Correct way to limit individual WG peers to one ip rather than entire network
Topic: Correct way to limit individual WG peers to one ip rather than entire network (Read 1598 times)
DrQuinn24
Newbie
Posts: 11
Karma: 0
Correct way to limit individual WG peers to one ip rather than entire network
« on: January 02, 2024, 04:28:21 am »
Good evening,
Apologies in advance, unskilled home user. I searched here and Google to find a solution without any luck. Found "WireGuard on OPNsense - Limit access to certain IP" on reddit but it didn't help much.
I have WireGuard set up and working great on my router. WG has multiple peers set up so the family can access devices at home when away. What I'd like to be able to configure would be limiting some of the WG peers to one IP address on an individual basis rather than the entire group.
IE: WG peer 1: 10.10.10.3 could access the entire network (working fine as is)
WG peer 2: 10.10.10.4 could only access a single IP (need to know how to limit access, Firewall rule?)
I don't see a way to create a firewall rule for WG peer 2. Any help would be greatly appreciated, thank you and Happy New Year.
Logged
tiermutter
Hero Member
Posts: 1097
Karma: 61
Re: Correct way to limit individual WG peers to one ip rather than entire network
« Reply #1 on: January 02, 2024, 08:23:38 am »
Firewall rules are the way to go.
Simply remove (or edit) the "default allow" for WG interface and set up rules for each peer's IP...
IE: WG peer 1: ALLOW SOURCE = 10.10.10.3 DESTINATION = LAN net
WG peer 2: ALLOW SOURCE = 10.10.10.4 DESTINATION = desired IP address
Using aliases, you will be able to add multiple source or destination IPs in a rule.
Logged
i am not an expert... just trying to help...
DrQuinn24
Newbie
Posts: 11
Karma: 0
Re: Correct way to limit individual WG peers to one ip rather than entire network
« Reply #2 on: January 02, 2024, 01:54:54 pm »
tiermutter,
Thank you for your help. I really appreciate it. Will give it a shot after work. Biggest lesson I have learned is to back up the configuration before I "break it."
Logged
tiermutter
Hero Member
Posts: 1097
Karma: 61
Re: Correct way to limit individual WG peers to one ip rather than entire network
« Reply #3 on: January 02, 2024, 02:13:28 pm »
Having backups is always a good idea.
For such purposes you may also want to have a "default reject" rule (last match) at the end of the table.
This will result in responding with a reject instead of a block when they try to establish disallowed connections. This is more suitable for "friendly" devices.
Logged
i am not an expert... just trying to help...
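The per-peer policy described in Reply #1 and the trailing "default reject" from Reply #3, written as an equivalent pf ruleset (an added example, not OPNsense's generated rules or anything posted in the thread; OPNsense builds these from the GUI, and the interface name, LAN subnet and the single allowed host are assumptions):

```pf
# Constructed example: pf equivalent of the OPNsense WireGuard interface rules
# discussed above. First, the interface's "default allow" rule is assumed removed.
wg_if   = "wg0"                 # assumption: WireGuard instance interface
lan_net = "192.168.1.0/24"      # assumption: home LAN
wg_net  = "10.10.10.0/24"       # WireGuard tunnel network from the thread

# Alias-style table: the one host peer 2 is allowed to reach (assumed address).
table <peer2_allowed> { 192.168.1.50 }

# Peer 1 (10.10.10.3) may reach the entire LAN.
pass in quick on $wg_if inet from 10.10.10.3 to $lan_net keep state

# Peer 2 (10.10.10.4) may only reach the host(s) in the alias.
pass in quick on $wg_if inet from 10.10.10.4 to <peer2_allowed> keep state

# Last match: reject (TCP RST / ICMP unreachable) rather than silently drop,
# so a family member's device fails fast instead of hanging on a timeout.
block return in quick on $wg_if inet from $wg_net to any
```

Rules are first-match because of `quick`, so the reject line must stay last; a peer not listed above is rejected entirely, which is the intended default.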