I am trying to achieve something similar to the diagram below. I would like to run a Wireguard server on the Flint2 and remotely access the specific IP addresses on the server LAN (Flint2 subnet). I would like to prevent specific LAN IP addresses from routing through the Wireguard server.
This part was easy: Setting up the Wireguard server and selecting "Allow Remote Access the LAN Subnet." This allows my remote wireguard client to connect to the Flint2 router and access ALL of the LAN subnet, as well as to access the internet appearing from the Flint2 IP.
However, the Wireguard server appears to interfere with some of the LAN devices that cannot be on VPN. Also I would like to set this up so that a specific profile generated in the server only gives access to specific resources.
It seems like maybe this is possible via some combination of "Allowed IP," "Route Rules," and or firewall rules, but I am unable to find clear definitions or guides on how these should be implemented.
For the remote client (assuming it doesn't have policy based routing active), this would be handled with the Allowed IP ranges. Usually the remote client has Allowed IPs of 0.0.0.0/0 (everything goes over the tunnel) or 192.168.8.0/24 (only things on your Flint 2 LAN go over the tunnel, and the rest out the default route). In your case you could have allowed IPs of VMA/32, VMB/32, VMC/32. Or, you could assign the VMs in the range of 192.168.8.128/25 and refer to that.
It is harder to still access the internet from the client only over the tunnel. Then the Allowed IPs would be 0.0.0.0/0 and you would code a firewall rule to drop traffic from the client to 192.168.1/25 (the lower part of the LAN range, where you assign IPs for the devices you are blocking).
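As an added example (not from elorimer's reply or from a GL.iNet generated profile), here are the two approaches written out in plain WireGuard config syntax, as two files shown one after the other. Assumed: tunnel subnet 10.0.0.0/24, Flint2 LAN 192.168.8.0/24, the VMs at 192.168.8.130-132 in the upper /25, a wg-quick style server interface named wg0, and nftables on the router for the drop rule.

```ini
# ===== file: client.conf (remote WireGuard client) =====
[Interface]
PrivateKey = <client-private-key>
Address = 10.0.0.2/32

[Peer]
PublicKey = <flint2-server-public-key>
Endpoint = flint2.example.com:51820
PersistentKeepalive = 25
# Weak setting: the whole LAN is routed into the tunnel, so every
# Flint2 device becomes reachable from the remote client.
#AllowedIPs = 192.168.8.0/24
# Corrected (option 1): one /32 per VM. Other LAN hosts and the internet
# stay on the client's own default route and never enter the tunnel.
AllowedIPs = 192.168.8.130/32, 192.168.8.131/32, 192.168.8.132/32
# Option 2 (full tunnel, internet via the Flint2): use this instead and
# rely on the server-side drop rule below to fence off the lower /25.
#AllowedIPs = 0.0.0.0/0

# ===== file: wg0.conf (Flint2 server side, wg-quick style; assumed) =====
[Interface]
PrivateKey = <server-private-key>
Address = 10.0.0.1/24
ListenPort = 51820
# Only needed for option 2: traffic arriving from the tunnel may not reach
# 192.168.8.0/25, the lower half of the LAN reserved for non-VPN devices.
# The rule lives in its own table so it does not touch the router's firewall.
PostUp   = nft add table inet wgacl; nft add chain inet wgacl fwd '{ type filter hook forward priority 0; policy accept; }'; nft add rule inet wgacl fwd iifname "wg0" ip daddr 192.168.8.0/25 drop
PostDown = nft delete table inet wgacl

[Peer]
PublicKey = <client-public-key>
# On the server, AllowedIPs is the source address accepted from this client
# (its tunnel IP), not the set of LAN hosts it may reach; that is decided by
# the client's AllowedIPs and the forward-chain rule above.
AllowedIPs = 10.0.0.2/32
```

The GL.iNet web UI writes its own equivalents of these files, so treat the block as a reference for what "Allowed IPs" means on each side rather than something to paste verbatim.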
The next challenge is making sure that the other clients on the wireguard server/Flint2 LAN subnet side do not interact with the wireguard server, and just go straight to the Flint2 unimpeded. Adguard Home is also running on the Flint 2, and I do not want the Wireguard server to interfere.
Question: Does setting the Allowed IP solve this, or do I need to modify some additional settings? (perhaps in the firewall?)
@elorimer OK. Thanks for your response. I sort of understand your explanation.
I edited the Allowed IPs on the client configuration profile on the wireguard server to allow only the IP address of a specific VM (192.168.xx/32) on the Flint2/Wireguard server LAN subnet. I then tested connectivity from the remote client. The remote client is able to access only the Allowed VM/32 IP address. The remote client cannot access other Flint2 subnet IPs, and the remote client does not access the internet over the tunnel.
The use of /32 was critical for success.
I also selected "Allow Remote Access to the LAN Subnet" and deselected the "Client to Client" option.