, and added this alias to the WAN port-forward firewall rule for WireGuard?
This way not only the keys would be needed, but also the correct MAC address/device (?)


I remember there was an article about protecting WireGuard with a captive portal... wouldn't this also be fine?

Thanks for your reaction. My understanding of a captive portal is: a captive portal will also add an extra layer of security, but the captive portal is also an extra item for a user to deal with to get on. I was thinking about something that is unseen / adds no extra user hassle (?) and came up with the MAC address idea, but maybe there are more options, or reasons not to use MAC?

@mimugmail, your captive portal idea seems to be the way indeed:
Portal bypass
MAC and IP addresses can be whitelisted to bypass the portal.

The rest will get a blocked splash page or something.


Hi, I liked the idea of creating an alias with the MAC of the WireGuard mobile client, so I created it, but when I try to connect it does not connect. I have to say that the WireGuard access rule in OPNsense is on the WAN and it is not a port forward. What does work is the following: create an alias with an FQDN DDNS (DuckDNS) of the WireGuard client and filter with it in the WAN rule.

Hmm... [allowed address] -> adding the WireGuard IP of the [allowed device] works and gets in.
When leaving that empty and filling [Allowed MAC addresses] -> adding the MAC of the allowed device does not work.
So it seems to me that either a. this MAC option does not work at all, or b. the MAC filter does not work over 4G/5G connections?

Has somebody tested this?
P.S. I don't see a splash page in any scenario (?) but I added the firewall rule to [WireGuard (group) net] allow to port 8000-10000.

P.P.S. I just found out about this: https://github.com/opnsense/core/issues/5459
Looks like this could be the problem; will test again when the next OPNsense update is out.
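Why a MAC alias on a WAN rule can never match a remote WireGuard peer, as an added illustration (my own code, not from this thread or from OPNsense): Ethernet headers are hop-by-hop, so every router on the path strips the frame's layer-2 header and re-encapsulates the IP packet with its own egress MAC as source. By the time the handshake reaches the OPNsense WAN NIC, the only source MAC it carries is the ISP's last-hop router, regardless of whether the phone is on Wi-Fi or 4G/5G. The topology, MAC and IP addresses and the default port 51820 are all constructed for the demo; the optional carrier-grade NAT hop also shows why the DDNS/FQDN alias approach only holds while the client's public IP is what the name resolves to.

```python
"""Simulate a WireGuard handshake frame travelling from a phone to an OPNsense WAN
interface across routed hops, and compare a MAC-based alias with an IP-based one.
Everything below (addresses, MACs, hop names) is constructed sample data."""
from dataclasses import dataclass, replace
from typing import Optional, Tuple

WIREGUARD_PORT = 51820  # WireGuard's default listen port (assumption; the thread does not state its port)


@dataclass(frozen=True)
class Frame:
    """One Ethernet frame carrying a UDP/IP packet, reduced to the fields that matter here."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    ttl: int
    udp_dport: int


@dataclass(frozen=True)
class Hop:
    """A routed hop: in_mac receives the frame, out_mac forwards it on.
    nat_src_ip, if set, models carrier-grade NAT rewriting the client's source IP."""
    name: str
    in_mac: str
    out_mac: str
    nat_src_ip: Optional[str] = None


# Constructed topology: phone -> carrier gateway -> transit router -> ISP last hop -> OPNsense WAN
CLIENT_MAC = "02:00:00:aa:aa:aa"
CLIENT_IP = "203.0.113.45"
OPNSENSE_WAN_IP = "198.51.100.10"
OPNSENSE_WAN_MAC = "02:00:00:ee:ee:ee"
PATH: Tuple[Hop, ...] = (
    Hop("carrier gateway", "02:00:00:b0:b0:b0", "02:00:00:b1:b1:b1"),
    Hop("transit router", "02:00:00:c0:c0:c0", "02:00:00:c1:c1:c1"),
    Hop("ISP last-hop router", "02:00:00:d0:d0:d0", "02:00:00:d1:d1:d1"),
)


def client_sends() -> Frame:
    """The only frame that ever carries the phone's own MAC: phone -> its first-hop gateway."""
    return Frame(CLIENT_MAC, PATH[0].in_mac, CLIENT_IP, OPNSENSE_WAN_IP, 64, WIREGUARD_PORT)


def route(frame: Frame, hop: Hop, next_mac: str) -> Frame:
    """What every router does: drop the L2 header, decrement TTL, re-encapsulate with its own MACs."""
    if frame.dst_mac != hop.in_mac:
        raise ValueError(f"{hop.name}: frame not addressed to this interface")
    if frame.ttl <= 1:
        raise ValueError(f"{hop.name}: TTL expired")
    src_ip = hop.nat_src_ip or frame.src_ip  # L3 source survives unless a NAT rewrites it
    return replace(frame, src_mac=hop.out_mac, dst_mac=next_mac, src_ip=src_ip, ttl=frame.ttl - 1)


def deliver_to_wan(frame: Frame, path: Tuple[Hop, ...] = PATH) -> Frame:
    """Forward the frame hop by hop until it lands on the OPNsense WAN NIC."""
    for i, hop in enumerate(path):
        next_mac = path[i + 1].in_mac if i + 1 < len(path) else OPNSENSE_WAN_MAC
        frame = route(frame, hop, next_mac)
    return frame


def with_cgnat(public_ip: str, path: Tuple[Hop, ...] = PATH) -> Tuple[Hop, ...]:
    """Same path, but the carrier gateway NATs the client behind a shared public IP."""
    return (replace(path[0], nat_src_ip=public_ip),) + tuple(path[1:])


def mac_alias_matches(frame: Frame, allowed_macs) -> bool:
    """A WAN rule whose source alias holds MACs compares against the frame's L2 source."""
    return frame.src_mac in allowed_macs


def ip_alias_matches(frame: Frame, allowed_ips) -> bool:
    """A WAN rule whose source alias holds IPs (or an FQDN resolved to IPs) compares the L3 source."""
    return frame.src_ip in allowed_ips


if __name__ == "__main__":
    arrived = deliver_to_wan(client_sends())
    print("src MAC seen on WAN:", arrived.src_mac, "(the last-hop router, not the phone)")
    print("src IP seen on WAN: ", arrived.src_ip)
    print("MAC alias matches?  ", mac_alias_matches(arrived, {CLIENT_MAC}))
    print("IP alias matches?   ", ip_alias_matches(arrived, {CLIENT_IP}))
    behind_cgnat = deliver_to_wan(client_sends(), with_cgnat("198.51.100.200"))
    print("IP alias behind CGNAT?", ip_alias_matches(behind_cgnat, {CLIENT_IP}))
```

The simulation makes the practical point concrete: a MAC alias is only meaningful for traffic on a directly attached segment, which is exactly the case the captive-portal bypass quoted earlier covers (LAN clients), while a WireGuard peer on the internet is identified by its key pair and, at the firewall, at most by its source IP. Filtering the WAN rule by MAC therefore adds no security and simply blocks the peer.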