Wireguard Access and Global IP Blocks

Started by spetrillo, November 18, 2025, 05:55:53 PM

Hello all,

I am trying to balance the need of my developers to access my internal systems via WG VPN and the need to block IPs on a country basis. Has anyone found a way to do this? I have one developer who might be in Colombia one day and India the next day. How do I set him and others to get in while blocking the global IPs?

Thanks,
Steve

Do you fear that the WG VPN endpoint could be exploited? It should be fairly resilient, plus, you can use any exotic port you like.

Thus, you could place the rule for the WG port before the normal geoip block rules. You can further limit access by creating a more limited version of the geoip blocks only for the WG port which excludes whatever countries you want to have VPN access.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

No...my problem is I have no way to know what public IP this user will have, and so my global IP block does not allow the VPN connection.

Do I just need to put the VPN rule ahead of the block?

Yes.

Thanks!

Can I further lock this down by using the private IP of the incoming VPN connection as the source?

With VPNs, there are always two firewall rules involved:

1. The one with which you allow access for the VPN daemon port. In order to allow access for your roadwarriors from anywhere, this must not be limited by a geoip rule.

2. The ones to define what these roadwarriors can do within your network once they get an IP assigned by the VPN (which would be an RFC1918 IP). These rules can be specified at WG group, network, WG instance or even at the client IP level, but at finest granularity, they can tell you which specific WG key is being used. They do not carry any information as to which routeable IP (or which country) the client originally came from.

So, yes, you can, but this private IP obviously bears no information on location. I use this all day. There must be a way to do this, otherwise any VPN client could do either nothing or anything. You can use different WG instances for site-2-site tunnels than for roadwarriors or even have different instances for "types" of roadwarriors (like administrators vs. developers).
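The two-rule structure described in the reply above, written out as a raw pf.conf fragment (OPNsense builds its ruleset on pf, but this is an added example, not anything posted in the thread and not the rules the OPNsense UI would generate). Interface names `igc0` and `wg0`, UDP port 51820, the tunnel subnet 10.10.10.0/24, the developer subnet 192.168.20.0/24, the client address 10.10.10.10 and the geoip table file path are all assumptions chosen for illustration.

```pf
# Added example (not from the thread): pf.conf sketch of the two-rule structure
# the reply describes. All names below are assumptions: WAN interface "igc0",
# WireGuard interface "wg0", WG listen port 51820, tunnel subnet 10.10.10.0/24,
# a geoip table <geoip_block> filled from your own country-block feed.

wan_if   = "igc0"
wg_if    = "wg0"
wg_port  = "51820"
wg_net   = "10.10.10.0/24"
devs_net = "192.168.20.0/24"    # internal systems developers may reach

# Assumed path; the file holds the country prefixes you want blocked.
table <geoip_block> persist file "/usr/local/etc/geoip_block.txt"

# 1. Daemon port rule, placed BEFORE the geoip block and marked "quick" so it
#    is the final decision for these packets: a roadwarrior handshake from any
#    country reaches the WireGuard daemon. Nothing else on WAN is opened.
pass in quick on $wan_if inet proto udp from any to ($wan_if) port $wg_port keep state

# Geoip block for everything else arriving on WAN.
block in quick on $wan_if from <geoip_block> to any

# 2. Post-tunnel rules keyed on the RFC1918 address the client was assigned.
#    The source here is the tunnel IP only; it carries no information about the
#    public IP or country the client connected from, so least privilege has to
#    come from restricting what each tunnel address may reach.
pass in quick on $wg_if inet proto tcp from 10.10.10.10 to $devs_net port { 22, 443 } keep state

# Default for the tunnel: anything not explicitly allowed above is dropped.
block in on $wg_if from $wg_net to any
```

The ordering is the whole point: pf evaluates rules top to bottom, and `quick` stops evaluation at the first match, so the WireGuard pass rule must precede the geoip block rule or the handshake from a blocked country is dropped before it is ever considered. The tunnel-side rules then do the real access control per client address (or per WG instance, if you run separate instances for administrators and developers as the reply suggests). A quick check after loading the ruleset is `pfctl -sr` to confirm the pass rule for the WG port appears above the geoip block.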