KWL
just joined
Topic Author
Posts: 1
Joined: Thu Nov 17, 2022 1:46 pm

One-sided server to client connection with WireGuard

Tue Nov 29, 2022 10:37 am

Hello,
I have a MikroTik router with a static IP and a server in a different location acting as the client in a WireGuard VPN connection. I set the connection up with no problem, but I want to limit access from the client site to my network behind the MikroTik. As of right now, anyone logged on to the server has full access to everything behind the MikroTik. Can I limit what part of the network is accessible to remote users (maybe even deny connections to any part of my network)? Current config below:
MT:
/interface wireguard
add listen-port=Z mtu=1420 name=wireguard2
/interface wireguard peers
add allowed-address=x.x.x.3/32 interface=wireguard2 persistent-keepalive=1m \
public-key="XXXXXXXXXXXX"
/ip address
add address=x.x.x.2/32 interface=wireguard2 network=x.x.x.0
/ip firewall filter
add action=accept chain=input dst-port=\
Z protocol=udp
Client:
[Interface]
PrivateKey = YYYYYYYYYYYYY
Address = x.x.x.3/32
DNS = 8.8.8.8
[Peer]
PublicKey = WWWWWWWWW
AllowedIPs = x.x.x.2/32
Endpoint = z.z.z.z:Z
PersistentKeepalive = 10
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: One-sided server to client connection with WireGuard

Tue Nov 29, 2022 4:06 pm

Draw a diagram of the network as the explanation was very confusing.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: One-sided server to client connection with WireGuard

Tue Nov 29, 2022 5:32 pm

Generally, the firewall filter is your friend: if you want to block something, then block it, or don't allow it in the first place. But even without it, it doesn't sound likely that the client can access everything behind the MT, because if it has only x.x.x.2/32 in allowed addresses, that's all that will pass through the tunnel (in the client->MT direction).
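
Added example, not part of any post in this thread and not MikroTik's own configuration: one way to apply the firewall-filter approach described above so that the MikroTik side can open connections to the remote server while the server cannot open new ones inward. It assumes the interface name wireguard2 and peer address x.x.x.3 from the original post; y.y.y.10 and TCP port 443 are hypothetical placeholders for a single LAN service that should stay reachable.

```routeros
# Added example. x.x.x.3 and wireguard2 come from the posted config;
# y.y.y.10 and port 443 are placeholders, not values from the thread.
/ip firewall filter

# Forward chain: traffic passing through the router to networks behind it.
# Replies to connections opened from the MikroTik side keep working.
add chain=forward action=accept connection-state=established,related \
    comment="wg: allow replies"

# Optional exception: the one LAN service remote users may reach.
# Omit this rule to deny the peer any access to the LAN.
add chain=forward action=accept in-interface=wireguard2 \
    src-address=x.x.x.3 dst-address=y.y.y.10 protocol=tcp dst-port=443 \
    comment="wg: permitted service (placeholder host and port)"

# Every other new connection the peer tries to open inward is dropped.
add chain=forward action=drop in-interface=wireguard2 \
    comment="wg: drop new connections from peer"

# Input chain: traffic addressed to the router itself (WinBox, SSH, DNS).
# The WireGuard handshake on UDP port Z arrives on the WAN interface,
# not on wireguard2, so the existing accept rule for it is unaffected.
add chain=input action=accept connection-state=established,related \
    comment="wg: allow replies to router"
add chain=input action=drop in-interface=wireguard2 \
    comment="wg: drop peer access to router"
```

Rules are evaluated top to bottom and `add` appends to the end of the chain, so move these above any broader accept rule (or use `place-before=`) for them to take effect.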
