VPN server: applying restrictions to connected clients

I have a VPN server set up with WireGuard in my AX1800 and a number of clients connecting to it. I would like to ensure that certain clients connected to the VPN can only access specific domains or IPs, while other connected VPN clients have no restrictions. Is this possible?

No, this isn’t possible. Those restrictions need to be done on the VPN server then.


And could it be possible with the MT6000?

Everything is possible if you set it up manually, mostly.

But this isn’t a standard feature for any router.
No idea how to set it up, tbh. Some firewall / dns stuff might be required. Not even sure if it would really work at the end.


It’s possible, although you would be subnetting the VPN clients and applying policies per group.
Restricted Group 10.0.1.1
Unrestricted Group 10.0.2.1
You would then run this through something like AdGuardHome to restrict certain client IP addresses and unrestrict the others.

Whether the AX1800 is capable of this with the GL.iNet stock firmware is unknown. The MT6000 is capable of this running real OpenWrt, but you would have to consider whether it’s simpler to just run a VPN VPS.


AdGuard Home can’t block IP addresses. So this won’t help.


But the firewall can; it just needs a restricted IP list.


Indeed, but having a block list is always waaaay worse than having an allow list.
So yes, it could be done, but this is totally beyond the scope of this forum, I guess.

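As an added example (not from this thread, and not GL.iNet's or OpenWrt's own configuration), this is how the subnet-per-group, allow-list approach discussed above could be written for OpenWrt's fw4 firewall: restricted peers are assigned addresses in 10.0.1.0/24, unrestricted peers in 10.0.2.0/24, and the firewall forwards the restricted range only to an allow-listed destination. Assumptions: the WireGuard server interface is named wg0, the upstream zone is named wan, the peer public keys are placeholders, and 203.0.113.10 is a placeholder for the streaming service's address.

```uci
# /etc/config/network (excerpt): group peers by the address they get.
# Restricted peers live in 10.0.1.0/24, unrestricted peers in 10.0.2.0/24.
# route_allowed_ips installs a route to each peer, so wg0 itself does not
# need an address covering both ranges.
config wireguard_wg0
	option description 'restricted-peer-1'
	option public_key 'PLACEHOLDER_PUBKEY_1'
	list allowed_ips '10.0.1.5/32'
	option route_allowed_ips '1'

config wireguard_wg0
	option description 'unrestricted-peer-1'
	option public_key 'PLACEHOLDER_PUBKEY_2'
	list allowed_ips '10.0.2.5/32'
	option route_allowed_ips '1'

# /etc/config/firewall (excerpt). fw4 evaluates rules in file order,
# so the ACCEPT rules must come before the final REJECT.
# input ACCEPT lets every peer use the router's own DNS resolver;
# forward REJECT blocks peer-to-peer traffic between the two groups.
config zone
	option name 'wg'
	list network 'wg0'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Unrestricted group: forward everything to wan.
config rule
	option name 'wg-unrestricted-to-wan'
	option src 'wg'
	option src_ip '10.0.2.0/24'
	option dest 'wan'
	option target 'ACCEPT'

# Restricted group, allow list: only HTTPS to the placeholder
# streaming address (TEST-NET-3; replace with the real addresses).
config rule
	option name 'wg-restricted-allow-streaming'
	option src 'wg'
	option src_ip '10.0.1.0/24'
	option dest 'wan'
	option dest_ip '203.0.113.10'
	option proto 'tcp'
	option dest_port '443'
	option target 'ACCEPT'

# Restricted group: everything else towards wan is rejected (default deny).
config rule
	option name 'wg-restricted-deny-rest'
	option src 'wg'
	option src_ip '10.0.1.0/24'
	option dest 'wan'
	option target 'REJECT'
```

Reload with `/etc/init.d/network reload` and `/etc/init.d/firewall restart` after editing. Because the allow list is static, it has to be maintained whenever the service's addresses change, which is the limitation raised later in this thread for CDN-hosted services.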

In the current router’s VPN design, the domain-based VPN policies are implemented on the VPN client side, not the VPN server side.


I’ll explain a bit: on one of the most famous forums in Spain (https://forocoches.com/foro/showthread.php?t=9943924) I started a thread to work on a project with gl.inet products.

There are many users there who have issues with streaming platforms because they detect that devices are connecting from different IPs. The project I propose is that shared accounts (usually among family members) be shared with a VPN. Here, the gl.inet products are very easy to use. I’m preparing a manual in which I discuss creating a central node (base family) and clients connecting (client family) to the base node. Since some people share not just with family but also with friends, giving them VPN access to browse wherever they want is a sensitive matter, so I acquired the AX1800 thinking I could control it. Ideally, certain client families would be allowed to browse while certain other client families could only access the streaming platform.

Normally, many solutions of this type are shared on this forum, and I was excited to contribute my solution with your products. I have almost completed the manual to publish it, but now there’s this issue of VPN traffic control on the server side, so for now I don’t know how I will solve it.


I highly doubt it’s even possible to solve this.

The problem from my point of view is that the central server has to provide all the security - otherwise a client could weaken the security.

In my view, OpenWrt is not suitable for this. It is certainly possible, but the main purpose of OpenWrt is different. You would have to think more in terms of a firewall, e.g. OPNsense.

In addition, the central hub would have to know all the IP addresses that need to be routed. However, since many video portals only use cloud resources such as AWS, it is difficult or even impossible to define rules on an IP basis. DNS will not always be enough - and not all DNS names are always known.


So maybe the control should be whether or not to allow HTTP traffic?