Topic: Wireguard - Mac address filter alias - extra security or not? (Read 2218 times)
RamSense
Hero Member
Posts: 595
Karma: 10
Wireguard - Mac address filter alias - extra security or not?
« on: February 22, 2022, 05:27:08 pm »
Just wondering. I have WireGuard up and running.
Would it be an extra layer of security if I add an alias containing the MAC addresses of the devices allowed to connect through the WireGuard VPN, and add this alias to the firewall WAN port forward rule to WireGuard?
This way not only the keys are needed, but also the correct MAC address/device (?)
mimugmail
Hero Member
Posts: 6767
Karma: 494
Re: Wireguard - Mac address filter alias - extra security or not?
« Reply #1 on: February 22, 2022, 05:47:55 pm »
I remember there was an article about protecting WireGuard with a captive portal... wouldn't this also be fine?
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
RamSense
Hero Member
Posts: 595
Karma: 10
Re: Wireguard - Mac address filter alias - extra security or not?
« Reply #2 on: February 22, 2022, 05:54:12 pm »
Thanks for your reaction. My understanding of a captive portal is: a captive portal will also add an extra layer of security, but it is also an extra step for a user to go through to get on. I was thinking about something that is there but unseen, with no extra user hassle(?), and came up with the MAC address idea. But maybe there are more options, or reasons not to use MAC?
RamSense
Hero Member
Posts: 595
Karma: 10
Re: Wireguard - Mac address filter alias - extra security or not?
« Reply #3 on: February 25, 2022, 04:36:06 pm »
@mimugmail, your captive portal idea seems to be the way indeed:
Portal bypass
MAC and IP addresses can be white listed to bypass the portal.
The rest will get a blocked splash page or something.
mimugmail
Hero Member
Posts: 6767
Karma: 494
Re: Wireguard - Mac address filter alias - extra security or not?
« Reply #4 on: February 25, 2022, 04:52:38 pm »
It was not my idea
yeraycito
Sr. Member
Posts: 288
Karma: 18
Re: Wireguard - Mac address filter alias - extra security or not?
« Reply #5 on: February 25, 2022, 07:29:16 pm »
Hi, I liked the idea of creating an alias with the MAC of the WireGuard mobile client, so I created it, but when I try to connect it does not connect. I have to say that I have the WireGuard access rule in OPNsense on the WAN, and it is not a port forward. What does work is the following: create an alias with an FQDN DDNS (duckdns) of the WireGuard client and filter with it in the WAN rule.
RamSense
Hero Member
Posts: 595
Karma: 10
Re: Wireguard - Mac address filter alias - extra security or not?
« Reply #6 on: February 26, 2022, 09:03:19 am »
Hmm.. [allowed address] -> adding the WireGuard IP of the [allowed device] works and gets in.
When leaving it empty and filling [Allowed MAC addresses] -> adding the MAC of the allowed device does not work.
So it seems to me that a. this MAC option does not work at all, or b. the MAC filter does not work over 4G/5G connections?
Has somebody tested this?
P.S. I don't see a splash page in any scenario (?) but added the firewall rule to [wireguard (group) net] allow to port 8000-10000.
P.P.S. I just found out about this:
https://github.com/opnsense/core/issues/5459
Looks like this could be the problem; I will test again when the next OPNsense update is out.
« Last Edit: February 26, 2022, 07:49:16 pm by RamSense »